[Bug 20965] EME results in a loss of control over security and privacy.

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20965

--- Comment #25 from Fred Andrews <fredandw@live.com> ---
(In reply to comment #23)
> (In reply to comment #21)
> > 
> > Can we reach a consensus that a UA controlled CDM can not support DRM and
> > that DRM demands that the OS vendor conspire with the CDM author to limit
> > the control the user has over their computer?
> > 
> > Can we reach a consensus that DRM is not applicable to open source stacks
> > because it is not possible to limit the control the user has over their
> > computer?
> 
> No, I don't believe either of the above are obvious. We may have different
> definitions of DRM.

Could you please provide your definition of DRM?

It may be possible to avoid defining 'DRM' for the purpose of discussions
but we would need some other agreed definitions.

For example: distinguish between platforms for which the user is able to
implement their own web browser or OS that can store the decrypted output,
versus systems for which they can not. Perhaps call these 'open' and
'proprietary'?

I believe the ball is in your court. If you do not agree with the proposed
definitions then please make a proposal?

> > Can we reach a consensus that DRM could be supported in an open source
> > web browser that uses EME to interface to a proprietary CDM that runs
> > in a context that limits the control the user has over their computer?
> 
> We obviously can't limit what a user can do with their machine. DRM relies
> on providing software or hardware components which are hard to modify whilst
> retaining their intended functionality. That's a different thing.
> 
> Given that difference, then yes DRM could be supported in an open source web
> browser that integrated with components of that kind.

Please define 'integrated with'?

I object to any definition of DRM that constrains a user implementation
of a web browser or a user implementation of an operating system.

> > Can we reach consensus that DRM requires the user to trust a proprietary
> > operating system or CDM hardware module?
> 
> No, there are also software solutions which are not part of the operating
> system.

Yes, it could be in proprietary hardware.  If we expand this can we reach
consensus?

> > 
> > Can we reach consensus that the UA has no ability to control security
> > or privacy when using DRM?
> 
> No, this depends on the interface between the UA and the CDM and the
> security and privacy properties of the CDM.

The term 'control security' may have been poorly chosen, and from
above it seems we firstly need a definition of 'DRM' or similar
to even discuss this further.

Can we reach consensus that the UA has no ability to enforce security
or privacy when using DRM?

This would exclude a cooperative API between the UA and CDM for
controlling security and privacy.

Received on Monday, 25 February 2013 23:01:45 UTC