[Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 01 August 2017 19:55 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: webpush@ietf.org
Delivered-To: webpush@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A2CCB132311; Tue, 1 Aug 2017 12:55:24 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-webpush-vapid@ietf.org, Phil Sorber <sorber@apache.org>, webpush-chairs@ietf.org, sorber@apache.org, webpush@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150161732457.12184.5254423236791059887.idtracker@ietfa.amsl.com>
Date: Tue, 01 Aug 2017 12:55:24 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/I8swdhH2C20Pb9e_HiTb4ObEEHQ>
Subject: [Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 19:55:25 -0000

Alexey Melnikov has entered the following ballot position for
draft-ietf-webpush-vapid-03: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


The following is a nit, but I think it is important that it gets fixed:

In Section 4.1:

   The example in Figure 3 shows a restriction to the key used in
   Figure 1.  Extra whitespace is added to meet formatting constraints.

   POST /subscribe/ HTTP/1.1
   Host: push.example.net
   Content-Type: application/webpush-optjons+json;charset=utf-8

Firstly, "optjons" above should be "options". Secondly, the MIME type
registration of application/webpush-options+json says that the MIME type has no
parameters, yet you use charset above. So which is it?

   Content-Length: 104

   { "vapid": "BA1Hxzyi1RUM1b5wjxsn7nGxAszw2u61m164i3MrAIxH
               F6YK5h4SDYic-dRuU_RCPCfA5aq9ojSwk5Y2EmClBPs" }


In Section 3, 3rd para:

   This authentication scheme does not require a challenge.  Clients are
   able to generate the Authorization header field without any
   additional information from a server.  Therefore, a challenge for
   this authentication scheme MUST NOT be sent in a WWW-Authenticate
   header field.

Does this mean that there is no way to discover whether a particular server
supports "vapid" HTTP authentication scheme?