This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23341 - The extension should not require special (handcuffed) hardware.
Summary: The extension should not require special (handcuffed) hardware.
Status: RESOLVED FIXED
Alias: None
Product: HTML WG
Classification: Unclassified
Component: Encrypted Media Extensions (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 normal
Target Milestone: ---
Assignee: Adrian Bateman [MSFT]
QA Contact: HTML WG Bugzilla archive list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-24 14:48 UTC by Julio Cesar Serrano
Modified: 2013-10-15 15:18 UTC (History)
5 users (show)

See Also:


Attachments

Description Julio Cesar Serrano 2013-09-24 14:48:42 UTC
On the "Goals" section. Third line reads like this:

"Support a range of content security models, including software and
hardware-based models"

If I understand it well, it says some CDM may require specific
hardware (i.e. a crippled graphics card).
I find this to be unbearable. Seriously do you pretend to approve a
standard which would lead to
remove users freedom to general purpose computing?
Comment 1 Mark Watson 2013-09-24 15:22:33 UTC
Nothing in the specification requires special hardware. Nothing in the specification restricts access to a device's computing capabilities, general-purpose or otherwise.

Some devices may have hardware content protection capabilities(*). The sentence quoted is intended to require that EME enable applications to make use of such capabilities, when they are available.

It is clear that such capabilities will not always be available, hence software solutions are required as well.

Since the concerns are unfounded, I suggest this bug be closed as a non-issue.

(*) by 'hardware content protection capabilities' I also include software running in a Trusted Execution Environment where the security of the TEE is hardware-backed in some way.
Comment 2 Julio Cesar Serrano 2013-09-24 15:38:04 UTC
I suggest to introduce this addition: "The use of hardware protection schemes won't be mandatory in any case".
Comment 3 Mark Watson 2013-09-24 15:54:34 UTC
(In reply to Julio Cesar Serrano from comment #2)
> I suggest to introduce this addition: "The use of hardware protection
> schemes won't be mandatory in any case".

Do you mean "This specification does not mandate the use of hardware content protection schemes" ?
Comment 4 Julio Cesar Serrano 2013-09-24 22:44:39 UTC
Yes, I think that could work.
I'm sorry. English isn't my mother tongue.
Comment 5 Mark Watson 2013-09-24 22:50:04 UTC
Ok, I have no problem with that statement. However the specification doesn't mandate the use of software content protection schemes either.

And I think, rather than use the words 'mandate the use of' - because the specification doesn't 'mandate' anyone to 'use' anything - we should say whether compliance to the specification requires X, Y, Z. With this wording we could say

'This specification supports both software and hardware content protection schemes but does not require either for compliance.'
Comment 6 Julio Cesar Serrano 2013-09-24 23:29:25 UTC
(In reply to Mark Watson from comment #5)
> Ok, I have no problem with that statement. However the specification doesn't
> mandate the use of software content protection schemes either.
> 
> And I think, rather than use the words 'mandate the use of' - because the
> specification doesn't 'mandate' anyone to 'use' anything - we should say
> whether compliance to the specification requires X, Y, Z. With this wording
> we could say
> 
> 'This specification supports both software and hardware content protection
> schemes but does not require either for compliance.'

Sorry, but I think that sentence is too open. What I want to express is... that no application should force or encourage people to install new hardware for improved protection in order to access the content. But if such hardware is already present in the user computer, then and only then it is Ok to use it.

Please, may you word the appropriate sentence?
Comment 7 Mark Watson 2013-09-24 23:39:16 UTC
(In reply to Julio Cesar Serrano from comment #6)
> (In reply to Mark Watson from comment #5)
> > Ok, I have no problem with that statement. However the specification doesn't
> > mandate the use of software content protection schemes either.
> > 
> > And I think, rather than use the words 'mandate the use of' - because the
> > specification doesn't 'mandate' anyone to 'use' anything - we should say
> > whether compliance to the specification requires X, Y, Z. With this wording
> > we could say
> > 
> > 'This specification supports both software and hardware content protection
> > schemes but does not require either for compliance.'
> 
> Sorry, but I think that sentence is too open. What I want to express is...
> that no application should force or encourage people to install new hardware
> for improved protection in order to access the content. But if such hardware
> is already present in the user computer, then and only then it is Ok to use
> it.
> 
> Please, may you word the appropriate sentence?

That's difficult, because you are asking for a requirement on applications and it is not applications that implement the EME specification it's browsers. It's hard for W3C specifications to place requirements on applications that use the web platform except by requiring browsers to police application behavior.

We could say that UAs should not rely exclusively on optional hardware components for their implementation of EME CDMs. This is a recommendation to UA implementors, but it does not constrain applications.

We could even say (though I doubt the UA implementors would agree) that UAs must do some policing to ensure that a version of any given content item is available in a form suitable for playback entirely in software before that UA would allow the same content item to be played back (possibly at higher quality) through a hardware solution. I hope you'll agree that it's difficult to imagine what that policing could be in practice.
Comment 8 Julio Cesar Serrano 2013-09-24 23:48:34 UTC
It is late. My mind can be of no use now.
I am now convinced that CDM design should be also under the scope of EME Draft.
On the contrary, we are giving a white card to companies with the excuse of trying to protect content. 

Content protection is not equal to a white card. I might agree to allow some secrets to exists, but we should be able to define CDM structure and restrictions as well.
Comment 9 David Dorwin 2013-10-14 17:55:01 UTC
I propose removing the Goals section. It has repeatedly led to confusion and does not belong in a spec (it is left over from the initial proposal).
Comment 10 Adrian Bateman [MSFT] 2013-10-15 15:15:37 UTC
This was discussed on the telcon 10/15:
http://www.w3.org/2013/10/15-html-media-minutes.html

The group agreed to remove the goals section.
Comment 11 Adrian Bateman [MSFT] 2013-10-15 15:18:05 UTC
Removed the goals section: https://dvcs.w3.org/hg/html-media/rev/a5acef5bbe69