[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #69 from Mark Watson <watsonm@netflix.com> ---
(In reply to Ryan Sleevi from comment #68)
> (In reply to Joe Steele from comment #64)

> > Your assumptions seem to be that all DRM protocols are home-grown and not
> > based on robust well analyzed protocols. You have not offered any proof of
> > this other than your experience. 
> 
> The proof is in the very fact that Mark Watson has repeatedly told the W3C
> in a variety of forums that the protocols employed CANNOT be discussed in an
> open context.
> 

I don't recall saying that even once, never mind repeatedly.

It's quite likely I have pointed out the fact that none of the proprietary DRM
vendors have published their protools. As Joe points out, this doesn't mean
they are not using open standard protocols and open, well-reviewed,
implementations, just that we don't know what they are using because they have
not told us.

However, UA implementors that integrate CDMs may well know these things for the
CDMs they integrate and should be able to make their own security decisions on
that basis.

Furthermore, UA implementors that properly sandbox the CDM will know what kind
of identifiers it has access to as well as what it does with them.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Friday, 22 August 2014 14:26:12 UTC