15:11:18 RRSAgent has joined #webrtc 15:11:18 logging to https://www.w3.org/2020/09/15-webrtc-irc 15:11:23 Present: Bernard, Harald, Florent, Henrik, Guido, Youenn, Palak, Carine, Dom, Jianjun_Zhu, Riju, Francois_Beaufort, Eero_Hakkuinen 15:11:26 Chair: Harald, Bernard 15:11:38 Topic: ISSUE 47 RTP Header Extension Encryption 15:11:52 ... RTP data gets encrypted, but not headers in current implementations 15:12:26 ... encrypting headers has an RFC, but it is not correctly implemented, due to its high complexity and big impact on SDP bloat 15:12:51 ... this was discussed recently in AVTCore where the topic is handled 15:13:05 ... The WebRTC WG needs to consider an API to enable encrypting RTP headers 15:13:13 ... The proposal is a all-or-nothing switch in the API 15:13:20 ... either encrypt everything or nothing 15:13:33 ... The SDP representation will be defined in AVTCore 15:13:55 ... from an API perspective, we would add an rtpHeaderEncpryptionPolicy field to RTCConfiguration 15:13:57 Patrick has joined #webrtc 15:14:17 ... the backwards compat option is "negotiate" (fallback to unecnrypted) 15:14:34 ... and a new option "require" which throws if encryption is not possible 15:14:41 Orphis has joined #webrtc 15:14:49 ... there would also be a flag on Transceiver to indicate if encryption has happened 15:15:30 ... My proposal is that by default, "negotiate" is picked (for backwards compat) - later we could consider movign to "require" once there is broad adoption 15:15:41 s/... RTP data gets/Henrik: RTP data gets/ 15:16:02 ... There was discussion of adding this on a transceiver-basis, but we thought we should keep it simple 15:16:15 Bernard: in particular, separate encryption can't be done when BUNDLing 15:16:36 Youenn: could we ask AVTCore of a negotiation per session rather than per m-line? 15:16:50 Bernard: our proposal would work either way 15:17:00 Present+ Patrick_Rockhill 15:17:42 Henrik: the AVTCore discussion may lead the flag to move from the transceiver up to the PeerConnection 15:18:00 Youenn: I like the config option and the rollout option 15:18:16 .. I'm skeptical at the transceiver flag if what we want is the whole thing to be encrypted 15:18:54 Henrik: with the negotiate policy, you may end up with one m-section having encrypted headers and others not 15:19:09 ... we could fail in that situation though 15:19:26 Harald: the encrypted negotiated flag belongs on the DTLS transport 15:20:01 RESOLVED: Add new option to RTCConfig, and add the flag to either PC or DTLSTransport based on AVTCore results 15:20:17 Bernard: AVTCore meeting is coming up - someone should volunteer a proposal 15:20:20 Topic: Media Capture 15:20:25 Subtopic: Issue 646 15:20:50 Youenn: we had a number of privacy discussions with the Privacy IG which we should try to drive to conclusion ahead of our meeting with them next month 15:21:01 ... Issue 646 is about making enumerateDevices return an empty list by default 15:21:19 ... the current behavior exposes 2 bits of info: whether there is at least a camera, and whether there is at least a microphone 15:21:28 ... after gUM resolves, we expose more info 15:22:03 ... the typical use cases to expose these 2 bits of info is to enable a Web app to provide a gUM UI only when it has supporting devices 15:22:22 ... we ran an experiment with returning an empty list, and it turned out not Web compatible 15:23:05 jianjunz has joined #webrtc 15:23:19 ... The proposal is to keep current approach and allow UA to fake presence of devices to UAs who would want to remove fingerprinting 15:24:56 PROPOSED: behavior of enumrateDevices() doesn't change; the WG will consider adding non-normative guidance on fingerprinting 15:24:59 Henrik: I support this 15:25:01 Dom: +1 15:25:23 Henrik: the problem would go away with the new device picker approach 15:25:40 Youenn: not necessarily you might still want to make the picker trigger optional i nthe UI 15:25:46 RESOLVED: behavior of enumrateDevices() doesn't change; the WG will consider adding non-normative guidance on fingerprinting 15:25:52 Subtopic: Issue 640 15:26:14 Youenn: PING suggested we reveal only label on devices users have granted permissions to 15:26:37 ... the reason for exposing all labels is to allow for in-page picker 15:27:04 ... The proposal would be to keep the current consensus with guidance on sanitizing labels 15:27:27 ... For instance, Firefox & Safari sanitize the name of airpods (which often contains personally identifiable information) 15:28:07 ... we already have some indirection between labels and what gets shown to JS, we could go a bit further 15:28:10 Henrik: +1 15:28:27 ... I don't think we can remove labels as long as Web pages have to build their own pickers 15:28:50 ... once an in-chrome pickers become the new way, we can reconsider, but that seems a long way in the future 15:28:50 Bernard: +1 15:29:19 Henrik: it is true that it can be used for fingerprinting, but that's in a context where the app may already be able to see my face, so maybe not such a big deal comparatively 15:29:24 Youenn: there are counter examples 15:29:57 Harald: I don't find that argument compelling enough for a change 15:30:39 Henrik: a UA could also pick to expose only a subset of devices 15:31:11 RESOLVED: Keep exposing all devices past gUM resolution with some possible anti-fp guidance 15:31:16 Subtopic: Issue 645 15:31:42 Youenn: enumerateDevices expose all type of devices, even if the user has only allowed one type of device (e.g. only mics) 15:32:23 ... this could be reduced on a per device-type (e.g. gum(video=true) would only expose cameras) 15:32:36 ... possibly exposing associated mics (based on groupId) 15:32:50 ... I'm not fond of the additional complexity 15:33:24 Guido: Chrome only exposes cameras when only video is requested 15:34:10 ... it has been that way for a long time 15:34:37 Henrik: this shows this is Web compatible :) 15:35:10 Youenn: I think if we go that way, we should expose associated mics 15:35:37 Henrik: this may be confusing though - it may creates the impression that only one mic exists in that case (because you would believe you have all the info 15:35:41 Youenn: true 15:36:53 Dom: is Chrome's behavior allowed in the spec? 15:37:29 Youenn: no, it's only a global boolean that controls enumerateDevices() exposure 15:37:38 Dom: so something needs to change no matter what 15:37:52 Harald: where do we stand on the WebDriver spec for gum? 15:37:58 Youenn: waiting for adoption by the WG I believe 15:38:37 Dom: so how do we move forward? 15:38:49 Youenn: I'm happy to align with Chrome in our impl 15:39:57 ... my proposal on groupId was to align with how we deal with audiooutput where we expose a speaker once the mic is listed 15:40:59 RESOLVED: Adopt per-device type of enumerateDevice label exposure; follow up on current implementation status for possible extension based on groupId 15:41:02 RRSAgent, draft minutes v2 15:41:02 I have made the request to generate https://www.w3.org/2020/09/15-webrtc-minutes.html dom 15:41:10 Topic: Media Capture Image 15:41:16 Subtopic: Issue 243 15:41:31 Youenn: lot of discussions around Pan/Tilt/Zoom (PTZ) and how it is represented via constraints 15:42:12 ... when you install an app, you get granted permissions to access e.g. cam + mic 15:42:27 ... the only choice the user has is "install" or "not install" 15:42:55 ... another approach is to leave granular choice to the user with a base permission plus additional permissions 15:43:26 ... PTZ seems to fit better that model - default to "camera" permission, and allow upgrades to PTZ permissions 15:44:42 ... Taking getDisplayMedia as an example: you ask gDM(video: true) only allows sharing a video; if you add audio: true, it adds a "share audio" UI - but this remains the user's choice 15:44:52 ... [slide 17] 15:45:58 ... there is no discussion to allow failure on not providing audio 15:46:04 ... the same should work well for PTZ 15:46:07 ... [slide 18] 15:46:19 ... this has a big impact on how constraints would work for this in gUM 15:46:40 ... e.g. what happens with gum({video {pan: {exact: 10}}) 15:47:15 ... if there is no PTZ device, this would reject with OverConstrained - this means increased a small fingerprinting increase 15:47:39 ... it's a known issue with gUM - while can't easily fix it, I hope we don't increase the scope as we would with PTZ 15:48:18 ... if the user has a PTZ, but doesn't pick it - should this still be OverConstrained? 15:48:43 ... it sounds like applying the getDisplayMedia model without requiring PTZ would work better 15:48:59 ... if so, that means skipping all PTZ-required constraints in gUM 15:49:16 Henrik: isn't the information exposed in any case in getSettings? 15:49:39 Youenn: there are discussions in sanitizing getSettings based on what permissions have been granted - we'll come back to this later 15:49:43 ... [slide 19] 15:50:07 geheimnis` has joined #webrtc 15:50:23 ... if the user has the option to grant PTZ access, but the UA doesn't have a device picker - in that case, the UA should prioritize picking a PTZ camera 15:50:38 ... the UA may have to fallback on a non-PTZ device in case of hardware error 15:51:56 ... the current spec doesn't give lower priority (via fitness distance) to PTZ constraints 15:52:21 ... my proposal is to ensure the PTZ cameras get picked when permission is granted 15:52:55 ... The result would be to add a ptz MediaConstraint (in addition to "video", "audio") 15:53:23 ... and uses that as a trigger to prioritizing ptz devices - and request permission only if there is such a device 15:53:47 ... pan, tilt and zoom would still be used as constraints for applyConstraints, but would be skipped in gUM 15:54:04 ... [slide 21] 15:55:43 ... This approach means no additional fingerprinting, allows PTZ position sanitization, it limits the complexity, is compatible with the future device-picker approach 15:55:53 ... it's very different from the current spec, but solves real issues 15:57:47 Henrik: couldn't we throw on attempting to set required constraints on PTZ? would only allow "ideal"? 15:58:05 Youenn: we could do that; I think ptz: true is simpler though 15:59:08 Riju: [slide 24] we have an alternate proposal we submitted as a pull request, based on Jan-Ivar's input 16:00:01 Eero: the idea of the proposal is to align PTZ with other constraints in {video} with just boolean values rather than numeric values 16:01:52 Youenn: how would this work with UAs that have a different prompt from Chrome? 16:02:17 ... also, doesn't fix the issue with PTZ permission granted while the browser not picking a PTZ device 16:02:56 Henrik: I like the model of leaving choices to the user, but within the current model of gUM where the Web app makes the choice 16:03:33 ... what's the prompt that you envision? how would the UA asks about PTZ device in a way the user would understand? 16:04:09 Youenn: the UA could be to allow it only for advanced users, or only to sites with persistent camera access 16:04:50 ... if the user may have challenges understanding camera + PTZ prompt ("use and move a camera") vs camera without PTZ (just "use a camera") 16:05:03 ... it's likely that users will make mistakes 16:05:28 Henrik: what's the risk of granting PTZ permission? 16:06:05 Youenn: with PTZ, the preview of what you grant access to is different from what may be exposed over time 16:06:11 ... without the user being aware 16:06:25 Riju: note that PTZ is restricted to top level browsing context 16:06:42 Youenn: right, but there is no requirement to show the self-view over time 16:06:57 ... that's why PTZ needs a different privilege level 16:07:22 ... initially the plan was to keep it in the same permission, but we received feedback this needed a different permission which indeed makes sense 16:07:31 ... that makes it harder to re-use the usual gUM constraints model 16:08:15 Riju: one limitation is that PTZ is only limited to video - PTZ permission supersedes the simple camera permission 16:08:58 Youenn: I'm not saying the Chrome model is bad, but my suggestions is trying to make it future-proof and aligned with the changes we're considering for gUM 16:09:17 Francois: we're talking about the spec - the UA can show a notification when the camera moves 16:09:52 Henrik: but the notification only deals with cases when the user is paying attention to the browser - the risks exist also when the user isn't around 16:10:02 Francois: why did you pick this additional ptz boolean? 16:10:20 Youenn: it's modeled after the getDisplayMedia approach to audio 16:10:42 ... the idea is that it allows the user to opt-in to an additional privilege 16:10:49 ... it's beyond a constraint 16:10:59 Harald: to me, PTZ feels very much like a constraint 16:11:22 ... moving away from the original model makes it harder to understand the overall model 16:11:40 Henrik: yet, choosing a device feels pretty different from moving a camera - feels like different APIs 16:11:52 Youenn: they're exposed at different APIs (gUM vs applyConstraints) 16:12:44 Harald: I'm hesitant to add special rules and syntax 16:13:33 Dom: but how would we deal with the different permission level? constraints weren't built to deal with that 16:14:37 Youenn: as an implementor, I would want to show a different notification to the user before PTZ can be used 16:15:33 Youenn: my main point is that PTZ constraints should not be required 16:15:40 Henrik: I like that 16:16:09 Youenn: I don't care very strongly about the syntax / model, as long as we keep in mind the issues I mentioned on allowing UA flexibility, fingerprinting, non-required PTZ constraints 16:16:22 Guido: we could treat them all as "ideal" rather than "exact" 16:16:26 Youenn: +1 16:17:09 Henrik: I think disregarding the required aspects for PTZ would be enough to get us what we want 16:17:29 ... could we throw on required constraints for PTZ? 16:17:40 Youenn: is there consensus on not having required constraints on PTZ? 16:17:57 Harald: I'm not happy about special-casing 16:19:05 ... I like throwing Overconstrained when the dev ask for required PTZ 16:19:29 RESOLVED: throw Overconstrainted on requried values for PTZ and deal with sorting devices separately 16:21:29 Guido: we need to understand the intersection with advanced constraints 16:23:29 Subtopic: Issue 245 16:23:38 Youenn: a page can use a PTZ device with or without PTZ permission 16:23:53 ... if PTZ is granted, we should expose everything 16:24:25 ... if not, we should expose that a device has PTZ capabilities, but without detailed information (min/max, dynamic values) 16:25:23 Francois: this increases the fingerprinting 16:25:31 Youenn: but only after gUM permission has been granted 16:25:47 ... I think it's fine to expose some at that point 16:26:16 Carine: what's the use case? 16:26:40 Youenn: it gives the opportunity to the Web page to detect the availability of a PTZ device to expose a new PTZ-based feature 16:27:07 Henrik: fine with it 16:27:22 Dom: we should flag this for PING check given fingerprinting impact 16:28:08 RESOLVE: Sanitize PTZ capabilities/setting based on PTZ (the UA may expose additional PTZ info without PTZ permission) - subject to PING review 16:30:00 Carine: can PTZ be deactivated (like mute on mic)? 16:30:21 Youenn: we don't have support for that atm 16:30:35 Henrik: moving up from PTZ:false to PTZ:true would require re-prompting right? 16:30:40 Youenn: right 16:31:09 Youenn: let's raise "muting" PTZ as a separate issue 16:31:47 RRSAgent, draft minutes v2 16:31:47 I have made the request to generate https://www.w3.org/2020/09/15-webrtc-minutes.html dom 16:31:55 RRSAgent, make log public 16:33:47 s/RESOLVE:/RESOLVED:/ 16:33:49 RRSAgent, draft minutes v2 16:33:50 I have made the request to generate https://www.w3.org/2020/09/15-webrtc-minutes.html dom 16:35:23 Meeting: WebRTC Virtual interim 16:35:26 RRSAgent, draft minutes v2 16:35:26 I have made the request to generate https://www.w3.org/2020/09/15-webrtc-minutes.html dom