Re: [Webpush] Alexey Melnikov's No Objection on draft-ietf-webpush-vapid-03: (with COMMENT)

Costin Manolache <costin@gmail.com> Tue, 15 August 2017 17:56 UTC

Return-Path: <costin@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44CE6126B6E; Tue, 15 Aug 2017 10:56:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gOjYx2AHlTwl; Tue, 15 Aug 2017 10:56:51 -0700 (PDT)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62DE6120713; Tue, 15 Aug 2017 10:56:51 -0700 (PDT)
Received: by mail-pg0-x233.google.com with SMTP id v189so9905342pgd.2; Tue, 15 Aug 2017 10:56:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Xgu6T4Vc/QuqXhtKugMcZjMYDSCw089heSer/DQ5i8k=; b=TG2maLQG2TiHMQTdGv2yP2c0C2TTnod4Zw337J9fB2g0H55h5TXEhRQ7vnm6rjr1XH tfAxujPbh0YYpEFG/iJSGkQzqm0KZj517XFZ02B3tJtDGozyT7h51A9AV6nNWMnDtZqs whDIgyKitcc0Vs5EUOT8StwJNrswElEMBLepM/rGCpDaWl3lLsQXtvfFyt42pYCe33sa Dgz5vvYmpZDorbSR+JUR+dT4006MtEiFAsw4KnpmEiIZFnMZbbEianraoqITeLJhlSBJ gGih8fO3oyJrUKT8JZpQURpNRR385cIAv/+s00/u1R8+8/HY/qvXCcjhBwE9dKj+tHp/ GdNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Xgu6T4Vc/QuqXhtKugMcZjMYDSCw089heSer/DQ5i8k=; b=k3SvxXk7fwdHlth5sj6IB7V1F0RewU7PL45ZEeTiMp1yF+u+8AWMphVFHFcyxJ5ETe iwnFiYrqYjc2HCQGoQ31Tn6i3gOI2pGa/KNocZ0ZTlNZ6DqbeGPT6UD5YJ8puFUiQYrZ P2nXhPCy46DOESqQGZOqHYOsQO7YyE25GzWe3Ugsm2k4Q1o9OHEjohlRglgkyXWWNgHq gg2/uxltgjAiNn24C1Fndy5hXQcTTDcKiO7QAVIQek4Mw1r2YTiB2Tm9YpI8UsBX8jtt q4CUYY5MfxP0aRtAGuvAd6NSxA0PFoc1bAHCVgj/9lhmK8dIYWoGg9HkP7vHyAZ+d6Dc 0O0w==
X-Gm-Message-State: AHYfb5gkdEXXF6J57ppLeLy+e5YW/JjOTXfdhKJTa8Y7gLwpwFVRzH7A 9zw8/K0WSh8Q2v+ZHD90T6s9eAzioSIK
X-Received: by 10.98.223.68 with SMTP id u65mr28459777pfg.98.1502819810841; Tue, 15 Aug 2017 10:56:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.138.76 with HTTP; Tue, 15 Aug 2017 10:56:50 -0700 (PDT)
In-Reply-To: <150281715482.21106.3346502830630897599.idtracker@ietfa.amsl.com>
References: <150281715482.21106.3346502830630897599.idtracker@ietfa.amsl.com>
From: Costin Manolache <costin@gmail.com>
Date: Tue, 15 Aug 2017 10:56:50 -0700
Message-ID: <CAP8-Fq=aFgGzEL3foLNEU+SeYnXB8_QSdpKWa=QKgBuvomBCQw@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, draft-ietf-webpush-vapid@ietf.org, webpush-chairs@ietf.org, "webpush@ietf.org" <webpush@ietf.org>, sorber@apache.org
Content-Type: multipart/alternative; boundary="94eb2c14fdbcfc99140556ce80ed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/Bh8EjoRfoiC67WF6WBgCbl3a1S0>
Subject: Re: [Webpush] Alexey Melnikov's No Objection on draft-ietf-webpush-vapid-03: (with COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 17:56:53 -0000

IMHO out-of-band discovery may be sufficient - in webpush it is implicit or
can be part of the
subscribe handshake. If VAPID is used with an API the supported auth may be
part of the API
schema/discovery.

I think in future it may be valuable to add an optional certificate -
either as an extra header or parameter -
to allow authentication without a database RT. In such mode a mechanism to
discover supported
roots may be needed - however it can also be done out-of-band.

B

Costin


On Tue, Aug 15, 2017 at 10:12 AM, Alexey Melnikov <aamelnikov@fastmail.fm>;
wrote:

> Alexey Melnikov has entered the following ballot position for
> draft-ietf-webpush-vapid-03: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-webpush-vapid/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I have cleared my DISCUSS based on changes in git.
>
> I am looking forward to continuing discussion about advertising support
> for the
> "vapid" authentication scheme in WWW-Authenticate:
>
> In Section 3, 3rd para:
>
>    This authentication scheme does not require a challenge.  Clients are
>    able to generate the Authorization header field without any
>    additional information from a server.  Therefore, a challenge for
>    this authentication scheme MUST NOT be sent in a WWW-Authenticate
>    header field.
>
> Does this mean that there is no way to discover whether a particular server
> supports "vapid" HTTP authentication scheme?
>
>
> _______________________________________________
> Webpush mailing list
> Webpush@ietf.org
> https://www.ietf.org/mailman/listinfo/webpush
>