Re: On HME extension and vulnerability disclosure programs

• From: <chaals@yandex-team.ru>
• Date: Sun, 29 Jan 2017 12:48:44 +0100
• To: Cory Doctorow <cory@eff.org>, Philippe Le Hégaret <plh@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>
• Message-Id: <261271485690524@webcorp01h.yandex-team.ru>

28.01.2017, 12:43, "Cory Doctorow" <cory@eff.org>:
> Thank you, Philippe.
>
> A couple of questions:
>
> 1. Would publication of EME as a W3C rec be affected by this best
> practices work, or does the Director envision that EME would go out with
> no protections for security disclosures while this work trailed behind it?

I would also like to know the answer. It *seems* to envision a path along those lines, but I trust that at minimum there would not be a W3C Recommendation before such work has been published.

> 2. Members have expressed other concerns regarding anti-circumvention
> and EME -- for example, Vision Australia, SSB Bart, the Royal National
> Institute for Blind People, Media Access Australia, Braillenet and
> Benetech have all expressed concerns about the need to immunize those
> who circumvent to add accessibility features (note that all of these
> members have granted me permission to disclose their concerns and votes
> in polls on charter renewal and publication).
>
> These members represent, I believe, all of the W3C members that
> represent visually disabled people and people with other
> sensory/physical disabilities.

No, they do not. Nomensa, Deque and TPG spring to mind. I think it is also fair to say that companies like IBM, HP, Microsoft, Apple and Google have done a lot of important work to ensure the rights of people with disabilities can be exercised in practice - even while it is fair to acknowledge that they have a patchy record.

> A list of accessibility use-cases that require this protection, and a
> further discussion, can be found in this document:
>
> https://www.eff.org/deeplinks/2016/03/interoperability-and-w3c-defending-future-present

Against which technical experts who are passionate advocates for accessibility who have carefully assessed the technology over years have declared that there isn't a problem.

I suspect the truth is somewhere in the middle, but I cetainly don't recognise your claims as unarguably factual.

> Is the Director going to take any action on the concerns of the entire
> visual impairment caucus of the W3C?

That seems to misrepresent the situation.

cheers

Chaals

> Cory
>
> On 01/27/2017 03:41 PM, Philippe Le Hégaret wrote:
>>  All,
>>
>>  This is an update on the status of the HTML Media Extensions charter
>>  extension and the Proposed Recommendation transition request for the
>>  Encrypted Media Extensions specification.
>>
>>  Further to the recent review regarding the HTML Media Extensions Working
>>  Group, the Director has been reviewing the expressions of support to
>>  continue the work as well as the objections to continuing the work in
>>  its present form.
>>
>>  While the Director recognized the technical progress and stability of
>>  the work, the lack of consensus to protect security researchers remained
>>  an issue. The Director had asked the Team to find a resolution that was
>>  agreed to by both supporters of the charter extension and objectors. The
>>  team was unable to find such a resolution. The Director has concluded
>>  that the best practical method to improve protections at this stage is
>>  to overrule the objections of the charter extension, but establish
>>  momentum for protection by establishing best practices for responsible
>>  vulnerability disclosure.
>>
>>  In the interest of promoting vulnerability disclosure programs, W3C will
>>  establish a set of guidelines intended to protect security and privacy
>>  researchers when proper and reasonable disclosure procedures are followed.
>>
>>  Specifically, the W3C Team will publish on 2 March 2017 a set of
>>  guidelines for vulnerability disclosure programs that protect security
>>  and privacy researchers as a W3C Team submission. This will represent
>>  our initial sense of best practice and will serve as input for further
>>  work in this space. Prior to the publication of the team submission,
>>  input will be welcome on public-security-disclosure@w3.org. The
>>  Responsible Vulnerability Disclosure program [1] established by Netflix
>>  will be used as a starting point.
>>
>>  Following the 2 March date, the W3C Director will send a Call for Review
>>  for the Encrypted Media Extensions Proposed Recommendation, soliciting
>>  feedback and expression of interest for the specification and the
>>  initial draft of W3C guidelines for security and privacy researchers
>>  disclosure programs.
>>
>>  The Working Group Charter [2] is hereby extended until 30 April 2017.
>>
>>  More information could be found at
>>    https://www.w3.org/2017/01/GVDP-factsheet.html
>>
>>  Philippe
>>
>>  [1] https://help.netflix.com/en/node/6657#gsc.tab=0
>>  [2] http://www.w3.org/2013/09/html-charter.html
> --
>
> FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
> GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>
> --
>
> Cory Doctorow
> doctorow@craphound.com
> Wickr: doctorow
>
> For avoidance of doubt: This email does not constitute permission to add
> me to your mailing list.
>
> blog: boingboing.net
> upcoming appearances: craphound.com/?page_id=4667
> books (novels, collections graphic novels, essay collections): craphound.com
> latest nonfiction: Information Doesn't Want to Be Free
> latest graphic novel: In Real Life
> podcast: feeds.feedburner.com/doctorow_podcast
> latest novel: Homeland craphound.com/homeland
> latest short story collection: With a Little Help craphound.com/walh
>
> Join my mailing list and find out about upcoming books, stories,
> articles and appearances:
>
> http://www.ctyme.com/mailman/listinfo/doctorow
>
> READ CAREFULLY. By reading this email, you agree, on behalf of your
> employer, to release me from all obligations and waivers arising from
> any and all NON-NEGOTIATED agreements, licenses, terms-of-service,
> shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
> non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have
> entered into with your employer, its partners, licensors, agents and
> assigns, in perpetuity, without prejudice to my ongoing rights and
> privileges. You further represent that you have the authority to release
> me from any BOGUS AGREEMENTS on behalf of your employer.
>
> As is the case with every email you've ever received, this email has not
> been scanned for all known viruses.
>
> Duh.

-- 
Charles McCathie Nevile - standards - Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Sunday, 29 January 2017 11:49:22 UTC