[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #97 from David Dorwin <ddorwin@google.com> ---
(In reply to Mark Watson from comment #94)
> There is clearly no consensus to require secure origins.

And the discussion was going nowhere - many of the arguments opposing a secure
origin requirement were based on hope and theoretical possibilities rather than
the properties of real DRM implementations. Maybe changing the baseline will
help drive a productive conversation about how to address the underlying
concerns while allowing user agents to do what they believe is the right thing
for their users.

> The text as now is will certainly cause a Formal Objection, from us at least.

The Formal Objection will be considered by the Director, who is also a member
of the TAG. On the other hand, not requiring a secure origin may have likewise
caused a Formal Objection from others, including the TAG, and resulted in EME
not being allowed to progress forward in the spec process because it had not
addressed the concerns of the TAG.

Your statement actually gives us a good point of reference. Short of completely
removing the new step, what mitigations would cause you not to object?

> I appreciate that it's useful for Editors to have the flexibility to
> implement proposals that have not yet gained consensus, for the purpose of
> driving towards resolution of uncontroversial issues.
> 
> However, I strongly object to a process in which specification changes are
> made on highly contentious issues in the absence of consensus.
> 
> This is a difficult and complex topic and we should approach it
> collaboratively. Please revert the change so that we can do that.

This one-line change does not prevent collaboration, but it does fix a security
and privacy problem with the spec and bring it in line with the TAG's direction,
which in turn brings it closer to moving forward in the spec process. It also
allows us to start considering exceptions rather than going around in circles
and making no progress. Unfortunately, there have been no concrete proposals
suggested in the three months this bug has been open nor suggestions for
addressing concerns - even when I explicitly requested them in comment #90. If
this one-line change helps drive the discussion forward, then that is a good
thing. (It appears to already have had such an effect:
http://lists.w3.org/Archives/Public/public-html-media/2014Oct/0081.html.)


Received on Friday, 24 October 2014 18:25:24 UTC