[minutes] TPAC meeting Sep 13


The minutes of our TPAC meeting on September 13 are available at:

and copied as text below.


                         Web & Networks TPAC F2F

13 September 2022

    [2]Agenda. [3]IRC log.

       [2] https://www.w3.org/wiki/Networks/TPAC2022
       [3] https://www.w3.org/2022/09/13-web-networks-irc


           Chris_Needham, CHrisN, DanD, Dapeng, David_Ezell,
           DavidEzell, DingWei, Dom, Eric, EricMwobobia, EricS,
           HuaqiSHan, JakeHolland, Jeff, Kunihiko, LarryZhao,
           LiLin, Louay_Bassbouss, LouayBassbouss, LukeWagner,
           McCool, MichaelMcCool, MotokiMizusako, PiersO'Hanlon,
           Song, SOngXu, Sudeep, YanZ, ZoltanKis



           cpn, dom


     1. [4]Web & Networks IG introduction
     2. [5]Web & Networks IG introduction
     3. [6]Client-Edge-Cloud coordination Use Cases and

Meeting minutes

   Web & Networks IG introduction

    DanD: Song from China Mobile, Sudeep from INtel and I (from
    AT&T) are co-chairs of Web & Networks IG
    … Dom is our staff contact

    Slideset: [7]https://lists.w3.org/Archives/Public/www-archive/


    [8][Slide 1]


    DanD: our agenda today will cover an overview of our group's
    work and progress
    … hopefully useful starting point for later reading
    … next we'll dive into Edge Use Cases & Requirements
    … followed by an open discussion

   Web & Networks IG introduction

    [9][Slide 4]


    [10][Slide 5]


    [11][Slide 6]


    [slide 7)

    [12][Slide 8]


    <sudeep> Link to WNIG Wiki: [13]https://www.w3.org/wiki/

      [13] https://www.w3.org/wiki/Networks

    [14][Slide 9]


    [15][Slide 10]


    Jake: breakout scheduled tomorrow on multicast, with focus on
    security discussions

    [16][Slide 11]


    [17][Slide 12]


    <jholland> tomorrow's multicast breakout: [18]https://


    Michael: we're mostly focused on edge offload
    … maybe this should expand to split browser, but that's not
    part of what we've doing so far

   Client-Edge-Cloud coordination Use Cases and Requirements

    Slideset: [19]https://lists.w3.org/Archives/Public/www-archive/


    [20][Slide 1]


    [21][Slide 2]


    [22][Slide 3]


    Michael: our 13 use cases could still be improved from a
    categorization perspective

    [23][Slide 4]


    Michael: some of the main drivers for edge computing are
    latency and privacy
    … e.g. in AR, tracking the environment and overlaying
    information on the environment needs to happen with very low
    … cloud is ~10x slower to reach than an edge node
    … using edge computing is applicable both for webapps and IoT -
    I'm also a co-chair of the Web oF things WG

    [24][Slide 5]


    Michael: what kind of businesses & users will be using these
    systems, with what kind of needs & priorities
    … what are their business models and why would they do this?
    … we will cross-reference these stakeholders with our use cases

    [25][Slide 6]


    Michael: these requirements derive from our use cases
    … a common requirement is improved performance
    … some of the requirements are up for negotiation
    … compatibility with existing APIs vs building a new one

    [26][Slide 7]


    Michael: 2 proposals: one focused on seamless code sharing baed
    on WASM, benefitting from the JS/WASM sandbox
    … the other is distributed worker, extending the existing
    threading model in browsers based on Workers
    … the comm model they use could be extended to instantiate a
    worker on a remote machine
    … Web of Things has ongoing work on discovery that could be
    used for compute utility discovery
    … Both of these are extended the web model beyond client &
    server, to a distributed model, some of the resources being
    location sensitive

    <Max__Liu> +

    [27][Slide 8]


    DavidE: what is WASM?

    Michael: WebAssembly provides a binary representation of
    machine bytecode, that operates in sandboxed runtime with near
    native performance
    … similar to LLVM

    Max: detailed use cases are available in the document

    [28]Client-Edge-Cloud coordination Use Cases and Requirements

      [28] https://w3c.github.io/edge-computing-web-exploration/

    Max: I also want to mention that we've been focused on use
    cases & requirements, with only high level initial proposals
    for solutions
    … the purpose is to gather enough interest for this work

    Michael: we're trying to establish feasability and the
    potential path to standardization

    <DanD> +

    Michael: we need to prioritize requirements (essential vs nice
    to have)

    <DanD> +1

    CPN: you mentioned extending a worker to offload compute
    … are there solutions out there that could inform what kind of
    standardization would be helpful?

    Michael: Akamai has EdgeWorkers; Fastly runs WASM on the edge
    … but they're not using standardized interfaces so can't be
    deployed seamlessly by developers without adapting to each CDN

    chris: could this be captured in the document?

    Michael: that's what we would want to achieve by
    cross-referencing stakeholders with use cases / requirements

    Chris: I'm not necessarily suggesting to capture in the
    document, but it's useful information to gather

    DanD: thanks for putting this together, and it helps
    consolidating the many ideas that have been floating around
    … the trust model with the edge computing for the Web is a very
    critical aspect
    … things that are in a given administrative domain has a
    well-defined trust boundary compared to a fully open web setup
    … CDNs typically represent content providers, they're an
    extension of content providers
    … what would be the relationship between the ISP and the
    content provider?
    … it's not just technical solutions, this needs to be grounded

    Michael: does the end user trust the edge computer? does the
    edge provider trust the code it is running?
    … a threat could be drive-by mining that would steal my
    computing resources
    … Sandboxing helps with running untrusted code
    … harder to protect the code from the platform - probably best
    addressed by a social solution

    Michael: this could be dealt with in a way similar to
    permissions e.g. to access camera

    DanD: there is also the possibility to extend the same origin
    policy as long as the edge is seen as an extension to the
    … it's all about who has a relationship with whom
    … it's not just the trust, it's also about not abusing the

    Michael: CORS is designed for developers to delegate access to
    another developer

    Dom: Delegating to the edge, question about trust, when you're
    using edge resources, the content provider is paying. If it's
    under user control, does the user pay?
    … Are there business models that enable that? We should clarify
    how the computing delegation would work in practice, don't know
    if there are examples today

    michael: it enables new business models
    … today the content provider pays a CDN for edge resources
    … if that moves to the user, it could be bundled into an ISP

    Max: regarding the trust model, it's already covered a bit - it
    varies across use cases, with different business models
    … there are existing B2B models for cloud->edge
    … the service provider pays the fee to the edge computing
    … we should consider the same origin policy of the web
    … for consitency

    <Zakim> dezell, you wanted to talk about sandboxing

    David: re sandboxing - how much thoughts have been put into
    keyvault / software validation?
    … PCI regulations enforced rules in terms of private key
    generation and management
    … how do you prevent a user asked to do something that might be
    … very hard questions to consider

    jholland: the developer-controlled vs user-controlled models
    … they're very different use cases with very different control
    surfaces, different trust model and sandboxing constraints
    … there may be some similar aspects
    … but they should be approached as different APIs that might be
    able to share a component

    DanD: my suggestion for Michael & Max: we went through use
    cases and requirements
    … there may be an opportunity to look at the different
    offloading models (developer centric vs user centric)
    … the different realms of controls (enterprise vs user)
    … I think it would be worth digging more into these questions

    McCool: re user vs dev - a user could be an enterprise wanting
    to do sensitive work on their premises or using their own
    … e.g. Web Apps doing video processing
    … Establishing the right trust model is key

    Jake: I would suggest an enterprise capability could operate
    under a developer centric model, vs a home user

    McCool: we should add discussion of this topic in the doc
    … there are similar components around workload packaging,

    Max__Liu: +1 to Dan's suggestion
    … we'll put more analysis on this topic in the document

    sudeep: the sandboxing and trust models sounds like important
    … we have the <script> tag that allows to run JS - could it be
    extended to allow the user to establish trust with the edge

    McCool: the value of Worker is that they operate in a different
    thread/memory space, which isn't the case of the <script> tag

    Yan: re security model, a user centric trust model is key to
    forward looking standards

    McCool: SOLID is also an interesting approach to manage private
    … managing keys in the LAN doesn't work well with browsers

    Yan: I'm also involved in the VC & DID WGs which could help

    acl Piers_O_Hanlon

    Piers_O_Hanlon: could be useful to distinguish the user data
    from the code
    … privacy around the data that is being processed vs the code
    that is doing the processing
    … one can secure the code or use sub-resource-integrity to
    ensure it hasn't been tampered with
    … the data flows then get processed by that
    … homomorphic encryption might provide a useful way to protect
    the data from the edge

    Yan: we use a trust zone to run the code
    … for the data, we use VC to preserve the privacy of data

    McCool: separating data and code fits well with stateless
    computing models
    … with the sandbox, we could control the connections the code
    can make to avoid it to send the data to any other endpoint

    Piers_O_Hanlon: users may have their credentials used by the
    edge to accomplish tasks on their behalf

    McCool: homomorphic processing is probably not ideal if you're
    looking at performance as a goal

    McCool: next step includes discussing the aspects that were
    raised today around security / trust

    DanD: there is also an opportunity to look at the gap analysis
    … are the standards identified going to fulfill the needs? or
    what will it take to make them so?
    … incl WASM, CORS
    … How can we extend the dialogue? DO we need dedicated calls to
    help make progress?
    … does it have the elevated visibility an activity on its own?

    <Zakim> jeff, you wanted to comment on next steps

    Jeff: looking at the current editors draft of the use cases
    doc, it's already a pretty impressive document
    … on the balance of making it even better or moving forward
    with the gap analysis and addressing it
    … the weight of the effort needs to shift towards resolving the
    … this may require cross-meeting with other groups
    … figure who should address the gaps and how we ensure progress
    … possibly with a new CG

    McCool: we need to get more stakeholders at the table
    … what can we do to increase engagement?

    Max__Liu: we probably need a CG, a dedicated way to focus on
    how to move forward
    … I personally think that before we go to a WG, we can prepare
    a charter
    … or a CG that focuses on the topic, which could be more open
    to non-W3C members and open source projects
    … helps with greater engagement
    … key is pushing progress on the work coordination more than on
    the draft

    <Zakim> jeff, you wanted to support Michael's idea about

    jeff: before reaching out to more stakeholders, we need greater
    clarity on the next steps (incubation vs WG vs existing groups)
    … in terms of stakeholders, there is a long list of
    stakeholders that used to be but are no longer W3C members that
    came in the Mobile Initiative days
    … we should reach out to them as we're making progress in
    deploying our action plan

    McCool: +1 to outreach
    … re CG vs WG - we can't have a WG until we know exactly what
    deliverables we need
    … a CG or an IG focused on doing that would be a useful next

    jeff: we already have the IG

    McCool: but the name of the IG doesn't scream "edge computing"

    DanD: two different things we're talking: making the story
    crisper (with doc improvements)
    … and gathering input & support, administrative stuff
    … they can be done in parallel
    … If we need an edge IG, or a CG
    … we still need to improve the gap analysis in terms of what
    other groups need to provide & support
    … figure out the incentives for the stakeholders
    … we talked about organizing some sort of the workshop to help
    moving forward

    Max: a CG being more open is helpful compared to an IG
    … we can also have a liaison with the IG to report back what
    would happen in the CG
    … the CG could have more frequent teleconferences

    DanD: Thanks again for showing up and for the very fruitful

Received on Monday, 19 September 2022 13:43:07 UTC