- From: Nigel Megitt <nigel.megitt@bbc.co.uk>
- Date: Thu, 2 Apr 2020 17:32:34 +0000
- To: "public-tt@w3.org" <public-tt@w3.org>
- CC: Nick Doty <npdoty@ischool.berkeley.edu>, Pete Snyder <psnyder@brave.com>
- Message-ID: <F2C4508C-9260-4E14-A593-EE83C4ED564A@bbc.co.uk>
Thanks all for the extra long two part call today. Minutes can be found in HTML format at https://www.w3.org/2020/04/02-tt-minutes.html In text format: [1]W3C [1] https://www.w3.org/ Timed Text Working Group Teleconference 02 April 2020 [2]Previous meeting. [3]Agenda. [4]IRC log. [2] https://www.w3.org/2020/03/26-tt-minutes.html [3] https://github.com/w3c/ttwg/issues/105 [4] https://www.w3.org/2020/04/02-tt-irc Attendees Present Andreas, Atsushi, Cyril, Gary, Glenn, Nick_Doty, Nigel, Pete_Snyder, Pierre Regrets - Chair Gary, Nigel Scribe cyril_, nigel Contents 1. [5]This meeting 2. [6]IMSC 1.2 3. [7]Note that the user can influence the document processing context 4. [8]Address A11Y comments related to WCAG 2.1 5. [9]imsc/rec 6. [10]TTML2 2nd Edition Implementation Report 7. [11]end of meeting 8. [12]Meeting with PING Meeting minutes This meeting Nigel: Today, we have a few IMSC issues, TTML2 IR, and starting at 1600 UTC, a joint … session with some members of the PING. nigel: pierre are you able to join for the 2nd hour? pal: yes nigel: any AOB? IMSC 1.2 nigel: there were a couple of editorial PRs … probably better to run them on the call … I added them to our agenda Note that the user can influence the document processing context gitub [13]https://github.com/w3c/imsc/pull/527 [13] https://github.com/w3c/imsc/pull/527 github: [14]https://github.com/w3c/imsc/pull/527 [14] https://github.com/w3c/imsc/pull/527 nigel: if you go the PR, the preview and diff now appeared … there is one note added to the D.2 appendix: MAUR considerations … I provided some review comments that are now resolved … I just want to make sure that more people look at it pal: ideally the main commenter … I don't think we can merge this until the main commenter's review nigel: we need to make sure we have consensus among us also … if it sounds good, we'll just go ahead with this text … I'll go back to the APA pal: we actually need them to participate … I'm not happy merging this until we have clear feedback from them nigel: agree, we can prompt the person or the group with the text that we agree on … the commenter who raised it is W3C staff atsushi: my personal opinion would be to ping them on GitHub glenn: I would recommend closing due to lack of response nigel: I will reach out to the commenter nigel: nobody seems to have any other comment on it SUMMARY: TTWG is happy with the current proposal and would like review by APA WG @michael-n-cooper Address A11Y comments related to WCAG 2.1 github: [15]https://github.com/w3c/imsc/pull/526 [15] https://github.com/w3c/imsc/pull/526 nigel: this PR is closing a couple of things pal: I think there are things we need to talk about pal: there is the issue raised by the APA related to updating reference to WCAG 2.1 … that's issue … and also rewriting appendix D.1 … and reference success criteria instead of interpreting and indicate how to best address them with IMSC … in the process of doing this, Nigel raised the question on an example provided in Appendix D.1 … Nigel reviewed it, suggested some changes … I went back in time to find the history of this paragraph … many eons ago … I'm really reluctant to change it … because we spent so much time on it and it's only an example … my preference would be to add one more example nigel: I'm not sure how it came as part of my review … maybe because the changes are big … I think the text came from J Birch after some debate pal: What I've done editorially is to label it as an example … if there is another example, we should add it … but we should not touch the example anymore nigel: it wasn't very clear what functional information means … it doesn't seem to mention that you can use styling attributes to achieve the same thing … it does not refer to using ttm:role to identify the kind of thing that the text is representing … simply leaving the text as is in the PR and adding another example could work pal: I'm happy to review proposed example nigel: I will provide one nigel: I like the "suggestion" feature in the current PR, it's a new GitHub feature pal: I have a question out to the commenter … I have asked a question on issue 521 and 522, 21 days ago and still waiting nigel: we can't proceed because we are waiting for some answer pal: 524 we said we will not make changes for it, we should close it nigel: we can just leave that open because we took out the milestone pal: so it's only 521 and 522 for which we are waiting for answers nigel: back on 526, we have a way forward to resolve my comments … I encourage everybody to have a look at it … I think it will resolve the APA comments pal: it could be a good template to solving the PING comments … if they could come up with guidelines … that we can reference nigel: agree imsc/rec nigel: we had a conversation about it last week … atsushi needed to take that to the team … and I wanted to know where we are atsushi: I thought to ask next week nigel: because of our decision policy? atsushi: I thought this was a recommendation from someone that we need to be secure on it nigel: it's true that with our decision policy, someone could comment on it, but unlikely atsushi: I was advised to wait some time after request to setup some difference link … to avoid misoperation on our W3C systems side … maybe Philippe's suggestion nigel: I did not notice this … if you need time before making the change, fine but let us know atsushi: could happen next week nigel: sounds good TTML2 2nd Edition Implementation Report nigel: there has been some activity by Glenn … I did some review … we are moving forward … no particular test need agenda time glenn: the only one that might is the one on line height and font strategy nigel: 252 glenn: the previous one having to do with fontStrategySelection, a presentation test … that was put in TTML2 1ed <nigel> [16]https://github.com/w3c/ttml2-tests/blob/master/ presentation/valid/ttml2-prstn-font-selection-strategy.xml [16] https://github.com/w3c/ttml2-tests/blob/master/presentation/valid/ttml2-prstn-font-selection-strategy.xml glenn: it's about the impact of font strategy selection on line height nigel: and that previous test has a description … and because there is combined character it would be clear what will happen glenn: that test that preexisted and this one rely on something that cannot be interoperably tested nigel: in the original test, we made the assumption that the default font did not support combining characters … we never verified that such a font exists glenn: you had asked if we could construct such a font … technically, yes, but that is some work … I haven't signed up for nigel: I've never done such things … we should be reaching out to Vlad glenn: there are tools in the Adobe Font Toolset that I've used in the past … there are ASCII representation of the OpenType font that you can create … and use these tools to "compile" the font … I haven't signed up for the time to do that glenn: the impetus is on the implementer to do that as part of their test setup nigel: by relying on a font provided with an implementation, we can go ahead with this test … in the same way that we did the 1st edition test on font selection strategy … there is an action to adjust the test still … that's marked in the issue … line break present so that line height can be verified … it would be good that having done that your implementation passes glenn: other than that I don't have other comments end of meeting nigel: we have no other business … let's end this part of the meeting … 5 min break until we start Meeting with PING <nigel> Gary leaves, Nick and Pete arrive nigel: Thank you again for the feedback you gave us on IMSC … we could look at the details of the specific issues … one thing that came through is … that if there is a privacy issue of fetching things on the web … why is that issue specific to IMSC pal: Nigel posed the problem correctly <npdoty> I’d be interested to learn about the accessibility approach as well, just as we are learning the most productive ways to conduct horizontal reviews and address those issues pal: there is a generic privacy and security issue … true across most if not all W3C specifications … it'd be a lot better if these generic considerations were captured in a single document … so that other don't repeat the same text, the same mitigation, ... … has there been a discussion to have a generic document, just like APA WG did for accessibility? pete: PING has authored a questionnaire … and a fingerprinting guideline document … because we are an interest group … we cannot make anything normative … it's very difficult to speak in very general case … because many specs are different pal: reading the long threat, is that the vulnerability that has been identified here is a generic fetch vulnerability npdoty: there is maybe a more general threat … we do have documentation in the fetch spec for that … but more specifically, because of font and implementation of fallbacks … you can learn information about a client … that's fairly specific to TTML pal: and CSS npdoty: maybe CSS (but have a different way of specifying) and HTML … we need to understand how fallback are done … if you just used CSS, then there would not be any need to document anything pal: the corollary to that is: is it the only issue identified? npdoty: Jeffrey did a review of TTML <npdoty> [17]https://github.com/w3c/ttml2/issues/1189 [17] https://github.com/w3c/ttml2/issues/1189 npdoty: don't remember which edition nigel: TTML2 2nd edition npdoty: he opened an issue with a series of fingerprinting versions … and in the process we opened secure transport issues pal: should we do it in TTML? npdoty: I opened the issue on IMSC because there was a change compared to the previous edition … but it'd be good in TTML nigel: we had some other feedback about accessibility from APA … and they produce a set of requirements, the MAUR, … and we had a section restating that, and based on the feedback we received … we will change that to say: given requirement X, this is how you can do it in IMSC … it'd be great to have privacy requirements … and we would say how to achieve them in IMSC … if we had an ability to do that, that would be super useful … don't know if this is applicable to Privacy npdoty: that would be a good goal … ongoing work in the PING is trying to get more granular and specific … if we can define that precisely, it would be easier for other specs … we are not yet quite at that level of precision … the document I edited gives guidelines to evaluate and some indication on how to mitigate … but different specs have different ways of solving the problem … we were not sure how IMSC fits in the web platform … is it implemented by a Web browser, follows same origin ... pal: you're going to find implementations that span the whole range … from polyfills to embedded devices and web platform glenn: the answer depends who you ask … the browser community, like Google, that it's not part of the Web platform, for historical reasons … the response to that is that for people who need to use TTML in the web, they have to use polyfills … or use server-side mechanisms pal: it's broader than that … there are Android native apps glenn: yes, wide range of responses nigel: I agree … different people define the web platform differently pal: the pragmatic issue we have is … if we agree on the attack vector (fetching) … fetching taking into account locally installed fonts … the next step is what are the mitigations … what do we write in the spec … point to "Mitigating ..." … how do we close this issue? pes: deciding on mitigation, we can provide guidance … but it takes the expertise of this group to decide … you can look at the CSS WG response … it's a little bit outside of PING jurisdiction pal: from an editor standpoint, we need to close the issue … what would it take to close it to your satisfaction npdoty: we have 3 issues open … 2 on TTML and 1 on IMSC … I agree with Pete that since you understand the diverse set of implementations … you're in the best place to decide on the mitigation … a good goal would be to have similar mitigation to what we are working on in CSS … or at least point to that … we don't want to have to be in the situation where this is solved in CSS and not in TT … we have seen that in other groups pal: this document is going to rec soon … where is the concrete mitigation we can point to? npdoty: you can choose one from the CSS WG … or if you are not ready, just note that for implementers … so that they know about that pal: I'm looking for a reference <npdoty> re: mitigating browser fingerprinting, guidance doc is: [18]https://w3c.github.io/fingerprinting-guidance/ [18] https://w3c.github.io/fingerprinting-guidance/ nigel: thanks for the link nigel: is there a specific place in the CSS thread to point to pes: no, the thread is not done, so nothing to point to <npdoty> draft proposal to eliminate font-fingerprinting is ongoing here: [19]https://github.com/w3cping/ font-anti-fingerprinting [19] https://github.com/w3cping/font-anti-fingerprinting pes: I don't think there is a solution that you can point to … it's not a copy/paste answer nigel: the question about whether there is a vector here seems to come from the notion that the decision to fetch a remote font resource or not … is conditional on installed font … but in TTML and IMSC that semantics is not defined … my assumption had been that if some text in a document makes use of a matching font which points to an external URL … unconditionally, regardless of what is installed, the implementation must fetch it … it might not be clear in the text <npdoty> yes, that sounds like a feasible mitigation nigel: but if it were, would that solve the concern ? <Zakim> nigel, you wanted to mention the idea that we don't allow font fetching to be conditional at all in TTML2 and IMSC <pes> (im just agreeing with nick) pal: on the specific proposed mitigation … I'm not sure that sufficient or wise because that would prevent caching nigel: I did not say anything about caching … cache is not relevant for fingerprinting but maybe I'm wrong pal: the second you share any resource you give information to an attacker … could be as subtle as timing, location ... … not sure there is a silver bulllet, specific to IMSC glenn: were you asking if we made lazy vs eager fetching in the spec would be a solution? nigel: not sure I would characterize it as lazy vs. eager <npdoty> unconditional as opposed to conditional nigel: when you would do it is different from if you do it nigel: in CSS, the font might not get fetched if installed … but in TTML, we would dereference and use that, no dependency on installed font glenn: I can't imagine that we would specify that cyril: It could be a note to implementers, … saying that if they are worried about fingerprinting then they could do that. Glenn: Sure. <npdoty> that’s true right now, but it’s not described, so implementers would have to discover the problem and the mitigation all individually Glenn: I would object to trying to nail that down in the spec. <pes> privacy is not an issue that can be pitched to implementors; w3c specs need to be private by default / definition Glenn: I would not object to adding informative language, but getting … agreement on that language might be problematic. … We could always give carte blanche to any informative language because … it doesn't matter, but on the other hand we've spent months … on informative language in other cases. Nigel: To clarify, Glenn, you would object to language that prohibits <npdoty> not lazy vs eager, but unconditional vs conditional (as in nigel’s proposed mitigation) Nigel: conditionally dereferencing on the basis of installed fonts? Glenn: I'd object to normative language that nails down fetching semantics. … I would also require careful scrutiny about referencing anything from CSS WG, … and check if it has buy-in from browser vendors. Cyril: 2 points. … 1. If we want to be pragmatic and publish, maybe one proposal. … Would it be acceptable to move this IMSC issue to TTML2 so we can address all … the privacy issues in the context of TTML2 in general? … 2. More broadly, this group also defines WebVTT so should we have a generic … timed text privacy document and refer to it from all the specs? <cyril> ack Glenn: Could we publish that as an informative note? Doing so would take some time … and would delay matters. That may be something for 3rd Ed for TTML2. … We could only make small tweaks to 2nd Ed in whichever appendix it is. … If you wanted something that all the docs refer to informatively you could publish … a WG Note. Pete: I take the point that every network request reveals something about the … requestor, but there's a difference. For an image file, your browser doesn't check … to see if it is present. … In this case whether or not the browser makes the request reveals something about … the environment. It's more specific than just network requests are revealing. … I can understand why this is frustrating to the group, but if your spec is producing a … new way to get fonts relative to the rest of the web platform then it is your responsibility … to define the privacy aspects of the functionality. … In general informative text is not a satisfactory way to address privacy concerns … for exactly the reason stated, that they don't make any requirements on implementations. Nick: To expand on Pete's second point there, we're coming back to the same question … we had earlier on about what the level of innovation is compared to the rest of … the web platform. I've heard some suggestions that these things are generic, so we should … just do whatever everyone else does, but also suggestions that behaviour about how … the markup is used will not be defined, or that we will not refer to CSS. … I guess that will be a regular question that comes up - is this relying on CSS and Fetch … or if it is not then it will need separate review. … I do think there are different levels of mitigation. … The first might be noting it so implementers are aware of the risks based on how … the implementation is done, but I think Pete is wise to point out that we have had … problems arising from that. That would be the first step though. Pierre: My proposed course of action is a) move this issue to TTML2 because it is not … specific to IMSC. And my proposal in TTML2 would be to note the potential privacy … issue introduced by resource fetching, specifically font fetching, and suggest one … potential mitigation, which is to suggest unconditional fetching. I'd like to hear if … anyone strongly objects to this. <cyril> cyril: I agree Nigel: I agree <pes> I object to non-normative mitigations Glenn: As long as that's a mitigation suggestion up to the implementer that's fine. <pes> for the reason stated here, that “non normative text doesnt matter” (someone in this groups on words) Glenn: The other comment I had earlier for Pete was in response to requiring it to be normative, … I firmly believe that W3C does not implement these specifications, and it does not … certify implementations or test implementations. It does not mandate behaviour <pes> thats WHATWG Glenn: or these sorts of things, so I would certainly not agree with what you said about … making these sort of things normative. … Different groups in W3C might have different positions or opinions, but TTWG has … defined a markup language that has been widely adopted in various industries. … The web platform has at various points made use of TTML and many other industries … have also, and have chosen to create other specifications adding further normative … language about the use of TTML. If others want to add normative requirements in other … specifications then they can do so. One has to make layering and abstraction decisions … about where to put such language. So far we have not done so in TTML and I don't expect … to in the future. That's my current opinion. Pete: Not sure how to respond - W3C is a member org and our HR role is to make sure … that things stay private! <npdoty> that discussion can be ongoing, but I hope we don’t get to the general practice of having a separate spec for the privacy-preserving way of implementing each spec Pete: More constructively perhaps, in the spec, if you say that when being implemented, … as part of the web platform, then it should do X, Y and Z things to resolve fonts, and … should not create new privacy harming paths, and when implemented as part of other <pes> i second nicks point above Pete: platforms it should do what those platforms do to preserve privacy. Pierre: As Glenn pointed out it is going to be very hard for the TTML spec to tell browsers <pes> is your group defining functionality that browsers are supposed to implement? Pierre: what do. We can try to suggest mitigations, but I don't think it is realistic. Glenn: We can put generic language suggesting something of that sort. <npdoty> I’d be +1 on moving the issue to ttml, since it applies to ttml as well. i might recommend that imsc refer to the ongoing issue Pierre: That was my recommendation, to clearly state the attack vector but it is not … reasonable for us to tell web browsers normatively what to do. … Even if I agreed with that, I don't think it's realistic. <npdoty> isn’t it common to define conformance criteria for implementations? Pete: In the last few moments I am suddenly confused. If it is not expecting web browsers … to implement then we should say do what they do. Glenn: We don't say anything about web browsers. Pete: I thought the uncertainty was it seems to be a new way of resolving fonts. Pierre: If it is implemented in a browser, why would it do anything other than what … browsers do. One implementation of IMSC is a polyfill. Pete: The only ask is to take a particular path when implementing through CSS or whatever … else. It seems important that if people are polyfilling into web browsers they should do it correctly. … You could either polyfill via the fetch engine and request fonts or go through CSS and … request fonts that way. Pierre: So the mitigation is? Pete: My suggestion is to be specific about whether to implement polyfills through fetch or CSS. … Then we can assess it. Pierre: We can't assess all the implementations. Realistically we can't mandate all the … ways they are implemented. Glenn: For example you might use an implementation that converts to SVG and doesn't … use CSS at all. Pierre: Exactly. That's why we can say "here's the attack vector" and propose one kind of … mitigation and recommend people use systems that have existing mitigations, but we … can't go down the path of exploring all possible mitigations. Pete: PING's remit is to address what is implemented in browsers. … When it is implemented in browsers then it needs to say how it is implemented in browsers. Pierre: Like in the case of Firefox, native C++ implementations? Pete: Exactly. Glenn: We don't define implementations period. Pierre: Do you see that being useful in general, to say something specifically about how browsers should implement something in TTML? Pete: I can't say that specifically, but what browsers do is the meat and potatoes of W3C. <pes> i said _primarily_ concerned about browsers :) Pierre: But WHATWG. <npdoty> thanks, nigel, for chairing us and helping us to communicate <npdoty> we have some different backgrounds and assumptions, so I know that isn’t always easy Nigel: We're out of time here. I think we have managed to communicate something about … what would help in terms of HR, and some proposed first steps for resolving the open … issues on IMSC and TTML2. … Thank you to Nick and Pete for joining us and helping us through this. It's been … an energetic conversation! Pierre: I will take the action to move the IMSC issue to TTML2 and propose a pull request. Nigel: Thank you. … Let's take those first steps and come back round to this as we need to. … Thanks again everyone. [adjourns meeting] <nigel> s|gitub [20]https://github.com/w3c/imsc/pull/527|| [20] https://github.com/w3c/imsc/pull/527|| <nigel> s| [21]https://github.com/w3c/imsc/pull/527| https:XXgithub.comXw3cXimscXpullX527 [21] https://github.com/w3c/imsc/pull/527| <nigel> s/s|/sX Apologies for the last three entries above - I don't know why those commands failed, but I'm giving up and leaving them in for now, hopefully to edit out later somehow! Minutes manually created (not a transcript), formatted by [22]scribe.perl version 114 (Tue Mar 17 13:45:45 2020 UTC). [22] https://w3c.github.io/scribe2/scribedoc.html
Received on Thursday, 2 April 2020 17:33:01 UTC