Re: revocation requirement (was Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations) from Eric Rescorla on 2015-10-29 (public-privacy@w3.org from October to December 2015)

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 29 Oct 2015 15:18:17 +0900
To: Nick Doty <npdoty@w3.org>
Cc: Rigo Wenning <rigo@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <CABcZeBMoJ9w0T2gn4PdjQE-NdYyHwnjUX4R_TpcjQQxZFzctQA@mail.gmail.com>

https://github.com/rtcweb-wg/security-arch

On Thu, Oct 29, 2015 at 3:15 PM, Nick Doty <npdoty@w3.org> wrote:

> On Oct 29, 2015, at 3:04 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
> I'm not
>> very versed in IETF process and Specification writing. But aren't those
>> reflecting the requirements from Stephen during review asking for MUST
>> revoke?
>>
>
> I don't recall any decision to add normative text for MUST revoke. However,
> despite that, both browsers allow this. If someone wanted to send a PR
> for that text, I would be fine with that.
>
>
> I believe Rigo is referring to this text in RFC 7478:
>
>    The browser must provide mechanisms for users to revise and even
>    completely revoke consent to use device resources such as camera and
>    microphone.
> http://tools.ietf.org/html/rfc7478#section-4.2
>
> If, to comply with that, we should add a requirement
> to draft-ietf-rtcweb-security-arch for revocation, which it sounds like
> implementing browsers already support, just let us know where to send the
> pull request.
>
> —Nick
>

Received on Thursday, 29 October 2015 06:19:25 UTC