Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 29 Oct 2015 15:04:05 +0900
Message-ID: <CABcZeBNJRzv5_e-rUZN7h7nbTUhWSkGNZFPUFXeP=jd4N8aBiQ@mail.gmail.com>
To: Rigo Wenning <rigo@w3.org>
Cc: Martin Thomson <martin.thomson@gmail.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, Mathieu Hofman <Mathieu.Hofman@citrix.com>, Harald Alvestrand <harald@alvestrand.no>, Nick Doty <npdoty@w3.org>, "public-media-capture@w3.org" <public-media-capture@w3.org>
On Thu, Oct 29, 2015 at 2:57 PM, Rigo Wenning <rigo@w3.org> wrote:

> On Thursday 29 October 2015 14:38:07 Eric Rescorla wrote:
>
> > BTW, if you look into RFC 7478, it says in its browser considerations:
> > > ==
> > > The browser is expected to provide mechanisms for getting user consent to use
> > > device resources such as camera and microphone.
> > > ==
> > > Now tell me how is not asking the user getting you consent?
> >
> > You did ask the user. The permission persists. The normative text
> > here is the security document, which specifically contemplates
> > persistent consent.
>
> Above you write, Chrome doesn't prompt the user when being on HTTPS.


Chrome prompts the user once when on HTTPS and then persists the results.
They prompt the user every time on HTTP.


> I understand that Firefox asked the user. So the Firefox team is doing the
> right thing. Now you're pointing me to the fact that the requirement for the user
> consent is only informational as it is in the security considerations.


The requirement for some form of consent is a MUST in the security
architecture document.

https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-11#section-5.2



> I'm not very versed in IETF process and Specification writing. But aren't those
> reflecting the requirements from Stephen during review asking for MUST
> revoke?
>

I don't recall any decision to add normative text for MUST revoke. However,
despite that, both browsers allow this. If someone wanted to send a PR
for that text, I would be fine with that.


> > But furthermore it says:
> > > ==
> > > The browser is expected to provide mechanisms for informing the user that
> > > device resources such as camera and microphone are in use ("hot").
> > >
> > > The browser must provide mechanisms for users to revise and even completely
> > > revoke consent to use device resources such as camera and microphone.
> > > ==
> >
> > And as I said, both Chrome and Firefox already do these things.
>
> Ok, so on HTTPS they give permission forever without asking the user but
> they show a beacon in the browser-chrome? Because like "You" was not precise,
> "these things" don't help me to assess the situation.


Chrome and Firefox do both of the two things listed in this quoted block:

1. Inform the user that the devices are hot.
2. Provide mechanisms for revoking consent.

-Ekr
Received on Thursday, 29 October 2015 06:05:13 UTC