Re: [compute-pressure] Feature can be abused to create cross-site covert channels (#197)

@pes10k I'm hearing we're aligned on the big picture. Here's what I think you agree to: PR #219 contains the advisory text, a human-readable description of the proposed attack and its mitigations. You're happy with this part, but you want us to in addition reflect all of this in normative prose, i.e. inline it into the respective algorithms so that it is a "must" (as in RFC 2119) for implementers to comply with.

To make this happen in a coordinated fashion, I propose we merge PR #219 now and work on the respective updates to the algorithms in another PR. That other PR requires close coordination with implementers to ensure all the mitigations are implementable and implemented. What I meant with the [implementation-defined](https://infra.spec.whatwg.org/#implementation-defined) keyword in the context of the algorithms is that the keyword should be used in places where implementers may want to e.g. use a different sliding observation window size to fit their product needs. If there's a baseline for the size to ensure an appropriate level of privacy protection, we define the size normatively too, but allow implementers to be _stricter_ than the baseline.

We want to be data-driven and I propose a proof of concept to be developed for the proposed attack to test its feasibility in a real-world scenario. With a PoC at hand we are better informed to specify the details of these proposed mitigations and recommend the minimum baseline. Sounds good? @kenchris will take the PoC exploration.

Thanks for your contributions!

-- 
GitHub Notification of comment by anssiko
Please view or discuss this issue at https://github.com/w3c/compute-pressure/issues/197#issuecomment-1582003993 using your GitHub account


Received on Thursday, 8 June 2023 07:06:42 UTC