[Webpush] Comments on draft-thomson-webpush-encryption
Peter Beverloo <beverloo@google.com> Fri, 16 October 2015 14:35 UTC
Return-Path: <beverloo@google.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F37B1B2C67 for <webpush@ietfa.amsl.com>; Fri, 16 Oct 2015 07:35:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.788
X-Spam-Level:
X-Spam-Status: No, score=-0.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gb-nxpzQG88P for <webpush@ietfa.amsl.com>; Fri, 16 Oct 2015 07:35:35 -0700 (PDT)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF5311B2C61 for <webpush@ietf.org>; Fri, 16 Oct 2015 07:35:34 -0700 (PDT)
Received: by lbbes7 with SMTP id es7so12235658lbb.2 for <webpush@ietf.org>; Fri, 16 Oct 2015 07:35:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=Hj6s0kFnRqvi1suq2ban/3rzGVJpU0ZvJyJbFIU6Hxs=; b=cN/iM6RsM60r4gmNVDSUYErLCXfBmG4c92eNgE81RVsw9kliQozJx+v4rpm8+2EkwK UCiXm5k4CHs/vJPEka3Alt64qwR7D6JR7Upa4iKOZS15M1zOqo9M+hoV4SE8xg1tj9WP Kcba3oFA5hASE53LxorNlcj/JZeAEPdsusc2sOwxWPLRPAK2YJiilsOqcWx/+v2VNNgR qkhzT5lNuVmE1Bdsdm1nWxoorkXZv3FDYu/51AbdybxW55qdWsVEFf7HmGOBvSWCJeuA kKk572RPnxyIG8pTMqK7fJx/3Bq79P2aM3ySwR9VUwDy7FC77ct8IrzgP3sJplUsgcnS q4CA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=Hj6s0kFnRqvi1suq2ban/3rzGVJpU0ZvJyJbFIU6Hxs=; b=i3n8eLbj+px70Y4W72Hl8I1uSgnVXlXjikfVn6WA5uC/vaXn+9W39jJ5fBMCmh4vw0 5ydKtJMwxco/fhWOFq5jcuABOU7XIYEKObshNYyJTyZokVRtQ8yIx/VedW5GVflKWagr j0K1viakKQXsBGMhjKqkfGQXrZfNTyt8you+/QZnN0vT/qrXsvCjK/G7PZL3TrXEkjGn VguTjabewq+Skq3mmLvhbH9edVJPqQRpsQxRFbpgOc6kWlVMb9RwjNKhIZz5Ic1k4jtb 7ivWbHxiluPmFsecE4I/jyqO5+4TJOFbSZ3k+bcLuY5XVRWYTKIa4pNdGlh/7221261m 2kfA==
X-Gm-Message-State: ALoCoQk06mBhy7cMg+GZBMY/8Q6y2xjz6RDo5zieAqOJ/OXWslsEomO7VbL9b223QtXNbtfQh2h9
MIME-Version: 1.0
X-Received: by 10.112.130.225 with SMTP id oh1mr8473650lbb.69.1445006132963; Fri, 16 Oct 2015 07:35:32 -0700 (PDT)
Received: by 10.25.21.98 with HTTP; Fri, 16 Oct 2015 07:35:32 -0700 (PDT)
Date: Fri, 16 Oct 2015 15:35:32 +0100
Message-ID: <CALt3x6mvOu_B8AS4LnjDkSEsiKzLuiMbdr_jhesF7kdUqYnbvA@mail.gmail.com>
From: Peter Beverloo <beverloo@google.com>
To: "webpush@ietf.org" <webpush@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b343d3241406b052239b5a9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/6L-mdeMH_68vUSbxCsY8srv3w90>
Subject: [Webpush] Comments on draft-thomson-webpush-encryption
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 14:35:37 -0000
Hi all -
There are a number of concerns I have about thomson-webpush-encryption[1]
after implementing support for the draft in Chrome, most of which are
related to the generic nature of thomson-http-encryption[2].
The tl;dr is that while I believe that using the "aesgcm128" HTTP content
encoding with a single record is good, removing our dependencies on other
parts of thomson-http-encryption would significantly simplify webpush.
(To start off on a slight tangent, after further discussion with Mozilla
we have agreed to support P-256, despite our strong, standing preference
for using Curve25519.)
(1) Allowing multiple values for the Content-Encoding header.
For efficiency reasons, an implementation may use alternative protocols
for the push service <--> user agent connection that are not HTTP-based.
This is the case for Chrome (and Android), where messages may be received
outside of the network stack and content decryption happens by using
the header values in combination with an aes128gcm encoding. Supporting
multiple values, e.g. encryption and compression, would be problematic.
Would it be reasonable to require a single value of "aes128gcm"?
(2) Separation of the Encryption and Encryption-Key headers.
Given that thomson-webpush-encryption mandates use of a single encryption
record, an implementation only _needs_ the "salt" parameter from the
Encryption header, and the "dh" parameter from the Encryption-Key header.
The "rs" header can be implied, but could still be used to validate the
single-record requirement.
The fact that both headers support comma-separated lists also seems
unnecessary for use with thomson-webpush-encryption.
Introducing yet another header it not great, but it would allow us to
provide a concise, to-the-point header only having "salt" and "dh"
parameters, in which the "rs" can be implied from the message's body.
(2a) Ambiguity about the meaning of the "keyid" parameter.
Under what circumstances would the subscription id for which a message is
received not be sufficient for selecting the keys, i.e. when would there
be multiple key pairs per subscription?
Is this an artifact of having the required data spread over two headers
that both allow comma-separated lists, to match a "salt" with a "dh"?
(2b) Disallowing use of explicit keys (for now).
thomson-http-encryption also allows use of the "key" parameter for
providing an explicit key. While this could be useful for broadcasts in
the future, we should explicitly disallow this until we get there.
Thanks,
Peter
[1] https://tools.ietf.org/html/draft-thomson-webpush-encryption-01
[2] https://tools.ietf.org/html/draft-thomson-http-encryption-01
- [Webpush] Comments on draft-thomson-webpush-encry… Peter Beverloo
- Re: [Webpush] Comments on draft-thomson-webpush-e… Martin Thomson
- Re: [Webpush] Comments on draft-thomson-webpush-e… Peter Beverloo
- Re: [Webpush] Comments on draft-thomson-webpush-e… Martin Thomson