On 3/1/21 3:11 PM, Phillip Hallam-Baker wrote:
> Let's take a step back. There are two separate sets of concerns related to 'privacy':
> 1) Disclosure of an identifier allows a service attack using that identifier.
> 2) Linking separate uses of an identifier allows a profile to be constructed of the individual that can be used against the interest of the individual.
3) If it's already known that a service provider is routinely violating its users' privacy, why would anyone trust them to be an authentication service or identity provider for any service that they themselves did not operate?
(What I haven't tried to determine yet is whether HTTP cookies
get exchanged during OAuth2 transactions...)
Keith