w3c / encrypted-media

Encrypted Media Extensions
https://w3c.github.io/encrypted-media/

Definition of CDM and security/privacy #407

Closed plehegar closed 7 years ago

plehegar commented 7 years ago

Section contains "The CDM MUST NOT make direct out-of band network requests.". However, that part is highly relevant when reading the security and privacy sections. Should this part of the CDM definition be moved closer to those sections?

jdsmith3000 commented 7 years ago

I believe this refers to the following text:

All messages and communication to and from the CDM, such as between the CDM and a license server, MUST be passed through the user agent. The CDM MUST NOT make direct out-of band network requests. All messages and communication other than those described in Direct Individualization MUST be passed through the application via the APIs defined in this specification. Specifically, all communication that contains application-, origin-, or content-specific information or is sent to a URL specified by the application or based on its origin, MUST pass through the APIs. This includes all license exchange messages.

I suggest this be relocated to section 8.1 and move the other section 8 implementation sections down one decimal. It sets high level requirements that affect all messaging touched on in lower sections.

The Note could remain in the definition, since it clarifies that the CDM "component" may not be treated as separate from the user agent. It is relevant to the networking access requirements as well though.
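The constraint quoted above, as an added example that is not part of this thread or of the EME specification text: the application-side half of a license exchange, showing that the CDM's message only reaches the network through the page's own `fetch` and the server's reply only reaches the CDM through `MediaKeySession.update()`. The license server URL and the injectable `fetchImpl` parameter are assumptions for illustration; the `MediaKeyMessageType` values are the ones the specification defines.

```javascript
// Added example, not code from the thread or the EME spec.
// The application decides where CDM messages go; the CDM itself never
// opens a network connection. LICENSE_SERVER is an assumed placeholder.
const LICENSE_SERVER = "https://license.example.test/acquire";

// MediaKeyMessageType values defined by EME for the "message" event.
const KNOWN_MESSAGE_TYPES = new Set([
  "license-request",
  "license-renewal",
  "license-release",
  "individualization-request",
]);

// Build the HTTP request the page sends on the CDM's behalf. Keeping this
// pure makes the mediation policy reviewable: the destination is fixed by
// the application, never by anything carried inside the opaque CDM message.
function buildLicenseRequest(messageType, message) {
  if (!KNOWN_MESSAGE_TYPES.has(messageType)) {
    throw new Error(`unexpected CDM message type: ${messageType}`);
  }
  return {
    url: LICENSE_SERVER,
    method: "POST",
    headers: {
      "Content-Type": "application/octet-stream",
      "X-Message-Type": messageType, // assumed header name, for illustration
    },
    body: message, // ArrayBuffer from the CDM, forwarded unchanged
  };
}

// Send the request via the page's fetch (so CSP, CORS and the user agent's
// network stack all apply) and return the raw license bytes.
async function forwardToLicenseServer(messageType, message, fetchImpl = globalThis.fetch) {
  const req = buildLicenseRequest(messageType, message);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`license server returned HTTP ${res.status}`);
  return new Uint8Array(await res.arrayBuffer());
}

// Wire a MediaKeySession so every CDM message is mediated by the application:
// message event -> app fetch -> session.update(). update() is the only path
// by which the server's response reaches the CDM.
function mediateSession(session, fetchImpl = globalThis.fetch) {
  session.addEventListener("message", async (event) => {
    const reply = await forwardToLicenseServer(event.messageType, event.message, fetchImpl);
    await session.update(reply);
  });
}
```

In a page, `mediateSession(mediaKeys.createSession())` is called before `generateRequest()`, so the handler is attached before the CDM emits its first message.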

jdsmith3000 commented 7 years ago

I'm working on the PR for issue #408. To me, it makes sense to append this requirement directly below or as part of the "CDM Constraints" section I'm inserting as Section 8.1. I can pick this up in that PR, if others agree.

jdsmith3000 commented 7 years ago

I'm proceeding with a combined pull request for issue-407 and issue-408.