[dispatch] A packaging format for the web

Jeffrey Yasskin <jyasskin@chromium.org> Thu, 15 June 2017 19:09 UTC

Return-Path: <jyasskin@google.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 285C7127866 for <dispatch@ietfa.amsl.com>; Thu, 15 Jun 2017 12:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com header.b=BuRcKFBE; dkim=pass (1024-bit key) header.d=chromium.org header.b=oOMnxCKd
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id N5kTI_EPdsv8 for <dispatch@ietfa.amsl.com>; Thu, 15 Jun 2017 12:09:40 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5374127078 for <dispatch@ietf.org>; Thu, 15 Jun 2017 12:09:39 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id d64so1873136wmf.1 for <dispatch@ietf.org>; Thu, 15 Jun 2017 12:09:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to :content-transfer-encoding; bh=jahQD+LSz2yRrXtf7YIGgAtIj8yS005nsvKKbsoZNmk=; b=BuRcKFBEWECTRJ8oP7Qal/lEOPiyuqUrSQiFkzV5ETCfFKpBlHHdR3UVdwmJ1Dsm6B RFZ6gOcI+4pTacI22fGtK2nnrQZy1YBmqkqdaZRRQuj92zcwscjvEWc7CswrdqlYFhHI 2kJR0b45P/V3dCY2Ero1pLD9ZGs0NgvJh4yt9Ie3e/CEm8A3l6l76eIxy9U9vVE2SR8k /I6i1QXDbTcxVBRCDr/23ABwatHvtsp/MjJCw/WshCJQCGbug/lCv1RTQHVywx1n5h/q qvkbNKQppObSIBP8kIgckYP+d4x5xURt7oKUCbewiz31VO443r8PM7m7B3yhu998gT86 7Cpg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:from:date:message-id:subject:to :content-transfer-encoding; bh=jahQD+LSz2yRrXtf7YIGgAtIj8yS005nsvKKbsoZNmk=; b=oOMnxCKd2XnHSBwUU2WVSlU0PKQGhtqQrEEyjCOrze0gQJ3/+w55krMUKB41U6lHqO YFbmmPvExhhUE9CXzX7aUMkwsmdiiElj3ZD01Qke/Tlfige6vv0tIzQIhYfNGWjSYqlx z/IkzzZADF48W6r3r6OzP2NW+5L1sPByAGz5Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:content-transfer-encoding; bh=jahQD+LSz2yRrXtf7YIGgAtIj8yS005nsvKKbsoZNmk=; b=Z/N2PK9eKmlMmrRHe95AAQ6TrTnbrrGEnmiNb6aHiMfb549sL8EoKXp1rPpd5LAX0R Bf02W/bNQctC/AM5VAwSVN2iyPwctiJ5WI8ZXPQWgIcqmHV26YDkn7DqsLQUQCG9L+jY wuduZ6OderXZkvUZzOE1DzNPFY6KvFnuO192OpJSOV0aPj4WEogxRhC7hotDqhCtItah d0d42gbG97pUJnLxnxdauUsHQi1vtUXKmoXcxuU5CxYR3VJZSf0jTYw9hNcrnvqn+6Yz Ros+cX9PhSLBxntlsqU2/eVHvC7Irz9S/N5Z81rIKm7wv8vapUB2cwBwe/qy1dOOUMsu Skgw==
X-Gm-Message-State: AKS2vOxL+Q2NQ3EySSrXdIyzeQnqyLEFGu015w4b5nrMO0vzPUOmJ/Rx FZc99yc0s4w6YzaqduKH3pGrpgyas4FY9PsevA==
X-Received: by with SMTP id m19mr4601183wmi.92.1497553777627; Thu, 15 Jun 2017 12:09:37 -0700 (PDT)
MIME-Version: 1.0
Sender: jyasskin@google.com
Received: by with HTTP; Thu, 15 Jun 2017 12:09:16 -0700 (PDT)
From: Jeffrey Yasskin <jyasskin@chromium.org>
Date: Thu, 15 Jun 2017 12:09:16 -0700
X-Google-Sender-Auth: -_necepPs9e3GG7-_ex1SUUYUdg
Message-ID: <CANh-dXkpbBGF-5ZM9ZbZsULUYaP-ECxNy4EfLk25zmg3qFvd6g@mail.gmail.com>
To: dispatch@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/NQ0deHSsRvt4BL4alk_WYVnhhvo>
Subject: [dispatch] A packaging format for the web
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jun 2017 19:09:42 -0000

Hello Dispatch,

TL;DR: We're bringing the work at https://github.com/WICG/webpackage
to the IETF.

People would like to use content offline and in other situations where
there isn’t a direct connection to the server where the content
originates. However, it's difficult to distribute and verify the
authenticity of applications and content without a connection to the
network. The W3C has addressed running applications offline with
Service Workers (https://www.w3.org/TR/service-workers-1/), but not
the problem of distribution.

* People with expensive or intermittent internet connections are used
to sharing files via P2P links and shared SD cards. They should be
able to install web applications they received this way. Installing a
web application requires a TLS-type guarantee that it came from and
can use data owned by a particular origin.

* Verification of the origin of the content isn't always necessary.
For example, users currently share screenshots and MHTML documents
with their peers, with no guarantee that the shared content is
authentic. However, these formats have low fidelity (screenshots)
and/or aren't interoperable (MHTML). We'd like an interoperable format
that lets both publishers and readers package such content for use in
an untrusted mode.

* CDNs want to re-publish other origins' content so readers can access
it more quickly or more privately. Currently, to attribute that
content to the original origin, they need the full ability to publish
arbitrary content under that origin's name. There should be a way to
let them attribute only the exact content that the original origin

We think a packaging format can help satisfy these use cases. This
format likely also has other uses, and we should try to support such
use cases as long as they don't compromise the offline use cases. For
example, packages may help optimize transferring online content or let
third-parties assert properties of the package via cross-signatures.

The Chromium project has started work on this sort of packaging format
within the W3C's WICG, at https://github.com/WICG/webpackage. We have
a list of use cases, some goals and explicit non-goals, and a draft
for the format itself. We believe the IETF is the ideal place to
standardize the format, and in parallel we'll specify within the W3C
how browsers should load it. I'll be writing an initial internet-draft
in the next couple weeks, in time to bring it to IETF 99.

We'd appreciate being directed to the appropriate place within the
IETF to do this work.

Jeffrey Yasskin

P.S. I'll be on vacation from June 16-23; I'll reply intermittently
during that time but mostly once I get back.