Re: [Webpush] vapid issue 24: supplementary data in tokens
jr conlin <jconlin@mozilla.com> Fri, 01 July 2016 16:08 UTC
Return-Path: <jconlin@mozilla.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 294A212D74F
for <webpush@ietfa.amsl.com>; Fri, 1 Jul 2016 09:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=mozilla-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id fDXk-xYX8XIJ for <webpush@ietfa.amsl.com>;
Fri, 1 Jul 2016 09:08:31 -0700 (PDT)
Received: from mail-pa0-x236.google.com (mail-pa0-x236.google.com
[IPv6:2607:f8b0:400e:c03::236])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id BD3D312D754
for <webpush@ietf.org>; Fri, 1 Jul 2016 09:08:25 -0700 (PDT)
Received: by mail-pa0-x236.google.com with SMTP id hl6so40030086pac.2
for <webpush@ietf.org>; Fri, 01 Jul 2016 09:08:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mozilla-com.20150623.gappssmtp.com; s=20150623;
h=subject:to:references:from:message-id:date:user-agent:mime-version
:in-reply-to:content-transfer-encoding;
bh=bCJTMicR4IWAO44ZGIJRMcxiRfNtZMJVgpw945mlTGw=;
b=0hbmgVcqrNGZuNPuSEALhkvkHpJjCKcO31KV9XHY5ZrjbB4dTMp+e46NuXUxb0Xp5w
49IIe5zuAT5/F2+Ky8JPPLeCgdXG0q7dL33dn1Yiu5Q4gEdPjVUBNbGqoCoVvwXvi0YZ
KtwOjgkC4Td5d2FkD1ryOyAHGIp5neau1fTJ/ACA2rYV/fP21W7Kpjnmvhr+WgJCdagq
RksV3lbzUW4nOrz6aj0pQUzk/ZrzkoMOPNc4DsuipnLEdzUb4/ZIXRp5GhA1NNPYga7W
U0mCU+zIH2SrhQv5ygr3tV43b8RVfJ1Ta6A6LnZUBVHtSO7M1o1vcjZUHjFsG3RpJ7eK
HYEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:subject:to:references:from:message-id:date
:user-agent:mime-version:in-reply-to:content-transfer-encoding;
bh=bCJTMicR4IWAO44ZGIJRMcxiRfNtZMJVgpw945mlTGw=;
b=Xr8EdWYXQLmklCwyEI6BolWXT+6lo/4ltlx/UnQtmx99mNgpcCob/70SAWhT91Mr56
IMVhNBjuC2u3iKS6h9lZt2BYjzFZjxa8eQHWvUzh4afIfQzhhJKvrhaV6S80KqWu1DO0
ofbVZJetApp6YW3MalyTq4MIeMAwvN/7fegr1dZ9Rr3hrQkDBRy+rKmkPZFDbjp4Dkz8
lz54kco61LACgMpkNNh0uNhaN8uAdTtmgZR75qk7axz1aQPbA7QeVJ/I9stEeNLHrfR0
vmEmoBp+V0dPxvS2q8I9tLHHqfHFHL3PTTsLICVO2VcvjhgX73THEZwc3LyLELT/1zMj
CC/A==
X-Gm-Message-State: ALyK8tLbiCaut501apl67Q4JE5ip7Z+jOkq1FbdMwSEnwfbd7e6xA1Nk747Ep/J+zpLjOXJL
X-Received: by 10.66.236.69 with SMTP id us5mr32709189pac.69.1467389305202;
Fri, 01 Jul 2016 09:08:25 -0700 (PDT)
Received: from ?IPv6:2620:101:80fc:224:fc9a:7708:25af:1dee?
([2620:101:80fc:224:fc9a:7708:25af:1dee])
by smtp.gmail.com with ESMTPSA id z29sm6813561pff.0.2016.07.01.09.08.24
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 01 Jul 2016 09:08:24 -0700 (PDT)
To: Martin Thomson <martin.thomson@gmail.com>,
"webpush@ietf.org" <webpush@ietf.org>, JR Conlin <jrconlin@mozilla.com>
References: <CABkgnnUkntEq66k+85zATwZHDKNMJ+NR_VZXa_jKCrDhhUSvPw@mail.gmail.com>
From: jr conlin <jconlin@mozilla.com>
Message-ID: <c0903c40-a55d-0d33-267a-eb2ca620b067@mozilla.com>
Date: Fri, 1 Jul 2016 09:08:23 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101
Thunderbird/49.0a2
MIME-Version: 1.0
In-Reply-To: <CABkgnnUkntEq66k+85zATwZHDKNMJ+NR_VZXa_jKCrDhhUSvPw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/LleMutkaZ_yWUwYJrPN0cYak7JU>
Subject: Re: [Webpush] vapid issue 24: supplementary data in tokens
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol
<webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>,
<mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>,
<mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jul 2016 16:08:34 -0000
I think it's absolutely fine to point out the additional claims. It may
also be a good idea to provide some guidance about what name prefix to
use to avoid potential conflicts should this header be compounded like
the Crypto-Key header. (e.g.
"""
Subscription providers may wish to include additional information using
prefixed keys such as
{ "vap_servid": "ami-123", "vap_custid": "abc012", ...}
to assist in quickly isolating and resolving issues with a given feed.
"""
It may also be worth noting that some servers (like apache) limit the
maximum acceptable size of headers to 8K, so it's best not to go too
nuts with the amount of extra data you're storing.
On 6/30/2016 7:02 PM, Martin Thomson wrote:
> JR requests that we allow the inclusion of extra stuff in a vapid token:
>
> https://github.com/webpush-wg/webpush-vapid/issues/24
> As noted in the arguments of #23, there is a need for an "extra data"
> field which would be used by the parties using the VAPID claims. This
> data would contain information useful to the publisher of the claim
> (e.g. the originating server ID, transaction ID, or other possibly
> VAPID consumer opaque data).
>
> This extra data ("vapid-ext" ?) field would allow consistent,
> predictable definition rather than a set of 'one-offs' that may be
> difficult to find or ignored by operators.
> <<<
>
> I think that the general idea is fine. Better this than trying to
> pack the "sub" field with extra stuff.
>
> JR, would it suffice to point out that the
> [private](https://tools.ietf.org/html/rfc7519#section-4.3) (or even
> [public](https://tools.ietf.org/html/rfc7519#section-4.2)) claims can
> be added to the token? Allowing multiple fields gives the application
> server a fair bit more flexibility.
>
> If that's OK, we should point out that this is possible so that push
> services don't lose the extra data because they aren't aware that it
> might exist.
- Re: [Webpush] vapid issue 24: supplementary data … Martin Thomson
- Re: [Webpush] vapid issue 24: supplementary data … jr conlin
- [Webpush] vapid issue 24: supplementary data in t… Martin Thomson