ARGON
Artifact [11a1c97dbf]

Artifact 11a1c97dbf6dcf8fd8f9e0088847a47b6f6c297a:

Ticket change [11a1c97dbf] - New ticket [3b8d13ee40] Improve privacy support. by alaric 2013-07-16 11:30:17.
D 2013-07-16T11:30:17.039
J comment My earlier thoughts on privacy revolved around the idea that privacy online was largely illusory (a server can trace you to an IP, and that IP can be reasonably correlated with other information to identify you to some extent, and the ISP can be made to reveal the mapping from that IP/port to a legal person). Therefore, it was better to make identity absolute, by identifying every request with a source entity, and having the cluster hosting that entity sign it.

But, I feel I have under-estimated the sheer level of insidious surveillance that has become possible with centralisation of logs from different organisations, and so I need to change this stance.

So, therefore, I suggest that MERCURY requests are *not* authenticated by default, but a flag in the EID (or a rejection of the request by the far end, replying with the demand for authentication), much like is proposed for handling encryption, can be used to request it. Unlike encryption, however, authentication requests additional information from the client, so by default it will be rejected and the request will fail. To enable it, the client must provide a callback to the MERCURY request initiation that is called if authentication is required, and whose return value will cause the acceptance or rejection of that authentication request. If the EID has the "please authenticate" flag, then rejection of that by the callback will cause an attempt to perform the request without authentication; if that is rejected, the request fails. Some entities may not require authentication, but offer extra services if authentication is provided; to support this, a MERCURY request may explicitly demand authentication, in which case the callback is NOT invoked.

A "request to authenticate" (which is the return value of the callback, or passed directly to the MERCURY request when explicitly requesting authentication) consists of a base identity - either electing to use the initiating entity's own identity, or a supplied "independent public-key identity" object containing a keypair - and a chain of zero or more proxy certificates, leading from the entity's identity or an independent public-key identity, granting it the (time-limited) right to act "as" another entity.

The intention is that user-interface code will, when the user performs an interaction with an entity that requires authentication, pop up a dialog requesting permission and allowing the user to select from a number of available identities. As the request comes from a UI entity, rather than the user's own UA entity, the request will usually need to involve the proxy certificate granted to the UI by the UA to allow the UI to execute it.

This is better than the browser cookie mess, while also offering privacy by default.

We must also, in the design of MERCURY, execute great care as to what other information about the user we might leak, that could be used to identify them. Although identifying their UI entity (which will actually be generating the MERCURY requests) is not as bad as identifying their UA, we should still be careful to make the MERCURY protocol not leak identifying information. Also, unnecessary bulk in the packets increases network overhead.
J private_contact edd852a1b86b4a3139e73d229e5a61a63d12b819
J severity Critical
J status Open
J title Improve\sprivacy\ssupport
J type Code_Defect
K 3b8d13ee40eb4e2b57a103f42597d6e2f794b1b6
U alaric
Z 6f2e339a7ed4dc6bc3d30cf9d9b59000
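The negotiation described in the ticket comment above, modelled as an added example. This is not ARGON or MERCURY code, and the names EID, Entity, AuthRequest, ProxyCert and mercury_request are assumptions made for the illustration. One further assumption: HMAC over a per-identity secret stands in for the public-key signatures the design implies, so the far end's keyring holds those secrets where a real implementation would hold public keys. The model covers no authentication by default, the "please authenticate" flag on the EID, the far end replying with a demand, the callback asked at most once (a declined callback on a flagged EID falls back to an unauthenticated attempt, which then fails if the far end insists), explicit authentication bypassing the callback, and verification of a time-limited proxy chain from the UI entity's own identity up to the UA it acts as.

```python
"""Added example (not ARGON's code): a model of the MERCURY authentication
negotiation described in the ticket, with time-limited proxy certificates.
Assumption: HMAC over a per-identity secret stands in for public-key signatures."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Reply = Tuple[str, Optional[str]]

@dataclass
class Identity:
    name: str
    secret: bytes  # stand-in for a private key (see module docstring)

@dataclass
class ProxyCert:
    grantor: str      # entity whose rights are delegated: the holder may act "as" it
    grantee: str      # identity that receives the delegated right
    not_after: float  # expiry (unix time): proxy rights are time-limited
    sig: bytes = b""

    def body(self) -> bytes:
        return f"{self.grantor}|{self.grantee}|{self.not_after}".encode()

def sign_proxy(grantor: Identity, grantee: str, ttl: float, now: float) -> ProxyCert:
    cert = ProxyCert(grantor.name, grantee, now + ttl)
    cert.sig = hmac.new(grantor.secret, cert.body(), hashlib.sha256).digest()
    return cert

@dataclass
class AuthRequest:
    """A 'request to authenticate': a base identity plus a proxy chain from it."""
    base: Identity
    chain: List[ProxyCert] = field(default_factory=list)

    def wire(self, payload: str) -> dict:
        # Only the base name, the chain and a proof of key possession leave the client.
        proof = hmac.new(self.base.secret, payload.encode(), hashlib.sha256).digest()
        return {"base": self.base.name, "chain": self.chain, "proof": proof}

class Entity:
    """Far end. An entity with requires_auth=False still accepts optional auth."""
    def __init__(self, name: str, requires_auth: bool, keyring: Dict[str, bytes]):
        self.name, self.requires_auth, self.keyring = name, requires_auth, keyring

    def handle(self, payload: str, auth: Optional[dict], now: float) -> Reply:
        if auth is None:
            return ("AUTH_REQUIRED", None) if self.requires_auth else ("OK", f"anon:{payload}")
        acting_as = self._verify(payload, auth, now)
        return ("AUTH_FAILED", None) if acting_as is None else ("OK", f"{acting_as}:{payload}")

    def _check(self, signer: str, msg: bytes, sig: bytes) -> bool:
        key = self.keyring.get(signer)
        return key is not None and hmac.compare_digest(
            hmac.new(key, msg, hashlib.sha256).digest(), sig)

    def _verify(self, payload: str, auth: dict, now: float) -> Optional[str]:
        holder = auth["base"]
        if not self._check(holder, payload.encode(), auth["proof"]):
            return None  # base identity did not prove possession of its key
        for cert in auth["chain"]:
            # Each link: issued to the current holder, unexpired, signed by its grantor.
            if (cert.grantee != holder or cert.not_after <= now
                    or not self._check(cert.grantor, cert.body(), cert.sig)):
                return None
            holder = cert.grantor
        return holder  # the identity the request acts "as"

@dataclass
class EID:
    entity: Entity
    please_authenticate: bool = False  # the "please authenticate" flag

def mercury_request(eid: EID, payload: str, now: float,
                    callback: Optional[Callable[[EID], Optional[AuthRequest]]] = None,
                    auth: Optional[AuthRequest] = None) -> Reply:
    """Client side of the negotiation: unauthenticated unless asked and permitted."""
    if auth is not None:  # explicit demand for authentication: callback NOT invoked
        return eid.entity.handle(payload, auth.wire(payload), now)
    asked = False
    if eid.please_authenticate and callback is not None:
        asked, auth = True, callback(eid)
        if auth is not None:
            return eid.entity.handle(payload, auth.wire(payload), now)
        # callback declined: fall through and try without authentication
    reply = eid.entity.handle(payload, None, now)
    if reply[0] == "AUTH_REQUIRED" and callback is not None and not asked:
        auth = callback(eid)  # far end demanded authentication: ask the callback once
        if auth is not None:
            return eid.entity.handle(payload, auth.wire(payload), now)
    return reply  # no callback, or it declined, so the request fails

def demo(now: float = 1_700_000_000.0) -> Dict[str, Reply]:
    ua, ui = Identity("ua", b"ua-secret"), Identity("ui", b"ui-secret")  # constructed
    keyring = {"ua": ua.secret, "ui": ui.secret}
    private, public = Entity("mailbox", True, keyring), Entity("wiki", False, keyring)
    grant = sign_proxy(ua, "ui", 3600, now)  # the UA lets the UI act as it for an hour
    forged = sign_proxy(Identity("ua", b"not-the-ua-key"), "ui", 3600, now)
    accept, decline = (lambda eid: AuthRequest(ui, [grant])), (lambda eid: None)
    return {
        "anon": mercury_request(EID(public), "read", now),
        "no_callback": mercury_request(EID(private), "read", now),
        "far_end_demand": mercury_request(EID(private), "read", now, callback=accept),
        "flag_declined": mercury_request(EID(public, True), "read", now, callback=decline),
        "flag_declined_private": mercury_request(EID(private, True), "read", now, callback=decline),
        "explicit": mercury_request(EID(public), "read", now, auth=AuthRequest(ui, [grant])),
        "expired": mercury_request(EID(private), "read", now + 7200, callback=accept),
        "forged": mercury_request(EID(private), "read", now, auth=AuthRequest(ui, [forged])),
    }
```

Calling demo() runs the eight constructed cases. The unauthenticated paths send no identity at all, which is the privacy-by-default property the comment wants; the "expired" and "forged" cases show the far end rejecting a chain whose proxy certificate is past its time limit or not signed by the grantor it names.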