Re: Require security review before FPWD from Mike West on 2014-11-03 (public-w3process@w3.org from November 2014)

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 15:17:59 +0100
To: Sam Ruby <rubys@intertwingly.net>
Cc: public-w3process@w3.org
Message-ID: <CAKXHy=e-iUiM0EswHX1B4O7P-aUHurO6DdhxaK2gP7fV5nnUqw@mail.gmail.com>

Skimming through this thread again, the concept of a questionnaire makes a
lot of sense to me. I did a quick brain dump at
https://github.com/mikewest/spec-questionnaire/blob/master/questionnaire.markdown
which
skims through some of the questions that come to mind regarding both
security and privacy considerations.

Does that document capture the general direction folks are considering?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Nov 3, 2014 at 2:07 PM, Sam Ruby <rubys@intertwingly.net> wrote:

>
>
> On 11/03/2014 07:33 AM, Anne van Kesteren wrote:
>
>> On Mon, Nov 3, 2014 at 1:10 PM, David Singer <singer@apple.com>
>> wrote:
>>
>>> Since I have no idea how we got from ‘when is it required that an
>>> XXX review be done?’ to ‘has the W3C endorsed DRM?’ I can only
>>> conclude that we’re seriously at cross purposes.
>>>
>>
>> I brought up EME as an example of where vendors implemented and
>> shipped something that is bad for security and privacy. Reviewers
>> are at a loss. You said vendors should follow the W3C. I argued that
>> such an argument did not apply here as the W3C has not made up its
>> made mind (or so claims the leadership).
>>
>
> Having recently been at a F2F with those vendors, I can confidently
> state that a security review prior to FPWD would not have changed vendor
> behavior.  In fact, I see a lot of parallel to the <video> tag[1].  That
> being said, discussion is ongoing, and I encourage readers to consult
> the following:
>
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#c130
>
> https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-
> media/encrypted-media.html#privacy-secureorigin
>
> - Sam Ruby
>
> [1] http://lists.w3.org/Archives/Public/public-whatwg-archive/
> 2009Jun/0599.html
>
>

Received on Monday, 3 November 2014 14:18:49 UTC