[DRAFT] Call for Horizontal Review of IMSC 1.0.1 WD for TAG / Self-Review Questionnaire

[resending from my W3 email address]

This is the horizontal review request to the TAG including the
Self-Review Questionnaire: Security and Privacy [5]

Please review this message.

The TAG document [5] does not really say where to send the self
questionnaire answers. Therefore I plan to send it to <www-tag@w3.org>.

As it is a Self-Review Questionnaire, I am not even sure it needs to be
sent!

Horizontal Groups like WAI, I18N, TAG etc. should track new FPWD and
review those specs, without further notice.


Thierry

_______________________________


Dear Technical Architecture Group,

The W3C Timed Text Working Group has recently published a new working
draft of the TTML Text and Image Profiles for Internet Media Subtitles
and Captions, currently known as IMSC 1.0.1.

This specification contains two optional substantive features additional
to the IMSC 1 Recommendation dated 21 April 2016 [2]:


   1. activeArea allows the document author to indicate which area
      contains active editorial content in the presentation.

   2. fillLineGap allows the document author to specify that the
      background areas of adjacent lines meet without an intervening gap.

This minor revision of the specification is designed such that
Processors and document instances that conform to the Recommendation [2]
also conform to this revision.


The TTWG invites you to review this draft, and requests comments to be
received by 07th May 2017. These comments will be used to fulfil the
W3C Process [3] requirement for Wide Review of drafts, and Horizontal
Review [4] prior to publication as Candidate Recommendation.


If you wish to make comments regarding this document, please send them
to public-tt@w3.org <mailto:public-tt@w3.org> with [imsc] at the start
of your email's subject. All comments are welcome, however the scope of
review will be focused on the two new features described above.


The TTWG has also answered the Self-Review Questionnaire: Security and
Privacy [5]. The TTWG answers are as follows:

Questions to Consider:
3.1 Does this specification deal with personally-identifiable
information?
--> NO it doesn't.

3.2 Does this specification deal with high-value data?
--> NO it doesn't.

3.3 Does this specification introduce new state for an origin that
persists across browsing sessions?
--> NO it doesn't.

3.4 Does this specification expose persistent, cross-origin state to the
web?
--> NO it doesn't.

3.5 Does this specification expose any other data to an origin that it
doesn't currently have access to?
--> NO it doesn't.

3.6 Does this specification enable new script execution/loading
mechanisms?
--> This question as worded is ambiguous to us; is it only about script
loading and script execution?
In our case, an IMSC1.0.1 document in which a change in the value of an
externally passed in parameter or a media query (for example) may cause
a modification of behavior, and this may lead to the loading of external
resources including audio, images etc, though excluding scripts. We do
not consider "condition" mechanism to be a scripting language.
IMSC1.0.1 allows loading of resources, just not scripts, and has fetch
semantics by the introduction of external resource loading. It also
allows the addition of links on spans that can have hyperlinks.

3.7 Does this specification allow an origin access to a user's location?
--> NO it doesn't.

3.8 Does this specification allow an origin access to sensors on a
user's device?
--> NO it doesn't.

3.9 Does this specification allow an origin access to aspects of a
user's local computing environment?
--> NO it doesn't.

3.10 Does this specification allow an origin access to other devices?
--> NO it doesn't.

3.11 Does this specification allow an origin some measure of control
over a user agent's native UI?
--> NO it doesn't.

3.12 Does this specification expose temporary identifiers to the web?
--> NO it doesn't.

3.13 Does this specification distinguish between behavior in first-party
and third-party contexts?
--> NO it doesn't.

3.14 How should this specification work in the context of a user agent's
"incognito" mode?
--> This specification has no impact on any incognito mode since the
answer to all the questions about exposing details to origins are "No".

3.15 Does this specification persist data to a user's local device?
--> User agents may choose to cache referenced external resources; this
implementation detail is not covered by this specification and the
specification makes no explicit requirement for caching or non-caching
of any external resource.

3.16 Does this specification have a "Security Considerations" and
"Privacy Considerations" section?
--> YES it does, see

https://www.w3.org/TR/2017/WD-ttml-imsc1.0.1-20170322/#privacy-and-security-considerations-non-normative

3.17 Does this specification allow downgrading default security
characteristics?
--> NO it doesn't.



[1] IMSC 1.0.1 latest version https://www.w3.org/TR/ttml-imsc1.0.1/

[2] IMSC 1 Recommendation
https://www.w3.org/TR/2016/REC-ttml-imsc1-20160421/

[3] W3C Process https://www.w3.org/2015/Process-20150901/

[4] Horizontal Review
https://www.w3.org/Guide/Charter.html#horizontal-review

[5] https://www.w3.org/TR/security-privacy-questionnaire


Kind regards,

On behalf of Nigel Megitt, co-Chair, W3C Timed Text Working Group
Thierry Michel, Staff Contact for TTWG.

Received on Friday, 24 March 2017 10:22:07 UTC