Web Packaging
charter-ietf-wpack-01

Yes

(Alexey Melnikov)

No Objection

Éric Vyncke
(Adam Roach)
(Alissa Cooper)
(Alvaro Retana)
(Barry Leiba)
(Deborah Brungard)
(Magnus Westerlund)
(Martin Vigoureux)
(Suresh Krishnan)

Note: This ballot was opened for revision 00-09 and is now closed.

Ballot question: "Do we approve of this charter?"

Roman Danyliw
No Objection
Comment (2020-03-05 for -00-16) Sent
I agree with Ben Kaduk that the goal of "Address[ing] the threat model of a website compromised after a user first uses the site." requires clarification.
Éric Vyncke
No Objection
Alexey Melnikov Former IESG member
Yes
Yes (for -00-10) Not sent

                            
Adam Roach Former IESG member
No Objection
No Objection (for -00-16) Not sent

                            
Alissa Cooper Former IESG member
No Objection
No Objection (2020-02-26 for -00-12) Sent for earlier

                            
Alvaro Retana Former IESG member
No Objection
No Objection (for -00-09) Not sent

                            
Barry Leiba Former IESG member
No Objection
No Objection (for -00-09) Not sent

                            
Benjamin Kaduk Former IESG member
(was Block) No Objection
No Objection (2020-02-26 for -00-14) Sent for earlier
It's not entirely clear to me whether "low latency to load a subresource" fits better
as a primary or secondary goal.

We say we'll try to have security and privacy properties "as close as practical to
TLS 1.3".  Do we have a sense for how much distance we are willing to accept
(vs. conceding that we cannot uphold our security and privacy requirements
and produce something that satisfies the key goals) and still publish?

When we say that we will try to "address the threat model of a website compromised
after a user first uses the site", I'm not entirely clear on which properties we're trying
to preserve in the face of such threats.

Regarding the "automatic discovery" non-goal, does this preclude a way for a website
to indicate how to retrieve an offline-usable version of a resource when that resource
is being fetched "on-line"?

Are there other IETF WGs (in addition to W3C and WHATWG) that might have some
knowledge about security and privacy models for the web?
Deborah Brungard Former IESG member
No Objection
No Objection (for -00-09) Not sent

                            
Magnus Westerlund Former IESG member
No Objection
No Objection (for -00-11) Not sent

                            
Martin Vigoureux Former IESG member
No Objection
No Objection (for -00-16) Not sent

                            
Mirja Kühlewind Former IESG member
(was Block) No Objection
No Objection (2020-03-04 for -00-16) Sent
Thanks for addressing and clarifying my block points on any transport-related potential touch points! The charter seems fine to me now to move on. I think my old comments below are still valid though (for the record mainly).

One editorial comment: I find the chosen form of listing goals rather than writing text that describes the scope of the work not very reader-friendly (at least more the main/key goals). I think text instead of quite short bullet points would be more meaningful and would probably have avoided some of the discussion/confusion we had about this charter.

Further I agree with Ben that this part is not very clear and could be better scoped:
"Security and privacy properties of using authenticated bundles as close as
practical to TLS 1.3 transport of the same resources."
Suresh Krishnan Former IESG member
No Objection
No Objection (for -00-16) Not sent