Re: 3 Proposals: session ID, business-card auth, customer auth

Daniel W. Connolly (
Thu, 20 Jul 1995 12:01:48 -0400

In message <>, James Pitkow writes
>Dan wrote:
>> Please demonstrate how this is done. No fair spreading Fear,
>> Uncertainty, and Doubt.
>Ok. Here's a business card that you require for site access:

Whoa. I was asking how Request-ID can be used to compromise
privacy. No fair muddling it up with business cards.

>Now, if you enable mechanisms that permit log files to contain ids across
>sites AND you do not impose a policy to protect users,

Who said that? Not me. I would certainly expect anybody collecting
business cards to write up their policy for access to that data
and make it available. I would probably even mandate that in
the spec.

>Interestingly, it seems that companies on the Web are asking for more
>information about the effectiveness of their advertising then they can
>get now. When I buy a magazine off a newsstand, no one knows how long
>I looked at the pages, what my name is, etc.

Not unless you return the reader-response cards, or participate in
a survey, or...

I never suggested that _all_ infomation providers would require
a business card on _all_ data. Just that it may be appropriate
at times.


Come on folks, this is a big distributed system. The interesting thing
about distributed systems is not just that you can use more than one
box to get the job done. It's that you can accomodate a variety
of policies within the system. Each site decides how much access
to resources it provides to the community, and what it requires
in return.


> Instead, companies make
>their decisions based upon reliable estimates of subscription rates and
>the demographics that compose those readers.

And they spend a lot of money doing that, and it costs YOU.