Re: [Webpush] Application server authentication new years edition

Martin Thomson <martin.thomson@gmail.com> Fri, 08 January 2016 19:25 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 432741B2B32 for <webpush@ietfa.amsl.com>; Fri, 8 Jan 2016 11:25:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8FBUl4m1C_hH for <webpush@ietfa.amsl.com>; Fri, 8 Jan 2016 11:25:20 -0800 (PST)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68B111B2B29 for <webpush@ietf.org>; Fri, 8 Jan 2016 11:25:20 -0800 (PST)
Received: by mail-ig0-x22e.google.com with SMTP id mw1so79899926igb.1 for <webpush@ietf.org>; Fri, 08 Jan 2016 11:25:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=v3hq4cTIQ/UbNDW4TPfrFxW+hUhs0zKK4ZKwHcZPleM=; b=wIbCEP0OuhkvbF7J75WRzOXr30WI7uXySEBbQSy1JK2KuXAfCSdIgb2jaAMo3LPMsM 8um/LZK8YunLV/EynjBTPv1PtQKBQ0ZmoK0O/koao5I1JyB9yv4FNxcspOrZyRbfAxBX 8Pgt86DkXs89jU6SeGQ8UkfeS+3plDjH9RcwWgEiPWPBvPiosGAq4Os5C5Jt0Xq2r2NF RYD/MclrVKD2eOyVk8Va9N4T8jd5YTw+Dhy/yw5hFLq+c20pFIn5KEVQPmqYN+oBEF5p Iswjqq7GBCtShQeGOyYa8RgiHbHlllfjRL1DWQkwWAObLKHTUCesHoqm/7gS64VyF0Qb 9gyA==
MIME-Version: 1.0
X-Received: by 10.50.143.103 with SMTP id sd7mr615569igb.58.1452281119792; Fri, 08 Jan 2016 11:25:19 -0800 (PST)
Received: by 10.36.149.130 with HTTP; Fri, 8 Jan 2016 11:25:19 -0800 (PST)
In-Reply-To: <CAP8-FqkFuqrGtH8CWgOEBvYUMCN=BUVp1LEKig9ADOwLEkcLXQ@mail.gmail.com>
References: <CABkgnnXBHXfY6Gz-FKGVUUoOwyJo9zaw1rWceSqVp94FypDbJA@mail.gmail.com> <CAP8-Fq=PhUcj5aaE6dvF2_+-HmVrGDyk41QBzkVxiNMxUakoag@mail.gmail.com> <CABkgnnUYkuu9pjuqLDhiWLNWzkr9ZfYRNny4ZvSKRTWie2bQyA@mail.gmail.com> <CAP8-FqnSqtMb5bT14tkycYXOOP+Xmoa9SMjuP5KkeN_ri+_NVQ@mail.gmail.com> <CABkgnnU0CP-fGpEfqLo01ZVdjT3dNVeb3MSufO1P8T2W63dNVw@mail.gmail.com> <CAP8-FqkF9X+_CjSyXB10621L0=b756REjXsbRfsL8rT6nuh9pw@mail.gmail.com> <CABkgnnW7oRTZRKDQcxf9=0f-mxKfctQQTrR5zY6q4qJtL_cPjw@mail.gmail.com> <CAP8-Fqnage13JQiz8Qkvrho-e8DWcw8p_NLd_xux+uQALwD7og@mail.gmail.com> <CABkgnnVwCSmu8zJ3vZa=5wgQ9K49GHMJsov6L8MWBsZJ41-sQg@mail.gmail.com> <CAP8-FqkFuqrGtH8CWgOEBvYUMCN=BUVp1LEKig9ADOwLEkcLXQ@mail.gmail.com>
Date: Sat, 9 Jan 2016 06:25:19 +1100
Message-ID: <CABkgnnVkB6kyMx_51RSaOpp-4-WhpQPsmpPrvr9ZFKiN7AqZYw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Costin Manolache <costin@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/InxGnr3Zdel5RnPFx3ROi3s3xno>
Cc: Ben Bangert <bbangert@mozilla.com>, Costin Manolache <costin@google.com>, "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Application server authentication new years edition
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2016 19:25:24 -0000

On 8 January 2016 at 19:06, Costin Manolache <costin@gmail.com>; wrote:
> It shouldn't be mandatory - just recommended that subscribe indicates who is
> authorized
> to send.
>
> A push service that doesn't require authentication can just ignore it.

I don't think that ignoring is a good option.  I think that the user
agent should be able to expect that the push service is enforcing
access control if it provides an application server key.