Re: [Webpush] Alexey Melnikov's No Objection on draft-ietf-webpush-vapid-03: (with COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Wed, 16 August 2017 08:42 UTC

From: Alexey Melnikov <aamelnikov@fastmail.fm>
Date: Wed, 16 Aug 2017 09:44:11 +0100
Cc: Costin Manolache <costin@gmail.com>, The IESG <iesg@ietf.org>, draft-ietf-webpush-vapid <draft-ietf-webpush-vapid@ietf.org>, webpush-chairs@ietf.org, "webpush@ietf.org" <webpush@ietf.org>, Phil Sorber <sorber@apache.org>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/MV7_QXbT5h0CuIyQRfvCKWwbBuk>

Hi Martin,

> On 16 Aug 2017, at 02:24, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> We have previously discussed the problem of discovering whether a
> server supports a particular authentication scheme.  On the API side,
> we didn't resolve to make a change that would add a mechanism similar
> to what we use for content coding (see
> https://github.com/w3c/push-api/pull/262 for that discussion).  This
> is approximately what Costin is talking about here.
> 
> What has changed since that time is that I have learned that some push
> services *require* authentication.
> 
> For that reason, though it adds delays to sending when authentication
> fails, I'm inclined to add a challenge.  It would be empty, but it
> would allow a server to insist on authentication in a transparent way.
> 
> It IS easy to define: https://github.com/webpush-wg/webpush-vapid/pull/42

Just returning auth-scheme with no parameter is exactly what I was talking about. I like this change.
> 
>> On 16 August 2017 at 03:56, Costin Manolache <costin@gmail.com> wrote:
>> IMHO out-of-band discovery may be sufficient - in webpush it is implicit or can be part of the subscribe handshake. If VAPID is used with an API the supported auth may be part of the API schema/discovery.
>> 
>> I think in future it may be valuable to add an optional certificate - either as an extra header or parameter - to allow authentication without a database RT. In such a mode a mechanism to discover supported roots may be needed - however it can also be done out-of-band.
>> 
>> B
>> 
>> Costin
>> 
>> 
>> On Tue, Aug 15, 2017 at 10:12 AM, Alexey Melnikov <aamelnikov@fastmail.fm>
>> wrote:
>>> 
>>> Alexey Melnikov has entered the following ballot position for
>>> draft-ietf-webpush-vapid-03: No Objection
>>> 
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>> 
>>> 
>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-webpush-vapid/
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>> 
>>> I have cleared my DISCUSS based on changes in git.
>>> 
>>> I am looking forward to continuing discussion about advertising support for the
>>> "vapid" authentication scheme in WWW-Authenticate:
>>> 
>>> In Section 3, 3rd para:
>>> 
>>>   This authentication scheme does not require a challenge.  Clients are
>>>   able to generate the Authorization header field without any
>>>   additional information from a server.  Therefore, a challenge for
>>>   this authentication scheme MUST NOT be sent in a WWW-Authenticate
>>>   header field.
>>> 
>>> Does this mean that there is no way to discover whether a particular server
>>> supports the "vapid" HTTP authentication scheme?
>>> 
>>> 
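As an added example, not code from the draft or from anyone in this thread: a small parser for the WWW-Authenticate list syntax (RFC 7235) that accepts the parameter-less "vapid" challenge Martin proposes, so a client can tell that a push service requires (or merely supports) the scheme before it spends a round trip on an unauthenticated request. The sample header values and the function names are constructed for this illustration.

```python
import re

# Constructed sample responses (not taken from the draft or the thread): a push
# service advertising the empty "vapid" challenge next to another scheme, and
# one advertising nothing relevant.
SAMPLE_REQUIRES_VAPID = {"WWW-Authenticate": 'vapid, Bearer realm="push, v1", error="invalid_token"'}
SAMPLE_NO_VAPID = {"WWW-Authenticate": 'Basic realm="legacy"'}

# RFC 7230 token and RFC 7235 auth-param grammar (token68 values are not handled).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_TOKEN_RE = re.compile(_TOKEN)
_PARAM_RE = re.compile(r"\s*(" + _TOKEN + r")\s*=\s*(" + _TOKEN + "|" + _QUOTED + ")")
_SEP_RE = re.compile(r"[\s,]*")  # whitespace and empty list elements


def parse_www_authenticate(value):
    """Return [(scheme, {param: value}), ...] from a WWW-Authenticate value.

    A challenge may carry no parameters at all, which is exactly the "vapid"
    case under discussion: the scheme name is followed directly by a comma or
    by the end of the field, and parsing continues with the next challenge.
    """
    challenges = []
    pos = _SEP_RE.match(value, 0).end()
    while pos < len(value):
        m = _TOKEN_RE.match(value, pos)
        if not m:
            raise ValueError("expected auth-scheme at offset %d" % pos)
        scheme, pos = m.group(0).lower(), m.end()
        params = {}
        while True:
            sep = _SEP_RE.match(value, pos)
            p = _PARAM_RE.match(value, sep.end())
            if not p:  # next thing is a new scheme (or end): challenge is done
                pos = sep.end()
                break
            name, raw = p.group(1).lower(), p.group(2)
            if raw.startswith('"'):  # unquote and drop backslash escapes
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            params[name] = raw
            pos = p.end()
        challenges.append((scheme, params))
    return challenges


def vapid_status(status, headers):
    """'required' on a 401 advertising vapid, 'supported' if advertised on any
    other status (RFC 7235 allows that), 'unknown' if not advertised at all."""
    schemes = [s for s, _ in parse_www_authenticate(headers.get("WWW-Authenticate", ""))]
    if "vapid" not in schemes:
        return "unknown"
    return "required" if status == 401 else "supported"
```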