This repository has been archived by the owner on Jan 25, 2019. It is now read-only.

It's difficult to trust attribution to another origin #63

Closed
jyasskin opened this issue Apr 11, 2017 · 2 comments
Comments

@jyasskin
Member

https://w3c.github.io/dpubwg-charter/#scope says,

A Web Publication may be portable, and it may be hosted at some other origin. However, it must preserve information about its original origin and identity, so that references to a portable copy can be reconciled with the original publication, and so that the other origin can make informed choices about how much trust to grant to the publication.

If a publication is hosted at another origin, and you want trust decisions to be based on the original origin, we'd need a proof that the publication actually came from the original origin, which is non-trivial. We're trying to solve this as part of https://github.com/dimich-g/webpackage, and hopefully you'll just be able to take advantage of that, but if you want to include it in this scope too, you should also explicitly call out that you'll need to work with the Web Application Security WG or maybe the Web Security IG to make sure it's right.

Otherwise, might be straightforward to just treat copied publications as new content in their new origin with an attribution that isn't trusted by the UA.

iherman added a commit that referenced this issue Apr 11, 2017
This is in response to issue #63
@iherman
Member

iherman commented Apr 11, 2017

@jyasskin, you are right. I have created a new pull request (#64) which now includes an additional liaison to the Web App Sec WG:

Porting a Web Publication, hosting the publication at some other origin, may raise security issues.
The Publishing Working Group will have to work closely with the Web Application Security WG to ensure that the approaches developed by that Working Group are adopted by Web Publication, and that any additional work done by the Publication Working Group is in line with general Web Application Security.

Would that work for you? Note that there is an "automatic" liaison with the Web Sec IG already as part of the horizontal reviews (and listed in the intro paragraph of the coordination section of the charter).

@jyasskin
Member Author

Yep, that's great.


2 participants