- From: John Birch <John.Birch@screensystems.tv>
- Date: Thu, 13 Oct 2016 08:48:59 +0000
- To: Thierry MICHEL <tmichel@w3.org>, W3C Public TTWG <public-tt@w3.org>, "Nigel Megitt" <nigel.megitt@bbc.co.uk>
I would suggest that question 3.2 is somewhat ambiguous also... since the value attributed to an instance of TTML 'data' (a timed text file) is an attribution made by the user? Some TTML files may contain 'valuable data' from a user's perspective (e.g. they may represent significant work effort - or have associated copyright). Clearly, the TTML specification is not specifically targeted at 'high value' data applications (it does not explicitly support encryption, for example). BR, John John Birch | Strategic Partnerships Manager | Screen Main Line : +44 1473 831700 | Ext: 2208 | Direct Dial: +44 1473 834532 Mobile: +44 7919 558380 | Fax : +44 1473 830078 John.Birch@screensystems.tv Visit us at Broadcast India, Bombay Exhibition Centre, Mumbai, 20-22 October Languages and the Media, Radisson Blu Hotel, Berlin, 3-4 November NAB New York, Javits Convention Centre, 9-10 November, Stand 1750 PBefore printing, think about the environment -----Original Message----- From: Thierry MICHEL [mailto:tmichel@w3.org] Sent: 13 October 2016 09:41 To: W3C Public TTWG <public-tt@w3.org>; Nigel Megitt <nigel.megitt@bbc.co.uk> Subject: Re: TTML2 and questionnaire for Security and Privacy; for review. Hi, Bellow are updated responses for review regarding TTML2, to answer the Self-Review Questionnaire: Security and Privacy https://www.w3.org/TR/security-privacy-questionnaire/ I have incorporated Nigel's comments and the discussion during our last telecon. Let me know if you have any concern. Thierry ---------------------------------------- Questions to Consider: 3.1 Does this specification deal with personally-identifiable information? --> NO it doesn't. 3.2 Does this specification deal with high-value data? --> NO it doesn't. 3.3 Does this specification introduce new state for an origin that persists across browsing sessions? --> NO it doesn't. 3.4 Does this specification expose persistent, cross-origin state to the web? --> NO it doesn't. 3.5 Does this specification expose any other data to an origin that it doesn’t currently have access to? --> NO it doesn't. 3.6 Does this specification enable new script execution/loading mechanisms? --> This question as worded is ambiguous to us; is it only about script loading and script execution ? In our case, a TTML2 document in which a change in the value of an externally passed in parameter or a media query (for example) may cause a modification of behavior, and this may lead to the loading of external resources including audio, images etc, though excluding scripts. We do not consider "condition" mechanism to be a scripting language. TTML2 allows loading of resources, just not scripts, and has fetch semantics by the introduction of external resource loading. It also allows the addition of links on spans that can have hyperlinks. 3.7 Does this specification allow an origin access to a user’s location? --> NO it doesn't. 3.8 Does this specification allow an origin access to sensors on a user’s device? 3.9 Does this specification allow an origin access to aspects of a user’s local computing environment? --> NO it doesn't. 3.10 Does this specification allow an origin access to other devices? --> NO it doesn't. 3.11 Does this specification allow an origin some measure of control over a user agent’s native UI? --> NO it doesn't. 3.12 Does this specification expose temporary identifiers to the web? --> NO it doesn't. 3.13 Does this specification distinguish between behavior in first-party and third-party contexts? --> NO it doesn't. 3.14 How should this specification work in the context of a user agent’s "incognito" mode? --> This specification has no impact on any incognito mode since the answer to all the questions about exposing details to origins are "No". 3.15 Does this specification persist data to a user’s local device? --> User agents may choose to cache referenced external resources; this implementation detail is not covered by this specification and the specification makes no explicit requirement for caching or non-caching of any external resource. 3.16 Does this specification have a "Security Considerations" and "Privacy Considerations" section? --> NO it doesn't. 3.17 Does this specification allow downgrading default security characteristics? --> NO it doesn't. -------------------------------------------- This message may contain confidential and/or privileged information. If you are not the intended recipient you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. Screen Subtitling Systems Ltd. Registered in England No. 2596832. Registered Office: The Old Rectory, Claydon Church Lane, Claydon, Ipswich, Suffolk, IP6 0EQ
Received on Thursday, 13 October 2016 08:49:31 UTC