{minutes} HTML WG media telecom 2014-07-22 EME status and bugs

http://www.w3.org/2014/07/22-html-media-minutes.html

Joe Steele



HTML Media Task Force Teleconference

22 Jul 2014


Attendees

Present
paulc, +1.415.832.aaaa, davide, +1.408.536.aabb, +1.425.868.aacc, joesteele, geguchi, markw, ddorwin, adrianba, ReimundoGarcia, jdsmith, BobLund, glenn
Regrets
Chair
paulc
Scribe
joesteele, joesteele_
Contents

Topics
Roll Call
Action items and Issues
EME status and bugs
Encrypted Media Extensions Stream Format and Initialization Data Format Registry
New EME bugs
[Bug 26332] New: Applications should only use EME APIs on secure origins (e.g. HTTPS)
[Bug 26313] New: Steps for createSession should define what happens if the sessionType is not supported
[Bug 26401] New: Key message destinationURL usage is not reflected in examples
Bugs discussed at last meeting
Bug 26207 - Provide a way to check system capabilities required for UHD playback
Bug 25896 - Why is EME creating new DOMException subclasses?
EME Use cases Wiki
Summary of Action Items
<trackbot> Date: 22 July 2014
<paulc> Good morning.
<davide> good afternoon
<joesteele> Scribe: joesteele
<paulc> Agenda: http://lists.w3.org/Archives/Public/public-html-media/2014Jul/0014.html
Roll Call

Previous minutes -- http://lists.w3.org/Archives/Public/public-html-media/2014Jun/0072.html
Action items and Issues

EME status and bugs

<paulc> Editor's draft: http://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html
paulc: Editors draft has had 2-3 drafts since last mtg
... few new bugs
<paulc> http://tinyurl.com/7tfambo
paulc: this is the list of bugs
... 22 bugs total
Encrypted Media Extensions Stream Format and Initialization Data Format Registry

<paulc> https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/initdata-format-registry.html
paulc: that is the registry -- need to make sure editors are aware this is referenced in editors draft
... although no "references" list in the editors draft
<paulc> See bug https://www.w3.org/Bugs/Public/show_bug.cgi?id=25733
paulc: normally there would be a list of references
... this bug was discussing the registry for in-band source tracks
... Director has said we are ok with having pointers to informative registries even when they use normative language
... we can add a "references" section and point to this registry
ddorwin: will add as part of the refactoring
<ddorwin> ReSpec
ddorwin: using ReSpec
<ddorwin> Tracking bug for ReSpec: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25506
paulc: anyone working on this bug knows about this also -- moot now because MSE heartbeat was published
New EME bugs

[Bug 26332] New: Applications should only use EME APIs on secure origins (e.g. HTTPS)

<paulc> https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332
paulc: David do you want to say anything?
ddorwin: chances are that CDMs are exposing IDs that are not well protected, we should protect them with secure origin
... this is a common theme on the Internet
paulc: several commenters I don't usually see
... is it clear what changes we would make?
... is comment 5 the only change proposed?
<paulc> See comment five: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#c5
ddorwin: this is still open to provide guidance, needs to be normative
paulc: Adrian or Jerry have a comment?
jdsmith: I wonder if this is a strong countermeasure - would need a license server on the other end to exploit the ID
joesteele: I am in favor of this because it provides protection for the application vendor, but not so much worried about the privacy implications. I believe the protections are already described for the IDs
markw: I support the comments about the identifiers, we have text about protecting that already. The problem with having the origin as HTTPS is that all the content has to be downloaded over HTTPS -- don't support for that reason
ddorwin: not meant to be offensive, there is no normative text about protecting the identifier.
... only thing we can do is relate to the origin
... not obvious to me how the ID is protected - each CDM has to be checked by the UA to make sure it is not leaking these IDs
jdsmith: my question is -- do we want to be stringently requiring HTTPS when there are valid use cases for HTTP.
... there is an implication that CDMs need to protect their data exchanges
... this might be a strong counter-measure for sites that could use HTTP
paulc: some people were not aware of this bug - so folks should add their comments in the bug
... let's go broad and continue with the other new bugs
[Bug 26313] New: Steps for createSession should define what happens if the sessionType is not supported

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26313
paulc: Jerry you created, David commented right after, have you seen David's response?
<paulc> See David's response: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26313#c1
jdsmith: had not seen this yet
paulc: we could move forward then, you can respond in the bug
... editors might be able to just resolve
[Bug 26401] New: Key message destinationURL usage is not reflected in examples

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26401
<paulc> Example 2 at https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html#examples
joesteele: this was added just to add in support for destinationURL since it will be required for some CDMs
<ddorwin> Related bug: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25920
ddorwin: resolution of the bug was to remove this until we have a way to do this in a safe way
... defaultURL is now NULL in the text
<ddorwin> step 7.8 of https://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html#dom-createsession
<paulc> Joe is concerned about code in function handleKeyNeeded(event)
joesteele: I am not in favor of removing destinationURL -- was hoping that was not the outcome of previous bug
<ddorwin> handleKeyNeeded() is a handler for needkey, which does not have a destinationURL
<ddorwin> Probably want handleMessage() in 8.4.
<paulc> Actually Joe is pointing to function licenseRequestReady(event)
ddorwin: the function you referred to is not the right one -- think you mean licenseRequestReady()
... need to talk about what the language should actually be -- currently specified as NULL in the initial message
... in the createSession algorithm
<ddorwin> https://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html#dom-update sets destinationURL in step 4.6
ddorwin: the initial one is currently specified as NULL
... I will update the bug with pointers
joesteele: I will update the bug from there
... provide some example code that I think should work
Bugs discussed at last meeting

Bug 26207 - Provide a way to check system capabilities required for UHD playback

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26207
<joesteele_> scribe: joesteele_
paulc: maybe I missed it -- several folks have responded
... maybe you can just let us know how you want this bug processed
... Jerry to look at the bug and responses
Bug 25896 - Why is EME creating new DOMException subclasses?

<paulc> https://www.w3.org/Bugs/Public/show_bug.cgi?id=25896#c12
paulc: proposal made to close
... anyone objecting should respond in the bug
jdsmith: with this change we lose the numeric capability in the error
ddorwin: I propose closing this bug and opening a new one to add this capability back as needed
... removed the MediaKeyErrors because things have changed -- commented out with issue statements
... should explore Jerry's use case separately
... Joe had a question about getting systemCodes back from Promise rejection
paulc: has the other bug been opened?
jdsmith: I will take the action to open that bug
EME Use cases Wiki

https://www.w3.org/wiki/HTML/Media_Task_Force/EME_Use_Cases
paulc: Joe can summarize his update and call for more comments
<ddorwin> The error bug I was referring to is https://www.w3.org/Bugs/Public/show_bug.cgi?id=26372. Please take a look since errors are up in the air.
<paulc> Mark's feedback: http://lists.w3.org/Archives/Public/public-html-media/2014Jul/0016.html
<paulc> Joe: Use cases on the Wiki should all be supported today
<paulc> ... keyrelease and downscaling might not be supported by some CDMs
<paulc> ... seems to be general agreement that this is good set of use cases
<paulc> ... Joe wanted to get agreement before fleshing them out more
<paulc> ... and Joe has not yet added (to a separate section) future use cases
<paulc> Joe thinks he agrees with Mark's comments and Joe will reflect this back into the Wiki
<paulc> David has done some editing
<paulc> Bob Lund commented positively
ddorwin: there is a new bug on errors -- that was what I wanted to say
... last conversation
... no comments on the wiki
markw: I noticed that there may be confusion about system sessions and license - which seem to be separate things
... can have session that persists when license does not
... not sure how we resolve this - text in the specification talks about both things
<paulc> Joe: Not sure that the Wiki use cases motivate the need for loadSession capability
<paulc> ... some need for handling persistence but not sure of the need for saving a session
<paulc> Joe will send an email or file a bug on Mark's point and agrees there is confusion there
ddorwin: have had some discussion around this -- it was added as a way to manage offline and support the secure proof of key release model
... existing normative text should support both of those models
... may be different from how some keys model key persistence
... need to have a common way to model this
... we could think about another session type but not sure that makes sense
<paulc> Joe: My impression of the loadSession feature is that it was designed by implementers that don't support persistence and without discussion with CDM implementations that do support persistence
<paulc> ... I agree there should be a common model but it may not be this one
<paulc> ... I don't have a new model to propose yet
<paulc> Joe offered to send an email about this and get more discussion going
joesteele: not clear who will use this feature as defined today
... I will send an email about this as noted
jdsmith: just wanted to say we are having similar problems with the loadSession model -- might need some reconsideration
markw: we are talking about system licenses I would agree with many of the comments made, but when talking about session and secure key release need a way to find those previous sessions
... assumed loadSession would be used for that
paulc: comment about more advanced use cases -- I would discourage that until we deal with the existing use cases
... will put on the top of the agenda for next week
joesteele: ok
<ddorwin> loadSession(), etc. were designed to have a consistent model that supports multiple use cases and that could be broadly supported across implementations (possibly with "wrapping" to match the spec). This was discussed with app developers, so there is a desire for this consistent model.
Summary of Action Items

[End of minutes]

Received on Tuesday, 22 July 2014 16:20:28 UTC