15:00:15 RRSAgent has joined #tt 15:00:15 logging to https://www.w3.org/2020/04/02-tt-irc 15:00:16 RRSAgent, make logs Public 15:00:17 Meeting: Timed Text Working Group Teleconference 15:01:29 Agenda: https://github.com/w3c/ttwg/issues/105 15:01:41 Previous meeting: https://www.w3.org/2020/03/26-tt-minutes.html 15:02:19 scribe: nigel 15:02:32 Present: Gary, Nigel, Pierre, Atsushi 15:02:58 cyril_ has joined #tt 15:03:36 Present+ Cyril 15:04:37 Topic: This meeting 15:05:31 Nigel: Today, we have a few IMSC issues, TTML2 IR, and starting at 1600 UTC, a joint 15:05:38 .. session with some members of the PING. 15:06:12 scribe: cyril_ 15:06:13 pal has joined #tt 15:06:38 Present+ Andreas 15:06:43 nigel: pierre are you able to join for the 2nd hour? 15:06:45 pal: yes 15:07:02 nigel: any AOB? 15:07:23 Topic: IMSC 1.2 15:07:33 nigel: there were a couple of editorial PRs 15:07:41 ... probably better to run them on the call 15:07:47 ... I added them to our agenda 15:07:55 atai has joined #tt 15:08:04 Topic: Note that the user can influence the document processing context 15:08:23 gitub https://github.com/w3c/imsc/pull/527 15:08:33 github: https://github.com/w3c/imsc/pull/527 15:08:38 glenn has joined #tt 15:09:49 nigel: if you go the PR, the preview and diff now appeared 15:10:10 ... there is one note added to the D.2 appendix: MAUR considerations 15:10:21 ... I provided some review comments that are now resolved 15:10:32 ... I just want to make sure that more people look at it 15:10:40 pal: ideally the main commenter 15:10:52 ... I don't think we can merge this until the main commenter's review 15:11:07 nigel: we need to make sure we have consensus among us also 15:11:18 Present+ Glenn 15:12:06 q? 15:12:23 ... if it sounds good, we'll just go ahead with this text 15:12:29 ... I'll go back to the APA 15:12:44 pal: we actually need them to participate 15:12:59 ... I'm not happy merging this until we have clear feedback from them 15:13:14 nigel: agree, we can prompt the person or the group with the text that we agree on 15:13:58 ... the commenter who raised it is W3C staff 15:14:20 atsushi: my personal opinion would be to ping them on GitHub 15:15:16 glenn: I would recommend closing due to lack of response 15:16:18 nigel: I will reach out to the commenter 15:16:42 nigel: nobody seems to have any other comment on it 15:17:23 SUMMARY: TTWG is happy with the current proposal and would like review by APA WG @michael-n-cooper 15:17:50 Topic: Address A11Y comments related to WCAG 2.1 15:18:02 github: https://github.com/w3c/imsc/pull/526 15:18:18 nigel: this PR is closing a couple of things 15:18:30 pal: I think there are things we need to talk about 15:18:53 pal: there is the issue raised by the APA related to updating reference to WCAG 2.1 15:18:56 ... that's issue 15:19:04 ... and also rewriting appendix D.1 15:20:05 ... and reference success criteria instead of interpreting and indicate how to best address them with IMSC 15:20:27 ... in the process of doing this, Nigel raised the question on an example provided in Appendix D.1 15:20:49 ... Nigel reviewed it, suggested some changes 15:21:00 ... I went back in time to find the history of this paragraph 15:21:06 ... many eons ago 15:21:19 ... I'm really reluctant to change it 15:21:30 ... because we spent so much time on it and it's only an example 15:21:38 ... my preference would be to add one more example 15:21:54 nigel: I'm not sure how it came as part of my review 15:22:03 ... maybe because the changes are big 15:22:20 ... I think the text came from J Birch after some debate 15:22:40 pal: What I've done editorially is to label it as an example 15:22:53 ... if there is another example, we should add it 15:23:02 ... but we should not touch the example anymore 15:23:26 nigel: it wasn't very clear what functional information means 15:23:41 ... it doesn't seem to mention that you can use styling attributes to achieve the same thing 15:24:06 ... it does not refer to using ttm:role to identify the kind of thing that the text is representing 15:24:17 ... simply leaving the text as is in the PR and adding another example could work 15:24:26 pal: I'm happy to review proposed example 15:24:31 nigel: I will provide one 15:25:55 nigel: I like the "suggestion" feature in the current PR, it's a new GitHub feature 15:26:43 pal: I have a question out to the commenter 15:27:05 ... I have asked a question on issue 521 and 522, 21 days ago and still waiting 15:27:21 nigel: we can't proceed because we are waiting for some answer 15:27:37 pal: 524 we said we will not make changes for it, we should close it 15:27:50 nigel: we can just leave that open because we took out the milestone 15:28:14 pal: so it's only 521 and 522 for which we are waiting for answers 15:28:33 nigel: back on 526, we have a way forward to resolve my comments 15:28:42 ... I encourage everybody to have a look at it 15:28:48 ... I think it will resolve the APA comments 15:29:04 pal: it could be a good template to solving the PING comments 15:29:15 ... if they could come up with guidelines 15:29:20 ... that we can reference 15:29:22 nigel: agree 15:29:27 q? 15:29:44 Topic: imsc/rec 15:30:19 nigel: we had a conversation about it last week 15:30:34 ... atsushi needed to take that to the team 15:30:40 ... and I wanted to know where we are 15:30:54 atsushi: I thought to ask next week 15:31:08 nigel: because of our decision policy 15:31:28 atsushi: I thought this was a recommendation from someone that we need to be secure on it 15:31:47 nigel: it's true that with our decision policy, someone could comment on it, but unlikely 15:32:18 atsushi: I was advised to wait some time after request to setup some difference link 15:32:33 ... to avoid misoperation on our W3C systems side 15:32:39 ... maybe Philippe's suggestion 15:32:49 nigel: I did not notice this 15:33:04 ... if you need time before making the change, fine but let us know 15:33:38 atsushi: could happen next week 15:33:43 nigel: sounds good 15:34:03 Topic: TTML2 2nd Edition Implementation Report 15:34:19 nigel: there has been some activity by Glenn 15:34:24 ... I did some review 15:34:29 ... we are moving forward 15:34:38 ... no particular test need agenda time 15:34:53 glenn: the only one that might is the one on line height and font strategy 15:34:59 nigel: 252 15:36:53 cyril has joined #tt 15:37:00 scribe: cyril 15:37:43 glenn: the previous one having to do with fontStrategySelection, a presentation test 15:37:51 ... that was put in TTML2 1ed 15:38:00 -> https://github.com/w3c/ttml2-tests/blob/master/presentation/valid/ttml2-prstn-font-selection-strategy.xml 15:38:19 glenn: it's about the impact of font strategy selection on line height 15:38:37 nigel: and that previous test has a description 15:38:50 ... and because there is combined character it would be clear what will happen 15:39:15 glenn: that test that preexisted and this one rely on something that cannot be interoperably tested 15:39:52 nigel: in the original test, we made the assumption that the default font did not support combining characters 15:40:32 ... we never verified that such a font exists 15:40:46 glenn: you had asked if we could construct such a font 15:40:53 ... technically, yes, but that is some work 15:41:00 ... I haven't signed up for 15:41:09 nigel: I've never done such things 15:41:18 ... we should be reaching out to Vlad 15:41:31 glenn: there are tools in the Adobe Font Toolset that I've used in the past 15:41:50 ... there are ASCII representation of the OpenType font that you can create 15:42:01 ... and use these tools to "compile" the font 15:42:23 ... I haven't signed up for the time to do that 15:42:41 glenn: the impetus is on the implementer to do that as part of their test setup 15:45:29 nigel: by relying on a font provided with an implementation, we can go ahead with this test 15:45:42 ... in the same way that we did the 1st edition test on font selection strategy 15:46:01 ... there is an action to adjust the test still 15:46:05 ... that's marked in the issue 15:46:15 ... line break present so that line height can be verified 15:46:28 ... it would be good that having done that your implementation passes 15:46:50 glenn: other than that I don't have other comments 15:53:13 Topic: end of meeting 15:53:23 nigel: we have no other business 15:53:32 ... let's end this part of the meeting 15:53:39 ... 5 min break until we start 15:57:27 rrsagent, make minutes v2 15:57:27 I have made the request to generate https://www.w3.org/2020/04/02-tt-minutes.html nigel 16:01:14 atai has left #tt 16:01:24 atai has joined #tt 16:02:37 npdoty has joined #tt 16:03:32 Topic: Meeting with PING 16:06:49 nigel: Thank you again for the feedback you gave us on IMSC 16:07:02 ... we could look at the details of the specific issues 16:07:10 ... one thing that came through is 16:07:25 ... that if there is a privacy issue of fetching things on the web 16:07:33 ... why is that issue specific to IMSC 16:08:04 pal: Nigel posed the problem correctly 16:08:11 I’d be interested to learn about the accessibility approach as well, just as we are learning the most productive ways to conduct horizontal reviews and address those issues 16:08:15 ... there is a generic privacy and security issue 16:08:29 ... true across most if not all W3C specifications 16:08:49 ... it'd be a lot better if these generic considerations were captured in a single document 16:09:06 ... so that other don't repeat the same text, the same mitigation, ... 16:09:26 ... has there been a discussion to have a generic document, just like APA WG did for accessibility? 16:10:03 pete: PING has authored a questionnaire 16:10:12 ... and a fingerprinting guideline document 16:10:18 ... because we are an interest group 16:10:20 Present+ Nick_Doty, Pete_Snyder 16:10:25 ... we cannot make anything normative 16:10:42 ... it's very difficult to speak in very general case 16:10:47 ... because many specs are different 16:11:12 pal: reading the long threat, is that the vulnerability that has been identified here is a generic fetch vulnerability 16:11:40 npdoty: there is maybe a more general threat 16:11:51 ... we do have documentation in the fetch spec for that 16:11:55 pes has joined #tt 16:12:06 ... but more specifically, because of font and implementation of fallbacks 16:12:17 ... you can learn information about a client 16:12:27 ... that's fairly specific to TTML 16:12:32 pal: and CSS 16:12:46 npdoty: maybe CSS (but have a different way of specifying) and HTML 16:12:53 ... we need to understand how fallback are done 16:13:13 ... if you just used CSS, then there would not be any need to document anything 16:13:42 pal: the corollary to that is: is it the only issue identified? 16:13:51 npdoty: Jeffrey did a review of TTML 16:13:56 https://github.com/w3c/ttml2/issues/1189 16:13:56 ... don't remember which edition 16:14:03 nigel: TTML2 2nd editio 16:14:17 npdoty: he opened an issue with a series of fingerprinting versions 16:14:36 ... and in the process we opened secure transport issues 16:14:44 pal: should we do it in TTML? 16:15:04 npdoty: I opened the issue on IMSC because there was a change compared to the previous edition 16:15:13 ... but it'd be good in TTML 16:15:35 nigel: we had some other feedback about accessibility from APA 16:15:43 ... and they produce a set of requirements 16:16:02 ... and we had a section restating that, and based on the feedback we received 16:16:20 ... we will change that to say: given requirement X, this is how you can do it in IMSC 16:16:34 ... it'd be great to have privacy requirements 16:16:44 ... and we would say how to achieve them in IMSC 16:17:01 ... if we had an ability to do that, that would be super useful 16:17:09 ... don't know if this is applicable to Privacy 16:17:19 npdoty: that would be a good goal 16:17:33 ... ongoing work in the PING is trying to get more granular and specific 16:17:47 ... if we can define that precisely, it would be easier for other specs 16:17:55 ... we are not yet quite at that level of precision 16:18:15 ... the document I edited gives guidelines to evaluate and some indication on how to mitigate 16:18:26 ... but different specs have different ways of solving the problem 16:18:47 ... we were not sure how IMSC fits in the web platform 16:19:02 ... is it implemented by a Web browser, follows same origin ... 16:19:15 pal: you're going to find implementations that span the whole range 16:19:29 ... from polyfills to embedded devices and web platform 16:19:38 glenn: the answer depends who you ask 16:20:06 ... the browser community, like Google, that it's not part of the Web platform, for historical reasons 16:20:28 ... the response to that is that for people who need to use TTML in the web, they have to use polyfills 16:20:36 ... or use server-side mechanisms 16:20:46 pal: it's broader than that 16:20:51 ... there are Android native apps 16:20:56 glenn: yes, wide range of responses 16:21:03 nigel: I agree 16:21:13 ... different people define the web platform differently 16:21:26 pal: the pragmatic issue we have is 16:21:34 ... if we agree on the attack vector (fetching) 16:21:47 ... fetching taking into account locally installed fonts 16:21:54 ... the next step is what are the mitigations 16:22:00 ... what do we write in the spec 16:22:09 ... point to "Mitigating ..." 16:22:17 +q 16:22:17 ... how do we close this issue? 16:22:37 pes: deciding on mitigation, we can provide guidance 16:22:48 ... but it takes the expertise of this group to decide 16:23:01 ... you can look at the CSS WG response 16:23:13 ... it's a little bit outside of PING jurisdiction 16:23:25 q+ 16:23:29 pal: from an editor standpoint, we need to close the issue 16:23:32 -q 16:23:38 ... what would it take to close it to your satisfaction 16:23:46 npdoty: we have 3 issues open 16:23:51 ... 2 on TTML and 1 on IMSC 16:24:12 ... I agree with Pete that since you understand the diverse set of implementations 16:24:22 ... you're in the best place to decide on the mitigation 16:24:35 ... a good goal would be to have similar mitigation to what we are working on in CSS 16:24:44 ... or at least point to that 16:25:08 ... we don't want to have to be in the situation where this is solved in CSS and not in TT 16:25:12 ... we have seen that in other groups 16:25:23 pal: this document is going to rec soon 16:25:37 ... where is the concrete mitigation we can point to? 16:25:46 npdoty: you can choose one from the CSS WG 16:25:59 ... or if you are not ready, just note that for implementers 16:26:11 ... so that they know about that 16:26:21 pal: I'm looking for a reference 16:26:26 q+ to mention the idea that we don't allow font fetching to be conditional at all in TTML2 and IMSC 16:26:31 q+ 16:26:39 q- 16:26:58 q+ 16:27:04 re: mitigating browser fingerprinting, guidance doc is: https://w3c.github.io/fingerprinting-guidance/ 16:27:15 nigel: thanks for the link 16:27:24 q? 16:27:47 nigel: is there a specific place in the CSS thread to point to 16:28:03 pes: no, the thread is not done, so nothing to point to 16:28:08 draft proposal to eliminate font-fingerprinting is ongoing here: https://github.com/w3cping/font-anti-fingerprinting 16:28:32 pes: I don't think there is a solution that you can point to 16:28:47 ... it's not a copy/paste answer 16:28:49 q- 16:28:49 q+ 16:29:22 nigel: the question about whether there is a vector here seems to come from the notion that the decision to fetch a remote font resource or not 16:29:29 ... is conditional on installed font 16:29:38 ... but in TTML and IMSC that semantics is not defined 16:30:04 ... my assumption had been that if some text in a document makes use of a matching font which points to an external URL 16:30:23 ... unconditionally, regardless of what is installed, the implementation must fetch it 16:30:31 ... it might not be clear in the text 16:30:35 q+ 16:30:38 yes, that sounds like a feasible mitigation 16:30:39 q+ glenn 16:30:42 ... but if it were, would that solve the concern ? 16:30:51 ack nige 16:30:51 nigel, you wanted to mention the idea that we don't allow font fetching to be conditional at all in TTML2 and IMSC 16:30:54 (im just agreeing with nick) 16:30:55 q- 16:31:24 ack pal 16:31:29 pal: on the specific proposed mitigation 16:31:42 ... I'm not sure that sufficient or wise because that would prevent caching 16:31:50 nigel: I did not say anything about caching 16:32:03 ... cache is not relevant for fingerprinting but maybe I'm wrong 16:32:06 q+ 16:32:23 pal: the second you share any resource you give information to an attacker 16:32:30 ... could be as subtle as timing, location ... 16:32:38 ... not sure there is a silver bulllet, specific to IMSC 16:33:19 glenn: were you asking if we made lazy vs eager fetching in the spec would be a solution? 16:33:35 nigel: not sure I would characterize it as lazy vs. eager 16:33:36 unconditional as opposed to conditional 16:33:48 ... when you would do it is different from if you do it 16:34:02 nigel: in CSS, the font might not get fetched if installed 16:34:21 ... but in TTML, we would dereference and use that, no dependency on installed font 16:34:34 glenn: I can't imagine that we would specify that 16:34:53 scribe: nigel 16:35:00 cyril: It could be a note to implementers, 16:35:20 .. saying that if they are worried about fingerprinting then they could do that. 16:35:24 Glenn: Sure. 16:35:31 that’s true right now, but it’s not described, so implementers would have to discover the problem and the mitigation all individually 16:35:34 .. I would object to trying to nail that down in the spec. 16:35:34 privacy is not an issue that can be pitched to implementors; w3c specs need to be private by default / definition 16:35:45 .. I would not object to adding informative language, but getting 16:35:52 .. agreement on that language might be problematic. 16:36:04 .. We could always give carte blanche to any informative language because 16:36:11 .. it doesn't matter, but on the other hand we've spent months 16:36:21 .. on informative language in other cases. 16:37:01 Nigel: To clarify, Glenn, you would object to language that prohibits dereferencing 16:37:25 s/dereferencing// 16:37:29 not lazy vs eager, but unconditional vs conditional (as in nigel’s proposed mitigation) 16:38:01 .. conditionally dereferencing on the basis of installed fonts? 16:38:21 Glenn: I'd object to normative language that nails down fetching semantics. 16:38:38 q+ on whether relying on other web platform specs or specifically not doing that 16:38:47 .. I would also require careful scrutiny about referencing anything from CSS WG, 16:38:55 .. and check if it has buy-in from browser vendors. 16:39:15 Cyril: 2 points. 16:39:27 .. 1. If we want to be pragmatic and publish, maybe one proposal. 16:39:37 .. Would it be acceptable to move this IMSC issue to TTML2 so we can address all 16:39:44 .. the privacy issues in the context of TTML2 in general? 16:39:56 .. 2. More broadly, this group also defines WebVTT so should we have a generic 16:40:05 .. timed text privacy document and refer to it from all the specs? 16:40:09 ack 16:40:14 ack cyril 16:40:32 Glenn: Could we publish that as an informative note? Doing so would take some time 16:40:38 q+ 16:40:44 .. and would delay matters. That may be something for 3rd Ed for TTML2. 16:41:01 .. We could only make small tweaks to 2nd Ed in whichever appendix it is. 16:41:05 ack glenn 16:41:17 .. If you wanted something that all the docs refer to informatively you could publish 16:41:20 .. a WG Note. 16:41:25 q- 16:41:40 Pete: I take the point that every network request reveals something about the 16:41:52 .. requestor, but there's a difference. For an image file, your browser doesn't check 16:42:19 .. to see if it is present. 16:42:32 .. In this case whether or not the browser makes the request reveals something about 16:42:43 .. the environment. It's more specific than just network requests are revealing. 16:42:55 .. I can understand why this is frustrating to the group, but if your spec is producing a 16:43:07 .. new way to get fonts relative to the rest of the web platform then it is your responsibility 16:43:19 .. to define the privacy aspects of the functionality. 16:43:35 .. In general informative text is not a satisfactory way to address privacy concerns 16:43:50 .. for exactly the reason stated, that they don't make any requirements on implementations. 16:43:53 q? 16:44:05 q+ glenn 16:45:01 Nick: To expand on Pete's second point there, we're coming back to the same question 16:45:11 .. we had earlier on about what the level of innovation is compared to the rest of 16:45:27 .. the web platform. I've heard some suggestions that these things are generic, so we should 16:45:39 .. just do whatever everyone else does, but also suggestions that behaviour about how 16:45:52 .. the markup is used will not be defined, or that we will not refer to CSS. 16:46:05 .. I guess that will be a regular question that comes up - is this relying on CSS and Fetch 16:46:12 .. or if it is not then it will need separate review. 16:46:22 .. I do think there are different levels of mitigation. 16:46:37 .. The first might be noting it so implementers are aware of the risks based on how 16:46:55 .. the implementation is done, but I think Pete is wise to point out that we have had 16:46:57 q- 16:47:03 .. problems arising from that. That would be the first step though. 16:47:23 Pierre: My proposed course of action is a) move this issue to TTML2 because it is not 16:47:34 .. specific to IMSC. And my proposal in TTML2 would be to note the potential privacy 16:47:46 .. issue introduced by resource fetching, specifically font fetching, and suggest one 16:47:49 q+ 16:48:01 .. potential mitigation, which is to suggest unconditional fetching. I'd like to hear if 16:48:07 .. anyone strongly objects to this. 16:48:08 q? 16:48:09 cyril: I agree 16:48:15 Nigel: I agree 16:48:18 q- 16:48:20 I object to non-normative mitigations 16:48:34 Glenn: As long as that's a mitigation suggestion up to the implementer that's fine. 16:48:39 for the reason stated here, that “non normative text doesnt matter” (someone in this groups on words) 16:48:41 ack glenn 16:49:07 Glenn: The other comment I had earlier for Pete was in response to requiring it to be normative, 16:49:18 .. I firmly believe that W3C does not implement these specifications, and it does not 16:49:31 .. certify implementations or test implementations. It does not mandate behaviour 16:49:31 thats WHATWG 16:49:43 .. or these sorts of things, so I would certainly not agree with what you said about 16:49:48 .. making these sort of things normative. 16:50:00 .. Different groups in W3C might have different positions or opinions, but TTWG has 16:50:13 .. defined a markup language that has been widely adopted in various industries. 16:50:25 .. The web platform has at various points made use of TTML and many other industries 16:50:38 .. have also, and have chosen to create other specifications adding further normative 16:50:54 .. language about the use of TTML. If others want to add normative requirements in other 16:51:06 .. specifications then they can do so. One has to make layering and abstraction decisions 16:51:21 .. about where to put such language. So far we have not done so in TTML and I don't expect 16:51:22 q+ 16:51:27 q- 16:51:35 .. to in the future. That's my current opinion. 16:52:05 Pete: Not sure how to respond - W3C is a member org and our HR role is to make sure 16:52:08 .. that things stay private! 16:52:11 that discussion can be ongoing, but I hope we don’t get to the general practice of having a separate spec for the privacy-preserving way of implementing each spec 16:53:29 .. More constructively perhaps, in the spec, if you say that when being implemented, 16:53:44 .. as part of the web platform, then it should do X, Y and Z things to resolve fonts, and 16:54:01 .. should not create new privacy harming paths, and when implemented as part of other 16:54:11 i second nicks point above 16:54:13 .. platforms it should do what those platforms do to preserve privacy. 16:54:19 q? 16:54:26 ack pal 16:54:43 Pierre: As Glenn pointed out it is going to be very hard for the TTML spec to tell browsers 16:54:55 is your group defining functionality that browsers are supposed to implement? 16:54:57 .. what do. We can try to suggest mitigations, but I don't think it is realistic. 16:55:08 Glenn: We can put generic language suggesting something of that sort. 16:55:15 I’d be +1 on moving the issue to ttml, since it applies to ttml as well. i might recommend that imsc refer to the ongoing issue 16:55:24 Pierre: That was my recommendation, to clearly state the attack vector but it is not 16:55:33 .. reasonable for us to tell web browsers normatively what to do. 16:55:40 q+ 16:55:41 .. Even if I agreed with that, I don't think it's realistic. 16:55:48