- From: Hadley Beeman <hadley@linkedgov.org>
- Date: Fri, 14 Apr 2017 21:12:35 +0000
- To: Mark Watson <watsonm@netflix.com>, www-tag <www-tag@w3.org>
- Message-ID: <CAKK2BTvVsFCyjftDs5qMLgUV8+wY2TSCGTo4Xc1RNVHoKs+LEg@mail.gmail.com>
Hi Mark

I'm just confirming that we have seen your comments and appreciate the quick response! We need a bit of time to coordinate ours (as you know, we cross many time zones) — so I just wanted to thank you and tell you we'll get back to you soon.

Cheers,
Hadley

On Fri, 14 Apr 2017 at 18:24, Mark Watson <watsonm@netflix.com> wrote:

> Dear TAG,
>
> I responded to Hadley's post last night and subsequently read the TAG's
> minutes on this issue.
>
> Respectfully, I do think your response misses a key point.
>
> EME not only gives browser implementors "a seat at the table" (as Alex
> pointed out) with respect to DRM but they make the *choice* *of* and have
> *responsibility* *for* the DRM implementation and/or its use*. Content
> providers no longer get to choose. This is a major shift in both technical
> and business architecture. Browser implementors have strong incentives to
> respect user security and privacy and obviously if the *user's agent* does
> not respect those things, we have much bigger problems.
>
> I've been working on this shift of responsibility to browsers for six
> years. It's the single most important thing in EME. W3C and browser
> implementor involvement has been a strong force for strengthening the
> security and privacy aspects of the specification and W3C's continued
> involvement would be a force against regression. So, it's disappointing that
> this is not recognized in your comments, which read as if CDMs are just
> plugins-by-another-name over which browsers have no control.
>
> Also, several if not all browser implementors have been *exemplars of
> good practice* with respect to encouraging, celebrating and rewarding
> independent security research and this is another reason to be optimistic
> that this shift in responsibility will pay dividends. There is no evidence
> that these implementors are carving out exceptions to their security
> approaches for the DRM component.
>
> The EFF's covenant did not get much support because it would entail a long
> and costly legal negotiation (cf patent policy) and reached much further
> than security research. I'd note that if one really wants to solve a
> problem in standards, it rarely works to come back with the same previously
> rejected proposal a year later (not saying the TAG did this, but others
> have). I think there could easily be a lighter-weight solution, but none of
> the people raising this problem have made any suggestions, so we have the
> guidelines as the only thing on the table.
>
> ...Mark
>
> * just to add, even if the DRM implementation is a platform capability,
> the browser implementor chooses whether it is safe to use it - and which to
> use if there are many - just as they do with any other platform capability.
Received on Friday, 14 April 2017 21:13:19 UTC