Re: revocation requirement (was Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations)

On Oct 29, 2015, at 3:19 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 29 October 2015 at 15:15, Nick Doty <npdoty@w3.org> wrote:
>> If, to comply with that, we should add a requirement to
>> draft-ietf-rtcweb-security-arch for revocation, which it sounds like
>> implementing browsers already support, just let us know where to send the
>> pull request.
> 
> I think that mediacapture is a more reasonable place to house that
> sort of requirement.

Currently there is a non-normative suggestion about this in Media Capture and Streams section on Privacy and Security Considerations.
http://w3c.github.io/mediacapture-main/#privacy-and-security-considerations <http://w3c.github.io/mediacapture-main/#privacy-and-security-considerations>

Per the comments in PING's earlier message, we believe it would be useful to make this a normative requirement.
https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0028.html <https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0028.html>

As a mechanical matter, should we make a pull request to Media Capture and Streams? Or if the editors typically resolve these themselves, that's great.

> On 29 October 2015 at 15:29, Eric Rescorla <ekr@rtfm.com> wrote:
>> I would also be fine with that. Generally, we have been levying security
>> requirements in the IETF documents, but I'm certainly happy to do less.
>> 
> I was under the impression that you were doing that within the WebRTC
> context only.  But there are requirements there as well.  I wouldn't
> object to a modest amount of duplication for something like this.

Yeah, I would typically agree. I can submit a pull request to rtcweb-wg/security-arch as well. This wouldn't apply just to Web browsers.

—Nick

Received on Thursday, 29 October 2015 06:39:04 UTC