Bin: The draft WG charter is still out for AC review
Bin: so we'll wait for the
outcome of the review
... We had a good discussion last time, thanks Chris and
Ryan
... There are 3 actions from last time
Bin: reviewed automotive work and
security work
... don't think we need changes to the draft
... maybe we can ask Ryan about the latest status of the
automotive group
ryan: my update on the media tuner or the automotive in general?
cpn: security work specifically
Kaz: The automotive security TF
has been working on use cases and requirements in a google
doc
... Also work on some basic architecture since the TPAC
meeting
... There was some detailed discussion at the Paris meeting,
with Genivi
<kaz> auto minutes - Mar. 3
Kaz: We recently have another security expert, from New Sky Security, which should accelerate the security discussion
<kaz> security wiki
Bin: We should continue to
contact this expert and see how their security model could
apply to our use case
... So, we could leave this action open, as we haven't
identified the impact on our spec yet
... And maybe Kaz can help get in contact with the automotive
TF
... You could also join the security TF call
Chris: I think there are other
good W3C resources. There's a fingerprinting guidance document,
security questionnaire, and privileged Context document
... All very useful input.
... It seems useful to go through each of our API features and
evaluate them against these documents.
... E.g. the ability to scan/list channels, to schedule
recordings, etc.
... Each of these areas may have different levels of
impact.
... I noticed in the NFC CG that they produced a report on
security and privacy considerations.
<cpn> http://w3c.github.io/web-nfc/security-privacy.html -- NFC report
Chris: The Permissions API is
interesting for us. It allows the user to allow or deny a
particular API.
... I don't know if that's the right model for us, or if we
need something different for that.
<kaz> auto tpac minutes
Chris: Something I heard from the
Automotive meeting at TPAC: two possible runtimes, regular Web
runtime and Web-view runtime with the possibility to deliver a
signed package.
... In some other specification that I've looked at, the
Generic Sensors API just says that some reading should be only
available to secure contexts.
<cpn> The draft on github: https://w3c.github.io/sensors/
<cpn> https://w3c.github.io/fingerprinting-guidance/
<cpn> https://www.w3.org/TR/permissions/ -- permissions API
<cpn> https://www.w3.org/TR/powerful-features/ -- privileged contexts
Chris: This all relates to some
of the requirements we may have around the visibility of EPG
metadata
... Do we allow arbitrary Web pages to have access to EPG data?
Or is it something that we may want to constrain to certain
restricted contexts?
... There may be a business incentive to restrict access.
... It's not just the end-user privacy, also need to consider
the content provider's side as well.
Bin: Right, it's still a debating point in most of these markets.
<cpn> Kaz: On the previous automotive call there was some discussion: what should the destination device be?
Kaz: In the Automotive API, the
discussion is also about the destination server for the EPG
data. Is it localhost?
... Some server-based URL?
... The security depends on the destination as well
Bin: I guess there are no answers
yet.
... So one of the areas to investigate is full/restricted
access to EPG data.
Kaz: The NFC CG started similar kinds of discussions, the result is great.
Bin: I propose to leave these action items open and create two additional action items
<scribe> ACTION: Kaz to get in touch with security experts in the Automotive group [recorded in http://www.w3.org/2016/03/08-tvapi-minutes.html#action01]
<trackbot> Error creating an ACTION: data field(s) missing from result. Please mail <sysreq@w3.org> with details about what happened.
<scribe> ACTION: Bin to draft a Wiki page listing high-level requirements related to restricted access to EPG metadata for the sake of security. [recorded in http://www.w3.org/2016/03/08-tvapi-minutes.html#action02]
<trackbot> Error creating an ACTION: data field(s) missing from result. Please mail <sysreq@w3.org> with details about what happened.
Chris: Should we do that on the
Wiki, or create a report using ReSpec?
... I'm just looking at the NFC group and they published this
as a CG report.
Bin: Right, that's a final
report, but I'm more interested to collect requirements
here.
... Once we have done that, we may decide whether to publish a
report.
Ryan: [shows the automotive tuner
use cases]
... All of these pertain to the media tuner API. The functional
owner shows who has the information that's needed in each
case
... Some of these have multiple owners, e.g., for the parental
lock there's both Web Application and Infotainment System
... That was the premise behind the functional owner
... All the system functions listed here should all be present
in the media tuner API
... Based on what's needed in current applications today
... I'm currently reformatting the media tuner web page into
the correct format, also to make it more self explanatory
... I want to create a draft, to put the pieces together
Bin: I have a question about the functional owner. If the owner is the Infotainment System, is it that the functionality needs to be addressed by the API?
Ryan: Not really, all of these
need addressing by the API, the owner shows more in which
direction the information flows
... For example, the Login function is really for the Web
Application's use
Bin: I agree, so all of these need API support, so the question is whether they are defined by us, or somewhere else
Ryan: Yes
Kaz: Is the google spreadsheet public? If so we should put it in the minutes
Bin: There's another column for the mapping between the media API and the TV control API
Ryan: Yes, I'll be doing that
Bin: Thanks Ryan for the great work
<scribe> ACTION: Ryan to continue use case mapping between the automotive media API and the TV Control API, and start to put together a draft [recorded in http://www.w3.org/2016/03/08-tvapi-minutes.html#action03]
<trackbot> Error creating an ACTION: data field(s) missing from result. Please mail <sysreq@w3.org> with details about what happened.
Bin: That completes the review of
active items. Is there anything new in terms of Phase 2
contributions?
... Once Ryan has completed the mapping, there may be some
gaps, so we can consider those in our requirements
... Is there any other business?
Kaz: Please ask your AC reps to respond to the WG charter review
<kaz> (positively :)
Bin: Anything else?
... Thank you all for your contributions, and we'll speak on
the next call in 4 weeks
[adjourned]