w3c / pwpub

W3C packaged Web Publications
https://w3c.github.io/pwpub/

Review WebPackage PWP use cases #23

Open BigBlueHat opened 6 years ago

BigBlueHat commented 6 years ago

Copied from https://tools.ietf.org/html/draft-yasskin-webpackage-use-cases-00#section-2.2.1

2.2.  Nice-to-have

2.2.1.  Packaged Web Publications

   The W3C's Publishing Working Group [7], merged from the International
   Digital Publishing Forum (IDPF) and in charge of EPUB maintenance,
   wants to be able to create publications on the web and then let them
   be copied to different servers or to other users via arbitrary
   protocols.  See their Packaged Web Publications use cases [8] for
   more details.

   Associated requirements:

   o  Indexed by URL: Resources on the web are addressed by URL.

   o  Signing as an origin: So that readers can be sure their copy is
      authentic and so that copying the package preserves the URLs of
      the content inside it.

   o  Downgrade prevention: An early version of a publication might
      contain incorrect content, and a publisher should be able to
      update that without worrying that an attacker can still show the
      old content to users.

   o  Metadata: A publication can have copyright and licensing concerns;
      a title, author, and cover image; an ISBN or DOI name; etc.; which
      should be included when that publication is packaged.

   Other requirements are similar to those from Offline installation:

   o  Random access: To avoid needing a long linear scan before using
      the content.

   o  Compress stored packages: So that more content can fit on the same
      storage device.

   o  Request headers: If different users' browsers have different
      capabilities or preferences, the "accept*" headers are important
      for selecting which resource to use at each URL.

   o  Response headers: The meaning of a resource is heavily influenced
      by its HTTP response headers.

   o  Signing uses existing TLS certificates: So a publisher doesn't
      have to spend lots of money buying a specialized certificate.

   o  Cryptographic agility: Today's algorithms will eventually be
      obsolete and will need to be replaced.

Yasskin                   Expires March 3, 2018                 [Page 6]

Internet-Draft Use Cases and Requirements for Web Packages   August 2017

   o  Certificate revocation: The publisher's certificate might be
      compromised or mis-issued, and an attacker shouldn't then get an
      infinite ability to mint packages.

If you feel one of these warrants its own (possibly lengthy) discussion, please create a new issue for it.

Additionally, there may be other use cases in this document that may be related to PWP. Please surface those as/if/when you find them.

Thanks! 🎩