Re: [dix] Re: [Ietf-http-auth] More requirements



On 7/14/06, RL 'Bob' Morgan <rlmorgan at washington.edu> wrote:

>> 12. Single Site Unlinkability (SSU)
>> The user should be able to visit the same site multiple times without
>> the site being able to tell that it is the same user, even if the user
>> is, for example, asserting the same external claims each time. This
>> protects the user's privacy. Obviously if data provided by the user is
>> unique to that user (for example, age and address combined are often
>> sufficient to uniquely identify a person) then no amount of cleverness
>> can provide SSU, but SSU should be available to the extent permitted
>> by the uniqueness of the data provided.
>
> This is an interesting requirement and obviously of value, but
> it's worth noting that there are contexts in which linkability
> (CI) is precisely what's desired--blog comments, for example.
>
> So, you wouldn't want to design a system that always provided SSU. :)

I think many of the requirements (no, haven't made a list yet) have the
assumption of "when appropriate", or "when desired", where "desired" is
some combination of what the user wants and what the application wants or
will permit.

Yeah, I see the list as being a list of things you might want, at this stage. Presumably at some point we have to choose which things we actually want, and which are optional or not-always-used.


- RL "Bob"







Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.