Re: [secdir] Secdir review of draft-ietf-webpush-protocol

Martin Thomson <> Wed, 19 October 2016 04:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C9C8D12946B; Tue, 18 Oct 2016 21:21:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id httJZR55bG4p; Tue, 18 Oct 2016 21:21:03 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 52A0C129466; Tue, 18 Oct 2016 21:21:03 -0700 (PDT)
Received: by with SMTP id o68so17679796qkf.3; Tue, 18 Oct 2016 21:21:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=gX06tHvC06M+L7wo876rLBdkQEnFUi3i7rCmjDw0/Yo=; b=F82APmze9qVQ3zFa/3vp7r2bn8YwwprUJPKKGm75T4vIAR7weowywPbhL+kW4XaT0j paqZSBg9cWFlCMBEkXvbG52UQ02UXojL8F4ifpT8MXXcXyUkE19s8afY0lBEqrPJmjGy DHHeqHiUMXcu5Q1oLeGkfsSdJ3bkQnOK+xcLVInQGX1Ny8+xmmiz/zb/7zpCz5C6uxTA mnra7IjCWJOJT8n0v9m7Rqi0GMpOZX+uAzF0+dt2kgCjtuotRbI8hGAj1seuwajDzXOp QgVuyfjWQYCBQ+Qh79uvVUWBiYMKDh0UrU4aEk47ZPE2eOh8aqxgaEhhNmFkCzqYutw3 sxUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=gX06tHvC06M+L7wo876rLBdkQEnFUi3i7rCmjDw0/Yo=; b=kC+1P0inyANqSZ481aqHg+2Wi2+YqDLa7bZF7JoepeiM2YSvYenXlEtaONrKB7T0jf jQdnQF9gwbTo2gI1aSbPRNA6/Bu96qCrADZxXUcWGOqreDL4fzyEJBaK8fO6hgX9pzXa bagIMVT5ZQujB5UWDI8QmXiPAHCCbprynWfYfi8uWVXmo/9MVl9SumYMbc6PX6yTp6c4 EAnxcLvshMfCefNIzXAXBYjX3y4IeyP10WN1uw6KvhWWa+SDqbdmkB6jx7cbkd+9VvxL WTZzdHhk4FRYHc790RjObV316h9OyFke5pAdawmmBHwuJQ3FZJihhOXyK1TkAqSYnex2 1lAg==
X-Gm-Message-State: AA6/9Rktkm6/JcZtKnAC43Tfq7/OEm0xsHVZ6sFMlHLP8bGriOkv6ZjFVA3vsYRYR4muN/n/u1tZR6kp8FsyMA==
X-Received: by with SMTP id d15mr3981284qke.115.1476850862412; Tue, 18 Oct 2016 21:21:02 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 18 Oct 2016 21:21:01 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Martin Thomson <>
Date: Wed, 19 Oct 2016 15:21:01 +1100
Message-ID: <>
To: =?UTF-8?Q?Magnus_Nystr=C3=B6m?= <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc:, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-webpush-protocol
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Oct 2016 04:21:05 -0000

Thanks for the review Magnus.

On 14 October 2016 at 16:06, Magnus Nyström <> wrote:
> The only slight concern I have is related to
> the authorization of receiving push messages. The technique used is
> essentially bearer tokens (knowledge of a URL). It therefore seems as
> if unintended sharing of such a capability URL could cause other user
> agents to get access to push notifications. I wonder if the work
> around token binding in TLS (holder-of-key tokens) could be applicable
> here, at least in the future.

You will be pleased to know then that we have additional work in the
pipeline that uses JWT to strengthen things.  It's not perfect in that
there is a chance of replay (the token is valid for multiple
requests), but that was a security/operational considerations