Comments on security and privacy sections

[ddorwin]

@steelejoe wrote the following in #221 (comment). I've moved the remaining items (and one reply) here to separate them from the larger "review" issue #221.

I have some nit-picky comments. Should be relatively easy to address.

Section 10.3.2 Mitigations
TLS -- "Furthermore, origin-specific permissions in combination with a secure origin, ensure that permissions granted to an application cannot be abused by a network attacker.". This language is too strong. We can safely say that TLS makes abuse far less likely, but not impossible. This should be changed to "Origin-specific permissions in combination with a secure origin make abuse of permissions granted to an application by a network attacker far less likely.".
...

Section 11.4.2 Mitigations "Shared blacklists"
This section is unclear. What is a "Key System origin"? Does this refer to the dotted identifier for the Key System itself, in which case a blacklist seems like overkill since there are only a small number of Key Systems. Or does this refer specifically to use a particular Key System on an application origin? The latter seems more likely. If that is the correct interpretation this should be changed to "User agents may allow users to share blacklists of application origins and/or Key Systems".

Section 11.4.2 Mitigations "Per-origin user alerts / prompts and permissions"
This sentence "User agents must prompt or otherwise inform the user before allowing use of a Distinctive Identifier that is not unique per-origin and/or not clearable is used. " is unnecessary based on the note following. Why not just remove it and the note? Apologies if this has been discussed in depth -- I did not see it.

[ddorwin]

Section 10.3.2 Mitigations
@steelejoe, wrote:

This language is too strong. We can safely say that TLS makes abuse far less likely, but not impossible.

It seems the potential for abuse of permissions with TLS would be similar to violating other "guarantees" provided by TLS. While I agree that nothing is impossible, I don't see why we would treat this assertion differently from others, such as "Applications using TLS can be sure..." at the beginning of that paragraph. Am I missing something?

Section 11.4.2 Mitigations "Shared blacklists"
I believe this comes from https://www.w3.org/TR/webstorage/#user-tracking, which says:

User agents may allow users to share their persistent storage domain blacklists.

I agree the wording is strange. Blacklisting Key Systems, even in combination with origin seems strange since the UA is to have vetted the Key Systems it exposes. Also, the spec already recommends implementations "Provide user controls to disable Key Systems or Key System use of identifiers." On the other hand, your proposal is more general.

Section 11.4.2 Mitigations "Per-origin user alerts / prompts and permissions"
The most relevant discussion is in #51, which relates to similar text in an algorithm. The resolution was that if a user agent is asked to use a non-compliant CDM implementation or configuration, it should fail. There is a similar NOTE in this algorithm, and its text was aligned with this one in PR #66. However, the algorithm no longer allows for such non-compliant implementations, so this section probably shouldn't either.

[ddorwin]

PR #303.