[Bug 22909] Needs non-normative Security Considerations section

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22909

--- Comment #11 from Mark Watson <watsonm@netflix.com> ---
(In reply to Joe Steele from comment #10)
> (In reply to Adrian Bateman [MSFT] from comment #9)
> > (In reply to Mark Watson from comment #7)
> > > Proposal:
> > 
> > I added this to the spec to make it easier to review:
> > https://dvcs.w3.org/hg/html-media/rev/cccd6d78bd9f
> 
> I am confused by this section:
>  "Key system implementations... User Agents may want to validate data"
> 
> Assuming the material is encrypted, how is this going to be generally
> possible? Even if it is - this may violate business agreements in place to
> prevent disclosure of keys. I think you should add something like "to the
> extent feasible", acknowledging that this is likely to be impossible.

I could imagine a lot of data validation that could be possible. Initialization
data may not be encrypted and media data may have unencrypted framing around
the encrypted samples (e.g. Common Encryption). There may be length constraints
on encrypted data that could be validated.

> 
> I also have a comment on this section "User deletion of Key System storage".
> I would recommend adding an informative note that such deletion may impact
> the playback performance and the UA could inform the user of that fact.

I agree. Could you raise a separate bug for that - I think we'll have trouble
tracking multiple comments in this bug.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Thursday, 14 November 2013 02:26:17 UTC