Re: Trust

Let's consider this for a moment. Without making any judgements, we
can divide existing users into two classes: those who trust Microsoft,
Google, Netflix etc. to provide software that they run on their
computers and those who do not. Both groups are fully entitled to
their respective views.

For the first group EME does not represent any change with respect to
this issue - except that the scope of the opaque component will be
dramatically reduced.

For the second group, since they cannot access any protected content
today, they are affected only if content which is unprotected today
becomes protected in future *as a result of EME*. As I have explained,
this seems unlikely.

I understand the criticism that we do not provide a solution which
does not rely on placing trust in an opaque piece of software. Let's
consider what such a solution would need to look like: we would need a
non-user-modifiable component that was completely user-verifiable.
That is, which a user could look into in such a way that they can
obtain complete confidence about what it does - at least functionally,
up to some numerical values that may not be easily observable.

Creating such a thing is challenging, but I don't know anyone who
would not welcome it if such a thing was created. Perhaps you could
get part of the way with multiple trusted third parties who were
provided with the information needed to verify the opaque components
and who would then publish their findings with a hash of the opaque
blob? But this would not be good enough for everyone.

What I can say is that such a solution would fit right in with the EME
architecture. So, whilst I understand this as a criticism of existing
DRM, I don't understand it as a criticism of EME.

...Mark



On Oct 12, 2013, at 8:39 AM, Andreas Kuckartz <a.kuckartz@ping.de> wrote:

> Milan Zamazal:
>> I consider such an approach not only inconvenient (I might manage that,
>> nothing is perfect) but also intrusive and I can't completely trust the
>> provider under such conditions.
>
> As long as the provider of the software is within the jurisdiction of a
> government you also have to trust that government.
>
> If there is anybody here on this list who trusts the government in
> charge of Google, Microsoft or Netflix: please raise your hand!
>
> Reminder: LavaBit.
>
> Cheers,
> Andreas
>

Received on Saturday, 12 October 2013 16:27:44 UTC