Re: [Webpush] Voluntary application server identification

Peter Beverloo <> Tue, 24 November 2015 16:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 169751B2CC2 for <>; Tue, 24 Nov 2015 08:45:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.963
X-Spam-Status: No, score=-1.963 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vmEOxAI3RZuQ for <>; Tue, 24 Nov 2015 08:45:07 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BA21D1B2CA3 for <>; Tue, 24 Nov 2015 08:45:06 -0800 (PST)
Received: by lfdl133 with SMTP id l133so28366039lfd.2 for <>; Tue, 24 Nov 2015 08:45:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OExRWCuXsxL4BLA2E4Yod9P9LaKBeTtY88ID7yGXUjU=; b=FyFKhnKLZ8p9FP2AOJltIkh/HRG4ocucPIpdrORMPRgsdaHVv0QpV+Coa0lpJp/Okv cjI/evDwvm9Ryp5K+aFzxasbxcHLpvoaG7gA9RWMZ9S1Br8TYQVxMl7XOfC6DVDvJzKK pe08EV9EXplh1M11Vccejh2lAKaDz6haCoOmMEuwVH0dqFweZTiZS0Mz3PtjBn90I74S ieiEgbEwltTQ69So4AKitEPXu5wg3D8GRuD4NjvEafDrjn/BA5gdnRikFZMNt6CV7nsv HXDtMZpb7yDiXfVlppum57FqY7WS4P/50vYK5pHoKgAS1ntunGhGjYyZNDNGJm0Vll5h HAzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=OExRWCuXsxL4BLA2E4Yod9P9LaKBeTtY88ID7yGXUjU=; b=PBlLcWf63fI5YTnfmyRBPbH1aHBlzufQDOvrzqNzHV9rzCX1bxLVWzpvO8a4UHm5OI RdT+uYylkNLK1Nquc2G1IwyH5JeVc9C9fW+izVsDkl9LfXDDYqM+Wmy69s601VcA5QxZ MiJbLVb6dKP3Wj7rzlvgzHP1+lRbgB8OriZNy4qkwGkMWQP+2OoPit5ran6AcDdLEBUC Xkgd00iI+5UXs7E8MTqZpI0uGjvnB3bWZTX9z2dnaS+WhVz7RqTI3ccyXf8+ubdfn8oS Q2T0Qz+0CfvXlvL+CXdsk6v1Jcuo9johKOSrILvVl3COoDEarI0Er+FbuO6e68uyHJvA QN+g==
X-Gm-Message-State: ALoCoQmQRdU0HmVDXV9qof5lH9qE1ZZUiTyr0rQ7ZV5baoLOE6/pZ4kQmHpfD/EH6q5uXsNIqHFm
MIME-Version: 1.0
X-Received: by with SMTP id k202mr14544088lfe.161.1448383504815; Tue, 24 Nov 2015 08:45:04 -0800 (PST)
Received: by with HTTP; Tue, 24 Nov 2015 08:45:04 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Tue, 24 Nov 2015 16:45:04 +0000
Message-ID: <>
From: Peter Beverloo <>
To: Martin Thomson <>
Content-Type: multipart/alternative; boundary=001a1141189c4de5e605254c109c
Archived-At: <>
Cc: "" <>
Subject: Re: [Webpush] Voluntary application server identification
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Nov 2015 16:45:09 -0000

Hi Martin,

Thank you for writing this up.

Something that server identification would enable is the ability for
subscriptions to be associated with a given application server, i.e.
not only relying on endpoint secrecy.

The proposed solution, having a TLS client certificate, has the benefit
that the certificate's public key could serve as a token for this
association. Not all alternative solutions have similar shareable tokens.

Both server identification and subscription association are important for
us, and, at least initially, mechanisms that we will mandate use of. If
this proposal works for everybody, we may have to consider a status code
through which the push service can indicate this.

(I realize that this, unfortunately, stands in contrast to your statement
that requiring authentication is unwanted. I personally believe that the
benefits of authentication outweigh the privacy implications - self
signed certificates w/o data fields only act as a persistent token. I see
no problem with other push services not mandating this, of course.)

Let me produce a similar proposal, building on yours, to further explore
subscription association.


On Mon, Nov 23, 2015 at 11:43 PM, Martin Thomson <>

> I did a little write up of the options that I think are most likely
> solutions for issue #44:
> (Submission as an I-D is imminent.)
> All the relevant considerations are covered in the draft.  I started
> out by describing a single option, but realized that addressing the
> alternatives was probably wise.  In doing so, I think that some
> combination of alternatives might not be as crazy as I first thought.
> Some are clearly less good.  In particular, request signing has been
> proposed, but I think that putting a signature validation on the
> critical path is not a great idea.  The other options are much better
> in this regard.
> _______________________________________________
> Webpush mailing list