Re: Color Management for iPad? / security issues
- Subject: Re: Color Management for iPad? / security issues
- From: Tom Lianza <email@hidden>
- Date: Tue, 09 Aug 2011 10:09:01 -0400
- Thread-topic: Color Management for iPad? / security issues
Hi to all,
>
> Tom, is your intention as a member of the ICC board, that W3C should
> change the existing web standards for mobile devices, by not allowing
> ICC-profiles to be embedded in content, which is rendered on the client
> side ?
>
Of course not, but I don't make the rules. Also, I would like to see the
existing W3C standard that dictates the processing of embedded ICC profiles.
If it is in the standard, then there is nothing that needs to be done on the
part of the ICC. Please point that part of the standard out to me....

On another point, we need to carefully distinguish my personal positions
from official ICC positions. I do not normally speak about ICC positions
without being very specific. As a matter of fact, the bylaws actually forbid
an officer from making public comment without prior review by the steering
committee.

My personal opinion: given the current state of color management on the web,
whether on the desktop or mobile platform, any image that has an embedded
profile should be considered malformed and the profile should be ignored. A
user should carefully process the image to sRGB prior to inclusion on the
web content, making note of the potential artifacts that are introduced by
the lack of, or poor implementation of display color management on the
platform.

Now my opinion as Co Chair of the ICC: There has been a demand from
portions of the user community to have fully implemented color management on
the web for both desktop and mobile devices. I have proposed to the
steering committee that we have a meeting between users, web developers and
the ICC membership with the goal to produce a set of ICC approved guidelines
for implementation of color management in the world wide web. I would ask
you as a committed user to put together a paper that outlines your needs, in
detail, for presentation to the development community and the ICC consortium
membership. I would also ask you to consider how one would manage color
managed printing from the web. How does one manage multiple displays and
images spanning multiple displays? How does one handle the V2-v4
inconsistencies and of course there is the issue of Black Point
Compensation. Absent a clearly defined web workflow, we will simply create
more confusion and a very bad user experience. I am trying to avoid
steering the ICC into areas that can lead to very bad outcomes unless the
workflow is strictly defined and specified. That "definition thing" has not
been one of the traditional strengths of the ICC.

Part of my role as Co Chair of the ICC is to aid in the implementation of
color management as required by the membership and market. I am willing to
do this even if I sometimes feel like a cheerleader on the deck of the
Titanic.

Regards,
Tom

On 8/9/11 4:21 AM, "Jan-Peter Homann" <email@hidden> wrote:
> Hello to all,
> Like Graeme, Tom's arguments concerning ICC-profiles and security issues
> for mobile devices are not convincing me:
>
> 1) W3C Standards are allowing explicitly the usage of ICC-profiles in
> documents for the web
> 2) Basic ICC support in Browsers for desktop systems like e.g. Safari
> and exist since two years
>
> Tom, is your intention as a member of the ICC board, that W3C should
> change the existing web standards for mobile devices, by not allowing
> ICC-profiles to be embedded in content, which is rendered on the client
> side ?
>
> Regards
> Jan-Peter
>
> On 09.08.11 01:27, Graeme Gill wrote:
>> Tom Lianza wrote:
>> Hi,
>>
>>> There are two distinct issues here. On the server side, one assumes that
>>> the builder of the web page is responsible for content so security per se is
>>> not that much of an issue, except that the ICC profile allows for
>>> proprietary tags so by definition, there is a potential issue with unknown
>>> BINARY data and a potential for downstream corruption.
>> I don't really see this. Proprietary tags exist within the tag framework,
>> and can/will be ignored.
>>
>>> On the client side,
>>> if you are going to execute a fully color managed workflow inside the
>>> application, the web application/browser, must interact with specific client
>>> generated data, this is a security no-no. There are fairly well defined
>>> mechanisms for accepting specific client data (desktop physical extent, etc)
>>> that is absolutely necessary for the browser to run. Opening and capturing
>>> an ICC profile is NOT one of those secure APIs.
>> Sorry, I'm not really following you. There is no need for client
>> data like a source ICC profile to be taken within a secure context (kernel).
>> System services for such things can (should!) run as user mode.
>> It isn't that difficult to parse an ICC profile in a secure manner
>> (i.e. avoiding any possibility of buffer or integer overflow) if
>> the right approach is taken.
>>
>>> different APIs for color management, so the code that was specifically
>>> designed to be non-OS specific suddenly becomes very specific. If you look
>>> into the WebKit code, you will see some of the specific issues. It can be
>>> handled on a platform-by-platform basis, but it is quite a bit of work.
>> That seems to be the story with color though, programmers are lazy about it.
>> They're lazy in understanding it, lazy in using APIs that exist,
>> and lazy in standardising it. If all you are dealing with is RGB display systems,
>> and the hardware folks have made them (sort of) respond a bit like sRGB,
>> then it's tempting simply to ignore the whole thing (which seems what's
>> happened with iOS).
>>
>> Graeme Gill.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Colorsync-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
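
The two points raised in the quoted exchange above (unknown proprietary tags being ignored within the tag framework, and parsing an ICC profile without buffer or integer overflow) can be illustrated with a bounds-checked tag-table lookup. This is an added example, not code from any poster in the thread or from WebKit or the ICC; the function names and the private tag 'XpRv' are hypothetical, and the layout used (128-byte header, 'acsp' at offset 36, 12-byte tag entries) is the one in the ICC specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ICC_OK = 0, ICC_NOT_FOUND = 1, ICC_MALFORMED = -1 };
#define ICC_HDR 128u   /* fixed header length */
#define ICC_ENT 12u    /* tag table entry: signature, offset, size */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Find tag `want`; every table entry is range-checked, unknown ones are then skipped. */
int icc_find_tag(const uint8_t *buf, size_t len, uint32_t want,
                 uint32_t *off_out, uint32_t *size_out) {
    if (!buf || !off_out || !size_out || len < ICC_HDR + 4u) return ICC_MALFORMED;
    uint32_t psize = be32(buf);                 /* declared profile size */
    if (psize < ICC_HDR + 4u || psize > len) return ICC_MALFORMED;
    if (memcmp(buf + 36, "acsp", 4) != 0) return ICC_MALFORMED;
    uint32_t count = be32(buf + ICC_HDR);
    /* Divide instead of multiplying: count * 12 could wrap in 32 bits. */
    if (count > (psize - (ICC_HDR + 4u)) / ICC_ENT) return ICC_MALFORMED;
    uint32_t data_start = ICC_HDR + 4u + count * ICC_ENT;   /* safe after the check */
    int rc = ICC_NOT_FOUND;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ICC_HDR + 4u + i * ICC_ENT;
        uint32_t sig = be32(e), off = be32(e + 4), size = be32(e + 8);
        /* Compare size against the remaining room; off + size could wrap. */
        if (off < data_start || off > psize || size > psize - off) return ICC_MALFORMED;
        if (sig == want && rc == ICC_NOT_FOUND) { *off_out = off; *size_out = size; rc = ICC_OK; }
    }
    return rc;
}

/* Constructed 164-byte sample: 'desc' plus a made-up private tag 'XpRv'. */
size_t icc_sample(uint8_t out[164]) {
    memset(out, 0, 164);
    put32(out, 164); memcpy(out + 36, "acsp", 4); put32(out + 128, 2);
    memcpy(out + 132, "desc", 4); put32(out + 136, 156); put32(out + 140, 4);
    memcpy(out + 144, "XpRv", 4); put32(out + 148, 160); put32(out + 152, 4);
    return 164;
}
```

A malformed entry anywhere in the table rejects the whole profile, even when the requested tag was already found earlier in the table.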