Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection

Phil Sorber <sorber@apache.org> Sat, 02 September 2017 03:03 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/IdgRJRIEsW2KBRkis2145HdAhmo>

I think that we have consensus on this. Other options were considered by
the working group but for various reasons, such as deployment complexity,
were ruled out in favor of the JWT bearer token, despite its sub-optimal
security properties.

Thanks everyone for the feedback.

On Thu, Aug 17, 2017 at 10:17 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 18 August 2017 at 12:58, Phil Sorber <sorber@apache.org> wrote:
> > I believe the working group has already discussed adding such a mechanism
> > and rejected it (with citation to an email discussion or minutes reflecting
> > such discussion).
>
> We did consider options that don't have this unfortunate property.
> Client certificates were a strong contender.  They would have been
> ideal if not for operational challenges.
>
> Here's the email that I think was pivotal on this subject:
> https://mailarchive.ietf.org/arch/msg/webpush/_qwcGCuDekERw5o31t0MjFJGTh8
>
> Later there is also:
> https://mailarchive.ietf.org/arch/msg/webpush/poGnqtBFlFe3hpzvkiS3Rp5L94g
>
> There are yet more emails that follow on from this where we discuss
> scope of the token and relative costs.  The first of those is here:
> https://mailarchive.ietf.org/arch/msg/webpush/xrqo-LUb7mrPV6eF1xgyJoqMgCU
>
> I found the rest of the thread instructive as a reminder of what happened,
> I had forgotten the details of this discussion.
>
> I didn't read meeting minutes, the above seems sufficient.
>