
Re: Use and abuse of cookies (was Re: controlling web "cookies")



At 4:10 PM -0800 12/21/96, Eric Murray wrote:
>On a similar note, I think that after SSL/TLS client auth
>becomes common, and if browsers will make SSL/TLS connections
>without popping up a dialog box to warn the user, then
>client auth could be used for tracking users.  The user's
>cert provides the unique ID and the Referer: tag provides
>the trace of where they were last.  An https link in
>a document that points to "clicktracker.com" could
>make the https connection, demand client auth to get
>a copy of the user's cert, and add another visit to their
>database.

This argument is a strong argument for leaning more toward the capability
model described in the SPKI draft than toward the "True Names" model
inherent in the X.509 thought process.  If each privilege has a separate
cert, a web server could not use the single "True Name" cert to track usage.

(If we can't have capability certs, then Eric's idea of many nym certs
becomes the next best thing.)

Note to SPKI: How does the web server identify the cert it wants the web
browser to return?  Perhaps it asks for certs signed by key foo.


-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA
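The tracking risk Eric describes (one client cert plus Referer: gives a cross-site trail) and the capability-cert answer Bill gives, as an added Python model that is not part of this thread. Certificate ids, issuer keys and the site names are constructed stand-ins; no real X.509, SPKI or TLS code is involved.

```python
"""Added example: models the 'True Name' tracking risk and the SPKI-style
per-privilege mitigation.  Certs are dicts {fp, issuer}; keys are constructed
random bytes and fingerprints stand in for certificate identifiers."""
import hashlib
import os
from collections import defaultdict


def fingerprint(pubkey: bytes) -> str:
    """Stand-in for a certificate's unique identifier."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def make_cert(issuer_fp: str) -> dict:
    # Constructed: a fresh subject key, certified by the named issuer key.
    return {"fp": fingerprint(os.urandom(32)), "issuer": issuer_fp}


class TrackerDB:
    """What an https 'clicktracker' learns from client auth: cert id -> Referer sites."""

    def __init__(self) -> None:
        self.visits = defaultdict(set)

    def record(self, cert: dict, referer: str) -> None:
        self.visits[cert["fp"]].add(referer)

    def linkable_trails(self) -> dict:
        """Cert ids seen from more than one referring site, i.e. a cross-site trail."""
        return {fp: sorted(r) for fp, r in self.visits.items() if len(r) > 1}


def choose_certs(wallet: list, requested_issuer: str) -> list:
    """Bill's 'Note to SPKI': the browser returns only certs signed by the key the server names."""
    return [c for c in wallet if c["issuer"] == requested_issuer]


def browse_true_name(sites: list, tracker: TrackerDB) -> None:
    # X.509 'True Name' model: one identity cert presented to every site.
    identity = make_cert(fingerprint(b"constructed-CA-key"))
    for site in sites:
        tracker.record(identity, site)


def browse_capabilities(sites: list, tracker: TrackerDB) -> None:
    # SPKI capability model: a separate cert per privilege, each signed by the
    # key that granted it, so no identifier is shared between sites.
    wallet = [make_cert(fingerprint(site.encode())) for site in sites]
    for site in sites:
        for cert in choose_certs(wallet, fingerprint(site.encode())):
            tracker.record(cert, site)
```

With the single identity cert the tracker's database links every visited site to one id; with per-privilege certs each site sees a different id and `linkable_trails()` stays empty.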