Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should UUID for unique IDs be mandated? #647

Open
inexorabletash opened this issue Mar 9, 2015 · 7 comments
Open

Should UUID for unique IDs be mandated? #647

inexorabletash opened this issue Mar 9, 2015 · 7 comments
Milestone

Comments

@inexorabletash
Copy link
Member

UUIDs are awesome.

But I notice that http://www.w3.org/TR/FileAPI/ goes out of the way to only make use of UUIDs a SHOULD not a MUST for unique IDs. Do we want to require the use of UUIDs for SW, or use less strict requirements, like File does?

(Also... if this is the first place in the platform that is outright requiring UUIDs, should we be good anti-magicians and add a UUID-minting function somewhere? Not in the SW spec, of course...)

@jungkees
Copy link
Collaborator

I don't think we should mandate it. It should just be a unique id but with some constraints I guess.

@annevk pointed out the privacy implication of the id at #643

The app: URI scheme spec also uses UUID and has a similar privacy and security considerations: http://www.w3.org/TR/2013/WD-app-uri-20130516/#privacy

So, I think I have to update the text considering those points. Please let me know if anyone has a more specific suggestion.

@annevk
Copy link
Member

annevk commented Mar 10, 2015

I think the File API is wrong in not requiring something specific. Having said that, I'm not really sure we need UUIDs. The identifiers need to be unique per-origin, not globally. Having them globally unique might actually not be good for the user.

As for a primitive, the Web Crypto API defines a randomness primitive.

@jungkees jungkees added this to the Version 1 milestone Mar 23, 2015
@jungkees
Copy link
Collaborator

An id being unique per origin means the object can be accessed in globally unique manner during its lifetime (i.e. origin + id). So its security implication is not different from using a UUID I think.

@jungkees
Copy link
Collaborator

jungkees commented Jul 8, 2015

Using and requiring UUIDs should be fine here. We're not adding any new level of privacy concern. Same ids can be in IDB for example. And they don't live longer than the cache clearing lifetime.

Closing.

@jungkees jungkees closed this as completed Jul 8, 2015
@jungkees
Copy link
Collaborator

jungkees commented Jul 9, 2015

Having discussed with @michael-nordman, it seems the implementers want more flexibility in how they use the types for ids as they're minted from inside the platform. I thought requiring a uuid seems better as otherwise devs will see different types of ids from different browsers. What do you think about altering this requirement?

FYI, Chrome's using a string serialized from a 64-bit interger.

/cc @wanderview @slightlyoff @jakearchibald

@jungkees jungkees reopened this Jul 9, 2015
@jungkees
Copy link
Collaborator

F2F:

  • Not mandating UUID but use an opaque string?
  • Seems we don't need it so move it to milestone 2

@jungkees jungkees modified the milestones: Version 2, Version 1 Jul 20, 2015
@jungkees
Copy link
Collaborator

Addressed: 66ff7c7.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants