[encrypted-media] Editorial: normative language used in notes and applied to non-UA entities (#595)

joeyparrish has just created a new issue for https://github.com/w3c/encrypted-media:

== Editorial: normative language used in notes and applied to non-UA entities ==
The spec has several places where RFC 2119 normative language (MUST, SHOULD, RECOMMENDED, etc.) is used in contexts where it doesn't belong. This creates ambiguity about what the actual conformance requirements are for user agent implementors.

## 1. Normative language inside notes

Notes are non-normative by convention. The following notes contain RFC 2119 terms that are either real requirements (and should be moved to normative prose) or advisory guidance (and should be rephrased without normative language):

- Line 280: `Authors SHOULD encrypt each set of stream(s)...` / `audio streams SHOULD NOT use the same key as any video stream.`
- Line 355: `It SHOULD always allow unique identification` / `information MAY be obtained`
- Lines 779-788: `they MUST be non-associable by applications` / `MUST NOT expose this capability` / `SHOULD take care to avoid exposing such correlation`
- Line 1376: `The initDataType MUST be supported independent of content types`
- Line 1804: `implementations MUST use per-origin per-profile identifiers`
- Line 1961: `Case-sensitive string comparison is RECOMMENDED`
- Line 2445: `it MUST NOT rely on user agent implementations rejecting`
- Lines 2481, 2499: `Applications SHOULD ensure...` / `Applications...SHOULD specify the encryption schemes`
- Line 2626: `the accumulated configuration MUST still contain...`
- Lines 3338-3339: `applications SHOULD NOT rely on specific timing` / `SHOULD call close()`
- Line 3470: `This value MAY change during the session lifetime`
- Lines 3494-3513: `The map MUST NOT ever be inconsistent` / `Key IDs MUST NOT be removed` / `MUST be given an appropriate status` / `user agent implementations exposing such CDMs SHOULD implement this member as follows`
- Line 4249: `It is RECOMMENDED that CDM implementations support a standard and reasonably high minimum number of keys`
- Line 5140: `script MUST NOT ever see a partially populated sequence`
- Line 6127: `the user agent MUST NOT expose Initialization Data from such media data`
- Lines 7126-7129: `it MUST NOT be possible for one or more applications...to achieve such correlation`
- Line 7340: `it MUST be transparent to the application and the APIs`

## 2. Normative language applied to non-UA entities

A user agent specification can only normatively bind user agent implementations. Applying MUST/SHOULD/RECOMMENDED to CDMs, applications/authors, or license servers is out of scope -- those entities are not conformance targets of this spec.

**CDMs:**

- Line 204: `It is RECOMMENDED that [=CDMs=] use simple lower-case ASCII key system strings.`
- Lines 5490-5491: `The [=CDM=] SHOULD NOT store session data...`
- Line 5503: `The [=CDM=] MUST ensure that data for a given session is only present in one...`
- Lines 6688, 6730: `the [=CDM=] SHALL NOT` / `The [=CDM=] MUST NOT make direct network requests`
- Lines 7057, 7215, 7226, 7438: Multiple MUST/MUST NOT on CDM behavior in the privacy and security sections
- Line 8137: `CDM implementers MUST provide sufficient information and controls`
- Lines 8480, 8518: MUST on CDM/Key System behavior in the privacy threat model

**Applications/Authors:**

- Line 2453: `This dictionary MUST NOT be used to pass state or data to the [=CDM=].`
- Line 3377: `applications MUST NOT create new sessions on this {{MediaKeys}} instance`
- Line 4817: `Applications SHOULD NOT rely on downscaling to protect content`
- Lines 8086-8091: `Authors SHOULD prevent other entities from hosting their applications in iframes`
- Line 8118: `Authors on shared hosts are therefore RECOMMENDED to avoid using the APIs`

**License servers:**

- Line 7090: `Messages from the license server to the [=CDM=] MUST NOT expose recipient-unique identifiers` -- the spec has no authority over license server behavior.

---

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Please view or discuss this issue at https://github.com/w3c/encrypted-media/issues/595 using your GitHub account



Received on Tuesday, 12 May 2026 23:34:22 UTC