Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

Thanks for the response! (and apologies for the slowness of the response).

Since it seems that none of the other WG members have chosen to respond,
I'll try to return to the original list of questions after sending this
reply, to see what I can answer.

On 08/05/2015 01:04 AM, Nick Doty wrote:
> Hi Harald,
>
> I apologize for the belated reply. I do my best to respond to your
> questions inline; I don't speak for all members of the Privacy
> Interest Group, but hopefully my individual thoughts can still be useful.
>
>> On Jul 14, 2015, at 5:13 AM, Harald Alvestrand <harald@alvestrand.no
>> <mailto:harald@alvestrand.no>> wrote:
>>
>> Signed PGP part
>> Thank you for your comments!
>>
>> This is obviously material that needs input from the group on how we
>> handle, but some questions that I as process manager have on these
>> comments:
>>
>> - The specification as it stands represents results of long debates.
>> Part of these debates are documented in the IETF security documents
>> for RTCWEB. Can we assume that these documents have been read and
>> understood for further commenting?
>>
>
> I have previously reviewed and commented on the rtcweb security
> architecture drafts, so I'm reasonably familiar with those texts.
> However, I haven't kept up with all the rtcweb/WebRTC discussions and
> I'm sure many volunteers in PING haven't either, so please feel free
> to include pointers to specific document sections or discussions.

OK, will try.
>
>> - We have understood the style of specification in the W3C to be that
>> user interface issues (such as what indicators to display, and how
>> permission is requested) are strictly outside of the remit of the
>> specification. We can require that permission be granted, and that an
>> indicator be shown, but its exact form is an implementation matter. Is
>> that a common understanding we can assume here too?
>>
>
> W3C specs have typically refrained from specifying user interfaces, a
> trend I think most participants are comfortable with. I think that
> doesn't typically prohibit putting requirements on a user interface,
> or guidance for how a user interface might usefully be presented (in
> fact, we've sometimes heard complaints when W3C groups didn't do
> this), just a recognition that user interface design will likely vary
> and doesn't benefit from standardization. That makes it harder to draw
> a bright line, I understand.

OK, we seem to agree here - guidance is reasonable and useful,
requirements (in MUST/SHOULD form) needs to be on the functionality we
want, not on how it is implemented.
>
>> - The fingerprinting guidance document has the status (according to
>> itself) of "unofficial draft", and does not link to any working group
>> or mailing list. What can we expect about a declaration of consensus
>> on this specification in the future? Is it on someone's roadmap to
>> declare consensus on it?
>>
>
> That's an excellent question. The Privacy Interest Group has been
> working on the "Fingerprinting Guidance for Web Specification Authors"
> document with the expectation that we would develop consensus and
> publish it as an Interest Group Note. (We should probably publish it
> as a Draft Interest Group Note in the meantime to lessen such
> confusion.) We are also collaborating with the Technical Architecture
> Group (TAG) on its contents/guidance. I'll expand the Status of this
> Document section to make this more explicit (it did link to the
> public-privacy mailing list, but that could be clearer).

Thanks!

>
>> Thanks in advance for enlightenement on these topics!
>>
>>   Harald, chair hat on
>>
>
> Hope this helps,
> Nick

Received on Monday, 21 September 2015 09:43:22 UTC