- From: <bugzilla@jessica.w3.org>
- Date: Tue, 29 Jul 2014 01:24:22 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332 --- Comment #17 from Mark Watson <watsonm@netflix.com> --- (In reply to Ryan Sleevi from comment #16) > (In reply to Jerry Smith from comment #15) > I'm a bit confused how this conclusion was reached. Nothing seems to prevent > an EME CDM from implementing it's key exchange with the license server in > the clear. That is, I don't see how/why it would require implementing a > license server to retrieve/access the ID. > > That some CDMs have a strong binding to the license server is a point for > them, but nothing in EME seems to mandate this level of security. Nor is it > an example that the CDM<->License server protocol is itself robust (not > vulnerable to crypto-analytic attacks that would reveal ID, for example). > ClearKey seems to be proof-positive that you can implement an 'open' > exchange. > The EME model is one where the implementors of a UA choose to integrate with particular CDMs, not one where users can install arbitrary CDMs. As such, the implementor of the UA can have certain knowledge of the properties of the CDM. As with any web API, it is for the UA implementor to take care about what information they expose, to obtain suitable user consent for exposure of information etc. It's not something where the specification needs to dictate to UA implementors. -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Tuesday, 29 July 2014 01:24:23 UTC