It is clear why the proposal does not specify key and license transferal formats, but some informative text could avoid confusion. For instance, if HTTPS is used and a key is encrypted using some other system then double encryption is taking place and that isn’t obvious in the proposal. Suggest adding informative text in the following places:
1. In the addkey sequence, step 5.4.1, change “Process key” to something like “Process key, may involve handler (CDM) specific decryption”.
We're not sure what difference this proposal makes to implementations. Please can you provide more information about why this is necessary?
The request is simply for informative clarification to notify users of the API that xmlhttp.response decrypts and an additional encryption is needed if the response is not to be in the clear in memory. If the authors feel that that is self-evident then the bug can be closed.