RE: [DRAFT] horizontal review request to the TAG with Self-Review Questionnaire.

Nigel/Thierry,



Good proposed specific answers.



However, as I mentioned in today's call, I'd like to call your attention to feedback I recently received from IETF experts about security considerations for XML documents in general (not specific to TTML). This was received in the course of expert review when registering a new media type at IANA in the Security Considerations section. The IETF comment was (highlight is mine):



There also needs a statement of whether or not the format employs executable content (my read is that it does not, but since the format is extensible it should be noted that executable content could appear in an extension) and whether or not confidentiality protection is ever needed, and if so, how it would be provided.



FYI in case you want to generally address in the questionnaire the situation where the security considerations extend to arbitrary permitted extensions.



Regards,



                Mike



-----Original Message-----
From: Nigel Megitt [mailto:nigel.megitt@bbc.co.uk]
Sent: Thursday, July 27, 2017 7:47 AM
To: Timed Text Working Group <public-tt@w3.org>
Subject: FW: [DRAFT] horizontal review request to the TAG with Self-Review Questionnaire.



Thanks Thierry for putting this together, it looks good to me:



On 24/07/2017, 09:15, "Thierry MICHEL" <tmichel@w3.org<mailto:tmichel@w3.org>> wrote:



>Nigel, Glenn,

>

>This is a DRAFT of the horizontal review request to the TAG including

>the Self-Review Questionnaire: Security and Privacy [6]

>

>Please review this message.

>

>The TAG document [5] does not really say where to send the self

>questionnaire answers. Therefore I plan to  send it to <www-tag@w3.org<mailto:www-tag@w3.org>>.

>

>Horizontal Groups like WAI, I18N,  TAG etc, should track new FPWD and

>review those specs, without further notice.

>

>Thierry

>

>_______________________________

>

>

>Dear Technical Architecture Group,

>

>The W3C Timed Text Working Group has recently published a new working

>draft of the Timed Text Markup Language 2 (TTML2).

>

>https://www.w3.org/TR/2017/WD-ttml2-20170630/

>

>TTML2, provides a standardized representation of a particular subset of

>textual information with which stylistic, layout, and timing semantics

>are associated by an author or an authoring system for the purpose of

>interchange and processing.

>In addition to being used for interchange among legacy distribution

>content formats, TTML Content may be used directly as a distribution

>format, providing, for example, a standard content format to reference

>from a <track> element in an HTML5 document, or a <text> or

><textstream> media element in a [SMIL 3.0] document.

>

>The TTML2 specification updates the TTML1 specification by adding

>vocabulary and semantics to address more of its core requirements,

>including the addition of support for:

>

>     raster images (both foreground and background)

>     author supplied fonts

>     audio descriptions and text to speech

>     ruby text annotations

>     improved vertical line layout

>     text emphasis, kerning, letter spacing, shadows, and variants

>     inline block layout

>     stereoscopic presentation (for 3-D viewing)

>     high definition resolution (HDR) presentation

>     continuous animation

>     hyperlinks

>     conditional element semantics

>     improved metadata extensibility

>     formalized intermediate document syntax

>     various other improvements and bug fixes

>

>The TTWG invites you to review this draft, and requests comments to be

>received by 30 Sept 2017. These comments will be used to fulfill the

>W3C Process [3] requirement for Wide Review of drafts, and  Horizontal

>Review [4]  prior to publication as Candidate Recommendation.

>

>If you wish to make comments regarding this document, please send them

>to public-tt@w3.org<mailto:public-tt@w3.org> <mailto:public-tt@w3.org?subject=%5Bttml%5B> with

>[ttml2] at the start of your email's subject. All comments are welcome,

>however the scope of review will be mainly focused on the new features

>introduced in TTML2.

>

>A cumulative summary of all changes applied to this version since the

>current (TTML1, 2nd Edition) Recommendation was published is available

>for your convenience [5].

>

>

>

>

>The TTWG has also answered the Self-Review Questionnaire: Security and

>Privacy [6]. The TTWG answer are as follows:

>

>Questions to Consider:

>3.1 Does this specification deal with personally-identifiable

>information?

>--> NO it doesn't.

>

>3.2 Does this specification deal with high-value data?

>--> NO it doesn't.

>

>3.3 Does this specification introduce new state for an origin that

>persists across browsing sessions?

>--> NO it doesn't.

>

>3.4 Does this specification expose persistent, cross-origin state to

>the web?

>--> NO it doesn't.

>

>3.5 Does this specification expose any other data to an origin that it

>doesnt currently have access to?

>--> NO it doesn't.

>

>3.6 Does this specification enable new script execution/loading

>mechanisms?

>--> This question as worded is ambiguous to us; is it only about script

>loading and script execution ?

>In our case, a TTML2  document in which a change in the value of an

>externally passed in parameter or a media query (for example) may cause

>a modification of behavior, and this may lead to the loading of

>external resources including audio, images etc, though excluding

>scripts. We do not consider "condition" mechanism to be a scripting language.

>TTML2 allows loading of resources, just not scripts, and has fetch

>semantics by the introduction of external resource loading. It also

>allows the addition of links on spans that can have hyperlinks.

>It does not include or make reference to the processing of any script

>language, executable code or

>  of any external style sheet or style specification.

>

>

>3.7 Does this specification allow an origin access to a user's location?

>--> NO it doesn't.

>

>3.8 Does this specification allow an origin access to sensors on a

>users device?

>--> NO it doesn't.

>

>3.9 Does this specification allow an origin access to aspects of a

>userıs local computing environment?

>--> NO it doesn't.

>

>3.10 Does this specification allow an origin access to other devices?

>--> NO it doesn't.

>

>3.11 Does this specification allow an origin some measure of control

>over a user agentıs native UI?

>--> NO it doesn't.

>

>3.12 Does this specification expose temporary identifiers to the web?

>--> NO it doesn't.

>

>3.13 Does this specification distinguish between behavior in

>first-party and third-party contexts?

>--> NO it doesn't.

>

>3.14 How should this specification work in the context of a user

>agent's "incognito" mode?

>--> This specification has no impact on any incognito mode since the

>answer to all the questions about exposing details to origins are "No".

>

>3.15 Does this specification persist data to a user's local device?

>--> User agents may choose to cache referenced external resources; this

>implementation detail is not covered by this specification and the

>specification makes no explicit requirement for caching or non-caching

>of any external resource.

>

>3.16 Does this specification have a "Security Considerations" and

>"Privacy Considerations" section?

>--> YES it does, see

>

>https://www.w3.org/TR/ttml2/#security-and-privacy

>

>3.17 Does this specification allow downgrading default security

>characteristics?

>--> NO it doesn't.

>

>

>

>[1] TTML2 latest version https://www.w3.org/TR/ttml2/ [2] TTML1

>Recommendation https://www.w3.org/TR/ttml1/ [3] W3C Process

>https://www.w3.org/2017/Process-20170301/

>[4] Horizontal Review

>https://www.w3.org/Guide/Charter.html#horizontal-review

>[5] https://www.w3.org/TR/security-privacy-questionnaire

>[6] https://www.w3.org/TR/2017/WD-ttml2-20170630/ttml2-changes.html

>

>

>On behalf of Nigel Megitt, co-Chair, W3C Timed Text Working Group

>Thierry Michel, Staff Contact for TTWG.







-----------------------------

http://www.bbc.co.uk

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.

If you have received it in

error, please delete it from your system.

Do not use, copy or disclose the

information in any way nor act in reliance on it and notify the sender immediately.

Please note that the BBC monitors e-mails sent or received.

Further communication will signify your consent to this.

-----------------------------

Received on Thursday, 27 July 2017 15:43:41 UTC