
This cannot work without having a unique ID identifying you. Netflix cannot sign the content you watched.



I have a unique ID to Netflix, I can be authenticated through that because I know my Netflix credentials. They do not need to know my "data pod" ID for this - the server just needs to reply to the data pod that queried it with the right credentials.

Depending on the "data pod" implementation you could also have the "netflix.com" managed fields only be editable by a call from the "netflix.com" API, which I then decide to approve for bidding or not and at which price, without me being able to directly edit those fields. Basically write-only from the vendor side to prove authenticity.


I am a little confused.

It is write-only from the vendor side; it seems like the vendor will sign something for authenticity. Something like a token signature.

So it has to have my "pod ID", otherwise I can replay this data with another "pod ID".

Of course Netflix or your pod can rotate this ID, but that also requires Netflix etc. to constantly sign new IDs.
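The replay concern raised in the comment above, as an added example that is not part of the thread: a vendor attestation that does not name the pod it was issued to verifies for any pod that presents it, while one that binds a pod ID does not. The pod names, record contents and key are constructed, and HMAC stands in for the vendor's signature so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in (assumption): a real vendor would
# use an asymmetric signature so verifiers never hold the signing key.
VENDOR_KEY = b"constructed-demo-key-for-netflix.com"


def _mac(payload):
    # Canonical JSON so signer and verifier hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def vendor_sign(record, pod_id=None):
    """Vendor attests to record; a given pod_id is bound into the signed payload."""
    payload = {"vendor": "netflix.com", "record": record}
    if pod_id is not None:
        payload["pod_id"] = pod_id
    return {"payload": payload, "sig": _mac(payload)}


def buyer_accepts(attestation, presenting_pod, require_binding):
    """Check the signature and, if required, that it was issued to this pod."""
    payload = attestation["payload"]
    if not hmac.compare_digest(attestation["sig"], _mac(payload)):
        return False
    if require_binding:
        return payload.get("pod_id") == presenting_pod
    return True


def demo():
    record = {"watched": ["constructed-title-1", "constructed-title-2"]}
    unbound = vendor_sign(record)
    bound = vendor_sign(record, pod_id="pod-alice")
    # Same signature, but the pod_id field rewritten by the presenter.
    swapped = {"payload": {**bound["payload"], "pod_id": "pod-mallory"},
               "sig": bound["sig"]}
    return {
        "unbound_replayed_by_other_pod": buyer_accepts(unbound, "pod-mallory", False),
        "bound_presented_by_owner": buyer_accepts(bound, "pod-alice", True),
        "bound_replayed_by_other_pod": buyer_accepts(bound, "pod-mallory", True),
        "bound_with_swapped_pod_id": buyer_accepts(swapped, "pod-mallory", True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Binding stops the replay but makes the pod ID a stable identifier in every attestation, which is the linkability trade-off the thread is debating.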


I think you could do something like this with web.dev/trust-tokens (same idea as PrivacyPass), where the server can vouch for you without saying who you are.



