Thanks to everyone for your comments, in particular thanks to Nick for a very detailed response.
There seems to be a broad consensus that the identifier used for CLIENTID must not be related to any hardware property, nor to any environment property, and it must not be predictable. Rather, the ID must be random and must be separate per account. The ID should be changed whenever the account properties are modified by the user, like username or server hostname. The ID could also be changed if the server identifier changes, like the server's TLS certificate. The user should be able to reset the ID. The ID should be local, not shared with other devices. Assuming these requirements are met, no additional worries have been mentioned. Nick mentions a server might already be able to use heuristics to identify a user based on other attributes of interactions between client and server, and enabling CLIENTID might be an acceptable trade-off for many users. In my opinion, presenting an identifier on a silver tablet makes it much easier for a server to identify a client, because the indirect information might be less reliable, and it requires the server operator to actively implement collection of secondary attributes and building the heuristics. In other words, even if identification might already have been possible, it required work and still involved uncertainty, while the introduction of CLIENTID makes identification very easy without additional investment. On the other hand, the web uses HTTP Cookies, and it was helpful that Nick mentioned them. With cookies, we already have a broadly accepted mechanism that servers can use to recognise a client. Although it isn't the server who defines the CLIENTID, and the server cannot control what's stored inside CLIENTID, it might be appropriate to compare the privacy implications. While many servers and clients support cookies, we've also seen a lot of worry about cookies, which even resulted in legislation in the EU that users shall be made aware whenever cookies are used.
It might be reasonable to treat CLIENTID similarly as cookies. This means, in addition to what has been said already, it might be useful to inform the user whenever a server makes use of the CLIENTID feature. Thanks again.

Kai
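As an added illustration, not part of Kai's message or the list thread, here is a small client-side store that meets the requirements summarised above: a random CLIENTID per account, kept only on this device, rotated when the user edits the account properties or the server's certificate changes, and resettable by the user. The class, field and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountProps:
    """Properties whose change should invalidate the CLIENTID (constructed example)."""
    username: str
    server_hostname: str
    server_cert_fingerprint: str


class ClientIdStore:
    """Holds one CLIENTID per local account; nothing here is derived from hardware
    or environment, the ID is a fresh random value each time it is (re)issued."""

    ID_BYTES = 16  # 128 bits of entropy, rendered as 32 hex characters

    def __init__(self):
        # account_key -> (AccountProps the ID was issued for, client_id)
        self._entries = {}

    def _issue(self, account_key, props):
        client_id = secrets.token_hex(self.ID_BYTES)
        self._entries[account_key] = (props, client_id)
        return client_id

    def get(self, account_key, props):
        """Return the CLIENTID for this account, rotating it if any tracked
        property (username, hostname, certificate) differs from last time."""
        entry = self._entries.get(account_key)
        if entry is None or entry[0] != props:
            return self._issue(account_key, props)
        return entry[1]

    def reset(self, account_key):
        """User-initiated reset: the next get() hands out a new random ID."""
        self._entries.pop(account_key, None)

    def uses_clientid(self, account_key):
        """True once an ID has been issued; a client could surface this to the
        user, in the spirit of the cookie-style notice suggested above."""
        return account_key in self._entries
```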
