- From: Hadley Beeman <hadley@linkedgov.org>
- Date: Tue, 18 Apr 2017 17:24:28 +0100
- To: Mark Watson <watsonm@netflix.com>, www-tag <www-tag@w3.org>
- Message-ID: <CAKK2BTv5H+zjLKNBDzn5-L4WK-+B8+J+V4eQ+FhE+TcEBjz8_Q@mail.gmail.com>
Just pasting this here to be thorough... I've responded to Mark's comment on the github issues repo for EME: https://github.com/w3c/encrypted-media/issues/389#issuecomment-294899194 Cheers, Hadley On Fri, Apr 14, 2017 at 10:12 PM, Hadley Beeman <hadley@linkedgov.org> wrote: > Hi Mark > > I'm just confirming that we have seen your comments and appreciate the > quick response! We need a bit of time to coordinate ours (as you know, we > cross many time zones) — so I just wanted to thank you and tell you we'll > get back to you soon. > > Cheers, > > Hadley > > Le ven. 14 avr. 2017 à 18:24, Mark Watson <watsonm@netflix.com> a écrit : > >> Dear TAG, >> >> I responded to Hadley's post last night and subsequently read the TAG's >> minutes on this issue. >> >> Respectfully, I do think your response misses a key point. >> >> EME not only gives browser implementors "a seat at the table" (as Alex >> pointed out) with respect to DRM but they make the *choice* *of* and >> have *responsibility* *for* the DRM implementation and/or its use*. >> Content providers no longer get to choose. This is a major shift in both >> technical and business architecture. Browser implementors have strong >> incentives to respect user security and privacy and obviously if the *user's >> agent* does not respect those things, we have much bigger problems. >> >> I've been working on this shift of responsibility to browsers for six >> years. It's the single most important thing in EME. W3C and browser >> implementor involvement has been a strong force for strengthening the >> security and privacy aspects of the specification and W3C's continued >> involvement would be a force against regression. So, its disappointing that >> this is not recognized in your comments, which read as if CDMs are just >> plugins-by-another-name over which browsers have no control. >> >> Also, several if not all browser implementors have been *exemplars of >> good practice* with respect encouraging, celebrating and rewarding >> independent security research and this is another reason to be optimistic >> that this shift in responsibility will pay dividends. There is no evidence >> that these implementors are carving out exceptions to their security >> approaches for the DRM component. >> >> The EFF's covenant did not get much support because it would entail a >> long and costly legal negotiation (cf patent policy) and reached much >> further than security research. I'd note that if one really wants to solve >> a problem in standards, it rarely works to come back with the same >> previously rejected proposal a year later (not saying the TAG did this, but >> others have). I think there could easily be a lighter-weight solution, but >> none of the people raising this problem have made any suggestions, so we >> have the guidelines as the only thing on the table. >> >> ...Mark >> >> * just to add, even if the DRM implementation is a platform capability, >> the browser implementor chooses whether it is safe to use it - and which to >> use if there are many - just as they do with any other platform capability. >> >>
Received on Tuesday, 18 April 2017 16:25:04 UTC