[DotGNU]Re: [Auth]Freport Update

From: Hans Zandbelt
Subject: [DotGNU]Re: [Auth]Freport Update
Date: Fri, 15 Mar 2002 11:16:52 +0100

At 02:54 3/15/2002 -0600, John wrote:
>That's it. Although ID-Sec has been much better supported, I still see
>its failure to protect the "sites-visited meta-data" as a major
>departure from DotGNU's original edict of fully protecting customer

This is *not* an IDsec problem!
IDsec in itself *does* guarantee that Profile Requesters cannot relate
each other's data by using "meaningless" session identifiers!

However it depends on the nature and the amount of the
data itself that you give to Profile Requesters whether this will actually
work out: if you pass your private address to Profile Requester A and to Profile
Requester B, it's quite logical that they will be able to associate
these visits with the same person ... This is not an IDsec problem:
it's a problem that you would have with these Profile Requesters.
You shouldn't give this kind of profile data to malicious Profile Requesters.
The only thing IDsec can do is that it won't give this kind of data to
Profile Requesters that you don't trust.

As a matter of fact, Service Providers today can easily assemble user
profiles based on client IP addresses. This is also an issue that will
not be solved and that is out of scope here.

I have explained this before and you can read it in the draft
specification. Please do so before making these kinds of statements!



Hans Zandbelt                         address@hidden 
Telematica Instituut            
P.O.Box 589, 7500 AN                   Phone: +31 53 4850445 
Enschede, Netherlands                    Fax: +31 53 4850400 
