The Timed Text Working Group just discussed Detail Security Considerations Section w3c/dapt#281, and agreed to the following:
SUMMARY: Draft a pull request addressing the issue
The full IRC log of that discussion
<nigel> Subtopic: Detail Security Considerations Section #281
<nigel> github: https://github.com//issues/281
<cpn> Nigel: The reviewer asked why the spec includes the TTML2 security considerations. That seems fine
<cpn> ... Also, refer to threats or attacks related to XML
<cpn> ... I think we have protections by refusing to allow things like XML entities
<cpn> ... These should already be described in TTML
<cpn> ... We can say something, to show we've considered it
<cpn> ... Also, discussion of the threat model
<cpn> ... Subresource integrity was mentioned as something to check. A URL to an external resource, e.g., an audio clip, you could put a cryptographic hash in the source document, then the player computes the hash and compares
<cpn> ... In the discussion, I pointed out that would be annoying during authoring, but as a final step in publication it could be useful
<cpn> ... Not against it in principle, but it feels like solving a problem I haven't seen in the real world. But maybe others have...
<cpn> ... We can consider whether to add to the spec or not
<cpn> Cyril: How is this different to issue 282, which is also about the integrity model?
<cpn> Nigel: 281 is about drafting the threat model, and 282 is about a mechanism for identifying such an attack has happened
<cpn> ... I think it all makes sense. Any other thoughts or comments?
<cpn> (nothing)
<nigel> SUMMARY: Draft a pull request addressing the issue
This issue refers to the security review requested in this issue w3c/vibration#49
Please include in Security Considerations section:
Please add this before it becomes REC, so it's not blocking the various steps to CR.
Thank you