Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / 107 / 25 Mar 2020
Internet Engineering Task Force / 107 / 25 Mar 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: IETF107-WPACK-20200325-1949

Description

WPACK meeting session at IETF 107
2020/03/25 1949

https://datatracker.ietf.org/meeting/107/proceedings

A

Can you guys see the slides, yup.

B

Begin hmm all right, great okay,.

A

To slideshow welcome to W PAC, sorry for the problems I'd reuse, this before on this machine and I have no idea what happened so in any event, we're actually a working group. So that's great! Thank you very much. My name is Sean. My other co-chair is.

A

David Lawrence David Lawrence, so I'm going to run the slides today of my laptop Dave's, going to manage the queue as I guess, as he mentioned, let's get into it. So this is the meeting tips that you've probably been staring at for lap ten minutes, while I cuts around with my laptop. Please make sure your video is off meet your microphone unless you're speaking use your headsets. To avoid echo, please use the WebEx chat only to join the mic.

A

You please add your name to the virtual blue sheets and join the jabber for other various back-channel discussion. Here's the note! Well, please make sure you understand that we are recording this. Let's be calm, Concord Easter to everybody.

A

Hopefully you've seen a couple of these because you've been dialing into other session. Here's a request: we got Ted volunteer to do a the jabber session, but we don't have a minute taker or did I miss that.

A

You nobody has yet volunteer all right. So then we have the pause. While we wait for someone to volunteer I would love to be able to see the.

A

To see the list, people but unfortunately I'm fooling, show fullscreen with anyone. Wanna volunteer.

C

I'm Shepard peekaboo, you said yes right.

A

Thank you. Cw is Oh Peter whoo, okay, thank you, Peter, all right great. So again, the other thing is that we do is when at the microphone or when you come off me, please make sure to state your name and let's keep it professional. So here's our agenda basically put this together. We had we weren't quite a working group, so we were going to do administrivia and then do some use cases and jump into the protocol.

A

The chair is actually think that we could maybe agenda bash these cases out of the jar out of this now, because, basically, we were just going to read the Charter, so we're not sure that we really need this, and maybe we could give this five minutes back. Considering that I ate 10 minutes trying to futz around my laptop. Are there any objections to that.

A

All right, great, so I guess what we're going to do is we're going to jump right into the web bundle and see if we can find that there it is.

A

All right, Jeffrey, let me know when you need me.

D

To.

D

Next slide, when I need the next to it, and that confirms they even hear me: okay, so I'm Jeffery, askin thanks everyone for coming thanks thanks to the chairs for volunteering to chair. This is kind of a description of the work that we've done and the the design sketch that we have in this bundle of exchanges draft none of this is final I'll describe at the end. What Chrome has implemented so far, but treat that as a prototype as a way to gather evidence rather than kind of solidifying? What what has to happen?

D

Okay, go to the next slide.

D

So the general semantics of a bundle are that it's a sequence of bytes or a file that might be retrieved from a URL might be stored on local disk kind of whatever it contains a set which sometimes I've been thinking out of the cache of HTTP like resources. Each resource like an HTTP, is addressed by a URL and there's some support in the in the format for content negotiation right now expressed with Mark Nottingham's variants headers, but that has changed at least once in the evolution of the format and could change again to select representations.

D

There's also some bundle wide metadata. The bundle starts with a prime with a or L of a primary resource, which is used by a client. If someone navigates to the bundle they actually load that primary resource. If the client can't parse the whole bundle it can redirect to that resource, so that's kind of the required bit of metadata and then there's there's another field where you can stick the ARL of a wreath of an internal resource, that's something like a web app manifest or the ePub packaged document, or some other manifest like metadata format.

D

That that can allow allow the client to do something more intelligent with the contents of the bundle next slide.

D

See a resource inside a bundle is addressed by a full URL. So there's there, some Authority inside that that URL, the resource might be authoritative for the URL and HCP, defines or uses this notion of an authoritative response and there's there's several conditions that might cause the resource to be authoritative. The one that I think is it's pretty safe is if the bundle was retrieved from the same thing, HTTP origin and if you're familiar with service workers, you, you might have heard of the of a path restriction there.

D

We said the same path restriction here, other ways of establishing Authority, we'll talk about.

D

Presentation next slide.

D

So now we have this kind of goal to have a format. There's a lot of formats out there. We need to make sure that we're not just kind of adding to the pile that there's that either we reuse an existing one or there's some compelling reason to design something new and right now. I think there's compelling reasons to design something new, but we should always be kind of.

D

As we refine the needs in this working group, we should always be paying attention to the possibility that that will eliminate a requirement and that will allow us to reuse something next slide you so some of the properties of the current design we're trying to make it secure, trying to make it extensible we're trying to make it usable in a random-access way and to load the content in a streaming way and I'll describe the what those mean in the next couple slides. So next slide.

D

So we want to make the format secure, which means minimizing the probability of implementation errors. This isn't about kind of the cryptography involved. This is about kind of memory, safety and and ease of implementation.

D

So, for instance, zip allows implementations to read to make at least two kinds of mistakes in picking what the name of a resources they can. They can read it from the resource header instead of the global index, and they can pick the the first instead of the last of the last, instead of the first copy of a name from that that index and that has caused secure security vulnerabilities. So we don't want. We don't want to do that. We want to make the format easy to parse.

D

Don't don't have a lot of kind of choices in the format which would increase implementation complexity. I! Don't claim that that the format is kind of meets this goal perfectly, but it's it's kind of a design goal that that we trade-off that we should trade-off a kind of changes in the format against next slide.

D

The current format is extensible by adding new metadata sections. This is similar to a bunch of other formats like being and japheth, and the current support for signatures are done as an extension, section, they're kind of a side side piece of the format, rather than integrated into the whole thing next slide, so we want it to be random access.

D

That is, we want to minimize the number of bytes that we have to read in order to to pull out an arbitrary resource, instead of requiring that that you always read a prefix of the format next slide.

D

We also want to be able to stream a load of the resource, so read as few bytes from the prefix, as as you can before, you can start using the first sources within Buttle the the index, that's in there to support random access compromises, this goal sum, but it seems to be acceptable so far, but we can certainly revisit it next slide.

D

One one property that we don't have is that assert is to allow a server to stream the generation of a bundle and the Charter, also kind of. Does it's not explicitly but intentionally skip this possible property in order to get it, we would have to to get rid of of at least one of the other properties.

D

So there's there's several ways to do it, but but we have to sacrifice something, and if people want that, then we we should talk about making one of these sacrifices and pick the sacrifice we want to make. So next slide.

D

So one of the questions run into in using bundled is how do we? How do we name the contents of the bundle so on this slide is, is a sketch of a URL scheme or URI scheme that that might work. It includes both the URL of the bundle and the URL of the of the resource inside the bundle structured in a way that that the the important parts wind up in the in what a web browser would parts of the origin.

D

There's a question of whether we can use the package colon, slash, slash URL, where we have to use back into colon that that I think will we'll discuss more in the future, and then we we want to assign a web origin to all of these resources. My initial thought had been to assign the origin as the URL.

D

It's also possible to do an origin based on the content of the of the resource and it's important to avoid having to hash the whole things that we, we probably would use something like Martin, Thompson's, Merkel integrity, hash system. But again, that's that's something that we can work out in the future. The critical thing is that we need a way to to address the contents and end a web origin for those contents.

D

um Let's see next slide you, so these are. These are partially in for some use cases in chromium, it's currently possible to navigate to a bundle and there's a web dev article describing how you do that and giving some some demos we're working on being able to load sub resources from a bundle. So this is things like provide all the images on a page in one download or provide a JavaScript module tree in one file. This.

D

This is intended as as a possible output format for things like web pack and parcel jf, and so that we're prototyping that and measuring what the what the effect is and we'd love to get more input on kind of what what you want us to test and kind of help with with trying this out and figuring out what what works and what doesn't work next slide.

D

So there's a bunch of questions. This is probably not all of them, so one one piece of skepticism we've gotten is within a bundle. Do we actually need things to be named by full URLs, or can we name them by just paths?

D

Do we actually need content negotiation inside a bundle or could we could we use just a URL and then a response and assume that that the representation at a URL is unique?

D

Should we separate the streamable format from the random-access format? So if we have either two different formats or or two options within the format, it can, let us be a little more optimal for both at the cost of implementation complexity, and the question is whether that's worth it and then that the urls and origins for the resources still still meet a lot of design and and people who know about urls.

D

It would be nice to tell us whether we've got it right or whether there's a better way to do it. I, don't think we're trying to come to any firm conclusions at this meeting. This is just kind of things to start talking about looking for stuff to pay attention to and looking for people to to help draft a kind of the answers to these questions.

D

So that's that's the last slide for this. We should we should talk.

C

Chris for Lucas, hey Jeffrey, um you said something about random access, I'm, trying to figure out what, though desirable random access properties you have are on, namely uh so I heard. You say that you should be able to. You know access a subsection on without having like scrutiny, it skims the entire. You know the entire bundle or at least who, on average, half the bundle on and I thought.

C

I heard you say something about being able to use pieces of subsections without reading the entire subsection um did I hear you correctly II, let's see so they say.

D

You know.

C

Got a bundle like a pot pathetic image halfway through right, I want.

D

To get rid.

C

Of the image right, um what.

D

Point do you think I should going to use the image right, so the design so far has been that you should be able to go straight to an image, and then you should. You should have to read the prefix of the image to start to start using it, um and if these, if these things are have some sort of integrity attached, I've been using Martin Thompson's Merkel integrity to allow you to read just the first chunk before you start using it.

D

If there's no integrity and no signature, you could probably you can probably just read the first byte and use that I have not in trying to let you read kind of the last half and then use just that last half there are there potentially some use cases around video that and kind of very large resources that might benefit from that. But what I've heard from people who do video is that they're already used to chopping up the videos into small files, and so it's it's not a requirement to that use case. Great I, actually, don't.

C

See the I agree, immoral trees pretty much the way you have to do the dual pieces, but I don't actually get in your spec. Is that just missing or am I just not reading very carefully the.

D

So the only the only time you actually use the Merkle trees is when you're checking the integrity or authenticity of this thing, and so so the bat shows up in the signatures section, but not in the mental bundles, bundling work.

C

Okay, I'll skip through it, but I understand what you're trying to contend is not whether it's important to be able to start processing sub components before we're getting entire second opponent. That's probably we accept that.

B

Adds the.

C

Stan show to show complexity suicide if we think it's valuable or not. Okay,.

B

Thanks yeah.

D

It it seems to be valuable for at the very least, HTML resources, so so I'm lobbying for for considering it valuable but I'm happy to get more feedback on that yeah.

C

Obviously, otherwise you have to sort it off the thing for side effects, yeah.

A

Marie, please hey.

E

Quick, can you expand a bit on what that second bullet means still coming up to speed here a little bit and that's the only one that stood out to me is.

D

Right, so you could have several different representations at one URL, using I'm using the HTTP terminology, which is not not Universal. So that is, if you have both like an image and an a HTML page at the same URL that you use the accept header to pick between or if you have two different languages at the same URL that you use except language to pick between or gzip than and bz2 or or whatever do we want to support that?

D

Or do we want to force people who produce bundles to just assign different URLs to the different, the different kinds of resources or representations at a single URL.

E

Okay, since it was a terminology, then.

A

Okay, Thank You Jeffrey. That was the end of the my cue so from a chairs perspective understanding. This is the early days of the working group. What we're looking at trying to figure out what this track is, whether this is kind of a good starting spot for the working group to begin its work, so we're not going to do that call immediately, but that's how people should be thinking about looking at this draft because there's not not something that really else is coming along.

A

um This is essentially like what we're trying to fix between the two so and then in the coming weeks and months. I guess people should think about whether this is a draft where we want to start from.

A

There's here hang on Martin. As of the final planting.

F

Market, yes, so that there's a bunch of things here that Jeffrey covered that I'm I'm, not certain fit within the respec or we might have to make some decisions about whether it fits within the spec. Oh absolutely that matter as it's currently framed, I, don't.

E

Know that.

F

We really have enough time here to talk about whether it's appropriate to have some concept of your eyes or identification for these things integrated. We obviously just had a discussion about how integrity interacts with this sort of thing. That too I think is an important discussion to have, but it may be a separate thing who.

A

Knows, oh no Martin, I, absolutely agree, I! Think what we have is this draft and how we would carve it up at what parts stay I want parts down. Is the discussion we're going to have in the coming weeks and months all right all right, I'm going to switch over here.

C

Sorry I think I'm back in the queue as okay I was on Air Patrol again. um Yeah I think that the there's a conceptual sort of question here, which is what the relationship of is of the stuff in the bundle to stuff outside the bump neck, okay, and make that partly dictates. You know Martin's question about like the URLs and part.

C

There are things so like, hypothetically speaking, you know um you know as a concrete example, you say well, you know I've got like a web page um and then it's got a bunch of like you know and like I said, one classic way to build an app right is you've got like a giant like tar ball of like supporting garbage, and then you have like a master web page which loads it up and often like.

C

If you like, using Django or something, then you like, pull in you know like interpolate, JavaScript, terribly values into the rest of web page slash, it has to be like has to be like um you know, online generated, but everything else could be static right, and so so one when a super important question is like diz stuff. In the bundle into the cache- and they get referenced by references in that in that and that generated thing and I think that's probably the that's probably the use case function that force factors.

C

How you reason about, like some of the questions were, was raising.

C

As you think of this is like oh, this is like a thing like a book, and it doesn't have like it's like self-contained, or should we think of this? As a thing that is like you know is like kind of like were like needs to be put.

A

um Right Jeffrey: did you want to address that I see you yeah and yourself to.

D

The cube, sorry I wasn't sure if I was like standing at the front of the room or in the mic, you you're still basically at the front of the room. You can address the um yeah. So so my my goal has been to to make it possible that I, you you take the stuff in a bundle and you kind of trusted, as as coming from the from the authoritative server and for four things at the same pass or things within things under the same path that that seems pretty safe.

D

But it is something that we'll have to have to come to consensus on on whether we actually want to do it for, for a lot of the pure, bundling use cases, I think we do I think it is useful to stick it in the cash and treat it and let it interact with stuff outside the bundle.

G

Okay, yo odd voice. Please.

G

Yes, so I think that it's basically essential for some of the use cases to to be able to interact with the resources that are in the bundle outside of it and I'm. Mostly thinking about the role of slash webpack, you case, where we able to be able to bundle different JavaScript resources, instead of, what's currently being done by tools. Turning the image. One big chunk.

G

So in order for us to get benefits from that use of web bundles, I think we would need to have them be addressable outside of the bundle.

A

You.

A

Jeffrey any comments on that I we'll wrap up this and move on to the next presentation. Unless you want to respond that.

D

Set matches by the leaf okay.

A

So Shawn is brain up. The next.

D

Yeah, so we've we've had a little bit of discussion on the list for a counterproposal to the designed exchanges draft and this this is kind of a reframing of what what the signed exchanges draft does in the context of bundles and and in the context of what what pieces are, are contentious. So this is this is a way of establishing Authority for for a resource inside a bundle that is based on signatures.

D

So let's go to the next slide, so.

D

Two of the goals that we that we established for.

D

In the Charter were that we should be able to establish kind of a user level, authenticity of content and that users should should have a continuous experience between things. They got offline and things that they do online.

D

So, let's go to the next slide.

D

So authenticity is the way that I'm talking about it is that the user gets a piece of content while they're offline, they may might get it from their friend. They might get it maybe from a web server, that's closer to them or that they've already been interacting with rather than going directly to the origin, and they need to know what, where the content came from in a in a way that they they understand, they need to know whether they can trust the content and and there's a caveat here.

D

There was a presentation at enigma conf last year that URLs are not actually good at expressing authenticity to users. Users, don't don't really understand what what a URL means, but then what we have and we're fixing them for the online case, so so providing them for the offline case would would at least get that to parity with with what we're doing well online next slide. Please.

D

The continuity of experience is about a user who gets a piece of content while they're offline. They use it some they they save some some local state.

D

Maybe they compose an email in there in this email application they got on offline or or they draw a picture or whatever, and then they go online and they want to be able to send this with that state over the internet, which means that the state needs to be accessible to the to the online version of the app and then they go back offline and they get a new version and then they they want to keep editing the content that they created using this new version, and then they go back online and they want to send it to the online origin again and so on and so having having a sorry go to the next slide, then so that the solution that that I've been proposing is to have someone find the content with with some some private key check.

D

Have existing certificate authorities check that that the person who owns that private key is the same one who owns a particular domain and then give the give the thing they find an origin of that domain, so give them? If you, if you know how to find things as a domain, then your content can be can be trusted as that domain next slide.

D

So this has this has a bunch of downsides. In addition to the to the upsides, it allows off paths attackers. It means that users might might continue using content that the author would like to have revoked. There's a pile of security considerations in the draft there's a logistical problem within updating the signatures. So next slide.

D

So normally an attacker who gets a TLS private key that they shouldn't have still has some logistical challenges in actually attacking people with it they have to. They have to intercept the users, DNS requests or or somehow yet get on the path between the user and the actual site. If you get a sign exchange private key, you avoid all of those challenges you can just attack. People next slide.

D

Content set that is out of date, or that is buggy in some way, can conceal use. So a signature proves that that the signer vouch for it at some point. A TLS proves that they're vouching for it.

D

Now we limit signatures to seven days to a maximum seven days to partially avoid this problem, but it's not complete and it also introduces a whole pile of other problems, one of which I will talk about on the next slide, so that seven day limit means that you have to refine content about every three days that that gives you give the distributor three days or so to pass it on to users and allows users to have about a day of clock, skew which is distressingly common, and then there needs to be some structure for you for clients to grab updated signatures so that they can send it to their peers within this.

D

Within that couple day, time frame, and- and we really like to be able to avoid that somehow so so, we've got this kind of relatively simple to think about system in which kind of. If you find something, then it can act with you and there's this pile of downsides, and so I want to take questions on the next slide about kind of any details of this.

D

But then Martin's going to talk about a counterproposal that I think is complimentary in a lot of ways, and so we we can then talk about the the trade-offs after after his presentation, any questions.

A

You.

A

Nothe my queue has been cleared so now, as you can stow last call before we move on to the next.

A

Okay, Martin, it looks like Europe.

F

So I apologize for not being able to keep up with the Java chat and Geoffrey at the same time, so I may have missed something there. There's a bunch of questions here that I think are really important, and I probably should have had some comments on that last one. But anyway this is I, guess an alternative rephrase reframing of the the problem space next slide. Please.

F

Okay, so as a bit of a review, the current web security model depends on TLS connections. We have these things called service workers that aim to support the transition from an online state to an offline state. Often that's just a periodic thing, so people use them to deal with temporary glitches in in connectivity.

F

There's not a lot of sites that use this capability. We see that web service workers use for push messaging and not a lot of, but the premise there is that you have some sort of online connectivity with an origin before you. You have any ability to go offline, but there are emerging drivers now for real offline solutions. So we have a ton of people who aren't online much and that's much of much of the world.

F

Unfortunately, and there's also this interest in new content, delivery methods- and here we're talking about things like amp and whatnot next, please.

F

So the basic problem is that we want to enable content to arrive by some method other than a terrorised connection to the origin, and we want to make that content usable from that point without having gone online, and but there goes Shawn if at some point that person comes online again in the future, then we want the content to be more usable and obviously, if you're offline, a bunch of things, you cannot do, and it would be nice if those things were were then available using all of the context that you might have built up.

F

While you are offline, so think about that in terms of I've got an email, client and I can compose some emails to send to people that then get sent when I return online next picture.

F

So the basic problem here that we're dealing with is that stuff that you do while offline will accumulate State and that that state is what we're going to be talking about here is being important. The web's for communications.

H

Primarily,.

F

And we have to assume that, if we're using the web and these these things are web applications or websites we're using them offline, it means that we want to come and do some communication some later point. It doesn't make a whole lot of sense to have. Essentially this be a an application delivery platform with no future possibility of online communication. We already have plenty of alternatives in that space.

F

So when we talk about the possibility of future communication, we have to consider what the effects of actions with that bundle are.

F

While you're offline have on the beta online state, so next page.

F

So, as Jeffrey talked about the authority, question is kind of key to this. Someone can't connect. How do we, how do we connect this online notion of authority to the notion that we have here of applying something or other if we talked about using signatures? I, don't know that that's entirely necessary, but it certainly has some some value.

F

I'll, probably get back to the point about the difference between what we tell people the origin is and what we tell.

F

What we consider the authority to be, and that's something that we're just working through now on a list I think next page.

F

So obviously, there's a bunch of things that we absolutely lose during the offline transition.

F

Jeffrey talked about a bunch of other things that are a little less obvious that we lose as a consequence of having a design like this, and one of those things might be, though, yeah I'm really sorry about the phone thing.

F

The and now Joe, thank you if you've lost me and so other things like constructing the bundle has to has to be done in such a way as you lose certain personalization properties, because bundles will be potentially shipped to multiple people and having personal information in bundles is something that we have to be careful to avoid, and obviously, while you're offline, you can't do things like communicate with other people and and talk to servers that sort of thing there's a bunch of other questions about how much we can afford to sacrifice.

F

Jeffrey talked about what it is that we display in the the page in terms of origin and there's a bunch of really hard questions there. That need need some consideration. It's a next page I think I might skip over this a little bit. This is essentially my one page summary of the signed exchanges thing you take a bunch of stuff, you sign it and then it becomes part of a real online origin.

F

There's a bunch of problems with that potentially. But that's that's where it's at and next slide goes through. Some of these it's hard to know what safe to sign.

F

We have potential diversification of the wave in which we determine what authority means and Geoffrey talked about this a little bit as well, because we diversified with potentially a week and what it means to have authority and there's a bunch of things that you have to do in order to to work through that the revocation status and and so forth is quite quite challenging. One of the major problems identified there was content.

F

Has this limited, lifetim I think we're talking about seven days, which actually, in practice turns into quite a usable usability problem in the sense that you can't have offline content? That's good for very long because of things like clock, skew and various other padding. You only have a couple of days worth of usage, there's a bunch of other minor things that go along with that as well, but anyway, to the proposal. Next slide.

F

So um the idea is to give content its own origin, distinct from the online origin that it might aspire to be part of, and distinct from the origin that may have delivered that content.

F

The bun will have to identify the target origin, there's some bunch of reasons why you might want to do that sort of thing and at the time when you come online again or you decide to come online, because some of these things are discretionary rather than simply in consequence of not having an internet connection, you ask the target origin whether it wants to automate it wants to accept the the content and it can reject that, which is an important thing. Next slide please.

F

So this is obviously very drafty and sketchy, but you would say, give a bundle. New type of origin I used the named information, your eye scheme here, because that was already available, but obviously there's a bunch of other ways. We could slice this up, but here we have a different type of origin and browsers know how to deal with origins. So we can treat this like any other origin.

F

The content could even make HTTP requests, although if you are truly offline, then that's unlikely to work and you can associate state with all of these things and what you can access all of the standard api's with these things. Okay, next, please.

F

So in designating a target, the bundle identifies where it wants its information to go and it then initiates a transfer to that to URL, and so the browser fetches that URL asks that URL essentially issues a challenge and if the site answers the challenge correctly, then it the site navigates to that online origin, but takes along with it all of the state and all the content that was contained in the bundle. So anything that's been built up over time. We would go along with that transition.

F

So if your you had composed an email to send that email would then be available to send and the the online origin of the target origin can actually send the email for you because now you're online next, please.

F

So the draft has this concept of aliasing origins, because we now have potentially multiple bundles that are in in play. This I think sort of emerged organically from the design I.

H

Don't.

F

Know that this is something that I'm committed to, but it seemed like a neat way to solve some of the problems. Essentially when you, when you have a transfer from the offline thing to the online thing, the origin that you had previously now becomes an alias for the for the thing that was, it was transferring information to, and so that allows you to do things like well. If people were previously talking to the offline origin, then those messages will be seamlessly routed to the online version at the same I.

F

Don't know if this is absolutely necessary, but at the same convenient yes, our next page, please. So there are two ways in which you might fail to transition. If you fail a transfer that that is because you're offline or the server gives you a server failure, error or something along those lines, then the content and all the state associated with it just sort of remains in the offline origin that you add in the content.

F

But if the server fails, the challenge and returns a positive response to your request, but doesn't provide you with a clear indication that it understands there. The requests that you made of it, then, what happens is that all of the state that you might want to transfer it doesn't transfer and you just navigate to the to the target URL and lose any of their continuity and.

E

That allows a server.

F

To reject the things that were present in the in the bundle, so let's say you have a situation where the bundle had some JavaScript that to have across our request forgery bug in there.

F

You discover that the server can in the future then say: I, don't want to accept that content and by rejecting that it doesn't expose itself to any of the problems that that that script might have caused problems that an attacker might have exploited as a result of that next page, please so, there's a bunch of limitations here, I think we're going to talk through some of the more difficult ones.

F

Probably the more interesting one is that content isn't really attributed to an origin that people understand. That is only a potential. The the target origin is is potential only, and that means that you can't do things like show that target in the URL bar. You can't say that this is a particular website. Example com. You have some sort of a big gibberish that you want to show someone which doesn't really work from user usability perspective.

F

The transition to online takes a round trip. If you look at the signed exchanges proposal, one of the advantages, I guess is that in particularly the amp use case, you have a distributor, can take a bundle of content. Give that to you, you render it all up and they say go and the transition to something that looks to be online is virtually immediate, there's no back and forth to the server, whereas this requires that you go back to to the server the state transfer.

F

Stuff is kind of non-trivial, particularly when you consider the possibility for a particular target origin to have multiple bundles outstandings have a bundle for every user news, article on a site and every single one of them had state accumulated with that merging all of the information is quite challenging and there's been probably a bunch of other things that I haven't, thought of, and there's a few other things in the draft next slide, please so just to go through the the amp case. In a little bit more detail, you can imagine that.

F

Sorry, let's suppose, back up a little bit M networks by your visit a distributed page. They have a link or a bunch of links to to content from other sites, but they don't want those other sites to be communicated with.

F

They essentially tell the the browser not to communicate with those sites, but they provide them with a bundle of content that is for those sites. The browser can then do things like pre-rendering that content and building it up. If you look at the way that the content origins, work actually proposes, this work is those those things would operate in an offline origin by choice for the book for the purposes of preparing that content for for display.

F

But this is a very short period of time, because once someone clicks on the link and follows into that offline origin, the transfer to an online origin would then be effectively immediate. So the state, the accumulation problem, isn't so much of a big deal. In this case, we only have to worry about the the transition to to being a in an online origin, so there might be a one round-trip time. While you talk to the server and check things, but it would immediately then flip across to the target origin.

F

So in a sense, this case is much easier to handle than having a fully offline experience, but there are a bunch of usability problems to go along with that. One I think that's all the slides I had we got to the next one. We have a nice pattern and that's all and I think blood than the Florida questions. Yeah, don't worry about.

A

That.

F

Slide we'll get into that later.

A

Okay, Larry math Center, please.

I

Can you hear me yes here, you're good um I'm interested in some other use. Cases like take the example of PDF get a package of things that are attentive to our injury. Of course it has a paged imaging model which is inappropriate for the web, but otherwise you could take some clue from APA a PDF file. When you sit into someone you were the person. Maybe you gathered the information from a web page.

I

You want it to be laid out dynamically at the client at the recipient site, but what you're signing is the year when you sign a PDF file, you're signing the presentation of the package rather than this, some individual transaction and said I think they carried over into this useful yeah.

F

I don't see, PDF has been needing any particularly special mechanism. That's an interesting.

I

To have had that the youth case that is currently for pedia of taking a web page and archiving it and are taking a web page and signing it as their final urgent and that that would be an interesting kind of replacement, and the other thing is that, if you do people do this with data : you or URL, they have data that they want to be part of the package and I'd like to see this physics was released, the goals obsolete and just to think through. What is the origin of a data?

I

It should be the same as the origin of the original content that which is embedded. Oh.

F

That's that's an interesting question: I'm not up to speed on on how those are handled on the web, but I think that's that's worth looking into Thanks and.

I

Then, to other use cases that I'm not sure are as quite as strong. Well, the multi-part related forum, a to Mel and multi-part form. Data for file. Uploads are other instances of packaging that you want packaging to be whatever word every fact does to be able to do absolutely because the way that's it. Thank you.

A

Thank You Larry Mark Nottingham, please hi. Can you hear me yeah.

J

Here you won round trip, okay, so in my incredibly simplistic brain I, think of web packaging as okay. You, you package something up and you head to someone and you extend its lifetime. Work can be used by signing it.

J

You get seven days and then you can extend that buy more time playing around up to seven days and then this one I hand you something and it is magically given a separate identity in that transfer where it sits, you know hash-based and then, if I want to associate it back with the origin, it's again you know I do some magic in then I can flip it over and it's part of that origin and then I think, that's a very, very high level about right and I get up.

J

What sitting to me about all of this is that both of these kind of feel like something which I'm more familiar with, which is web caching and in web caching. I can still use a resource even if I'm not immediately connected to something because I've done it before and I had an explicit cache lifetime. Now I can't handle my cache contents to you, Martin and you, you know then be able to use them as it came from the origin but I'm still using it without a direct.

J

You know connection to the origin and that's that's authenticated by TLS, and so the observation that I guess I'm getting to is that in the caching world one thing we've found is: is that choosing a TTL is really hard and people get it wrong a lot, and it has a lot of effects on how level and performance but availability a lot of the things and that's the granularity of a single resource and both of these solutions do at the granularity of a whole bundle of resources, so I'm just experiencing fear.

J

That's that's all.

F

And this is the the fear of of the work of the working group on the phrase mark. Yes, my.

A

Care that they're so comforting hugs all around and Ben Schwartz hi. This is ben schwartz.

B

I wanted to first say that a lot of the security problems you're talking about at least sound, like they are solved by a distributor whitelisting of some sort. That is, if you're worried about things like the stolen key attacks, that, if you, if you can make a long-term delegation to our trust, certian to a distributor.

H

That.

B

Might that might help solve that or the other comment I'll make is. It seems like this. It might be possible to do this date transfer as a cross origin post to the target.

H

Origin and.

B

Essentially, handle the rest of the state transfer entirely in application logic, and if you don't want to actually post all of the state across the wire, maybe the target origin can have a service worker that takes it locally. Yeah.

F

That's that's an interesting suggestion, but I do seriously contemplate that approach, but one of the things that's come out in the discussions is that there's there's a lot of case cases where you can just do things like take an index DB database and drop it across and you don't have to put special code in the the origin to handle that case. I was using database X I continue to use database X after the transfer.

F

That's fine I know that no one else, no other bundles or no other resources on this on this origin will be mucking with that content. So this is this is safe for me to do. It gets a little more interesting when you have multiple potential bundles, interacting with the same database, which is why the the transfer exists. But, yes, it does have some some complexities involved.

A

Where'd, you go your mic working been on to what in land please hello.

K

What's my from router, so I think you really can punt on the state achieve some. If you provide the mechanism to get the state and Noah bundle meet it, then the application developer can decide is, is too old to merge, or it is still merger Bowl, either server, side or client side depend on how they're doing that already. The other thing is with terms of layering I. Think you really want this, because if you have a web application, where you have some JavaScript, that's really setting everything up.

K

You have another layer of JavaScript and CSS s display they changed it to display shouldn't you. Might you probably don't want that to affect the validity of data stored in the lower layer, so I think it's for making sort of cosmetic changes. You really really would like layering to be easy.

F

Alright, thanks awesome.

G

You are boys, please just a question regarding the so since the origin is hash based does that mean we have to process the entire bundle before we know what the origin is and.

F

Right, so that's a good question off one of the things that I'd imagine doing here was using the progressive hash based stuff the different I've been working on. He says it's my work, I say that he's allowed to claim that as well, which which essentially says that you you can use one of the you can use the advertised hash of the content prior to actually knowing the whole content and receiving the entire bundle. Obviously you need to validate that, but you can potentially do that as well. Okay,.

F

And.

A

Then Erika spoiler, please.

C

Howdy um so um Martin I guess um you know that III Meyer the period this proposal um I think offline, I email, you a sort of hybrid proposal on this, where things are named, not by content hashes but by I'm signature, but by finisher keys on the D I. Think that has some of the properties of each these proposals on in particular. It allows you to like you know it allows you to upgrade the to means.

H

To be a state across.

C

Packages as are upgraded, um but then it but then it has some of the same compromised properties of.

H

Course,.

C

A compromise process properties designing pass so um I think it's great to have these two examples on either side of it. But I just want to float that, like the intermediate it has said, you know looser combination, the two properties that woman imagine thinking was good or my not yeah.

F

So I think we're going to get into that into the next in the next Oh grace.

C

I didn't so I didn't see the Jeffrey slides, put a mega edge, mystic yep.

F

It has always been my intent to to sort of show this as the as the extreme position and I just didn't have time to write up the alternative, but is we think that some of the properties of the signing side of this is is quite interesting? Certainly.

C

Not complaining I was too lazy to write it up myself.

C

Marge please, if I already peer to peer enthusiasts, so I, really like a lot of some of what this is doing as I put it into the chat. I think there are definitely cases here where this could be useful, either in the presence of sinkers, like the son, bundles that they are now or to move from kind of a context where you have something which is not signed and be able to treat it. His sign and kind of joining those two contexts would be quite useful.

C

I, don't think, I see the trade-off this is making and that we discussed on the list and it's eliminating the need for sign.

C

Bundles I think we we have in our charter the ability to receive a web package or an entity other than the origin server and have a cognitive experience and State that's kind of a key goal here and for me, that's always meant that you be able to do this in a way or that continuity of state merges with state that's already there and I think we kind of motivated that on the list ended with a simple example and I did with a more dire one, um but I'm I'm really interested to hear whether you're you're willing to pursue this, even if we also continue to go for the signed exchanges, because I personally think that would be useful.

C

But it's not clear to me. What do you think this is? Is it pure alternative or just another contribution to the set of possible outcomes? I.

F

Don't think this is necessarily exclusively that an an alternative to what Jeffrey has proposed I think this is just yeah, eliminating some of the other opportunities that we have for things in this space. I'm going to have to come. Come back to that discussion, we had on the list. I think there are some some interesting pitfall so that creates that taking an approach, that's more toward this end of the space might avoid so I think, there's probably a bunch more iteration.

F

We have to do on the on the discussion there I'm, particularly interested in in the question of how we, how we take attribution and continuity and think about those things, but perhaps a separate concept. I.

C

Really appreciate your willingness to engage in that iteration and I agree with you that that's going to be a key piece to this. So the way I think about this and- and there are 107 people on on the webbing- so certainly somebody hasn't heard me natter about this in the past- is that with this system in place, you get the consequence that the web can continue. The internet is withdrawn and that's something that you know the references to the other bundle protected. Dt ends.

C

A solid is a really interesting thing for those of us who care a lot about your if your cases and in particular, given a possibility that the Internet is withdrawn and in consequence that something outside the users with control, not just they didn't turn on their as cellular their network. So I would really like us to distinguish between cases where that maybe isn't the primary goal, but is still something we can support a little bit more work and cases well or some seek in 30 or other per trade off.

C

We simply can't support it at all and I I appreciate your willingness day to return ah yeah.

F

I think this is a really interesting space to be working in one of the reasons why I hadn't thought so much about the Internet is withdrawn. Being something that this working group was was interested in is that we we sort of have a self-service option for that one in in service workers I'm not sure that I'm especially happy with that solution and adoption of that particular capability sort of indicates that other people aren't either so so they going to talk about it.

A

Okay, just a quick note that we only have a 16 minutes left in this session and still one more ten-minute presentation from Martin and Jeffrey, and then we had 50 minutes of discussion at the end, but we're not going to have that full amount of time. Devon and EKG EKG just took himself out of the queue but Devon. If you could, please make it kind of quick so that we can get Jeffery and one slash resilient, hi.

B

Yeah, can you hear me this is Devon Mullen theis, going to add two nuances. One is the amp. Is the concept that amp is sort of offline by choice for a little bit is mostly true but I? Guess it's it for resources that don't require the authoritative origin. They could kind of race. The state transfer request and the other one a comet.

B

Is that the comment that like because the indexdb migration, if the database X doesn't exist in the authoritative the rotative space that it would be safe to just drop it there I, don't think that would be true for arbitrary and for arbitrary content. There is the potential that kind of databases. X&Amp;Y could conflict in the JavaScript application, though I certainly don't know of any kind of specific cases of that.

F

Yeah but that's a good comment and something we'd have to work through I suspect.

A

All right so we're switching gears to the to a comparison, the I guess. We should really preface to say that, as you can tell from the discussion that the the two proposals are working together, and so it's not necessarily um true that we're going to have a beauty contest, I think we're actually trying to avoid that and I guess. I appreciate the both the opportunity to work together so I'm not sure how Geoffrey and Martin how you guys want to do beat this up. But you guys just want to tell me next slide and I'll.

A

Do that yeah.

D

I think I think I'm going to do most of the talking here, but Martin is welcome to jump in and we'll both answer, questions and stuff yeah. As as Sean said, this is not kind of an either/or question. I think these are complementary approaches and that we will eventually wind up taking some pieces of each. So to recap, with a sign our origin, the content gets its origin based on who signs it with a content origin. It's it's based on the hash of it spice and then some online origin might adopt it later next slide.

D

So there's some risks that are shared by both approaches.

D

We don't want an online origin to adopt personalized content, including cookies, that can cause a set of problems that are described in the signed exchanges draft and you have to bundle a set of resources together to avoid an attacker skewing the versions to break the site and get something that they shouldn't have next slide.

D

So each approach is good at some things and compensates for some of the things. The other approach doesn't do as well. Next slide so signed origins, don't handle liveness very well.

D

They give you that that up to 7 day window in which something might have been revoked, whereas a Content origin by like getting a real-time vouch, they they get you they they solve that problem, and so, if we, instead of giving things a pure final origin, maybe signatures could expire with with a longer time frame, to give kind of a human, understandable notion of where something came from without without letting attackers take advantage of it.

D

Next slide upgrades are for content origins, as I think echo pointed out it's hard to to say that the the version I'm going to release next week should be able to be an upgrade for the version I released today, because you don't know the next week's versions hash, whereas with a signature you you can say that I trust this signer to get my data and then, when it comes back online, we'll check with the with the liveness check I mentioned in the previous slide. So so signatures are probably an important addition to the content origins.

D

Next slide, um then we have the question of what URL to display as Martin described a content. Origin is not human readable. It's that ni, garbage and and a signature from some human, understandable signer, gives you something to put in the URL bar I. Believe Martin may have something to add here about some details of how we decide to trust things, if not obvious, that that kind of a 7 day old signatures is. It is definitely what you want to describe in the URL bar. Yes,.

F

So I think probably the most important thing here is that when, when we do something like a hash based origin or an origin based on a signature key as what what I could suggest, it is that's not human readable. What we're usable at anyway, but there's there's a distinction between the concept of fee of the origin of the browser has in mind and separation of of content and the thing that is displayed to the user and I. Think we can.

F

We can explore the the separation of those states, one of the things that Firefox has had for a long time. That's kind of unique in the browser world is this concept of extended attributes on on origins which allows us to segregate off content from a sense of the same origin into different different compartments. If you will, and so that's a that's, a powerful concept of I think might inform some of the designs eventually.

D

Yeah so next slide have a summary of this presentation and how we have I thought we might mix the two proposals. But let's open the floor to discussion.

A

Okay, actually, this I will be our wrap-up discussion. We do have ten minutes left in the session and at the moment only Eric is in the cute Erica Square Louise howdy. um So.

C

I think I understand the first two columns here, because you would you mind walking to this light.

D

Yeah, so with to solve the problem of liveness it'd, be nice to use kind of origins for it. The reason I mentioned if content origins work is because the state transfer is complicated and we'll have to we'll have to figure out how to design it for upgrades. The signatures are our key, so we we need to do something that that involves identifying a signer who, who is allowed to to get the origins, data and then for URL display. I. Think that we'll want to show something based on the signers origin in the URL bar.

D

Did that make sense.

C

um Well, I think I understood the first two of the first who made that map about lineup Nevada is aspecting the last one thing I'm a little confused on um so I mean I. Think in I mean like in my hypothetical world, so I guess I guess like made it. Let's just try walk through these inner prefer to tell me like anybody else. Is someone I'll just shut up this? If you have nine minutes, um I mean it seems to me they designed exchanges. What happens thanks tkj? Go? They go out.

C

Two minutes then on the inside exchange is what happens. Is you always show like this that, in order to sign up right on it and in um uh on I'm, pretend.

I

For the moment, we're still showing.

C

Urls, even though I hear people want to remove them, the in in in the content version in this sort of intermediate stage, you're kind of problem, because you can, like you know not been adopted, you show some garbage Christ or you show nothing or something, and when it's been adopted, you show you talk to dick writer, where we.

H

In writing, page they're.

C

Okay, um so I think I think those are the only possible as far as I can tell that's, like the only possible way you could like implement like the content that you either either of the sort of content, whether assigning or signing or non-signing content ones and like. Why would you anything else for, like the precise furless I know, changes one so.

D

I think writing busily.

C

Might.

D

Outcomes.

C

You got yeah I'm.

D

Only talking about that intermediate state before you've contacted the origin, and the question is what what do you show there and I think find exchanges have something to offer in figuring out what to show in that intermediate state. Other group got once we've checked online, then you should show the online version right.

C

I mean otherwise I mean for this content record. You got like drop your hands right. um um One thing I think be useful to have on these more than I. Don't like this ended change offline on about this sort of um you know, security, compromised property to this, which I'm not sure I've read about that well on. So, if you guys have something that's sort of like compares to sort of like like sex, F, hos, compromise and and key compromised that'd be helpful. Not maybe I'll do it. We did.

D

Not have anything like that, yet, okay,.

C

On well its own voice of.

D

The list.

C

Before I do then that's and then don't do it, but otherwise I party ticket or crack addicts. They can be useful. Think about because it takes quite so elastic yeah.

A

Okay, Thank You, Daniel, fine Gilmore. This.

H

Is Derek our Gilmore um I am just the more I think about this. I keep finding weird corners of it, which, which I find it really stressing but I'm, going to zoom way out and just one of the youth cases that was mentioned was like a like a email program right that you fetch as a bundle.

H

You use it in an offline state and when you reconnect dear sending messages and I'm just trying to think through what the user experience is there in the liveness, such as composing email and I and I'm going to go, send it when I get back online I get back online and I discover that it is no longer live, no longer fresh.

H

What happened? My emails that I composed.

D

The the current sketch says you lose it I think we'll be able to to refine that to save it kind of the the online origin gets get some way to recover the state, but it's tricky because that state could be arbitrarily compromised, and so the online origin has to be careful not to be compromised by that that state.

H

Yeah, that seems like a very delicate process and then, while I'm, while I'm composing in this offline app, you tell me that, instead of where I used to see you know my email provider, biz I'm I'm, now seeing the the janky incomprehensible non human, readable content, hash.

D

Martin you on a hey cousin.

F

Yeah, so this is this is the hard thing how many people actually look at? What's up there, I don't know. Emily Stark had some research on this one that was kind of interesting, come.

H

On what could be clearer that the fact that people- don't that many people don't use security indicators, doesn't mean we should throw away all security indicators? I mean I was.

E

A big fan of simplifying.

H

Things but to say you had this one handle, and now you have zero handles, because those who didn't use the handle replacement seems seems problematic. I'm, not saying the full URL, but the origin at the very least is is what people are you know? Well, you need to care.

E

About.

F

Yeah, so you need two things: I'm sorry you're broken up and it may be. May just be me, but there's there's really two things here. One is the reputation that you attach to the to the content that you're interacting with and the other one is understanding where it is. The information you're putting in might not end up going and, and those may be separate things, but both of those are important in this context.

H

I would like to tell suggestions that are in the beverage chat right now. They're making me feel a little bit better. One other wrinkle that I wanted to throw in is one of the major problems that we've had with DNS SEC, which is another signed. Records signed content instead of on incentive trick, Sigma meant occation is proof of non-existence and we've got bundles and the items within the bundles themselves. Having URLs- and it's not clear to me if two different bundles could potentially contain resources that are actually the same.

H

Url is one another, and you know the obvious question there. When we're looking at upgraded is which one takes precedence, but then you have another question which is: are we expecting to represent like no such like for a horse, for example, in this.

F

I, don't have a good answer. I'm! Sorry, oh! What's worth taking up light up! Thank you Mike. This up. Please.

L

This is my bishop. I was just going to comment um in terms of the origin display. I commented on Jabar I. Think probably the most sensible one user. Understandable thing is to display that it's from the origin, that as of when it was signed or last validated, and if people are offline- and you told them it's from three weeks ago- they're going to be ok with that because they know they're offline I also think in terms of the transition to online state I.

L

Think it's not just a binary accept-reject, but there's also needs to be a yes, that was mine, but it's old, so I would like your state and I would like you to live this out.

L

You.

A

Thank you, Mike Wendy Seltzer. For the last comment. Please.

K

Shelter here and I was interested in the thanks for these presentations and I'm interested in the tension between control by the origin and and signer and control by the user, and wondering how far were shifting away from the end user. Who wants to do something different from what the packager intended might be able to repurpose the archival use case or the anonymous passing on of content.

K

Just a thought to rap.

F

And a thought is well appreciated. I'm, not sure that we have any really good answer to it. Just yet.

A

Okay, thank you. It's back to Sean for closing comments. We are at find, though so I will say. Thank you all for your participation and Sean gets the last word yeah again. Thank you for, for all of your time. Apologies again for me, clubbing around my laptop eyes, install something for the next time. Let's take it to less folks thanks a lot by all see you at the plenary. Okay,.