[secdir] Secdir last call review of draft-ietf-webpush-vapid-03

Robert Sparks <rjsparks@nostrum.com> Wed, 28 June 2017 21:38 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F2DDC12EC71; Wed, 28 Jun 2017 14:38:45 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Robert Sparks <rjsparks@nostrum.com>
To: secdir@ietf.org
Cc: webpush@ietf.org, ietf@ietf.org, draft-ietf-webpush-vapid.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.55.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149868592596.7659.3988919152591675113@ietfa.amsl.com>
Date: Wed, 28 Jun 2017 14:38:45 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TGjYoT8kUI2obwfcRBwGvvGFH-I>
Subject: [secdir] Secdir last call review of draft-ietf-webpush-vapid-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2017 21:38:46 -0000

Reviewer: Robert Sparks
Review result: Has Nits

Summary: Ready (with nits)

This document provides a mechanism for an application server to voluntarily
identify itself to a push server using JWT. The draft is easy to follow. The
security properties of this mechanism are clearly and thoroughly discussed.

There are some minor nits:

1) The draft says that expiry claims MUST NOT be more than 24 hours from the
time of the request. Consider adding some discussion of why 24 hours was chosen
(vs some other arbitrary value), especially given the MUST NOT strength of the
requirement.

2) The last paragraph of 4.2 says application servers create subscriptions, but
it means to say that user agents do. Martin already addressed this when I brought
it up out-of-band, with <https://github.com/webpush-wg/webpush-vapid/pull/39/files>.

3) The last sentence of the abstract is missing a word. Perhaps s/subscription
a/subscription to a/ ?

4) Consider using the RFC8174 update to RFC2119.
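
To make nit 1 concrete, here is a push-service-side check of the expiry rule
the review asks about. This is an added example, not code from the draft, from
the reviewer, or from the webpush working group. It builds an ES256 JWT the way
JWS specifies for that algorithm (raw R||S signature, base64url, no padding),
verifies it with the application server's public key, and then rejects any
token whose "exp" claim is in the past or more than 24 hours beyond the time
of the request. The audience and subject values, the request time and the
offsets used in main() are constructed for the example; how the token and key
are carried in the HTTP request is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// MaxExpiry is the cap the draft places on the "exp" claim: no more than
// 24 hours from the time of the request.
const MaxExpiry = 24 * time.Hour

// vapidClaims is the claim set a VAPID JWT carries. Only "exp" is enforced
// below; "aud" and "sub" are carried so the payload looks like a real token.
type vapidClaims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Sub string `json:"sub,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignVAPID builds a compact ES256 JWT over the claims. The signature is the
// JWS form for ES256: R and S as 32 raw bytes each, not DER.
func SignVAPID(priv *ecdsa.PrivateKey, c vapidClaims) (string, error) {
	header := b64url([]byte(`{"typ":"JWT","alg":"ES256"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyVAPID is the push service side: pin the algorithm, check the
// signature with the application server's public key, then apply the
// expiry rule. A token whose "exp" is in the past, or more than MaxExpiry
// beyond the request time "now", is rejected.
func VerifyVAPID(pub *ecdsa.PublicKey, token string, now time.Time) (*vapidClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header must declare alg ES256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature must be 64 raw bytes (R||S)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c vapidClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	exp := time.Unix(c.Exp, 0)
	if !exp.After(now) {
		return nil, errors.New("token has expired")
	}
	if exp.Sub(now) > MaxExpiry {
		return nil, fmt.Errorf("exp is %v ahead of the request; limit is %v", exp.Sub(now), MaxExpiry)
	}
	return &c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now() // request time as seen by the push service
	// Constructed claims: 12h ahead is accepted, 25h ahead trips the cap.
	for _, ahead := range []time.Duration{12 * time.Hour, 25 * time.Hour} {
		tok, _ := SignVAPID(priv, vapidClaims{Aud: "https://push.example.net",
			Exp: now.Add(ahead).Unix(), Sub: "mailto:ops@example.com"})
		_, err := VerifyVAPID(&priv.PublicKey, tok, now)
		fmt.Printf("exp %v ahead: err=%v\n", ahead, err)
	}
}
```

The order of checks matters: the algorithm is pinned and the signature
verified before any claim is trusted, so a forged "exp" never reaches the
comparison. The cap is what bounds how long a captured token stays useful
to whoever captured it, which is why the review asks the authors to say
where 24 hours comes from.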