Re: [Webpush] Vapid public key
jr conlin <jconlin@mozilla.com> Wed, 02 November 2016 15:32 UTC
Return-Path: <jconlin@mozilla.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 224C3129699
for <webpush@ietfa.amsl.com>; Wed, 2 Nov 2016 08:32:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id hERaVWWft1dL for <webpush@ietfa.amsl.com>;
Wed, 2 Nov 2016 08:32:02 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com
[IPv6:2607:f8b0:400e:c00::229])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 653D612963A
for <webpush@ietf.org>; Wed, 2 Nov 2016 08:32:02 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id n85so13833697pfi.1
for <webpush@ietf.org>; Wed, 02 Nov 2016 08:32:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google;
h=subject:to:cc:references:from:message-id:date:user-agent
:mime-version:in-reply-to:content-transfer-encoding:content-language;
bh=un/7ukZgcxwAgjlYhXN59Y6UBsO6nMJXJOkIaOSD75I=;
b=bHQbeV7g3LMBmzrBro/l1TE2EKcYcED9zLzjQ+OAe0cW62VgAnv7ek50kOnKts+6zh
IWE5IZ9hI0uOQKT+I+gA8RMDDucbaJmpoHCi+MDihgB4m9RnpExx7w8ItDss72U7bmwE
u/E3eg7ZcYkmCTCMSv84dFAHzHQh554UpGdsQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:subject:to:cc:references:from:message-id:date
:user-agent:mime-version:in-reply-to:content-transfer-encoding
:content-language;
bh=un/7ukZgcxwAgjlYhXN59Y6UBsO6nMJXJOkIaOSD75I=;
b=aZz0f6gms3giMwyYBt28i5k7BxjsfGmEaPLBVxljwK+/A0xD/ACjTiD6fkdgHsrKfE
AZpWmdhYevA5tyn+flBTt8cvtrSYC0M/ljJVaWkps5QaCtgwdTaTkwjVRTthDbQF/O3m
qknClcpUXPp8JLPZF30aLGQCArMZjYZSW7zs8mfZtx4xLH4h2pfV0NiFOev6oCiKD1AR
57fqyj1hUryPNX00xMxQ0l/Xy4Jjist4twdZoFIAdoe/GZZE4lxBSGbMoOFT063XnodY
akbz7nga8K9UlPRyBeJjm6mAHygIVZ1aeCLI7LWGG8+WpI63WEoD7VzTFrA7oKLQmbum
Cp7A==
X-Gm-Message-State: ABUngvckM8zX316mW6KJZCETtYUBGxi9Nf2VaYnK9ltar0Vqr/lEAj3mmv1cXmo5r5U14gzF
X-Received: by 10.98.155.9 with SMTP id r9mr7962687pfd.71.1478100721642;
Wed, 02 Nov 2016 08:32:01 -0700 (PDT)
Received: from ?IPv6:2620:101:80fc:224:ad46:b789:568d:ff0?
([2620:101:80fc:224:ad46:b789:568d:ff0])
by smtp.gmail.com with ESMTPSA id yx8sm5656152pac.29.2016.11.02.08.32.00
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 02 Nov 2016 08:32:00 -0700 (PDT)
To: Martin Thomson <martin.thomson@gmail.com>,
Costin Manolache <costin@gmail.com>
References: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com>
<CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com>
<CABkgnnX4aAjnZyu3morJOLatuuj9k4NSoTpoNtF7YjtRUFQOnQ@mail.gmail.com>
From: jr conlin <jconlin@mozilla.com>
Message-ID: <7299b268-1bbb-e04f-55d3-da1294583785@mozilla.com>
Date: Wed, 2 Nov 2016 08:32:00 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101
Thunderbird/51.0a2
MIME-Version: 1.0
In-Reply-To: <CABkgnnX4aAjnZyu3morJOLatuuj9k4NSoTpoNtF7YjtRUFQOnQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/1kehujHbMUzEdeK51jcY9L2rbNg>
Cc: "webpush@ietf.org" <webpush@ietf.org>, Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol
<webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>,
<mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>,
<mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 15:32:05 -0000
I'm ok with making the new auth scheme: 2/PUBLICKEY/JWT_TOKEN While this would break older libraries (ick) it would at least allow servers to easily determine if this is a new form rather than an older version. I'll also add that many libraries have a limit to the length of the header line they're willing to accept. For instance, python's twisted library tops out header lines at 16384 characters, and a 16K limit is pretty common for others. https://twistedmatrix.com/documents/current/api/twisted.protocols.basic.LineReceiver.html We're currently far short of that, but remember that people will be putting extra values inside of their JWT so that Ops teams can properly coordinate, and those values will be re-encoded as base64. So it's quite possible that folks could bump up against that limit. On 11/1/2016 10:59 PM, Martin Thomson wrote: > On 2 November 2016 at 16:10, Costin Manolache <costin@gmail.com> wrote: >> Authorization: webpush PUBLICKEY:JWT_TOKEN > The grammar (RFC 7235) is: > > credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] > token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=" > > With JWT, we've opted to use the "token68" form (also shown here). > Given that base64url takes '-', '_', and '.', we could separate on > '/'. '/' is a valid base64 (the non-url-safe variant) character, but > we could split on that. > > For existing implementations, you would have to accept that you are > going to have to sniff for this, or we could use a new auth-scheme. I > think that sniffing should be workable given that you won't have a > Crypto-Key header field. > > And before I forget, the ugliest option of all is to use JWK inside > the JWT. Here's an example of a JWK: > > {"crv":"P-256","ext":true,"key_ops":["verify"],"kty":"EC","x":"20zCfUuIs0NGtaVxENI4VH0YyJOUuxp973BTZTfhe1A","y":"WEMWyistS_sD6gGLN4IISWdIMQxZoCHAhlZ8zkmcVUI"} > > The ext and key_ops fields can be omitted safely - I just pulled this > straight out of webcrypto - though it's still even bigger than you > might like.
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Martin Thomson