Re: Require security review before FPWD

Skimming through this thread again, the concept of a questionnaire makes a
lot of sense to me. I did a quick brain dump at
skims through some of the questions that come to mind regarding both
security and privacy considerations.

Does that document capture the general direction folks are considering?


Mike West

On Mon, Nov 3, 2014 at 2:07 PM, Sam Ruby wrote:

> On 11/03/2014 07:33 AM, Anne van Kesteren wrote:
>> On Mon, Nov 3, 2014 at 1:10 PM, David Singer wrote:
>>> Since I have no idea how we got from ‘when is it required that an
>>> XXX review be done?’ to ‘has the W3C endorsed DRM?’ I can only
>>> conclude that we’re seriously at cross purposes.
>> I brought up EME as an example of where vendors implemented and
>> shipped something that is bad for security and privacy. Reviewers
>> are at a loss. You said vendors should follow the W3C. I argued that
>> such an argument did not apply here as the W3C has not made up its
>> mind (or so claims the leadership).
> Having recently been at a F2F with those vendors, I can confidently
> state that a security review prior to FPWD would not have changed vendor
> behavior.  In fact, I see a lot of parallel to the <video> tag[1].  That
> being said, discussion is ongoing, and I encourage readers to consult
> the following:
> media/encrypted-media.html#privacy-secureorigin
> - Sam Ruby
> [1]
> 2009Jun/0599.html

Received on Monday, 3 November 2014 14:18:49 UTC