Re: On HME extension and vulnerability disclosure programs

Thank you, Philippe.

A couple of questions:

1. Would publication of EME as a W3C rec be affected by this best
practices work, or does the Director envision that EME would go out with
no protections for security disclosures while this work trailed behind it?

2. Members have expressed other concerns regarding anti-circumvention
and EME -- for example, Vision Australia, SSB Bart, the Royal National
Institute for Blind People, Media Access Australia, Braillenet and
Benetech have all expressed concerns about the need to immunize those
who circumvent to add accessibility features (note that all of these
members have granted me permission to disclose their concerns and votes
in polls on charter renewal and publication).

These members represent, I believe, all of the W3C members that
represent visually disabled people and people with other
sensory/physical disabilities.

A list of accessibility use-cases that require this protection, and a
further discussion, can be found in this document:

https://www.eff.org/deeplinks/2016/03/interoperability-and-w3c-defending-future-present

Is the Director going to take any action on the concerns of the entire
visual impairment caucus of the W3C?

Cory


On 01/27/2017 03:41 PM, Philippe Le Hégaret wrote:
> All,
> 
> This is an update on the status of the HTML Media Extensions charter
> extension and the Proposed Recommendation transition request for the
> Encrypted Media Extensions specification.
> 
> Further to the recent review regarding the HTML Media Extensions Working
> Group, the Director has been reviewing the expressions of support to
> continue the work as well as the objections to continuing the work in
> its present form.
> 
> While the Director recognized the technical progress and stability of
> the work, the lack of consensus to protect security researchers remained
> an issue. The Director had asked the Team to find a resolution that was
> agreed to by both supporters of the charter extension and objectors. The
> team was unable to find such a resolution. The Director has concluded
> that the best practical method to improve protections at this stage is
> to overrule the objections of the charter extension, but establish
> momentum for protection by establishing best practices for responsible
> vulnerability disclosure.
> 
> In the interest of promoting vulnerability disclosure programs, W3C will
> establish a set of guidelines intended to protect security and privacy
> researchers when proper and reasonable disclosure procedures are followed.
> 
> Specifically, the W3C Team will publish on 2 March 2017 a set of
> guidelines for vulnerability disclosure programs that protect security
> and privacy researchers as a W3C Team submission. This will represent
> our initial sense of best practice and will serve as input for further
> work in this space. Prior to the publication of the team submission,
> input will be welcome on public-security-disclosure@w3.org. The
> Responsible Vulnerability Disclosure program [1] established by Netflix
> will be used as a starting point.
> 
> Following the 2 March date, the W3C Director will send a Call for Review
> for the Encrypted Media Extensions Proposed Recommendation, soliciting
> feedback and expression of interest for the specification and the
> initial draft of W3C guidelines for security and privacy researchers
> disclosure programs.
> 
> The Working Group Charter [2] is hereby extended until 30 April 2017.
> 
> More information could be found at
>   https://www.w3.org/2017/01/GVDP-factsheet.html
> 
> 
> Philippe
> 
> [1] https://help.netflix.com/en/node/6657#gsc.tab=0
> [2] http://www.w3.org/2013/09/html-charter.html
-- 

Cory Doctorow
doctorow@craphound.com
Wickr: doctorow


Received on Saturday, 28 January 2017 11:41:16 UTC