- From: <bugzilla@jessica.w3.org>
- Date: Tue, 29 Jul 2014 00:25:56 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #16 from Ryan Sleevi <sleevi@google.com> ---
(In reply to Jerry Smith from comment #15)
> We should also consider intranet use when imposing https as a prerequisite
> for using EME. That situation may clearly not warrant https, and it would
> make sense to give companies the option to use http.

Isn't intranet use far simpler to deploy HTTPS? And the risks similar (especially in light of the gTLD explosion)?

>
> The ID exposure originally mentioned as a concern seems well protected
> already. It would require implementing a license server to retrieve and
> access the ID. Further, I believe most DRMs that return this ID already
> protect as part of the license message.

I'm a bit confused how this conclusion was reached. Nothing seems to prevent an EME CDM from implementing its key exchange with the license server in the clear. That is, I don't see how/why it would require implementing a license server to retrieve/access the ID.

That some CDMs have a strong binding to the license server is a point for them, but nothing in EME seems to mandate this level of security. Nor is it an example that the CDM<->License server protocol is itself robust (not vulnerable to cryptanalytic attacks that would reveal ID, for example).

ClearKey seems to be proof-positive that you can implement an 'open' exchange.

>
> Given this, I don't think we should wire EME to fail on http sites, but have
> no objection to recommending its use.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Tuesday, 29 July 2014 00:25:57 UTC
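
An added illustration of the Clear Key point above (not part of the original message): assuming the Clear Key JSON license request and license formats from the EME specification, this reports which fields of a license exchange are readable on the network path when the license server URL is plain http. `readableOnWire`, the `license.example` URLs and the key values are constructed for this example.

```javascript
// Added example, not from the bug thread. Sample key ID and key are constructed.
const b64url = (hex) => Buffer.from(hex, 'hex').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const toHex = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
  .toString('hex');

const KID_HEX = '00112233445566778899aabbccddeeff'; // constructed
const KEY_HEX = 'ffeeddccbbaa99887766554433221100'; // constructed

// Clear Key license request (CDM -> server) and license (server -> CDM):
// both are plain JSON with base64url values, no message-level protection.
const sampleRequest = JSON.stringify({ kids: [b64url(KID_HEX)], type: 'temporary' });
const sampleLicense = JSON.stringify({
  keys: [{ kty: 'oct', kid: b64url(KID_HEX), k: b64url(KEY_HEX) }],
  type: 'temporary',
});

// Returns what a party on the network path can read from one license message.
function readableOnWire(licenseServerUrl, body) {
  const url = new URL(licenseServerUrl);
  const result = { transportEncrypted: url.protocol === 'https:', keyIds: [], keys: [] };
  if (result.transportEncrypted) return result; // TLS hides the body from the path

  let msg;
  try { msg = JSON.parse(body); } catch { return result; } // opaque CDM message
  if (!msg || typeof msg !== 'object') return result;

  for (const kid of msg.kids || []) result.keyIds.push(toHex(kid));
  for (const jwk of msg.keys || []) {
    result.keyIds.push(toHex(jwk.kid));
    result.keys.push(toHex(jwk.k));
  }
  return result;
}

console.log(readableOnWire('http://license.example/clearkey', sampleRequest));
console.log(readableOnWire('http://license.example/clearkey', sampleLicense));
console.log(readableOnWire('https://license.example/clearkey', sampleLicense));
```

Over http both the key ID and the content key itself are recoverable from the exchange; over https the same messages yield nothing to the path, which is the protection the transport adds when the CDM protocol provides none of its own.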