Web & Networks TPAC F2F

13 September 2022


Chris_Needham, CHrisN, DanD, Dapeng, David_Ezell, DavidEzell, DingWei, Dom, Eric, EricMwobobia, EricS, HuaqiSHan, JakeHolland, Jeff, Kunihiko, LarryZhao, LiLin, Louay_Bassbouss, LouayBassbouss, LukeWagner, McCool, MichaelMcCool, MotokiMizusako, PiersO'Hanlon, Song, SOngXu, Sudeep, YanZ, ZoltanKis
cpn, dom

Meeting minutes

Web & Networks IG introduction

DanD: Song from China Mobile, Sudeep from INtel and I (from AT&T) are co-chairs of Web & Networks IG
… Dom is our staff contact

Slideset: https://lists.w3.org/Archives/Public/www-archive/2022Sep/att-0001/W3C_WNIG_TPAC2022_V1.1.pdf

[Slide 1]

DanD: our agenda today will cover an overview of our group's work and progress
… hopefully useful starting point for later reading
… next we'll dive into Edge Use Cases & Requirements
… followed by an open discussion

Web & Networks IG introduction

[Slide 4]

[Slide 5]

[Slide 6]

[slide 7)

[Slide 8]

<sudeep> Link to WNIG Wiki: https://www.w3.org/wiki/Networks

[Slide 9]

[Slide 10]

Jake: breakout scheduled tomorrow on multicast, with focus on security discussions

[Slide 11]

[Slide 12]

<jholland> tomorrow's multicast breakout: https://www.w3.org/events/meetings/527d52eb-f8df-4875-844b-09a27a67d772

Michael: we're mostly focused on edge offload
… maybe this should expand to split browser, but that's not part of what we've doing so far

Client-Edge-Cloud coordination Use Cases and Requirements

Slideset: https://lists.w3.org/Archives/Public/www-archive/2022Sep/att-0002/2022-09-13-WNIG-F2F-Edge.pdf

[Slide 1]

[Slide 2]

[Slide 3]

Michael: our 13 use cases could still be improved from a categorization perspective

[Slide 4]

Michael: some of the main drivers for edge computing are latency and privacy
… e.g. in AR, tracking the environment and overlaying information on the environment needs to happen with very low latency
… cloud is ~10x slower to reach than an edge node
… using edge computing is applicable both for webapps and IoT - I'm also a co-chair of the Web oF things WG

[Slide 5]

Michael: what kind of businesses & users will be using these systems, with what kind of needs & priorities
… what are their business models and why would they do this?
… we will cross-reference these stakeholders with our use cases

[Slide 6]

Michael: these requirements derive from our use cases
… a common requirement is improved performance
… some of the requirements are up for negotiation
… compatibility with existing APIs vs building a new one

[Slide 7]

Michael: 2 proposals: one focused on seamless code sharing baed on WASM, benefitting from the JS/WASM sandbox
… the other is distributed worker, extending the existing threading model in browsers based on Workers
… the comm model they use could be extended to instantiate a worker on a remote machine
… Web of Things has ongoing work on discovery that could be used for compute utility discovery
… Both of these are extended the web model beyond client & server, to a distributed model, some of the resources being location sensitive

<Max__Liu> +

[Slide 8]

DavidE: what is WASM?

Michael: WebAssembly provides a binary representation of machine bytecode, that operates in sandboxed runtime with near native performance
… similar to LLVM

Max: detailed use cases are available in the document

Client-Edge-Cloud coordination Use Cases and Requirements

Max: I also want to mention that we've been focused on use cases & requirements, with only high level initial proposals for solutions
… the purpose is to gather enough interest for this work

Michael: we're trying to establish feasability and the potential path to standardization

<DanD> +

Michael: we need to prioritize requirements (essential vs nice to have)

<DanD> +1

CPN: you mentioned extending a worker to offload compute
… are there solutions out there that could inform what kind of standardization would be helpful?

Michael: Akamai has EdgeWorkers; Fastly runs WASM on the edge
… but they're not using standardized interfaces so can't be deployed seamlessly by developers without adapting to each CDN providers

chris: could this be captured in the document?

Michael: that's what we would want to achieve by cross-referencing stakeholders with use cases / requirements

Chris: I'm not necessarily suggesting to capture in the document, but it's useful information to gather

DanD: thanks for putting this together, and it helps consolidating the many ideas that have been floating around
… the trust model with the edge computing for the Web is a very critical aspect
… things that are in a given administrative domain has a well-defined trust boundary compared to a fully open web setup
… CDNs typically represent content providers, they're an extension of content providers
… what would be the relationship between the ISP and the content provider?
… it's not just technical solutions, this needs to be grounded reality

Michael: does the end user trust the edge computer? does the edge provider trust the code it is running?
… a threat could be drive-by mining that would steal my computing resources
… Sandboxing helps with running untrusted code
… harder to protect the code from the platform - probably best addressed by a social solution

Michael: this could be dealt with in a way similar to permissions e.g. to access camera

DanD: there is also the possibility to extend the same origin policy as long as the edge is seen as an extension to the server
… it's all about who has a relationship with whom
… it's not just the trust, it's also about not abusing the resource

Michael: CORS is designed for developers to delegate access to another developer

Dom: Delegating to the edge, question about trust, when you're using edge resources, the content provider is paying. If it's under user control, does the user pay?
… Are there business models that enable that? We should clarify how the computing delegation would work in practice, don't know if there are examples today

michael: it enables new business models
… today the content provider pays a CDN for edge resources
… if that moves to the user, it could be bundled into an ISP plan

Max: regarding the trust model, it's already covered a bit - it varies across use cases, with different business models
… there are existing B2B models for cloud->edge
… the service provider pays the fee to the edge computing provider
… we should consider the same origin policy of the web architecture
… for consitency

<Zakim> dezell, you wanted to talk about sandboxing

David: re sandboxing - how much thoughts have been put into keyvault / software validation?
… PCI regulations enforced rules in terms of private key generation and management
… how do you prevent a user asked to do something that might be appropriate?
… very hard questions to consider

jholland: the developer-controlled vs user-controlled models
… they're very different use cases with very different control surfaces, different trust model and sandboxing constraints
… there may be some similar aspects
… but they should be approached as different APIs that might be able to share a component

DanD: my suggestion for Michael & Max: we went through use cases and requirements
… there may be an opportunity to look at the different offloading models (developer centric vs user centric)
… the different realms of controls (enterprise vs user)
… I think it would be worth digging more into these questions

McCool: re user vs dev - a user could be an enterprise wanting to do sensitive work on their premises or using their own machine
… e.g. Web Apps doing video processing
… Establishing the right trust model is key

Jake: I would suggest an enterprise capability could operate under a developer centric model, vs a home user

McCool: we should add discussion of this topic in the doc
… there are similar components around workload packaging, sandboxing

Max__Liu: +1 to Dan's suggestion
… we'll put more analysis on this topic in the document

sudeep: the sandboxing and trust models sounds like important topics
… we have the <script> tag that allows to run JS - could it be extended to allow the user to establish trust with the edge node?

McCool: the value of Worker is that they operate in a different thread/memory space, which isn't the case of the <script> tag

Yan: re security model, a user centric trust model is key to forward looking standards

McCool: SOLID is also an interesting approach to manage private data
… managing keys in the LAN doesn't work well with browsers

Yan: I'm also involved in the VC & DID WGs which could help

acl Piers_O_Hanlon

Piers_O_Hanlon: could be useful to distinguish the user data from the code
… privacy around the data that is being processed vs the code that is doing the processing
… one can secure the code or use sub-resource-integrity to ensure it hasn't been tampered with
… the data flows then get processed by that
… homomorphic encryption might provide a useful way to protect the data from the edge

Yan: we use a trust zone to run the code
… for the data, we use VC to preserve the privacy of data itself

McCool: separating data and code fits well with stateless computing models
… with the sandbox, we could control the connections the code can make to avoid it to send the data to any other endpoint

Piers_O_Hanlon: users may have their credentials used by the edge to accomplish tasks on their behalf

McCool: homomorphic processing is probably not ideal if you're looking at performance as a goal

McCool: next step includes discussing the aspects that were raised today around security / trust

DanD: there is also an opportunity to look at the gap analysis
… are the standards identified going to fulfill the needs? or what will it take to make them so?
… incl WASM, CORS
… How can we extend the dialogue? DO we need dedicated calls to help make progress?
… does it have the elevated visibility an activity on its own?

<Zakim> jeff, you wanted to comment on next steps

Jeff: looking at the current editors draft of the use cases doc, it's already a pretty impressive document
… on the balance of making it even better or moving forward with the gap analysis and addressing it
… the weight of the effort needs to shift towards resolving the gap
… this may require cross-meeting with other groups
… figure who should address the gaps and how we ensure progress
… possibly with a new CG

McCool: we need to get more stakeholders at the table
… what can we do to increase engagement?

Max__Liu: we probably need a CG, a dedicated way to focus on how to move forward
… I personally think that before we go to a WG, we can prepare a charter
… or a CG that focuses on the topic, which could be more open to non-W3C members and open source projects
… helps with greater engagement
… key is pushing progress on the work coordination more than on the draft

<Zakim> jeff, you wanted to support Michael's idea about stakeholders

jeff: before reaching out to more stakeholders, we need greater clarity on the next steps (incubation vs WG vs existing groups)
… in terms of stakeholders, there is a long list of stakeholders that used to be but are no longer W3C members that came in the Mobile Initiative days
… we should reach out to them as we're making progress in deploying our action plan

McCool: +1 to outreach
… re CG vs WG - we can't have a WG until we know exactly what deliverables we need
… a CG or an IG focused on doing that would be a useful next step

jeff: we already have the IG

McCool: but the name of the IG doesn't scream "edge computing"

DanD: two different things we're talking: making the story crisper (with doc improvements)
… and gathering input & support, administrative stuff
… they can be done in parallel
… If we need an edge IG, or a CG
… we still need to improve the gap analysis in terms of what other groups need to provide & support
… figure out the incentives for the stakeholders
… we talked about organizing some sort of the workshop to help moving forward

Max: a CG being more open is helpful compared to an IG
… we can also have a liaison with the IG to report back what would happen in the CG
… the CG could have more frequent teleconferences

DanD: Thanks again for showing up and for the very fruitful discussions

Minutes manually created (not a transcript), formatted by scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).


Succeeded: i/[slide 1]/Slideset: https://github.com/w3c/web-networks/raw/main/meetings/W3C_WNIG_TPAC2022_V1.1.pdf

Succeeded: s|https://github.com/w3c/web-networks/raw/main/meetings/W3C_WNIG_TPAC2022_V1.1.pdf|https://lists.w3.org/Archives/Public/www-archive/2022Sep/att-0001/W3C_WNIG_TPAC2022_V1.1.pdf

Succeeded: s/keybox/keyvault/

Succeeded: s/lef/lf

Succeeded: s/ure/ue

Maybe present: chris, CPN, David, DavidE, Jake, jholland, Max, Max__Liu, Michael, Piers_O_Hanlon, Yan