Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

Hi Harald,

I apologize for the belated reply. I do my best to respond to your questions inline; I don't speak for all members of the Privacy Interest Group, but hopefully my individual thoughts can still be useful.

> On Jul 14, 2015, at 5:13 AM, Harald Alvestrand <harald@alvestrand.no> wrote:
> 
> Signed PGP part
> Thank you for your comments!
> 
> This is obviously material that needs input from the group on how we
> handle, but some questions that I as process manager have on these
> comments:
> 
> - The specification as it stands represents results of long debates.
> Part of these debates are documented in the IETF security documents
> for RTCWEB. Can we assume that these documents have been read and
> understood for further commenting?

I have previously reviewed and commented on the rtcweb security architecture drafts, so I'm reasonably familiar with those texts. However, I haven't kept up with all the rtcweb/WebRTC discussions and I'm sure many volunteers in PING haven't either, so please feel free to include pointers to specific document sections or discussions.

> 
> - We have understood the style of specification in the W3C to be that
> user interface issues (such as what indicators to display, and how
> permission is requested) are strictly outside of the remit of the
> specification. We can require that permission be granted, and that an
> indicator be shown, but its exact form is an implementation matter. Is
> that a common understanding we can assume here too?

W3C specs have typically refrained from specifying user interfaces, a trend I think most participants are comfortable with. I think that doesn't typically prohibit putting requirements on a user interface, or guidance for how a user interface might usefully be presented (in fact, we've sometimes heard complaints when W3C groups didn't do this), just a recognition that user interface design will likely vary and doesn't benefit from standardization. That makes it harder to draw a bright line, I understand.

> 
> - The fingerprinting guidance document has the status (according to
> itself) of "unofficial draft", and does not link to any working group
> or mailing list. What can we expect about a declaration of consensus
> on this specification in the future? Is it on someone's roadmap to
> declare consensus on it?

That's an excellent question. The Privacy Interest Group has been working on the "Fingerprinting Guidance for Web Specification Authors" document with the expectation that we would develop consensus and publish it as an Interest Group Note. (We should probably publish it as a Draft Interest Group Note in the meantime to lessen such confusion.) We are also collaborating with the Technical Architecture Group (TAG) on its contents/guidance. I'll expand the Status of this Document section to make this more explicit (it did link to the public-privacy mailing list, but that could be clearer).

> 
> Thanks in advance for enlightenement on these topics!
> 
>   Harald, chair hat on

Hope this helps,
Nick

Received on Tuesday, 4 August 2015 23:04:43 UTC