On 2014-05-22 02:44, Robert Kaiser wrote:
Jim schrieb:
You have still not proven your claim that the CDM will be robust
I think that can only be proven once the code exists, and it still to
be written. Once it's there, I'm sure everyone will be happy if you
inspect it for that robustness.
Enough details have been supplied to make it clear that the CDM has no
chance of being confident in the state that the sandbox supplies to it
when the sandbox passes control the the CDM.
The only protection offered to the CDM is that it can look over the
memory of the process it runs in. However the sandbox can change the
process memory after it is initialized and before the CDM is loaded and
run, so the CDM has no guarantee of the provenance of the state passed
to it from the sandbox when it starts. The idea that the CDM can check
that the sandbox code matches it's expectation to guarantee provenance
of the device identifier is flawed. If Mozilla can not even get this
right then I have no confidence that the CDM would be robust.
What is Mozilla going to do when Adobe are unable to convince content
owners and distributors that this is robust? Will Mozilla use the same
propaganda to justify supporting platform CDMs? Nothing Mozilla has said
suggests otherwise. Mozilla do not know where to draw the line.
What will Mozilla do if in future the content owners and distributors
withdraw support for the CDM, after the EME API has been well
established and after DRM APIs have been convincingly added to the open
web? Mozilla will have caused great damage and will be in an even weaker
position to fight.
All Mozilla will have done is nurture and promote the EME API, and in
doing so will have set back alternatives and damaged the open web.
Given that the CDM has no control there will be Firefox derivatives
offering control over device identifiers and able to save the content.
Are Mozilla going to support content owners and distributors if they
prosecute open web developers and distributors adding innovative
features to the open web, such as EME content saving functions? The
notion that Mozilla management would act as expert witnesses for the
prosecution, claiming that the open web supports DRM restrictions, is
just absurd given the mission. If this is what Mozilla management claim
then they do not represent the open web, they do not get to claim they
are part of the open web, and they do not get to claim they champion
user security and privacy.
What are Mozilla going to do when some CDM innovations allows HTTP
requests to be passed to the CDM and received and presented in the web
browser? This will effectively add DRM to any web content. The EME
solution requires JS to complete the player and this along with the DOM
gives all the flexibility to implement this. Add a JS engine to the CDM
and there goes even more of the web. Add HTML rendering support to the
CDM and it's game over, and Mozilla are making it happen.
Jim
_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance
