[secdir] [new-work] WG Review: Web Packaging (wpack)

The IESG <iesg@ietf.org> Fri, 07 February 2020 18:54 UTC

A new IETF WG has been proposed in the Applications and Real-Time Area. The
IESG has not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send your
comments to the IESG mailing list (iesg@ietf.org) by 2020-02-17.

Web Packaging (wpack)
-----------------------------------------------------------------------
Current status: BOF WG

Chairs:
  Sean Turner <sean+ietf@sn3rd.com>

Assigned Area Director:
  Alexey Melnikov <aamelnikov@fastmail.fm>

Applications and Real-Time Area Directors:
  Adam Roach <adam@nostrum.com>
  Alexey Melnikov <aamelnikov@fastmail.fm>
  Barry Leiba <barryleiba@computer.org>

Mailing list:
  Address: wpack@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/wpack
  Archive: https://mailarchive.ietf.org/arch/browse/wpack/

Group page: https://datatracker.ietf.org/group/wpack/

Charter: https://datatracker.ietf.org/doc/charter-ietf-wpack/

The WPACK working group will develop a specification for a web packaging
format that efficiently bundles multiple HTTP representations. It will also
specify a way for the publisher to sign these resources such that a user
agent can trust that they came from their claimed web origins. Key goals for
WPACK are:

* Efficient storage across a range of resource combinations. Three use cases
to be supported are: a client-generated snapshot of a complete web page, a
web page's tree of JavaScript modules, and a selection of the whole web for
peer-to-peer distribution in a country when access to authoritative servers
is unavailable.

* The ability to create a snapshot of a web page without the cooperation of
its publisher.

* The ability to use a web app online or offline, with assurance of its
publisher, after a package of it was received from a peer.

* Low latency to load a subresource from a package, whether the package is
signed or unsigned, and whether the package is streamed or loaded from
random-access storage.

* Being extensible and crypto agile.

* Security and privacy properties of using signed bundles as close as
practical to TLS 1.3 transport of the same resources. Where properties do
change, the group will document exactly what changed and how affected people,
including content publishers and users, can compensate. Part of this is
analyzing how the shift from transport security to object security changes
the security properties of the web's existing features.

* Specifying constraints on how clients load the formats without describing
a specific loading algorithm to help achieve the above goals.

The packaging format will also aim to achieve the following secondary goals
as long as they don't compromise or delay the above properties.

* Optimizations in encoding and processing when only a single resource (as
opposed to a collection thereof) is being packaged

* Support signed statements about subresources beyond just assertions that
they're accurate representations of particular URLs.

* Address the threat model of a website compromised after a user first uses
the site.

* Support books being published in the format.

* Optimize transport of large numbers of small same-origin resources.

* Allow publishers to efficiently combine sub-packages from other publishers.

The following goals are out of scope under this charter:

* DRM (Digital Rights Management)

* A way to distribute the private portions of a website. For example, WPACK
might define a way to distribute a messaging application but wouldn't define
a way to distribute individual messages without a direct connection to the
messaging application's origin server.

* Defining the details of how web browsers load the formats and interact with
any protocols we define here, aside from the constraints mentioned above.

* A way to automatically discover the URL for an accessible package that
includes specific content.

Note that consensus is required both for changes to the initially proposed
protocol mechanisms and for their retention. In particular, because something
is in an initial working group draft does not imply that there is consensus
around the feature or around how it is specified.

Relationship to Other WGs and SDOs

WPACK will work with the W3C and WHATWG to identify the existing security and
privacy models for the web, and to ensure those SDOs can define how this
format is used by web browsers.

The WPACK working group will work closely with the HTTPbis working group; in
particular, WPACK will attempt to reuse HTTPBIS work on HTTP signing.

Milestones:

  Jun 2020 - Working group adoption of use cases document (will not be
  published as an RFC)

  Jun 2020 - Working group adoption of bundling document

  Jun 2020 - Working group adoption of security analysis document

  Jun 2020 - Working group adoption of privacy analysis document

  Jun 2020 - Working group adoption of signing document

  Sep 2021 - Submit the Bundling document to IESG

  Mar 2022 - Submit the Privacy analysis document to IESG

  Mar 2022 - Submit the Security analysis document to IESG

  Mar 2022 - Submit the Signing document to IESG

