Friday, April 2, 2010

Re: [Geopriv] Deploying authorization policy

I suspect there are shades of gray here. It's clearly used for pictures (or albums), not so much for larger-scale access (e.g., all my Picasa pictures or the whole Facebook profile). Thus, I suspect a "secret" location URL that reveals where I am at 5 pm today may not raise much of an eyebrow, but a URL that allows tracking me from today until next December more so. To their credit, Picasa also does a pretty decent job of explaining how to use this URL, e.g., by showing an HTML snippet.

Henning

On Apr 2, 2010, at 5:40 PM, Richard Barnes wrote:

> Henning,
>
> It seems to me that the the "random stuff in a URI" authentication scheme is already really used today. For example, say I post pictures to Picasa. I can mark albums as public or private, and only the public albums show up on my user page when a random stranger views it, at a URI of the form:
>
> <http://picasaweb.google.com/username>
>
> However, when I as the owner load a picture or album page, it provides a URI that I can send to anyone that will show them the picture (but nothing else) or one that shows the album. These URIs have the form:
>
> <http://picasaweb.google.com/username/albumname?authkey=293590D256FBEE1F75E816>
>
> (Borrowing Henning's random bytes.)
>
> So it seems like the market is refuting your hypothesis about user preferences.
>
> --Richard
>
>
>
> On Apr 2, 2010, at 5:06 PM, Henning Schulzrinne wrote:
>
>>>
>>> One thing that I believe where some misunderstanding starts is that
>>> users are expected to hand around new URLs all the time (whenever they
>>> fetch new onces from their LIS). This is in theory possible but in
>>> practice that might be difficult. Instead, it is more likely that one
>>> would want to publish location to a server that fulfills already other
>>> rules (such as a presence server alike concept; you could even call
>>> Yahoo's FireEagle, Ovi Chat, Google's Latitude). Other uses have a
>>> long-term contact point to go to for many reasons already.
>>
>> On a side note: One of the problems with by-possession URLs is that the semantics are not always clear to the user. In other words, by looking at the URL, users can't tell that they are giving away their location, for example. People include URLs in email messages, Twitter posts and web pages all the time, without fully understanding the semantics and the consequences. I suspect people would be upset if
>>
>> http://www.facebook.com/henning.schulzrinne
>>
>> just gave public access (as it does today), while
>>
>> http://www.facebook.com/henning.schulzrinne/293590D256FBEE1F75E816
>>
>> gave full access to everything, without further authentication.
>>
>> Henning
>> _______________________________________________
>> Geopriv mailing list
>> Geopriv@ietf.org
>> https://www.ietf.org/mailman/listinfo/geopriv
>
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Posted by at