[Bug 25985] WebCrypto should be inter-operable from bugzilla@jessica.w3.org on 2014-06-05 (public-webcrypto@w3.org from June 2014)

From: <bugzilla@jessica.w3.org>
Date: Thu, 05 Jun 2014 02:20:55 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25985-7213-f7xSfjTSkw@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25985

--- Comment #4 from Boris Zbarsky <bzbarsky@mit.edu> ---
> Consider a hypothetical world where we require algorithms X, Y, and Z.

I understand that this world is not reasonable.

Can we have a world where we require at least one of X, Y, and Z?  And if we
can have requirements where if you implement less-secure X you also need to
implement more-secure Y, that's good too.  I understand how this last may not
be possible, though, given the various legal issues.

> Is it against interoperability if a user agent doesn't implement <img> support? 

It depends.  HTML defines several different conformance profiles which have
slightly different requirements on UAs, and also has certain behaviors that are
in fact optional.  For this particular case, a UA is allowed to not show
images, but in that case it's required to do certain other things (e.g. show
the alt text).

> What about Javascript? Cookies? Location APIs?

UAs are allowed to let the user do whatever they want, including the user
explicitly instructing the UA to violate the spec.  That's what makes UAs
_user_ agents.

The default UA configuration, however, for the "web browser" HTML conformance
class, is expected to have JavaScript and cookies enabled.  Also location APIs,
though whether to expose location information to pages is subject to user
control, of course.  On the other hand, the "mail reader" HTML conformance
class is not expected to have JavaScript enabled.

But the number of these conformance classes in HTML is finite and small, and
the general aim is to minimize the number of conformance classes and possible
different behaviors.

> Is it against interoperability if a (generic, desktop) UA that supports the
> location API executes on a device that does not have access to location
> information?

Obviously, yes, since the API won't actually work.  ;)

Whether such interop problems are _avoidable_ is a different question, of
course.  Sometimes they're not.

> Similarly, if a UA restricts access to audio/video access (via
> getUserMedia()), is it against interoperability?

The spec for getUserMedia explicitly allows the UA to restrict access based on
the user's decision here, for obvious reasons.   Yes, this means a page might
not work as the page author intended if the user decides to not let it.

In practice, most modern consumer hardware (e.g. most laptops and pretty much
every single phone and tablet) has a webcam, microphone, location support, etc.
 And people who try to use such things understand when they might be missing
and why.  That's a lot less obvious to me with algorithms.  Are we expecting
most UAs to actually ship overlapping algorithm sets, for example, or disjoint
ones?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 5 June 2014 02:20:57 UTC