[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #35 from David Dorwin <ddorwin@google.com> ---
(In reply to Glenn Adams from comment #26)
> A user that entirely relies upon a UA to "assuage their privacy concerns" is
> simply ignorant of the risks that exist in either the pre-EME world of media
> or the EME world. EME and CDMs don't change this fact.

Many users do assume user agents are doing what they can to protect the user's
privacy, and user agents are continuously implementing features to address
(emerging) threats.

(In reply to Glenn Adams from comment #31)
> Sure it does. And that is by design. CDMs are explicitly out of scope of EME.

> That is a consequence of ruling that CDM details are out of scope of EME.
> That can't be helped.

I think it is incorrect to say that all CDM details are out of scope. The spec
currently leaves robustness, license exchange, etc. undefined, but there are
some requirements on the CDM's behavior in the normative algorithms and we are
discussing others to improve interoperability.

> The WG is not going to revisit the decision of determining that CDM details
> are out-of-scope. You can object, but it will serve no purpose.

> No and No. It will not improve the spec (and in fact will damage it). And No
> the WG will not revisit the decision that CDMs are out of scope.

These are opinions. It's not possible to make such absolute statements about
what the HTML WG might do.

> Sure. But you are merely stating the obvious: "that not defining CDMs means
> that the security and privacy consideration of CDMs cannot be evaluated".
> That is a consequence of ruling that CDM details are out of scope of EME.
> That can't be helped.

Even if one assumes the CDM details are out of scope, the spec can mitigate
issues through normative requirements on the user agents - that is what is
being discussed here.


Received on Tuesday, 19 August 2014 21:05:47 UTC