[minutes] TV Control API CG call - 08 March 2016

The minutes of today's call are available at:

  https://www.w3.org/2016/03/08-tvapi-minutes.html

... and copied as raw text below.

Thanks,
Francois.


-----
TV Control API CG call

08 Mar 2016

   See also: [2]IRC log

      [2] http://www.w3.org/2016/03/08-tvapi-irc

Attendees

   Present
          Kaz, Francois, Chris, Igarashi_san, Ryan, Sung_Hei, Bin,
          Paul

   Chair
          Bin

   Scribe
          Chris, Francois

Contents

     * [3]Topics
         1. [4]Review of action items
     * [5]Summary of Action Items
     * [6]Summary of Resolutions
     __________________________________________________________

Review of action items

   Bin: The draft WG charter is still out for AC review

   Bin: so we'll wait for the outcome of the review
   ... We had a good discussion last time, thanks Chris and Ryan
   ... There are 3 actions from last time

   Bin: reviewed automotive work and security work
   ... don't think we need changes to the draft
   ... maybe we can ask Ryan about the latest status of the
   automotive group

   ryan: my update on the media tuner or the automotive in
   general?

   cpn: security work specifically

   Kaz: The automotive security TF has been working on use cases
   and requirements in a google doc
   ... Also work on some basic architecture since the TPAC meeting
   ... There was some detailed discussion at the Paris meeting,
   with Genivi

   <kaz> [7]auto minutes - Mar. 3

      [7] https://www.w3.org/2016/03/03-auto-minutes.html

   Kaz: We recently have another security expert, from New Sky
   Security, which should accelerate the security discussion

   <kaz> [8]security wiki

      [8] https://www.w3.org/auto/security/wiki/ASP_TF

   Bin: We should continue to be in contact with this expert and
   see how their security model could apply to our use case
   ... So, we could leave this action open, as we haven't
   identified the impact on our spec yet
   ... And maybe Kaz can help get in contact with the automotive
   TF
   ... You could also join the security TF call

   Chris: I think there are other good W3C resources. There's a
   fingerprinting guidance document, security questionnaire, and
   privileged Context document
   ... All very useful input.
   ... It seems useful to go through each of our API features and
   evaluate them against these documents.
   ... E.g. the ability to scan/list channels, to schedule
   recordings, etc.
   ... Each of these areas may have a different level of impact.
   ... I noticed in the NFC CG that they produced a report on
   security and privacy considerations.

   <cpn> [9]http://w3c.github.io/web-nfc/security-privacy.html --
   NFC report

      [9] http://w3c.github.io/web-nfc/security-privacy.html

   Chris: The Permissions API is interesting for us. It allows the
   user to allow or deny a particular API.
   ... I don't know if that's the right model for us, or if we
   need something different for that.

   <kaz> [10]auto tpac minutes

     [10] https://www.w3.org/2015/10/26-27-auto-minutes.html

   Chris: Something I heard from the Automotive meeting at TPAC:
   two possible runtimes, regular Web runtime and Web-view runtime
   with the possibility to deliver a signed package.
   ... In some other specification that I've looked at, the
   Generic Sensors API just says that some reading should be only
   available to secure contexts.

   <cpn> The draft on github: [11]https://w3c.github.io/sensors/

     [11] https://w3c.github.io/sensors/

   <cpn> [12]https://w3c.github.io/fingerprinting-guidance/

     [12] https://w3c.github.io/fingerprinting-guidance/

   <cpn> [13]https://www.w3.org/TR/permissions/ -- permissions API

     [13] https://www.w3.org/TR/permissions/

   <cpn> [14]https://www.w3.org/TR/powerful-features/ --
   privileged contexts

     [14] https://www.w3.org/TR/powerful-features/

   Chris: This all relates to some of the requirements we may have
   around the visibility of EPG metadata
   ... Do we allow arbitrary Web pages to have access to EPG data?
   Or is it something that we may want to constrain to certain
   restricted contexts.
   ... There may be business incentive to restrict access.
   ... It's not just the end-user privacy, also need to consider
   the content provider's side as well.

   Bin: Right, it's still a debating point in most of these
   markets.

   <cpn> Kaz: On the previous automotive call there was some
   discussion, what should the destination device be?

   Kaz: In the Automotive API, the discussion is also about the
   destination server for the EPG data. Is it localhost?
   ... Some server-based URL?
   ... The security depends on the destination as well

   Bin: I guess there are no answers yet.
   ... So one of the areas to investigate is full/restricted
   access to EPG data.

   Kaz: The NFC CG started similar kinds of discussions, the
   result is great.

   Bin: I propose to leave these action items open and create two
   additional action items

   <scribe> ACTION: Kaz to get in touch with security experts in
   the Automotive group [recorded in
   [15]http://www.w3.org/2016/03/08-tvapi-minutes.html#action01]

     [15] http://www.w3.org/2016/03/08-tvapi-minutes.html#action01

   <scribe> ACTION: Bin to draft a Wiki page listing high-level
   requirements related to restricted access to EPG metadata for
   the sake of security. [recorded in
   [16]http://www.w3.org/2016/03/08-tvapi-minutes.html#action02]

     [16] http://www.w3.org/2016/03/08-tvapi-minutes.html#action02

   Chris: Should we do that on the Wiki, or create a report using
   ReSpec?
   ... I'm just looking at the NFC group and they published this
   as a CG report.

   Bin: Right, that's a final report, but I'm more interested to
   collect requirements here.
   ... Once we have done that, we may decide whether to publish a
   report.

   Ryan: [shows the automotive tuner use cases]
   ... All of these pertain to the media tuner API. The functional
   owner shows who has the information that's needed in each case
   ... Some of these have multiple owners, e.g., for the parental
   lock there's both Web Application and Infotainment System
   ... That was the premise behind the functional owner
   ... All the system functions listed here should all be present
   in the media tuner API
   ... Based on what's needed in current applications today
   ... I'm currently reformatting the media tuner web page into
   the correct format, also to make it more self explanatory
   ... I want to create a draft, to put the pieces together

   Bin: I have a question about the functional owner. If the owner
   is the Infotainment System, is it that the functionality needs
   to be addressed by the API?

   Ryan: Not really, all of these need addressing by the API, the
   owner shows more in which direction the information flows
   ... For example, the Login function is really for the Web
   Application's use

   Bin: I agree, so all of these need API support, so the question
   is whether they are defined by us, or somewhere else

   Ryan: Yes

   Kaz: Is the google spreadsheet public? If so we should put it
   in the minutes

   <rdavis>
   [17]https://docs.google.com/a/pandora.com/spreadsheets/d/1yEZVI
   qgtxp-HgW3dZx9qnUzwOLgGmzmkGO-pF7m8noc/edit?usp=sharing

     [17] https://docs.google.com/a/pandora.com/spreadsheets/d/1yEZVIqgtxp-HgW3dZx9qnUzwOLgGmzmkGO-pF7m8noc/edit?usp=sharing

   Bin: There's another column for the mapping between the media
   API and the TV control API

   Ryan: Yes, I'll be doing that

   Bin: Thanks Ryan for the great work

   <scribe> ACTION: Ryan to continue use case mapping between the
   automotive media API and the TV Control API, and start to put
   together a draft [recorded in
   [18]http://www.w3.org/2016/03/08-tvapi-minutes.html#action03]

     [18] http://www.w3.org/2016/03/08-tvapi-minutes.html#action03

   Bin: That completes the review of active items. Is there
   anything new in terms of Phase 2 contributions?
   ... Once Ryan has completed the mapping, there may be some
   gaps, so we can consider those in our requirements
   ... Is there any other business?

   Kaz: Please ask your AC reps to respond to the WG charter
   review

   <kaz> (positively :)

   Bin: Anything else?
   ... Thank you all for your contributions, and we'll speak on
   the next call in 4 weeks

   [adjourned]

Summary of Action Items

   [NEW] ACTION: Bin to draft a Wiki page listing high-level
   requirements related to restricted access to EPG metadata for
   the sake of security. [recorded in
   [19]http://www.w3.org/2016/03/08-tvapi-minutes.html#action02]
   [NEW] ACTION: Kaz to get in touch with security experts in the
   Automotive group [recorded in
   [20]http://www.w3.org/2016/03/08-tvapi-minutes.html#action01]
   [NEW] ACTION: Ryan to continue use case mapping between the
   automotive media API and the TV Control API, and start to put
   together a draft [recorded in
   [21]http://www.w3.org/2016/03/08-tvapi-minutes.html#action03]

     [19] http://www.w3.org/2016/03/08-tvapi-minutes.html#action02
     [20] http://www.w3.org/2016/03/08-tvapi-minutes.html#action01
     [21] http://www.w3.org/2016/03/08-tvapi-minutes.html#action03

Summary of Resolutions

   [End of minutes]

Received on Tuesday, 8 March 2016 17:07:18 UTC