[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS) from bugzilla@jessica.w3.org on 2014-10-29 (public-html-bugzilla@w3.org from October 2014)

From: <bugzilla@jessica.w3.org>
Date: Wed, 29 Oct 2014 19:28:55 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-26332-2486-ALvxhWMBLG@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #124 from Anne <annevk@annevk.nl> ---
So it seems the problem we have is that the majority of implementations are
shipping without requiring TLS. We could require TLS in the specification, but
if the reality is that implementations do not require TLS, we might lose out on
requiring things that make sense in a non-TLS world.

Now that we require TLS, how likely is it that existing implementations will
change? I doubt new implementations will take the plunge given that EME
compatibility is complicated enough.

Now that we require TLS, how likely is it that existing implementations will
address non-TLS security and privacy concerns?

I'm all for requiring TLS, but in what timeframe can we move the
implementations there? And how do we protect users meanwhile?

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 29 October 2014 19:28:57 UTC