[DotGNU]Re: [Auth]Freport Update

[Hans Zandbelt]

At 02:54 3/15/2002 -0600, John wrote:
>That's it. Although ID-Sec has been much better supported, I still see
>it's failure to protect the "sites-visited meta-data"  as a major
>departure from DotGNU's original edict of fully protecting customer

This is *not* an IDsec problem!
IDsec in itself *does* guarantee that Profile Requesters cannot relate
eachothers data by using "meaningless" session identifiers!

However it depends on the nature and the amount of the
data itself that you give to Profile Requesters wether this will actually
work out: if you pass your private address to Profile Requester A and to Profile
Requester B, it's quite logical that they will be able to associate
these visits with the same person ... This is not an IDsec problem:
it's a problem that you would have with these Profile Requesters.
You shouldn't give this kind of profile data to malicious Profile Requesters;
The only thing IDsec can do is that it won't give this kind of data to 
Profile Requesters that you don't trust.

As a matter of fact, Service Providers today can easily assemble user
profiles bases on client IP addresses. This is also an issue that will
not be solved and that is out of scope here.

I have explained this before and you can read it in the draft
specification. Please do so before making this kind of statements!

Regards,

Hans.


------------------------------------------------------------
Hans Zandbelt                         address@hidden 
Telematica Instituut                     http://www.telin.nl 
P.O.Box 589, 7500 AN                   Phone: +31 53 4850445 
Enschede, Netherlands                    Fax: +31 53 4850400