Re: TTML2 horizontal review (Self-Review Questionnaire: Security and Privacy)

Please bear with us on this.

Issue https://github.com/w3c/ttml2/issues/116 is linked from Annex D Media
Type Registration section. That issue is "Restore Media Type
Registration". With Director permission we may do this by reference to the
Working Group Note https://www.w3.org/TR/ttml-profile-registry/ -
regardless the registration section will be coincident with the media type
registration section in that document, which includes a security
considerations section.

Note that the ttml-profile-registry document may be updated in the next
few weeks with non-substantive editorial changes to sections other than
the media type registration.

Nigel


On 18/11/2016, 17:11, "David Singer" <singer@mac.com> wrote:

>The questionnaires are there to help you write a security and privacy
>considerations section, which is missing.
>
>> 3.16 Does this specification have a "Security Considerations" and
>> "Privacy Considerations" section?
>> --> YES it does. See the media type registration which is an integral
>> part of it.
>
>No, it doesn¡¯t.  There is no section of that title, and a search for
>¡®privacy¡¯ or ¡®security¡¯ comes up empty.
><https://www.w3.org/TR/ttml2/>
>
>
>
>> On Nov 18, 2016, at 8:42 , Thierry MICHEL <tmichel@w3.org> wrote:
>>
>> Colleagues,
>>
>> The Timed Text Working Group (TTWG) published yesterday an ordinary
>>Working Draft of Timed Text Markup Language 2 (TTML2)
>> W3C Working Draft 17 November 2016
>> https://www.w3.org/TR/2016/WD-ttml2-20161117/

>>
>> FYI, this publication is not the last publication before requesting
>>transition to Candidate Recommendation. The TTWG plans to publish a
>>final WD soon. We will let you know.
>>
>> Meanwhile, the TTWG invites you to review this TTML2 WD.
>>
>> The horizontal review should focus only on the new features
>> introduced in TTML2.
>> Please refer to the section for changes between Timed Text Markup
>>Language (TTML) Version 1 (TTML1) and Version 2 (TTML2).
>>
>>https://www.w3.org/TR/2016/WD-ttml2-20161117/#changes-from-ttml1-vocabula

>>ry
>>
>> The TTWG has also answered the Self-Review Questionnaire: Security and
>>Privacy available at
>> https://www.w3.org/TR/security-privacy-questionnaire/

>>
>> The TTWG answer are as follows:
>>
>> Questions to Consider:
>> 3.1 Does this specification deal with personally-identifiable
>> information?
>> --> NO it doesn't.
>>
>> 3.2 Does this specification deal with high-value data?
>> --> NO it doesn't.
>>
>> 3.3 Does this specification introduce new state for an origin that
>> persists across browsing sessions?
>> --> NO it doesn't.
>>
>> 3.4 Does this specification expose persistent, cross-origin state to the
>> web?
>> --> NO it doesn't.
>>
>> 3.5 Does this specification expose any other data to an origin that it
>> doesnt currently have access to?
>> --> NO it doesn't.
>>
>> 3.6 Does this specification enable new script execution/loading
>> mechanisms?
>> -->  This question as worded is ambiguous to us; is it only about
>>script loading and script execution ?
>> In our case, a TTML2 document in which a change in the value of an
>>externally passed in parameter or a media query (for example) may cause
>>a modification of behavior, and this may lead to the loading of external
>>resources including audio, images etc, though excluding scripts. We do
>>not consider "condition" mechanism to be a scripting language.
>> TTML2 allows loading of resources, just not scripts, and has fetch
>>semantics by the introduction of external resource loading. It also
>>allows the addition of links on spans that can have hyperlinks.
>>
>> 3.7 Does this specification allow an origin access to a user©ös location?
>> --> NO it doesn't.
>>
>> 3.8 Does this specification allow an origin access to sensors on a
>> users device?
>> --> NO it doesn't.
>>
>> 3.9 Does this specification allow an origin access to aspects of a
>> user©ös local computing environment?
>> --> NO it doesn't.
>>
>> 3.10 Does this specification allow an origin access to other devices?
>> --> NO it doesn't.
>>
>> 3.11 Does this specification allow an origin some measure of control
>> over a user agent©ös native UI?
>> --> NO it doesn't.
>>
>> 3.12 Does this specification expose temporary identifiers to the web?
>> --> NO it doesn't.
>>
>> 3.13 Does this specification distinguish between behavior in first-party
>> and third-party contexts?
>> --> NO it doesn't.
>>
>> 3.14 How should this specification work in the context of a user agent's
>> "incognito" mode?
>> --> This specification has no impact on any incognito mode since the
>> answer to all the questions about exposing details to origins are "No".
>>
>> 3.15 Does this specification persist data to a user©ös local device?
>> --> User agents may choose to cache referenced external resources; this
>> implementation detail is not covered by this specification and the
>> specification makes no explicit requirement for caching or non-caching
>> of any external resource.
>>
>> 3.16 Does this specification have a "Security Considerations" and
>> "Privacy Considerations" section?
>> --> YES it does. See the media type registration which is an integral
>> part of it.
>>
>> http://www.iana.org/assignments/media-types/application/ttml+xml

>>
>> 3.17 Does this specification allow downgrading default security
>> characteristics?
>> --> NO it doesn't.
>>
>> _______________________________
>>
>> The TAG document [1] does not say where to send the self questionnaire
>>answers. Therefore I am sending it to <www-tag@w3.org>.
>>
>> Please send your comments to TTWG Public mailing list
>><public-tt@w3.org>.
>>
>> Looking forward to your review,
>>
>> Best,
>>
>> Thierry Michel
>> TTWG Team contact.
>>
>> [1]
>> https://www.w3.org/TR/security-privacy-questionnaire/

>>
>>
>>
>>
>>
>>
>>
>
>Dave Singer
>
>singer@mac.com
>



-----------------------------
http://www.bbc.co.uk

This e-mail (and any attachments) is confidential and
may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in
error, please delete it from your system.
Do not use, copy or disclose the
information in any way nor act in reliance on it and notify the sender
immediately.
Please note that the BBC monitors e-mails
sent or received.
Further communication will signify your consent to
this.
-----------------------------

Received on Friday, 18 November 2016 17:21:55 UTC