revocation requirement (was Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations) from Nick Doty on 2015-10-29 (public-media-capture@w3.org from October 2015)

From: Nick Doty <npdoty@w3.org>
Date: Thu, 29 Oct 2015 15:15:31 +0900
To: Eric Rescorla <ekr@rtfm.com>, Rigo Wenning <rigo@w3.org>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>, "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-Id: <D4CC5A2C-2911-45C2-BA8B-C1CCEF59BA9D@w3.org>

On Oct 29, 2015, at 3:04 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> I'm not
> very versed in IETF process and Specification writing. But aren't those
> reflecting the requirements from Stephen during review asking for MUST revoke?
> 
> I don't recall any decision to add normative text for MUST revoke. However,
> despite that, both browsers allow this. If someone wanted to send a PR
> for that text, I would be fine with that.

I believe Rigo is referring to this text in RFC 7478:

   The browser must provide mechanisms for users to revise and even
   completely revoke consent to use device resources such as camera and
   microphone.
http://tools.ietf.org/html/rfc7478#section-4.2 <http://tools.ietf.org/html/rfc7478#section-4.2>

If, to comply with that, we should add a requirement to draft-ietf-rtcweb-security-arch for revocation, which it sounds like implementing browsers already support, just let us know where to send the pull request.

—Nick

Received on Thursday, 29 October 2015 06:15:53 UTC