#1212: WG Revision: WebTransport
Discussions
Log in to see TAG-private discussions.
Discussed
Apr 6, 2026 (See Github)
Jeffrey: WebTransport, Ehsan is already assigned. anyone else?
Yves: we already reviewed this 4 years ago.
Jeffrey: They made a summary of the changes since then... probably not much to say but will be good to have a second person in the review.
Discussed
Apr 6, 2026 (See Github)
Ehsan assigned.
Discussed
May 11, 2026 (See Github)
Ehsan: Posted my proposed comment, no one else assigned. How does it work?
Hadley: Is any TAG member expected to disagree with you?
Ehsan: Don’t think so… if others could have a look, that would be good.
Hadley: Editorial thoughts, we need to be very clear about what we want them to do. Hearing their thoughts? Requesting changes?
Ehsan: It’s mainly questions from me, I didn’t expect any actions. For the second one, that’s more like a recommendation for the future than something concrete expected from them. At least for now.
Hadley: Recommend you restructure your asks accordingly. Ending with "we look forward to hearing your thoughts." Any thoughts on the actual content?
… Another editorial thought, can you say "can you?" instead of "proponents." You can put your privacy concerns with connection stats and frame it as a question.
Ehsan: Good point. Can also directly post them as an issue.
Hadley: Let’s start with asking a question.
Ehsan: Ok. If anyone has a remark, please reach out to me. Overall, I think this seems fine.
Hadley: In terms of process, you should reach out to Yves.
Ehsan: Will do.
Hadley: As this is not a closing comment, I think you’re doing all the right things. You don’t need to get full consensus for that, as we’re still in exploring mode.
Ehsan: Ok, will get as many responses as possible, in a reasonable time.
(Later:)
Marcos: I may have a look, happy to read stuff.
Comment by @toreini Jun 11, 2026 (See Github)
Hi @wilaw,
The WebTransport proposal is moving in a positive direction and demonstrates maturity, with multi-stakeholder support. This is a promising foundation for further development.
However, there are some concerns that need to be addressed:
-
Certificate Hash as Authentication: It is unclear whether the certificate hash digest is used for authentication. Based on the context, it seems the digest serves as proof of certificate ownership for an already established channel, which justifies its use. The text explicitly states,
certificate verification errors are considered critical (fatal) and cannot be bypassed.
Our concerns are:
- Fallback Mechanism: Can you please clarify which of these scenarios happen in case of certificate error?
- A new TLS handshake (or equivalent) is re-initiated.
- The same digest is resent until verification completes at the server-side through the same established TLS session.
- Bi-Directional Authentication: Given the bi-directional nature of communication, authentication could benefit from a bi-directional approach. While the state-persistence approach (relying on TLS session tickets) is fair, certificate verification errors could make client authentication (and state persistence) non-deterministic. Can you please provide more specifics on this?
- Fallback Mechanism: Can you please clarify which of these scenarios happen in case of certificate error?
-
Privacy Concerns with
WebTransportConnectionStats: The discussions on side-channel passive fingerprinting based onWebTransportConnectionStatsare a reasonable starting point. However, the TAG encourages you to explore more privacy-preserving approaches for presenting fine-grained stats. For example, adopting a tier-based nomination of quantities, similar to the "performance Tiers" in the CPU Performance API, could be a viable solution.
Comment by @jan-ivar Jun 12, 2026 (See Github)
Thanks @toreini for the positive general assessment! But I suspect some misunderstandings in the specific feedback:
It is unclear whether the certificate hash digest is used for authentication ... it seems the digest serves as proof of certificate ownership for an already established channel ... Fallback ... resent until verification completes at the server-side through the same established TLS session.
This sounds like a separate authentication step layered on top of a connection that already exists, with some retry behavior when it fails...
But serverCertificateHashes is not that. It's an option to the TLS connection being created in the first place:
- "If webTransportHashes is not empty, instead of using the default certificate verification algorithm, consider the server certificate valid if it meets the custom certificate requirements and if verifying the certificate hash against webTransportHashes returns true. If either condition is not met, then return failure."
The server doesn't verify the hash — the client does. In TLS authentication, the client checks the server's certificate. The hash just replaces the trust-anchor on the client side.
Its value (and risks) have been discussed at some length already in https://github.com/w3c/webtransport/issues/623. But TL;DR:
The only substantive difference between this and a certificate is that a certificate can be revoked. But, because hashes are downstream of another certificate that can be revoked (the one issued to the site that is making the WebTransport session), the change in risk profile seems tolerable. All of the other things that people tend to think are problems with hashes in this context don't apply, because the client is still entirely dependent on the site that initiates the session. The site is equally capable of spinning up a new DNS name for this, which could be hosted just about anywhere. The advantage of the hash is real: the site doesn't need to get a certificate, which adds real latency to the setup of on-demand services.
This has passed two previous TAG reviews https://github.com/w3ctag/design-reviews/issues/669 https://github.com/w3ctag/design-reviews/issues/389, even before we added CSP support. https://github.com/w3c/webappsec-csp/pull/791
Given the bi-directional nature of communication, authentication could benefit from a bi-directional approach. While the state-persistence approach (relying on TLS session tickets) is fair, certificate verification errors could make client authentication (and state persistence) non-deterministic
This is server authentication, not client authentication. HTTP is also bidirectional, but we have a well-established one-sided authentication model at the TLS layer. This relies on exactly the same arrangement.
The discussions on side-channel passive fingerprinting based on WebTransportConnectionStats are a reasonable starting point. However, the TAG encourages you to explore more privacy-preserving approaches for presenting fine-grained stats. For example, adopting a tier-based nomination of quantities...
This is being addressed with https://github.com/w3c/webtransport/pull/764 and https://github.com/w3c/webtransport/pull/766. PTAL.
The spec could perhaps be clearer about the fact that these stats are things that the server (which is explicitly chosen by the site and is directly aware of the identity of the site when accepting a connection) can measure. The stats API only makes it easier for sites to gather the information. We can add text clarifying that the server already has this info.
Tier-based quantization wouldn't change that, because it'd quantize the client-side copy while the server keeps the full-resolution original.
Please let us know if this clarifies, or if you have other questions.
OpenedMar 26, 2026
Specification
https://www.w3.org/TR/2026/WD-webtransport-20260325/
Explainer
https://github.com/w3c/webtransport/blob/main/explainer.md
Links
The specification
Where and by whom is the work is being done?
Feedback so far
You should also know that...
No response
<!-- Content below this is maintained by @w3c-tag-bot -->Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1212