Re: [Webpush] Warren Kumari's No Objection on draft-ietf-webpush-encryption-08: (with COMMENT)

Warren Kumari <warren@kumari.net> Wed, 16 August 2017 00:19 UTC

Return-Path: <warren@kumari.net>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91D841323C8 for <webpush@ietfa.amsl.com>; Tue, 15 Aug 2017 17:19:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NSq916PGe7T5 for <webpush@ietfa.amsl.com>; Tue, 15 Aug 2017 17:19:54 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6315213240E for <webpush@ietf.org>; Tue, 15 Aug 2017 17:19:51 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id f15so21270687wmg.1 for <webpush@ietf.org>; Tue, 15 Aug 2017 17:19:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=eVQ0PHA2lNhwdVD4UyJCgNW6HY1nnocVTl0+vor6SMA=; b=qNr0bLAMU14YqECG/39dzDNsn+ZfgKukjkugbRPaZZGMeGHrqFxEKbMUE/1kTqGzRO 7mWLkJ/0DKwZZnKaHwKxy2/PTaGPVf16xt4FtZhwClncecHMUhPSVsxexFmlngCuMHBS NDPEYFOXuzcz0YNugen8uD6eQg0jV+dHi1LlbN20jkUru9UoG+d2VQVCq9N0Er180tNJ ZO4nqzy8DhAgV5bElLzh+5K7gKNuOPGViDGt1xDJaNrQdFJcls29+slIcCnXEth5Oe3v k3D83IsIGc1LPBRQ9VVmkOcwrjKxf0CItvmzNA+nAwi9xzwjS+AHh1OcDBmfhmQHrNnz axKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=eVQ0PHA2lNhwdVD4UyJCgNW6HY1nnocVTl0+vor6SMA=; b=SBEZxKU9F7o5XXzWyT8AvcO8yMrFyaYM/+ImrfcmeHppUrXfPqw35lIxpBu637rdKn tZSaH0VHzRI4r1C0lHm15Ee9ljey3vB3OCU4EFHgfRmmZKPMCF7FPWZB4u5hVYcC2NAq FdxNUL76m2mMP7C6vxSnC85xfGm28zsVXoMOAC8SBiIINwdFvo5y3vAbWzqZPnldKZH6 UhyjjS6lsnzhrntzfwAQtrPVmL8fvjpkfdL7Q83cWp0N1LFhG8rrO1HbwkzBV9ULwXcy XgQV8KKdNiMPUQvZyohAM01yq1aFxsbrbtqtJH9SUS/hEG4isHiWtfAK7mJNcChPwpoY fbJA==
X-Gm-Message-State: AHYfb5g03Ba7V7+dY3NC9grhJ3OmY2jD4y8xrzH5PREFBe8Uhs0ScmtK pw+Yv1EAbgu1umL5rVHLoXSH2NdTO/Vp
X-Received: by 10.28.113.203 with SMTP id d72mr137291wmi.109.1502842789815; Tue, 15 Aug 2017 17:19:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.164.135 with HTTP; Tue, 15 Aug 2017 17:19:09 -0700 (PDT)
In-Reply-To: <CABkgnnWoqRd9Y_xeoRh2cXG_GFG617__qeM=8PuLvApO7Vbk4w@mail.gmail.com>
References: <150281999738.21016.2164260159984776251.idtracker@ietfa.amsl.com> <CABkgnnWoqRd9Y_xeoRh2cXG_GFG617__qeM=8PuLvApO7Vbk4w@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 15 Aug 2017 20:19:09 -0400
Message-ID: <CAHw9_i+JpwDKqugKzHixA+WMb9vXpnpBoznAWhtBupyFgxU2HA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: The IESG <iesg@ietf.org>, Tim Chown <tim.chown@jisc.ac.uk>, draft-ietf-webpush-encryption@ietf.org, webpush-chairs@ietf.org, "webpush@ietf.org" <webpush@ietf.org>, Phil Sorber <sorber@apache.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/57KGC_V8FM7FmlqnKgCykGcLlUQ>
Subject: Re: [Webpush] Warren Kumari's No Objection on draft-ietf-webpush-encryption-08: (with COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 00:19:57 -0000

Awesome, thank you, LGTM.

W

On Tue, Aug 15, 2017 at 8:16 PM, Martin Thomson
<martin.thomson@gmail.com>; wrote:
> Hi Warren,
>
> I resolved your nits here:
>   https://github.com/webpush-wg/webpush-encryption/pull/19
>
> On 16 August 2017 at 03:59, Warren Kumari <warren@kumari.net>; wrote:
>> Warren Kumari has entered the following ballot position for
>> draft-ietf-webpush-encryption-08: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-webpush-encryption/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Firstly, thanks to Tim Chown for his helpful OpsDir review (
>> https://datatracker.ietf.org/doc/review-ietf-webpush-encryption-08-opsdir-lc-chown-2017-08-01/
>> ) and for your response.
>>
>> I only have nits on this document:
>> 1:  I reviewed this and draft-ietf-webpush-vapid together. This document uses
>> title case for "User Agent" (and many other terms), while
>> draft-ietf-webpush-vapid and RFC8030 uses lower-case. Consistency would be nice
>> here.
>>
>> 2: Section 2:
>> "In addition to the reasons described in [I-D.ietf-webpush-protocol], this
>> ensures that the authentication secret is not revealed to unauthorized
>> entities, which can be used to generate push messages that will be accepted by
>> the User Agent." -- this is ambiguous / confusing. It is unclear which which is
>> which. I'd suggest rewording to something like "... to unauthorized entities,
>> which would allow that entities to generate push messages that would be
>> accepted by the User Agent as valid" (or similar)
>>
>> 3: Section 7.  Security Considerations
>> "In particular, any HTTP header fields are not protected by the content
>> encoding scheme." -- I think you may mean "In particular, no HTTP header fields
>> are protected ..." (or similar)
>>
>>
>> _______________________________________________
>> Webpush mailing list
>> Webpush@ietf.org
>> https://www.ietf.org/mailman/listinfo/webpush



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf