- From: Martin Splitt <mr.avgp@gmail.com>
- Date: Wed, 13 Jul 2016 12:00:06 +0200
- To: Florian Bösch <pyalot@gmail.com>
- Cc: Brandon Jones <bajones@google.com>, public-webvr@w3.org
- Message-ID: <CADp4Syody5avWeY5miL+QTjbtmiVp=x-=HP9z=eb8qvKnDtN9A@mail.gmail.com>

Hey Florian,

thanks for the feedback! I have some questions about some of the points you made, let's try to focus on the issue of TLS-only WebVR and not divert into the general topic of TLS-everywhere.

Oh and thank Brandon for involving the community in this question and for pushing the standard forward by providing us with builds :) Much appreciated!

So, let's see..

On 13.07.2016 at 11:28 AM, "Florian Bösch" <pyalot@gmail.com> wrote:
>
>> This is consistent with our current policy for powerful new features,
>
> It's a bad policy.

Mind elaborating on this? The policy is not a surprise seeing browser vendors concerned with transport encryption for privacy and integrity of content and data. I don't find it "bad" to safeguard users from MitM etc. for many features such as geolocation or payments. For WebVR this is debatable, I guess, but not a bad policy in general. What makes it bad?

>>
>> We are, in effect, giving sites the ability to take over not just your cursor
>
> Gaze isn't your cursor. And it's not "taking it over". If you don't react to gaze, you make users puke, there's no choice on following gaze if you're writing VR.
>
>>
>> or your screen
>
> You're not giving people the control to take over somebody's screen, unless you consider "writing any webpage" the same. Why don't you make "any webpage" HTTPS only? Hm funny that, ain't it?

It's not your cursor but it makes you more susceptible to bad experiences and tearing down the headset may be a little late to avoid a very bad experience. Also, what's so bad about having every website on HTTPS, besides the nuisance that is the CA business. Let's Encrypt tries to remediate that (and hopefully more will follow).

>>
>> but completely override one of your senses.
>
> You're not overriding anybody's senses. It's a HMD, people can take it off.
>

That's not sufficient when something bad has already happened. Think of jump scares, for instance.

>>
>> It's prudent for us to ensure the digital reality we deliver
>
> You don't deliver anything. Website authors deliver content, you're just transmitting it. How authors transmit is up to them, not to you.
>

Browser vendors provide us with the ability to deliver content using VR hardware, I don't see your point here.

>>
>> to users is authenticated,
>
> TLS does nothing whatsoever for authentication in any way.
>

It authenticates the content provider to the user.

>>
>> integrity-checked, and confidential.
>
> Those largely don't matter in any way specific to WebVR, in fact, they matter even less for WebVR than for general web content.
>

Here I agree with you, I would like to see what information we exactly try to protect from prying eyes. Integrity, though, I accept as a valuable asset.

>> We welcome feedback, especially if this policy makes your planned use case infeasible!
>
> TLS makes all kinds of things infeasible.

Can you give an example?

Received on Wednesday, 13 July 2016 10:04:02 UTC