Kenneth, Tess, and David volunteer, milestone set for 2 weeks

Tess: [venue] - going to IETF ... have they talked to the IAB?

David: they are proposing a split standardization thing...

Dan: f2f? special guest?

Tess: a good thing to use f2f time... I'm less worried about it then bundling signed exchanges...

Rossen: we should see what parts belong to "us" and see what feedack we can provide...

Dan: should we get a guest joining? I will invite people...

Tess: Neither David nor I have looked at this since the f2f, hence no progress.

Peter: We can push this to next week.

[bumped to next week, David to take a look at it

Tess: Ken and I looked at this at a breakout - and I raised some concerns that they haven't addressed. Things have changed a bit since then. Concern I raised: bundles are attempting to address some of the downsides of AMP - one of those being the default rendinering of AMP is to have a fake address bar. We don't like that. Could be described as deceptive. The question is how do you display the package URL for an unsigned bundle in the browser. If the publisher and package URL are different you could display the package URL directly (opaque), the publisher's origin (promoting the deceptive practice) or the distributor URL (encourages existing package - the fake URL bar). Doesn't look like they replied to that. Also it looks like some things have changed - one issue got closed.

... this is the document that replaces that open issue: https://github.com/WICG/webpackage/blob/master/explainers/bundle-urls-and-origins.md

... I will review.

Rossen: So any time you have publisher / distributor difference - you're creating an easy to exploit vector for phishing. That's terrible.

Tess: the key is this is for unsigned.

Dan: what are the use cases?

Tess: suppose you're a professor and you're putting together a bundle of article - you have no authority to make a signed exchange for any of these things...

Dan: what about use of some mechanism e.g. a University server or a letsencrypt / equiv ..

Tess: the publisher signes it - not the distributor.

Tess: you load a web page adn want to share it with your friend over p2p - like bluetooth.

Dan: once again in that case there should be a warning on the receiver's device...

Tess: yes - maybe we should ask the people invlolved about this kind of UI...

Rossen: how does the UA detect this ?

Tess: either for all unsigned bundles - or all bundles of unsigned exchanges where the distbutor origin is not the publisher origin.

Dan: isn't this putting the cart before the horse?

Tess: so far in the web we only use UI like that for insecure things... Might be a hard sell that this should get such a warning.

Rossen: unless the proof is there that this concern is not a concern. At this point I am way more leaning towards requiring - pushing back on that basis - from the PoV... \

Dan: [leaves a comment]

Peter: could we eliminate the idea of unsigned bundles by making it a requirement to sign the bundle - even if it's self-signed? If we just always require that every bundle is signed by whoever made it - might shift the problem.

... also - if I download something over TLS can I store something from the TLS session such that I include the cert fromt he original site such that a 3rd party could verify that this came from the original site - and thereby preserve the provenance of the original data. Maybe a future extension to TLS? Surfacing more of the handshaking to the parts of the browser that would generate a bundle.

Tess: it's weird that this is separate from TLS and existing mechanisms...

[bumped]

Discussion of jyasskin's reply, Rossen and Tess posting followups.

Rossen: We had few rounds of review for this proposal. The main feedback to the authors was that if they were to separate cross vs same origin unsigned bundles the progress will be faster. Furhter, none of the concerns we raised as of Aug 17 were addressed. ... Propose marking as Waiting for Author Feedback and moving on.

All: Agreed.

Ken: After talking to Daniel Ehrenberg it appears so that there is a new bundles proposal called "Resource Bundles". From the conversation it seems this will be a superset of the signed/unsigned bundles and will most likely obsolete this proposal. ... Let's add a comment to this in the issue and move on to the next one.

Rossen: This is pending external feedback, since October 2020. Let's mark it as stalled.

Tess: WFM

Stalled - waiting for feedback