Re: Require security review before FPWD

On Nov 3, 2014, at 13:07 , Sam Ruby <> wrote:

> On 11/03/2014 07:33 AM, Anne van Kesteren wrote:
>> On Mon, Nov 3, 2014 at 1:10 PM, David Singer <>
>> wrote:
>>> Since I have no idea how we got from ‘when is it required that an
>>> XXX review be done?’ to ‘has the W3C endorsed DRM?’ I can only
>>> conclude that we’re seriously at cross purposes.
>> I brought up EME as an example of where vendors implemented and
>> shipped something that is bad for security and privacy. Reviewers
>> are at a loss. You said vendors should follow the W3C. I argued that
>> such an argument did not apply here as the W3C has not made up its
>> made mind (or so claims the leadership).
> Having recently been at a F2F with those vendors, I can confidently
> state that a security review prior to FPWD would not have changed vendor
> behavior. 

If a vendor wants to ship before these reviews are done, of course they can.  But we owe it to them to make it clear that they have not been done, and also to do them ‘in a timely manner’ so they are not caught between shipping now (with possible XXXX issues) or not meeting their markets needs in a timely fashion.

David Singer
Manager, Software Standards, Apple Inc.

Received on Monday, 3 November 2014 15:07:44 UTC