Re: [Webpush] Voluntary Application Server Identification -02

Martin Thomson <martin.thomson@gmail.com> Thu, 11 February 2016 10:41 UTC

On 11 February 2016 at 17:25, Costin Manolache <costin@gmail.com> wrote:
> The key used in register() needs to be included in the push request -
> technically we can work around this, by having the
> push service store the key - but by having it in the push header it can
> reduce the storage (the push service can
> only store a hash of the key, or can include a hash of the key in the
> registration token, so no storage - assuming the registration is
> encrypted/signed).

Yes, I have this in the draft actually: (see the editor's note here:
https://martinthomson.github.io/webpush-vapid/#using-restricted-subscriptions)

I am absolutely OK with rejecting idiot attempts to use the same EC
key for key exchange and signing.  That I am happy to put in the draft
with a MUST on it.

Like Costin, I'm confused about the need to restate the first point.
The whole purpose of including a key in the subscription is to limit
pushes to application servers that have the corresponding private key.
See https://martinthomson.github.io/webpush-vapid/#using-restricted-subscriptions
and https://github.com/w3c/push-api/pull/182
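
[Added example, not part of the original message and not code from the draft or from any push service.] A sketch of the storage-free variant discussed above: the push service puts a hash of the application server key into an HMAC-protected subscription token, then checks the key presented with each push against that hash. The token layout, the function names, the `ecdh_key` parameter and the `signature_ok` flag (standing in for a signature check done elsewhere with the presented key) are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SERVICE_SECRET = b"constructed-demo-secret"  # constructed value; stands in for the service's token key

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub_id, app_server_key):
    """Subscription time: bind a hash of the key into a MACed token, so nothing is stored."""
    key_hash = _b64(hashlib.sha256(app_server_key).digest())
    body = json.dumps({"sub": sub_id, "kh": key_hash}, sort_keys=True).encode()
    tag = hmac.new(SERVICE_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def authorize_push(token, presented_key, signature_ok, ecdh_key=b""):
    """Push time: return the subscription id only if the presented key is the bound one."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SERVICE_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("token was not issued by this service")
    claims = json.loads(body)
    presented_hash = _b64(hashlib.sha256(presented_key).digest())
    if not hmac.compare_digest(presented_hash, claims["kh"]):
        raise PermissionError("key does not match the subscription")
    # Assumption: the service can see the ECDH public key sent with the message.
    if ecdh_key and hmac.compare_digest(presented_key, ecdh_key):
        raise PermissionError("same EC key used for key exchange and signing")
    # Assumption: the caller verified the request signature with presented_key.
    if not signature_ok:
        raise PermissionError("request is not signed by the presented key")
    return claims["sub"]

if __name__ == "__main__":
    key_a = b"\x04" + bytes(range(64))     # constructed stand-in for a P-256 public key
    key_b = b"\x04" + bytes(range(1, 65))  # constructed, a different key
    token = issue_token("sub-1", key_a)
    print(authorize_push(token, key_a, True))
    try:
        authorize_push(token, key_b, True)
    except PermissionError as err:
        print("rejected:", err)
```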