15:03:27 RRSAgent has joined #html-media
15:03:27 logging to http://www.w3.org/2017/04/20-html-media-irc
15:03:49 sorry, phone issues on our side :(
15:03:51 present+
15:04:26 trackbot, start telcon
15:04:29 RRSAgent, make logs public
15:04:32 Zakim, this will be 63342
15:04:32 Meeting: HTML Media Task Force Teleconference
15:04:32 Date: 20 April 2017
15:04:32 ok, trackbot
15:04:55 agenda+ HME WG member discussion with W3C Director on EME Proposed Recommendation
15:05:14 agenda+ EME open issues
15:05:25 agenda+ Any other business
15:06:19 zakim, who is on the phone?
15:06:19 Present: jdsmith, dsinger, dob, johnsim, markw, paulc, jeff, wseltzer
15:06:31 present+ plh
15:06:43 present+ timbl
15:06:44 present+ timbl
15:06:51 present+ amy
15:06:55 timbl has joined #html-media
15:06:55 present+
15:06:56 present+ hsivonen
15:07:10 ddorwin has joined #html-media
15:07:21 present+ Gerry Smith
15:07:26 present+ Danny O'Brien
15:07:38 present+ Mark Netflix
15:07:45 Zakim, who is here?
15:07:45 Present: jdsmith, dsinger, dob, johnsim, markw, paulc, jeff, wseltzer, plh, timbl, amy, BobLund, hsivonen, Gerry, Smith, Danny, O'Brien, Netflix
15:07:47 On IRC I see ddorwin, timbl, RRSAgent, hsivonen, BobLund, jeff, plh, amy, Zakim, markw, Dsinger_, dob, johnsim, jdsmith, pal, paulc, wseltzer, robink, cwilso, adrianba, timeless,
15:07:47 ... slightlyoff, Josh_Soref, trackbot
15:07:52 present+ Mike Champion
15:07:55 present+ ddorwin
15:08:08 present+ BobLund
15:08:15 s/Gerry/JD
15:08:20 present+ ddorwin
15:08:40 Paul: I think we have everyone here
15:08:46 present+ pal
15:08:56 ... some people are on IRC who are not on the call. They may have bots
15:09:09 ... Is there anyone who wants to register attendance on the phone to correct
15:09:12 zakim, who is here?
15:09:12 Present: jdsmith, dsinger, dob, johnsim, markw, paulc, jeff, wseltzer, plh, timbl, amy, BobLund, hsivonen, Gerry, Smith, Danny, O'Brien, Netflix, Mike, Champion, ddorwin, pal
15:09:16 On IRC I see ddorwin, timbl, RRSAgent, hsivonen, BobLund, jeff, plh, amy, Zakim, markw, Dsinger_, dob, johnsim, jdsmith, pal, paulc, wseltzer, robink, cwilso, adrianba, timeless,
15:09:16 ... slightlyoff, Josh_Soref, trackbot
15:09:26 ? Noble+
15:09:35 Jer Noble
15:09:36 present+ timbl
15:09:41 agenda
15:09:44 zakim, move to next agendum
15:09:44 agendum 1. "HME WG member discussion with W3C Director on EME Proposed Recommendation" taken up [from paulc]
15:09:59 Jer Noble
15:10:17 Paul: I've convened this at the Director's request
15:10:47 ... I'd like to turn this over to Tim.
15:11:05 ... given that this was requested by the Director, I will reserve the right to give the floor to the Director at any point
15:11:40 Tim: we may have more than one discussion. So we don't have to make sure we finish all the things which have come up
15:12:23 ... the background I think we're all aware of - things are very contentious. issues around DRM. there are hugely varying different opinions about how the world should work. goes way outside the ways W3C has typically done things, except in a couple of cases
15:12:54 ... for this call I want to focus on technical bits, for example the TAG. the model we had on the whiteboard was the EME system connecting the browser to connect to the DRM system.
15:13:17 ... the way we'd done that was a sandbox. so the role of EME in that way was to protect the user from the DRM blob
15:13:51 ... there are lots of reasons people don't like DRM. two are that 1. it's a security risk (Sony rootkit fame) and 2. privacy.
15:14:09 Guest49 has joined #html-media
15:14:15 ... that it could leak info on almost anything. seems to me the reason to have DRM naked on your machine
15:14:39 ... one reason was that the browser was a user agent and protects the users while allowing the user to interact and have a life and buy and sell things and watch movies
15:14:54 present+
15:15:01 present+
15:15:07 ... My concern is that the diagram should be modified to have the sandbox in there as a red line. there was pushback from the group saying the sandbox isn't typical
15:15:11 q+
15:15:27 Chair: paulc
15:15:28 q
15:15:31 q+
15:15:32 ... in the TAG we talked about the sandbox in Chrome and Firefox and I got the impression the sandbox was typical
15:15:32 q+
15:16:00 q+
15:16:05 ... I'd like to get a sense from the group of sandboxing. maybe we're missing a trick and maybe the spec should be modified to protect users' privacy and the integrity of the user's computer to the extent they can be
15:16:11 Paul: I have people ready to respond.
15:16:22 ack markw
15:16:22 Q+ to ask why all drms are necessarily a risk.
15:16:59 Mark Watson: I think as the person who commented on this when the TAG gave their opinion. I'm not saying a sandbox is not necessary or typical. just that the people who can say are browser implementors
15:17:29 ... they can include in architecture. in other places, not so given. w/ ? the DRM is part of the system. so it's not different than the MS code
15:18:19 ... unless they have reasons to do then it's up to them. the final point is that the specs should make clear the browser should protect the user. there are parts of the spec that do this but if unclear we should change. browsers are supposed to protect
15:18:42 ack dob
15:18:43 Tim: excellent. I felt the text didn't give this, maybe I should re-read this. I had understood it didn't insist but that would be good
15:19:33 s/? the DRM/Microsoft the DRM/
15:19:35 Danny O'Brien: One of the issues is that there's always interaction w/ DRM - technical and legal. Mark's discussion of perimeter in CDM is based around who has incentive to protect
15:20:13 ... if you're trusting MS to run the browser you're trusting them to run DRM. the trouble w/ the legal situation is that understanding what's in the CDM is different. one of the ways we work in looking at sandboxes is trying to break them
15:20:30 ... don't know if you saw @ but someone broke not just the sandbox but the virtual machine
15:20:38 Tim: that was dramatic
15:21:22 Danny: we know part of the maintenance is the external overview. the challenge here, we can discuss, CDM. if you're talking about security you can't talk about legal risks. criminal procession.
15:21:43 ... For the rootkit case we had to advise people and we couldn't say they would not be legally challenged
15:22:31 Tim: that point has been made before and will be made again. it's important. we have the best practices. we hope the positive way, to reduce risks. the question I'm putting before you is requiring in the EME spec is protecting privacy
15:22:52 ... not wandering through files. it's reasonable to sandbox files you don't trust. it's reasonable to be an org to
15:23:20 ... try to protect trust. there are models. one is code which can be trusted. but also Mark pointed out, these are different cases
15:23:27 q?
15:23:37 ... not about testing, never mind testing is the case. let's say what the case should be.
15:23:56 ... shouldn't we say info should not be exo-trated? by outside
15:24:27 s/exo-trated?/exfiltrated/
15:24:32 Paul: want to make sure you're aware we spent 10s if not 100s of hours on identification of a user. the WG spent a huge amount of time on this for security and privacy
15:24:41 ack hsi
15:24:44 ... question is there enough there or not
15:25:30 Henri: earlier it mentioned the sandbox. Firefox on desktop there's a downloadable CDM. on Android we have an implementation where we use the platform Widevine. it comes ot user on phone
15:26:07 ... we don't get to sandbox it. with a @? we use two kernels on the hypervisor. one is Linux. another kernel boots in TrustZone. the DRM runs on TrustZone, on the other kernel on top of a hypervisor
15:26:32 s/comes ot /comes to /
15:26:33 ... could make distinction hyperviser does not run on CDM but all three, CDM, hypervisor and kernel are all mystery code
15:26:57 ... in the TrustZone model the user, the sandbox can't ? the CDM
15:27:08 ack johnsim
15:27:11 Tim: it's good to get different architectures enumerated
15:27:27 Dana?: similar for Chrome. two implementations which use sandboxinig
15:27:37 ... industry trend is platform CDM
15:27:45 s/Dana/Davdi
15:27:54 s/Davdi/David
15:28:30 John Simmons: first point to make is the one David echoed. trend is for CDM is in the platform + the hardware. brings up issue of when sandbox takes place
15:28:44 ... design principle on Windows is let the OS apply security to the objects it controls
15:28:46 s/with a @? we use/with ARM TrustZone there are/
15:29:06 ... question is how to sandbox them. also why you sandbox them. you sandbox software which is untrusted
15:29:10 s/Dana?/ddorwin/
15:29:39 q+
15:29:51 ... there's lots of software not a CDM. reasons given for why CDMs are considered inherently untrustworthy. can be downloaded from malicious site. 3rd party. that's true about a lot of software
15:30:03 s/two implementations which use sandboxinig/As far as I'm aware, those are the only two implementations that use sandboxing./
15:30:05 ... are you suggesting just sandboxing just CDM or all 3rd party
15:30:24 Tim: not just because just a good thing to do. priority is to protect the users
15:30:44 ... throughout history the browser has protected the user. eg: JavaScript can't access files
15:30:51 rrsagent, generate the minutes
15:30:51 I have made the request to generate http://www.w3.org/2017/04/20-html-media-minutes.html paulc
15:31:13 ... that's a model in which the user is protected from all kinds of things. you don't get a codec rummaging around user files. location sending back credit card details.
15:31:17 s/hyperviser does not run on CDM/hypervisor is not part of the CDM/
15:31:57 ... we haven't had examples of browsers doing this so we haven't had to write it down. but because those things have an unwritten rule a codec does what it does. it would be appalling and an outcry if it did.
15:32:30 ... recent class action w/ a company w/ using data when supposed to be a speaker. the reason EME has to be strong about this is w/ players, to a certain extent, w/ DRM blobs
15:32:48 s/David?/ddorwin/
15:32:49 ... while platforms might have great integrity, there might be native apps which
15:33:37 ... sit there and abuse users. it's out there that it's fine for a native app to read the user's calendar. there is a history of abuse of user privacy by native apps so I think people see this as if you download DRM it's a bit like that
15:33:53 q+
15:34:00 ... otherwise you might trust it. it may need specifying. does the group feel there would never be a breach of 3rd party data like Adobe
15:34:41 John Simmons: the section 10.2 in the spec where it says what the user agent must do to get key system info to integrate security w/ this
15:34:43 https://www.w3.org/TR/encrypted-media/#cdm-security
15:34:58 ... must support user agent and user agent must ensure it must be updated
15:35:11 ... I don't know of a single CDM that does not meet that
15:35:13 ack ds
15:35:13 Dsinger_, you wanted to ask why all drms are necessarily a risk.
15:35:46 David Singer: 2 things. in some what has been said that all CDMs are foreign or untrusted. we don't want to write assumptions like that into
15:36:02 ... specs. I don't see any reason it's less trustworthy than other code we've made
15:36:07 Tim: that point has been made
15:36:21 David Singer: if the user installs w/ browser, should be treated w/ caution. that's true
15:36:43 ... but if it's complex and thus vulnerable. we've had to sandbox codecs
15:37:10 q+
15:37:27 ... we don't now support downloadable codecs. we need to focus on where is untrustworthy. the user is exercising caution but not about the CDM itself
15:37:29 jernoble_ has joined #html-media
15:37:36 ack dob
15:38:12 Danny O'Brien: there's another aspect. DRM systems including CDM are designed to prevent the user from doing something. to lock out a capability. looking at memory etc. which means it's a place where user
15:38:18 q+
15:38:35 ... choices can be overridden. the untrustworthiness is by enabling an environment
15:38:50 ack markw
15:38:58 ... where user can be kept out where normally not have capability to trump what user is doing
15:39:45 Mark: obviously there are historical reasons for distrust. one thing we wanted to do w/ EME is carefully constrain the CDM. can strengthen around privacy. would hopefully preclude things mentioned - looking at calendar or looking on machine. any browser that was compliant would be sure the CDM would not
15:40:04 ... but if the CDM is the browser platform but how to remain EME compliant?
15:40:28 ... but we have a requirement that the browser ? the CDM. to describe what this would consist of, to apply rules to what's pending.
15:40:36 (This is a side-comment, and don't want to interrupt the stream, but note that there are already some uses of DRM/CDM that aren't just about playing protected content. So, for instance, including obligatory advertisements or warnings in the stream. Am I right in thinking that would be a potential use of the CDM?)
15:40:57 ack hsi
15:41:13 Henri: part of the source of the distrust if you're not allowed to look. in the case of Geko? web kit the code is open
15:41:21 s/Geko/Gecko/
15:41:26 s/browser ? the CDM/sanitize data sent to the/
15:41:33 ... in the case of Edge, it's not open but the majority of code is not obfuscated. in CDM it's obfuscated
15:41:56 ... it's reasonable for users to be more suspicious of code they are not allowed to look at. if not open source it's not resistant to
15:42:45 agree with hsivonen: code/hardware for CDM's has to be designed to resist external examination
15:42:49 ... debugging or inspection of the object code. from browser vendor the CDM comes from 3rd party, the browser vendor can not fix the code. because fewer people are not allowed to look may have effect, good to have some defense step from sandbox
15:43:18 ... from privacy perspective if the CDM does not deliberately look in hard drive and CDM buffer overflow not being abused,
15:43:50 ... still issue of DRM design protocol being able to track users. that's where distinctive language being used. depends on design of CDM and sandbox.
15:43:59 ack john
15:44:10 ... maybe a policy thing to be discussed vs. enforced through code
15:44:40 John: I wanted to give a different perspective to Danny about CDM as untrustworthy
15:44:44 @dob: CDM's do not get to interfere with the operation of the video element in terms of pause, seek etc. so it's hard to see how they could impose obligatory advertisements. Conceivably, CDMs that perform decoding as well as decryption could modify the decoded stream, for example to superimpose things. None of the existing CDMs have this capability and in the case of platform CDMs they perform decrypt but not decode.
15:44:55 q+
15:45:16 ... when user uses CDM it's a choice. they're doing something that the user has requested. for that reason, I want to echo what Henri said, there's a catalogue of things which can happen. even if
15:45:35 ... not intentionally doing it can be exploited through buffer overflow or how protocol
15:45:59 s/would hopefully preclude/we intended to preclude/
15:46:02 ... can be fingerprinted. valid concerns to be raised. but they change the fact that you have a CDM that's a platform not a browser.
15:46:36 ... like Chromium, it's a shim to do RPC to CDM in platform. sandboxing in browser I don't believe provides protection as CDM is out of control of browser
15:46:58 dsinger has joined #html-media
15:47:16 s/remain EME compliant?/remain EME compliant? browser needs certainty that use of a platform CDM won't make them non-compliant to the specification/
15:47:19 Tim: to summarize. different architectures of how things are put together. if EME was to guarantee that conformant implementations respected privacy and security they
15:48:02 ... would have to do this in different ways. it seems the difference, if we make a world where it's provided these guarantees are given, it's a better world than one where there are native apps w/ no expectation of privacy
15:48:10 rrsagent, generate the minutes
15:48:10 I have made the request to generate http://www.w3.org/2017/04/20-html-media-minutes.html paulc
15:48:26 s/to describe what this would consist of/CDM implementor needs to describe what this sanitization should consist of/
15:48:54 ... where people need to download a new app for a movie. so privacy and security issues are worse. we should do everything we can so users feel justifiably secure that when using EME they're being protected - even w/ different architectures working different ways
15:48:56 s/where distinctive language being used/where the language about distinctive identifiers comes in/
15:49:31 Paul: that's why the security section says the principles of what's to be achieved. the WG are aware of different architectures, want to describe principles by
15:49:41 @johnsim, sorry, I may have been imprecise here. It's the job of the CDM is to enforce technically the removal of certain capabilities that usually lie with the user. You don't usually use the user's own platform to do that, so it means that the CDM itself has to take on certain capabilities that make it a high-risk piece, because it has the potential of preventing the user's veto in other areas.
15:49:50 q+
15:49:50 ... this. the question is whether there's enough of this in the spec. beyond saying "you
15:50:01 s/what's pending/the data being supplied to the CDM/
15:50:06 ... must sandbox. that's a solution not a principle
15:50:52 Tim: if you aggregate all of those, you can interpret them in this case, we need to demonstrate the browser is protecting the user as much as it can. I'm happy to hear the spirit on this call is that this is absolutely what the intent of the spec was.
15:51:01 q+ to talk about privacy and security
15:51:06 ... maybe there need to be more "musts" for security etc. for plugged-in code
15:51:15 ack plh
15:51:15 Paul: I need to watch the clock.
15:51:34 PLH: John mentioned it's a user choice to view a video w/ CDM. I'd like to question that
15:51:54 ... it's not a requirement. it's a should. TAG wants this changed to "must"
15:52:24 ... w/out this, there's no way for user to know if it's just a video. recently Chrome removed ability to disable CDM. seems we're moving away from user consent vs. not
15:52:25 ack dd
15:52:32 q+
15:52:56 David Simmons?: what PLH referred to is the ability to remove in Chrome plugsin. now a gap, there's a feature to disable CDMs or EME. it wasn't a conscious decision
15:53:11 s/Simmons?/Dorwin/
15:53:11 s/plugsin/plug ins
15:53:47 ... to say there's a sandbox it's not a magic bullet. they are different. many suggestions but not verifiable. "must get agreement" but no way to check.
15:53:58 q-
15:54:09 rrsagent, generate the minutes
15:54:09 I have made the request to generate http://www.w3.org/2017/04/20-html-media-minutes.html paulc
15:54:22 ... besides browsers there are other implementations. that's not something they'll get for free if they take Chromium or web kit
15:54:30 ack ds
15:54:31 dsinger, you wanted to talk about privacy and security
15:54:31 s/David/John
15:54:49 s/John/David
15:54:59 jdsmith has joined #html-media
15:55:10 David, would you want to type your question?
15:55:18 I wanted to say that the requirement that code that sits between the user and the network respect the user's privacy and security is not specific to DRMs, or the browser
15:55:24 s/they are different./there is no single definition of sandboxing - there are different levels./
15:55:35 If that is what we want to say at the W3C, we need to say it at a higher level and ikn a more general way
15:55:41 jernoble has joined #html-media
15:55:52 s/ikn/in/
15:55:53 q+
15:56:00 Paul: the queue is empty. we have 5 mins
15:56:02 ack mark
15:56:27 s/web kit/WebKit/
15:56:47 Mark: briefly, to PLH's point about consent prompts. we'd love to arrive at a point where using DRM has no more risk than non-DRM. not a case for prompt. by ? it's a situation where it's valued. incentive to improve security
15:57:09 ... I've argued for keeping that as a part of the spec. if the prompt is not necessary it's not necessary.
15:57:18 q+
15:57:29 Tim: you may not prompt when on a trusted platform. but may prompt if on an external application
15:57:37 Paul: that sounds like a should to me
15:58:09 Tim: this call is about making sure that the fact that somebody using EME gets the same security and privacy guarantees as when using EME when just using
15:58:10 q+
15:58:37 zakim, close the queue
15:58:37 ok, paulc, the speaker queue is closed
15:58:43 ... a browser. like when David says we should for other things like CSS. but for DRM it may need to be more specific. if we want to roll out and get respect in the community, we must give guarantees that DRM in general does not
15:58:58 ack Jer
15:59:17 jernoble has joined #html-media
15:59:20 Jerry Noble: WebKit's perspective on sandboxing. ? vulnerability from an overrun similar to a malicious CDM.
16:00:01 ... ensuring has no access. w/ malicious CDM would have no more vulnerability than something else. we sandbox away from things. if we require by sandboxing we'd likely meet it for
16:00:04 ack he
16:00:05 s/Jerry/Jer/
16:00:08 ... figuring in vulnerabilities
16:00:15 ack hs
16:00:32 Henri: echo David's point about being centered on browsers. if you use Chrome then you see a content prompt
16:00:51 ... but what Mark said there's no incentive for prompts. for Smart TV. the vendor has
16:01:18 ... no incentive for prompt as much as Chrome OS. not so much emphasis for user privacy in all cases
16:01:20 s/if you use Chrome then/if you use Chrome OS then/
16:01:37 Paul: we're at the top of the hour. this request came from the Director. Tim, did this meet your goal? any questions
16:02:10 Tim: as we're out of time, maybe we'll get back to you. maybe I've got to pore over the spec to see if there's a way to make a guarantee strongly and clearly. maybe it's made strongly in the fine print
16:02:19 ... thank you all for your time. really appreciate it
16:02:42 Paul: thanks to the group, made the call w/ only 48 hours. Director and staff traveling so it's valuable that the WG showed agility to meet w/ you.
16:02:55 rrsagent, generate the minutes
16:02:55 I have made the request to generate http://www.w3.org/2017/04/20-html-media-minutes.html paulc
16:02:55 ... to give maximum info as soon as possible. thanks to them
16:03:00 s/content prompt/consent prompt/
16:03:13 zakim, who is on the call?
16:03:13 Present: jdsmith, dsinger, dob, johnsim, markw, paulc, jeff, wseltzer, plh, timbl, amy, BobLund, hsivonen, Gerry, Smith, Danny, O'Brien, Netflix, Mike, Champion, ddorwin, pal,
16:03:15 Paul: thanks very much. we're adjourned
16:03:16 ... Guest, jernoble
16:43:32 dob has joined #html-media
16:52:21 jernoble has joined #html-media
18:51:53 dob has joined #html-media
21:48:45 dannyob has joined #html-media
22:00:53 dannyob has joined #html-media