IETF Logo Mail Archive

Re: [Wpack] Counter-proposal where bundles only contain a single origin

Marcin Rataj <lidel@protocol.ai> Fri, 04 September 2020 12:49 UTC

Return-Path: <lidel@protocol.ai>
X-Original-To: wpack@ietfa.amsl.com
Delivered-To: wpack@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A07813A0BB9 for <wpack@ietfa.amsl.com>; Fri, 4 Sep 2020 05:49:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.047
X-Spam-Level:
X-Spam-Status: No, score=-3.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.948, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protocol.ai
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1vfdGk1wKJaC for <wpack@ietfa.amsl.com>; Fri, 4 Sep 2020 05:49:21 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E3C93A0BB6 for <wpack@ietf.org>; Fri, 4 Sep 2020 05:49:21 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id z22so8417734ejl.7 for <wpack@ietf.org>; Fri, 04 Sep 2020 05:49:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protocol.ai; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=6YO1o8PdAiORXWls/EJleca7Dm/bCXQGXe/mJprehvE=; b=OHE6UVMdIXDvpJ3IJEsrdq8K+PZz0aG2HDm73xvHRb2QCInC10eQ2mhmwYdbpJKOrI 402kHkwmZ4n7qBCFj4ZPXbsk2FntXk2bDQ+f20SZxTiDrhf6NdPIFP6f9NuXf9N2Dg+a nfaz4Mawnr/1vBBXuz4fYERFIJYnL0ghYhjNq2LWvErqLtP68qxkGy7FrJLwwNR2Q3oT 4+6NObDcqS3FFwJ8mE7KTEcPGCeI/gqO4GJJKcFEBOpjJk2TjAFeN3y69DDUWsbAa/dx OtB9oFTVbxihqV1YDVPykU5MZOkRmxaCPqllFkip72PSwhDa9Cj2C9lM2nf3ARMOOWyU 5/vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=6YO1o8PdAiORXWls/EJleca7Dm/bCXQGXe/mJprehvE=; b=PEST7tK4u6q+3O0Ey0/OaHrKBtohcSEuvo6Wsk+0NDPzr6OwryQLRgDUQnE2dBs1Fd i2CEUdQPy90a7wkV4OBEEHBGIGF87y9ZbKiGAC0GSkk9+ILoGa1zfWiJJ26/sFxlLH7H kgz3kWaIK10h+VVkFjr3RcUUf13EMmDNmHDmYdoH/cAtYUcd+4A+RdF0E27jVQw2IvNL N3nmUcThZn5349miLcr6tfBhVRQcHLyVbX4FyvmeVvUWNziTwdpEP5ot2z49TB+10JMG HcAnDlsiDv4ryvVUjefkuJ8z8BjDU5fVUs+1DpHyniqHsyIWFq1dy9MkyPsUwVbzKoaC uRBw==
X-Gm-Message-State: AOAM531BEkUQsb5lVG4oGz/GGaM6zP1XZtYLwI8F1oPM77KAI7BHf12N kzItma5Z8I5fr7kkxM7MEzJBzw==
X-Google-Smtp-Source: ABdhPJxbCk7MPcCDBiq08WSmLY2PcQtgvgCGWXbFha3Av/+8WNPd2cdqaccvQu9yS8Q0NCKEFB2XbQ==
X-Received: by 2002:a17:907:374:: with SMTP id rs20mr7462505ejb.135.1599223759562; Fri, 04 Sep 2020 05:49:19 -0700 (PDT)
Received: from [192.168.1.12] (79.191.36.44.ipv4.supernova.orange.pl. [79.191.36.44]) by smtp.gmail.com with ESMTPSA id ly16sm5997757ejb.58.2020.09.04.05.49.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 04 Sep 2020 05:49:19 -0700 (PDT)
To: Jeffrey Yasskin <jyasskin@google.com>, WPACK List <wpack@ietf.org>
Cc: Martin Thomson <mt@mozilla.com>
References: <CANh-dXkC8i6F1gxoD6nTJ4bp=7TVyy1fcN3v1vurj6h4+cZqiQ@mail.gmail.com>
From: Marcin Rataj <lidel@protocol.ai>
Message-ID: <3dd20ca2-5349-d1ee-fa97-9f860553a34b@protocol.ai>
Date: Fri, 04 Sep 2020 14:49:15 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.2.1
MIME-Version: 1.0
In-Reply-To: <CANh-dXkC8i6F1gxoD6nTJ4bp=7TVyy1fcN3v1vurj6h4+cZqiQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/wpack/YF9keKR8H6BYmZNpatW46ajPC5k>
Subject: Re: [Wpack] Counter-proposal where bundles only contain a single origin
X-BeenThere: wpack@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Web Packaging <wpack.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpack>, <mailto:wpack-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpack/>
List-Post: <mailto:wpack@ietf.org>
List-Help: <mailto:wpack-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpack>, <mailto:wpack-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2020 12:51:10 -0000

On 26/08/2020 20:00, Jeffrey Yasskin wrote:
> # URLs for nested bundle resources
>
> ```
> package://distributor.example/bundle.wbn$app/foo.wbn$bar.html
> package:///c:/Users/name/Downloads/bundle.wbn$app/foo.wbn$bar.html
> ```
>
> This fetches the outer bundle by removing everything after the first 
> `$` and:
>
> * If the URL has an authority, replacing the `package:` with `https:`
> * If the URL doesn't have an authority, replacing the `package:` with 
> `file:`.
>
> To allow the outer bundle to be fetched using a third scheme, we would 
> need to add a matching new scheme for addressing inside it.

This proposal sneaks in a controversial change of making the internal 
protocol schemes to be implicit "https:"
It comes at a cost of protocol lock-in, which puts future use cases that 
rely on decentralized content routing and discovery in jeopardy.

For example, it makes it impossible for a resource inside of a bundle to 
use ipfs:// URI (content-addressed protocol) for making network requests 
that:
(1) do not require bundle to point at a specific location of the data 
(heals link rot, improves resilience of a bundle)
(2) provide better integrity guarantees than HTTPS (content-addressing 
means received data can be validated in trust-less manner, based on the 
hash from address itself)

In the interest of supporting distributed use cases, and keeping door 
open for future innovation in this space I suggest changing this 
proposal to avoid implicit defaults of https and always use explicit 
protocol scheme ensure arbitrary URI can be used by user agents in the 
future.

Marcin

v2.23.0 | Report a Bug | By Email