- From: Nigel Megitt <nigel.megitt@bbc.co.uk>
- Date: Thu, 2 Apr 2020 17:32:34 +0000
- To: "public-tt@w3.org" <public-tt@w3.org>
- CC: Nick Doty <npdoty@ischool.berkeley.edu>, Pete Snyder <psnyder@brave.com>
- Message-ID: <F2C4508C-9260-4E14-A593-EE83C4ED564A@bbc.co.uk>
Thanks all for the extra long two part call today. Minutes can be found in HTML format at https://www.w3.org/2020/04/02-tt-minutes.html
In text format:
[1]W3C
[1] https://www.w3.org/
Timed Text Working Group Teleconference
02 April 2020
[2]Previous meeting. [3]Agenda. [4]IRC log.
[2] https://www.w3.org/2020/03/26-tt-minutes.html
[3] https://github.com/w3c/ttwg/issues/105
[4] https://www.w3.org/2020/04/02-tt-irc
Attendees
Present
Andreas, Atsushi, Cyril, Gary, Glenn, Nick_Doty, Nigel,
Pete_Snyder, Pierre
Regrets
-
Chair
Gary, Nigel
Scribe
cyril_, nigel
Contents
1. [5]This meeting
2. [6]IMSC 1.2
3. [7]Note that the user can influence the document processing
context
4. [8]Address A11Y comments related to WCAG 2.1
5. [9]imsc/rec
6. [10]TTML2 2nd Edition Implementation Report
7. [11]end of meeting
8. [12]Meeting with PING
Meeting minutes
This meeting
Nigel: Today, we have a few IMSC issues, TTML2 IR, and starting
at 1600 UTC, a joint
… session with some members of the PING.
nigel: pierre are you able to join for the 2nd hour?
pal: yes
nigel: any AOB?
IMSC 1.2
nigel: there were a couple of editorial PRs
… probably better to run them on the call
… I added them to our agenda
Note that the user can influence the document processing context
gitub [13]https://github.com/w3c/imsc/pull/527
[13] https://github.com/w3c/imsc/pull/527
github: [14]https://github.com/w3c/imsc/pull/527
[14] https://github.com/w3c/imsc/pull/527
nigel: if you go the PR, the preview and diff now appeared
… there is one note added to the D.2 appendix: MAUR
considerations
… I provided some review comments that are now resolved
… I just want to make sure that more people look at it
pal: ideally the main commenter
… I don't think we can merge this until the main commenter's
review
nigel: we need to make sure we have consensus among us also
… if it sounds good, we'll just go ahead with this text
… I'll go back to the APA
pal: we actually need them to participate
… I'm not happy merging this until we have clear feedback from
them
nigel: agree, we can prompt the person or the group with the
text that we agree on
… the commenter who raised it is W3C staff
atsushi: my personal opinion would be to ping them on GitHub
glenn: I would recommend closing due to lack of response
nigel: I will reach out to the commenter
nigel: nobody seems to have any other comment on it
SUMMARY: TTWG is happy with the current proposal and would like
review by APA WG @michael-n-cooper
Address A11Y comments related to WCAG 2.1
github: [15]https://github.com/w3c/imsc/pull/526
[15] https://github.com/w3c/imsc/pull/526
nigel: this PR is closing a couple of things
pal: I think there are things we need to talk about
pal: there is the issue raised by the APA related to updating
reference to WCAG 2.1
… that's issue
… and also rewriting appendix D.1
… and reference success criteria instead of interpreting and
indicate how to best address them with IMSC
… in the process of doing this, Nigel raised the question on an
example provided in Appendix D.1
… Nigel reviewed it, suggested some changes
… I went back in time to find the history of this paragraph
… many eons ago
… I'm really reluctant to change it
… because we spent so much time on it and it's only an example
… my preference would be to add one more example
nigel: I'm not sure how it came as part of my review
… maybe because the changes are big
… I think the text came from J Birch after some debate
pal: What I've done editorially is to label it as an example
… if there is another example, we should add it
… but we should not touch the example anymore
nigel: it wasn't very clear what functional information means
… it doesn't seem to mention that you can use styling
attributes to achieve the same thing
… it does not refer to using ttm:role to identify the kind of
thing that the text is representing
… simply leaving the text as is in the PR and adding another
example could work
pal: I'm happy to review proposed example
nigel: I will provide one
nigel: I like the "suggestion" feature in the current PR, it's
a new GitHub feature
pal: I have a question out to the commenter
… I have asked a question on issue 521 and 522, 21 days ago and
still waiting
nigel: we can't proceed because we are waiting for some answer
pal: 524 we said we will not make changes for it, we should
close it
nigel: we can just leave that open because we took out the
milestone
pal: so it's only 521 and 522 for which we are waiting for
answers
nigel: back on 526, we have a way forward to resolve my
comments
… I encourage everybody to have a look at it
… I think it will resolve the APA comments
pal: it could be a good template to solving the PING comments
… if they could come up with guidelines
… that we can reference
nigel: agree
imsc/rec
nigel: we had a conversation about it last week
… atsushi needed to take that to the team
… and I wanted to know where we are
atsushi: I thought to ask next week
nigel: because of our decision policy?
atsushi: I thought this was a recommendation from someone that
we need to be secure on it
nigel: it's true that with our decision policy, someone could
comment on it, but unlikely
atsushi: I was advised to wait some time after request to setup
some difference link
… to avoid misoperation on our W3C systems side
… maybe Philippe's suggestion
nigel: I did not notice this
… if you need time before making the change, fine but let us
know
atsushi: could happen next week
nigel: sounds good
TTML2 2nd Edition Implementation Report
nigel: there has been some activity by Glenn
… I did some review
… we are moving forward
… no particular test need agenda time
glenn: the only one that might is the one on line height and
font strategy
nigel: 252
glenn: the previous one having to do with
fontStrategySelection, a presentation test
… that was put in TTML2 1ed
<nigel> [16]https://github.com/w3c/ttml2-tests/blob/master/
presentation/valid/ttml2-prstn-font-selection-strategy.xml
[16] https://github.com/w3c/ttml2-tests/blob/master/presentation/valid/ttml2-prstn-font-selection-strategy.xml
glenn: it's about the impact of font strategy selection on line
height
nigel: and that previous test has a description
… and because there is combined character it would be clear
what will happen
glenn: that test that preexisted and this one rely on something
that cannot be interoperably tested
nigel: in the original test, we made the assumption that the
default font did not support combining characters
… we never verified that such a font exists
glenn: you had asked if we could construct such a font
… technically, yes, but that is some work
… I haven't signed up for
nigel: I've never done such things
… we should be reaching out to Vlad
glenn: there are tools in the Adobe Font Toolset that I've used
in the past
… there are ASCII representation of the OpenType font that you
can create
… and use these tools to "compile" the font
… I haven't signed up for the time to do that
glenn: the impetus is on the implementer to do that as part of
their test setup
nigel: by relying on a font provided with an implementation, we
can go ahead with this test
… in the same way that we did the 1st edition test on font
selection strategy
… there is an action to adjust the test still
… that's marked in the issue
… line break present so that line height can be verified
… it would be good that having done that your implementation
passes
glenn: other than that I don't have other comments
end of meeting
nigel: we have no other business
… let's end this part of the meeting
… 5 min break until we start
Meeting with PING
<nigel> Gary leaves, Nick and Pete arrive
nigel: Thank you again for the feedback you gave us on IMSC
… we could look at the details of the specific issues
… one thing that came through is
… that if there is a privacy issue of fetching things on the
web
… why is that issue specific to IMSC
pal: Nigel posed the problem correctly
<npdoty> I’d be interested to learn about the accessibility
approach as well, just as we are learning the most productive
ways to conduct horizontal reviews and address those issues
pal: there is a generic privacy and security issue
… true across most if not all W3C specifications
… it'd be a lot better if these generic considerations were
captured in a single document
… so that other don't repeat the same text, the same
mitigation, ...
… has there been a discussion to have a generic document, just
like APA WG did for accessibility?
pete: PING has authored a questionnaire
… and a fingerprinting guideline document
… because we are an interest group
… we cannot make anything normative
… it's very difficult to speak in very general case
… because many specs are different
pal: reading the long threat, is that the vulnerability that
has been identified here is a generic fetch vulnerability
npdoty: there is maybe a more general threat
… we do have documentation in the fetch spec for that
… but more specifically, because of font and implementation of
fallbacks
… you can learn information about a client
… that's fairly specific to TTML
pal: and CSS
npdoty: maybe CSS (but have a different way of specifying) and
HTML
… we need to understand how fallback are done
… if you just used CSS, then there would not be any need to
document anything
pal: the corollary to that is: is it the only issue identified?
npdoty: Jeffrey did a review of TTML
<npdoty> [17]https://github.com/w3c/ttml2/issues/1189
[17] https://github.com/w3c/ttml2/issues/1189
npdoty: don't remember which edition
nigel: TTML2 2nd edition
npdoty: he opened an issue with a series of fingerprinting
versions
… and in the process we opened secure transport issues
pal: should we do it in TTML?
npdoty: I opened the issue on IMSC because there was a change
compared to the previous edition
… but it'd be good in TTML
nigel: we had some other feedback about accessibility from APA
… and they produce a set of requirements, the MAUR,
… and we had a section restating that, and based on the
feedback we received
… we will change that to say: given requirement X, this is how
you can do it in IMSC
… it'd be great to have privacy requirements
… and we would say how to achieve them in IMSC
… if we had an ability to do that, that would be super useful
… don't know if this is applicable to Privacy
npdoty: that would be a good goal
… ongoing work in the PING is trying to get more granular and
specific
… if we can define that precisely, it would be easier for other
specs
… we are not yet quite at that level of precision
… the document I edited gives guidelines to evaluate and some
indication on how to mitigate
… but different specs have different ways of solving the
problem
… we were not sure how IMSC fits in the web platform
… is it implemented by a Web browser, follows same origin ...
pal: you're going to find implementations that span the whole
range
… from polyfills to embedded devices and web platform
glenn: the answer depends who you ask
… the browser community, like Google, that it's not part of the
Web platform, for historical reasons
… the response to that is that for people who need to use TTML
in the web, they have to use polyfills
… or use server-side mechanisms
pal: it's broader than that
… there are Android native apps
glenn: yes, wide range of responses
nigel: I agree
… different people define the web platform differently
pal: the pragmatic issue we have is
… if we agree on the attack vector (fetching)
… fetching taking into account locally installed fonts
… the next step is what are the mitigations
… what do we write in the spec
… point to "Mitigating ..."
… how do we close this issue?
pes: deciding on mitigation, we can provide guidance
… but it takes the expertise of this group to decide
… you can look at the CSS WG response
… it's a little bit outside of PING jurisdiction
pal: from an editor standpoint, we need to close the issue
… what would it take to close it to your satisfaction
npdoty: we have 3 issues open
… 2 on TTML and 1 on IMSC
… I agree with Pete that since you understand the diverse set
of implementations
… you're in the best place to decide on the mitigation
… a good goal would be to have similar mitigation to what we
are working on in CSS
… or at least point to that
… we don't want to have to be in the situation where this is
solved in CSS and not in TT
… we have seen that in other groups
pal: this document is going to rec soon
… where is the concrete mitigation we can point to?
npdoty: you can choose one from the CSS WG
… or if you are not ready, just note that for implementers
… so that they know about that
pal: I'm looking for a reference
<npdoty> re: mitigating browser fingerprinting, guidance doc
is: [18]https://w3c.github.io/fingerprinting-guidance/
[18] https://w3c.github.io/fingerprinting-guidance/
nigel: thanks for the link
nigel: is there a specific place in the CSS thread to point to
pes: no, the thread is not done, so nothing to point to
<npdoty> draft proposal to eliminate font-fingerprinting is
ongoing here: [19]https://github.com/w3cping/
font-anti-fingerprinting
[19] https://github.com/w3cping/font-anti-fingerprinting
pes: I don't think there is a solution that you can point to
… it's not a copy/paste answer
nigel: the question about whether there is a vector here seems
to come from the notion that the decision to fetch a remote
font resource or not
… is conditional on installed font
… but in TTML and IMSC that semantics is not defined
… my assumption had been that if some text in a document makes
use of a matching font which points to an external URL
… unconditionally, regardless of what is installed, the
implementation must fetch it
… it might not be clear in the text
<npdoty> yes, that sounds like a feasible mitigation
nigel: but if it were, would that solve the concern ?
<Zakim> nigel, you wanted to mention the idea that we don't
allow font fetching to be conditional at all in TTML2 and IMSC
<pes> (im just agreeing with nick)
pal: on the specific proposed mitigation
… I'm not sure that sufficient or wise because that would
prevent caching
nigel: I did not say anything about caching
… cache is not relevant for fingerprinting but maybe I'm wrong
pal: the second you share any resource you give information to
an attacker
… could be as subtle as timing, location ...
… not sure there is a silver bulllet, specific to IMSC
glenn: were you asking if we made lazy vs eager fetching in the
spec would be a solution?
nigel: not sure I would characterize it as lazy vs. eager
<npdoty> unconditional as opposed to conditional
nigel: when you would do it is different from if you do it
nigel: in CSS, the font might not get fetched if installed
… but in TTML, we would dereference and use that, no dependency
on installed font
glenn: I can't imagine that we would specify that
cyril: It could be a note to implementers,
… saying that if they are worried about fingerprinting then
they could do that.
Glenn: Sure.
<npdoty> that’s true right now, but it’s not described, so
implementers would have to discover the problem and the
mitigation all individually
Glenn: I would object to trying to nail that down in the spec.
<pes> privacy is not an issue that can be pitched to
implementors; w3c specs need to be private by default /
definition
Glenn: I would not object to adding informative language, but
getting
… agreement on that language might be problematic.
… We could always give carte blanche to any informative
language because
… it doesn't matter, but on the other hand we've spent months
… on informative language in other cases.
Nigel: To clarify, Glenn, you would object to language that
prohibits
<npdoty> not lazy vs eager, but unconditional vs conditional
(as in nigel’s proposed mitigation)
Nigel: conditionally dereferencing on the basis of installed
fonts?
Glenn: I'd object to normative language that nails down
fetching semantics.
… I would also require careful scrutiny about referencing
anything from CSS WG,
… and check if it has buy-in from browser vendors.
Cyril: 2 points.
… 1. If we want to be pragmatic and publish, maybe one
proposal.
… Would it be acceptable to move this IMSC issue to TTML2 so we
can address all
… the privacy issues in the context of TTML2 in general?
… 2. More broadly, this group also defines WebVTT so should we
have a generic
… timed text privacy document and refer to it from all the
specs?
<cyril> ack
Glenn: Could we publish that as an informative note? Doing so
would take some time
… and would delay matters. That may be something for 3rd Ed for
TTML2.
… We could only make small tweaks to 2nd Ed in whichever
appendix it is.
… If you wanted something that all the docs refer to
informatively you could publish
… a WG Note.
Pete: I take the point that every network request reveals
something about the
… requestor, but there's a difference. For an image file, your
browser doesn't check
… to see if it is present.
… In this case whether or not the browser makes the request
reveals something about
… the environment. It's more specific than just network
requests are revealing.
… I can understand why this is frustrating to the group, but if
your spec is producing a
… new way to get fonts relative to the rest of the web platform
then it is your responsibility
… to define the privacy aspects of the functionality.
… In general informative text is not a satisfactory way to
address privacy concerns
… for exactly the reason stated, that they don't make any
requirements on implementations.
Nick: To expand on Pete's second point there, we're coming back
to the same question
… we had earlier on about what the level of innovation is
compared to the rest of
… the web platform. I've heard some suggestions that these
things are generic, so we should
… just do whatever everyone else does, but also suggestions
that behaviour about how
… the markup is used will not be defined, or that we will not
refer to CSS.
… I guess that will be a regular question that comes up - is
this relying on CSS and Fetch
… or if it is not then it will need separate review.
… I do think there are different levels of mitigation.
… The first might be noting it so implementers are aware of the
risks based on how
… the implementation is done, but I think Pete is wise to point
out that we have had
… problems arising from that. That would be the first step
though.
Pierre: My proposed course of action is a) move this issue to
TTML2 because it is not
… specific to IMSC. And my proposal in TTML2 would be to note
the potential privacy
… issue introduced by resource fetching, specifically font
fetching, and suggest one
… potential mitigation, which is to suggest unconditional
fetching. I'd like to hear if
… anyone strongly objects to this.
<cyril> cyril: I agree
Nigel: I agree
<pes> I object to non-normative mitigations
Glenn: As long as that's a mitigation suggestion up to the
implementer that's fine.
<pes> for the reason stated here, that “non normative text
doesnt matter” (someone in this groups on words)
Glenn: The other comment I had earlier for Pete was in response
to requiring it to be normative,
… I firmly believe that W3C does not implement these
specifications, and it does not
… certify implementations or test implementations. It does not
mandate behaviour
<pes> thats WHATWG
Glenn: or these sorts of things, so I would certainly not agree
with what you said about
… making these sort of things normative.
… Different groups in W3C might have different positions or
opinions, but TTWG has
… defined a markup language that has been widely adopted in
various industries.
… The web platform has at various points made use of TTML and
many other industries
… have also, and have chosen to create other specifications
adding further normative
… language about the use of TTML. If others want to add
normative requirements in other
… specifications then they can do so. One has to make layering
and abstraction decisions
… about where to put such language. So far we have not done so
in TTML and I don't expect
… to in the future. That's my current opinion.
Pete: Not sure how to respond - W3C is a member org and our HR
role is to make sure
… that things stay private!
<npdoty> that discussion can be ongoing, but I hope we don’t
get to the general practice of having a separate spec for the
privacy-preserving way of implementing each spec
Pete: More constructively perhaps, in the spec, if you say that
when being implemented,
… as part of the web platform, then it should do X, Y and Z
things to resolve fonts, and
… should not create new privacy harming paths, and when
implemented as part of other
<pes> i second nicks point above
Pete: platforms it should do what those platforms do to
preserve privacy.
Pierre: As Glenn pointed out it is going to be very hard for
the TTML spec to tell browsers
<pes> is your group defining functionality that browsers are
supposed to implement?
Pierre: what do. We can try to suggest mitigations, but I don't
think it is realistic.
Glenn: We can put generic language suggesting something of that
sort.
<npdoty> I’d be +1 on moving the issue to ttml, since it
applies to ttml as well. i might recommend that imsc refer to
the ongoing issue
Pierre: That was my recommendation, to clearly state the attack
vector but it is not
… reasonable for us to tell web browsers normatively what to
do.
… Even if I agreed with that, I don't think it's realistic.
<npdoty> isn’t it common to define conformance criteria for
implementations?
Pete: In the last few moments I am suddenly confused. If it is
not expecting web browsers
… to implement then we should say do what they do.
Glenn: We don't say anything about web browsers.
Pete: I thought the uncertainty was it seems to be a new way of
resolving fonts.
Pierre: If it is implemented in a browser, why would it do
anything other than what
… browsers do. One implementation of IMSC is a polyfill.
Pete: The only ask is to take a particular path when
implementing through CSS or whatever
… else. It seems important that if people are polyfilling into
web browsers they should do it correctly.
… You could either polyfill via the fetch engine and request
fonts or go through CSS and
… request fonts that way.
Pierre: So the mitigation is?
Pete: My suggestion is to be specific about whether to
implement polyfills through fetch or CSS.
… Then we can assess it.
Pierre: We can't assess all the implementations. Realistically
we can't mandate all the
… ways they are implemented.
Glenn: For example you might use an implementation that
converts to SVG and doesn't
… use CSS at all.
Pierre: Exactly. That's why we can say "here's the attack
vector" and propose one kind of
… mitigation and recommend people use systems that have
existing mitigations, but we
… can't go down the path of exploring all possible mitigations.
Pete: PING's remit is to address what is implemented in
browsers.
… When it is implemented in browsers then it needs to say how
it is implemented in browsers.
Pierre: Like in the case of Firefox, native C++
implementations?
Pete: Exactly.
Glenn: We don't define implementations period.
Pierre: Do you see that being useful in general, to say
something specifically about how browsers should implement
something in TTML?
Pete: I can't say that specifically, but what browsers do is
the meat and potatoes of W3C.
<pes> i said _primarily_ concerned about browsers :)
Pierre: But WHATWG.
<npdoty> thanks, nigel, for chairing us and helping us to
communicate
<npdoty> we have some different backgrounds and assumptions, so
I know that isn’t always easy
Nigel: We're out of time here. I think we have managed to
communicate something about
… what would help in terms of HR, and some proposed first steps
for resolving the open
… issues on IMSC and TTML2.
… Thank you to Nick and Pete for joining us and helping us
through this. It's been
… an energetic conversation!
Pierre: I will take the action to move the IMSC issue to TTML2
and propose a pull request.
Nigel: Thank you.
… Let's take those first steps and come back round to this as
we need to.
… Thanks again everyone. [adjourns meeting]
<nigel> s|gitub [20]https://github.com/w3c/imsc/pull/527||
[20] https://github.com/w3c/imsc/pull/527||
<nigel> s| [21]https://github.com/w3c/imsc/pull/527|
https:XXgithub.comXw3cXimscXpullX527
[21] https://github.com/w3c/imsc/pull/527|
<nigel> s/s|/sX
Apologies for the last three entries above - I don't know why
those commands failed, but I'm giving up and leaving them in
for now, hopefully to edit out later somehow!
Minutes manually created (not a transcript), formatted by
[22]scribe.perl version 114 (Tue Mar 17 13:45:45 2020 UTC).
[22] https://w3c.github.io/scribe2/scribedoc.html
Received on Thursday, 2 April 2020 17:33:01 UTC