Individualization section is unclear

[joeyparrish]

I recently had some confusion about individualization. I eventually figured things out, but I think it should be made clear that:

• CDM implementations only support one type of individualization or the other
• The CDM implementation dictates the mechanism used (if any), not the user agent, nor the application
• Direct individualization goes to a central non-origin-specific server, but still produces an origin-specific identifier

[mwatson2]

These seem like reasonable clarifications to me

[mwatson2]

Note that the result of direct individualization is not an origin-specific identifier, since direct individualization must not expose origin information to the individualization server. However, any identifier exposed to an origin must still be origin-specific.

[mwatson2]

PR #281

[joeyparrish]

So it's not origin-specific in the sense that the origin can't be determined, but that individualization result still differs between origins. Correct?

[mwatson2]

So it's not origin-specific in the sense that the origin can't be determined, but that individualization result still differs between origins. Correct?

Direct individualization may be performed just once, on the first ever use of the CDM or on browser installation. The result might be an origin-independent identifier, which is never exposed to applications (this would be a Distinctive Permanent Identifier, in the language of the specification). The origin-specific identifiers exposed to applications are derived from this origin-independent one in a way that makes the origin-specific identifiers non-associable, at least by everyone except potentially the individualization server.

[ddorwin]

While Direct Individualization may be performed once as @mwatson2 says above, the description above is not necessarily/likely to be accurate, at least in practice. This was the specified behavior before #117 was fixed, but it was too limiting. The problem is that any value derived from such a single identifier is likely to include some reference to the origin-independent value. Otherwise, the individualization process would not have been necessary and/or provides no additional attestation than could have been provided locally. Therefore, it is more likely that an individualization process will be performed once per origin. (The spec also allows for a single origin-independent process followed by per-origin individualization using that intermediary value.) In all cases, the server is origin-independent to protect the [Distinctive] Permanent Identifier(s).

Importantly, the last paragraph of the Direct Individualization section requires that the actual origin not be exposed during this process. Instead, a non-associable value that only the client can associate with the origin may be used. It might be helpful to provide a non-normative note expanding on this.

Speaking of the last paragraph, I believe there is a typo: “origin(s)-” is not supposed to have a dash. (The dash in “origin-” is correct.)