This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
It is clear why the proposal does not specify key and license transferal formats, but some informative text could avoid confusion. For instance, if HTTPS is used and a key is encrypted using some other system then double encryption is taking place and that isn’t obvious in the proposal. Suggest adding informative text in the following places: 1. In the addkey sequence, step 5.4.1, change “Process key” to something like “Process key, may involve handler (CDM) specific decryption”. 2. At appropriate places in the Javascript examples add a comment indicating the xmlhttp.response may be encrypted in a CDM specific manner.
We're not sure what difference this proposal makes to implementations. Please can you provide more information about why this is necessary?
The request is simply for informative clarification to notify users of the API that xmlhttp.response decrypts and an additional encryption is needed if the response is not to be in the clear in memory. If the authors feel that that is self-evident then the bug can be closed.