Web Packaging
charter-ietf-wpack-01

Yes

(Alexey Melnikov)

No Objection

Alvaro Retana
Éric Vyncke
(Adam Roach)
(Alissa Cooper)
(Barry Leiba)
(Deborah Brungard)
(Magnus Westerlund)
(Martin Vigoureux)
(Suresh Krishnan)

Note: This ballot was opened for revision 00-09 and is now closed.

Ballot question: "Do we approve of this charter?"

Alvaro Retana No Objection

Roman Danyliw No Objection

Comment (2020-03-05 for -00-16)
I agree with Ben Kaduk the goal of "Address[ing] the threat model of a website compromised after a user first uses the site." requires clarification.

Éric Vyncke No Objection

(Alexey Melnikov; former steering group member) Yes

Yes (for -00-10)

(Adam Roach; former steering group member) No Objection

No Objection (for -00-16)

(Alissa Cooper; former steering group member) No Objection

No Objection (2020-02-26 for -00-12)

(Barry Leiba; former steering group member) No Objection

No Objection (for -00-09)

(Benjamin Kaduk; former steering group member) (was Block) No Objection

No Objection (2020-02-26 for -00-14)
It's not entirely clear to me whether "low latency to load a subresource" fits better
as a primary or secondary goal.

We say we'll try to have security and privacy properties "as close as practical to
TLS 1.3".  Do we have a sense for how much distance we are willing to accept
(vs. conceding that we cannot uphold our security and privacy requirements
and produce something that satisfies the key goals) and still publish?

When we say that we will try to "address the threat model of a website compromised
after a user first uses the site", I'm not entirely clear on which properties we're trying
to preserve in the face of such threats.

Regarding the "automatic discovery" non-goal, does this preclude a way for a website
to indicate how to retrieve an offline-usable version of a resource when that resource
is being fetched "on-line"?

Are there other IETF WGs (in addition to W3C and WHATWG) that might have some
knowledge about security and privacy models for the web?

(Deborah Brungard; former steering group member) No Objection

No Objection (for -00-09)

(Magnus Westerlund; former steering group member) No Objection

No Objection (for -00-11)

(Martin Vigoureux; former steering group member) No Objection

No Objection (for -00-16)

(Mirja Kühlewind; former steering group member) (was Block) No Objection

No Objection (2020-03-04 for -00-16)
Thanks for addressing and clarifying my block points on any transport-related potential touch points! The charter seems fine to me now to move on. I think my old comments below are still valid though (for the record mainly).

One editorial comment: I find the chosen form of listing goals rather than writing text that describes the scope of the work not very reader-friendly (at least more the main/key goals). I think text instead of quite short bullet points would be more meaningful and would probably have avoided some of the discussion/confusion we had about this charter.

Further I agree with Ben that this part is not very clear and could be better scoped:
"Security and privacy properties of using authenticated bundles as close as
practical to TLS 1.3 transport of the same resources."

(Suresh Krishnan; former steering group member) No Objection

No Objection (for -00-16)