Re: [Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 15 August 2017 09:36 UTC

Message-Id: <1502789815.1179459.1073844136.43E95545@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-webpush-vapid" <draft-ietf-webpush-vapid@ietf.org>, Phil Sorber <sorber@apache.org>, webpush-chairs@ietf.org, webpush@ietf.org
References: <150161732457.12184.5254423236791059887.idtracker@ietfa.amsl.com> <CABkgnnXNAtcJcEQ9pJx=Pi_nOBX6THFQOuoLZLJa0NmKPezk6w@mail.gmail.com>
Date: Tue, 15 Aug 2017 10:36:55 +0100
In-Reply-To: <CABkgnnXNAtcJcEQ9pJx=Pi_nOBX6THFQOuoLZLJa0NmKPezk6w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/0Y1dsBlybdkVUf92PzwRu1bRYq8>
Subject: Re: [Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)

On Wed, Aug 2, 2017, at 01:14 AM, Martin Thomson wrote:
> On 2 August 2017 at 05:55, Alexey Melnikov <aamelnikov@fastmail.fm>
> wrote:
> > Firstly, "optjons" above should be "options". Secondly, the MIME type
> > registration of application/webpush-options+json says that the MIME type has no
> > parameters, yet you use charset above. So which is it?
> 
> As Phil notes, the first was corrected already, the second is in
> c867529 on GitHub.  I'll push a new version at Adam's instruction.

I prefer a new draft.

What is the URL for the GitHub repository? I couldn't find it on a quick glance.

> > In Section 3, 3rd para:
> >
> >    This authentication scheme does not require a challenge.  Clients are
> >    able to generate the Authorization header field without any
> >    additional information from a server.  Therefore, a challenge for
> >    this authentication scheme MUST NOT be sent in a WWW-Authenticate
> >    header field.
> >
> > Does this mean that there is no way to discover whether a particular server
> > supports "vapid" HTTP authentication scheme?
> 
> Not directly.  There was a plan to expose this via the User Agent, but
> we didn't reach a conclusion: https://github.com/w3c/push-api/pull/262
> 
> Another document could override this as well, I suppose.  The "MUST
> NOT" exists primarily because we don't define a challenge.

I think all authentication schemes should be discoverable in
WWW-Authenticate, as it is a part of the HTTP authentication framework.

I think it would be good to clarify whether inclusion of "vapid" in
WWW-Authenticate without a challenge is allowed. The way your MUST NOT
is worded makes me think that this is something that a server
implementor can do accidentally. As there is no challenge data, I don't
see how this can happen anyway.
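As an added illustration (not code from the thread, the draft, or any push service), a small header check that flags the two points discussed above: a `vapid` challenge appearing in WWW-Authenticate, which the draft says MUST NOT be sent because the scheme defines no challenge, and a parameter such as `charset` on application/webpush-options+json, whose registration declares no parameters. The challenge parser is a simplified reading of the RFC 7235 grammar, written for this example.

```python
import re

# A piece that begins with token "=" is an auth-param continuing the previous
# challenge; anything else opens a new challenge whose first word is the scheme.
# (Token characters per RFC 7230; simplified parser written for this example.)
_PARAM_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+\s*=")
_WEBPUSH_OPTIONS = "application/webpush-options+json"


def split_challenges(header_value):
    """Split a WWW-Authenticate value into (scheme, [param, ...]) pairs.

    Commas inside quoted strings do not separate challenges."""
    pieces, buf, quoted, escaped = [], [], False, False
    for ch in header_value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            pieces.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    pieces.append("".join(buf))

    challenges = []
    for piece in (p.strip() for p in pieces):
        if not piece:
            continue
        if _PARAM_RE.match(piece):
            if challenges:  # stray params without a scheme are ignored
                challenges[-1][1].append(piece)
            continue
        scheme, _, rest = piece.partition(" ")
        challenges.append((scheme.lower(), [rest.strip()] if rest.strip() else []))
    return challenges


def lint_headers(headers):
    """Return findings for the two VAPID points raised in the thread."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    www_auth = lowered.get("www-authenticate")
    if www_auth is not None:
        for scheme, _params in split_challenges(www_auth):
            if scheme == "vapid":
                findings.append("WWW-Authenticate advertises 'vapid', but the scheme "
                                "defines no challenge and MUST NOT be sent there")
    media_type, _, params = lowered.get("content-type", "").partition(";")
    if media_type.strip().lower() == _WEBPUSH_OPTIONS and params.strip():
        findings.append(f"{_WEBPUSH_OPTIONS} registers no parameters, got: {params.strip()}")
    return findings
```

A dict holds one value per header name, so fold repeated WWW-Authenticate fields into one comma-separated value before calling `lint_headers`.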