This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
Section 9.4 contains the following text: "Such implementations should not use identifiers for a device or user of a device in the individualization process." This is too broad. I proposed instead the following: "Such implementations should not directly provide identifiers for a device or user of a device in any messages sent during the individualization process." This allows for implementations which generate unique identifiers not directly associable with the device or user by digesting a mixture of device identifiers. These identifiers can have the security property that two different devices are unlikely to generate the same identifier, but also have the privacy property that it is very difficult to match an identifier to a user+device.
I'm fine with changing the text, but I think we should be more precise in what is and is not recommended. These sections contain recommendations for implementers, so we can be specific, aim high, and include the reasons and/or an analysis of such problems. Henri provides some relevant analysis in http://lists.w3.org/Archives/Public/public-html-media/2014Oct/0092.html
Is this issue still relevant? Is there a specific suggestion addressing comment #1? If so, please open a GitHub issue. Either way, we should close this legacy bug.
Yes, this issue is still relevant. I would prefer not to be much more specific, since different implementations may use different types of identifiers. Any proprietary algorithms involved do not need to be made explicit. I can create a GitHub issue -- but it will basically just duplicate this information. Is that useful?
Migrated to https://github.com/w3c/encrypted-media/issues/110.