IETF Logo Mail Archive

Re: [Webpush] Vapid public key

Martin Thomson <martin.thomson@gmail.com> Thu, 03 November 2016 00:49 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B04F12961A for <webpush@ietfa.amsl.com>; Wed, 2 Nov 2016 17:49:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6QLUw9bzzir for <webpush@ietfa.amsl.com>; Wed, 2 Nov 2016 17:49:53 -0700 (PDT)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E7DA129705 for <webpush@ietf.org>; Wed, 2 Nov 2016 17:49:52 -0700 (PDT)
Received: by mail-qk0-x230.google.com with SMTP id q130so39436823qke.1 for <webpush@ietf.org>; Wed, 02 Nov 2016 17:49:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Tys07pPzW9qMLxr+5HSkEWJ6b2NFtMrWvIlV3+Ill8A=; b=H2lSENKtLa4+kUS7rnn9wAzhUf207UbIcDS6LykkfoH/rpK5hYjasYZHc3eCGmE8Jr Gn1QN3rojiTs57lNUvUqBHBdAKlUSbsNYkKJ7vPT0yPGk1bvoF/HQFCbSjHKsESt+i4n SuAadzaRdxqMwao07MNlI3riF8Kks/E/r+xmbjpUAUTCEjX5Tc98CWunEMwHrGFSaMRK Ng0H2iLkvPE0w8Tkd4tLJLRJrUrLHMRA1dwgEtXRagC3p9CQiEBdhoayLxJpO1yU7M4i odIe48OY55BCPnrH9lqJjMJBQIfZiiinHs70iA36mu/D0rmVz0PTpuOW+Djf2KcMYQz8 LlUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Tys07pPzW9qMLxr+5HSkEWJ6b2NFtMrWvIlV3+Ill8A=; b=V0KVfcz8LgjbXwgkK019dEiObSHC+r2cbgktdkKy3/w3gLOSTWjQqGLyod3DoFIORl 3wG5QW145BoylOJjLIIr4JwhYSqxzHKd9FYnu4F2YBLc9688pz+cAxSx9R1MQTMsO80u Ooy7EAcMbMCSm76SKPfOooUWLaTXDcqaz0LEshbzIUCvlwsFhwvnMSezJDB/KnfumJ5S lcT9MJJRAi0/9XtMVEm14VKsQnWnESA8q8/ORwO0uo/vCicELHYUZtJYEexjpVmGshF/ 49ld6wDdjyPvFiT8om4iCmITEZoDPiIbI1o9Rk+ylqjtRjJiraVlrxZ4F7VE82B+oE5n NhlQ==
X-Gm-Message-State: ABUngvejyHsd6O00WSUUKQGeL1vVzyyzKwA1M6GMOEz/8TqPnFvyoJAQOAhwvJsFuTW845YneeQvJ0k1fHwqbw==
X-Received: by 10.55.12.2 with SMTP id 2mr5401772qkm.68.1478134191304; Wed, 02 Nov 2016 17:49:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.7 with HTTP; Wed, 2 Nov 2016 17:49:50 -0700 (PDT)
In-Reply-To: <CAP8-FqkhniWyD9UDxbV3nh=d04A=otMzOPHTOxac=edjzYpVww@mail.gmail.com>
References: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com> <CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com> <CABkgnnX4aAjnZyu3morJOLatuuj9k4NSoTpoNtF7YjtRUFQOnQ@mail.gmail.com> <CAP8-Fq=Zd66ZhWm+gYesOpc2NZ-YBpy2+bHdr6O+h1KG2s16uw@mail.gmail.com> <CAP8-FqkfjQkm-z9HSBHMm3nht8SFBY5G=W82N8BAybbxucdEag@mail.gmail.com> <4538eada-c406-fa72-fec1-1c26bb225a1f@mozilla.com> <CAP8-FqkhniWyD9UDxbV3nh=d04A=otMzOPHTOxac=edjzYpVww@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 03 Nov 2016 11:49:50 +1100
Message-ID: <CABkgnnWgvFam8jUaSAmPSxiAYBOqsyRdbT+DMPQ86u3eOgo3KQ@mail.gmail.com>
To: Costin Manolache <costin@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/N_na2p7GpeL2vHBEBZ4aPVQqG2U>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>, Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 00:49:55 -0000

Well, I haven't revised VAPID recently (it missed the cutoff due to a
rush on -encryption).  I have an open PR, and now these changes.  I'll
add this to the pile.  (I think that I'd phrase this slightly
differently, but it's reasonable to point out that this new
authentication scheme is available to the UA and PS).

https://github.com/webpush-wg/webpush-vapid/issues/27

On 3 November 2016 at 07:22, Costin Manolache <costin@gmail.com> wrote:
> Apologies for any bad memories related to implementing digest auth :-)
>
> If we are updating the vapid spec - I would like to ask for one more change:
>
> "A UA may also authenticate with VAPID when making a subscribe request. If
> subscribe was
> authenticated with VAPID, all subsequent subscribe, unsubscribe, ack or
> monitor requests
> associated with the same pushset MUST be authenticated with VAPID with same
> public key"
>
> I know subscribe/monitor are over SSL - but I think it improves a bit the
> security, and the device
> already needs to have code to handle EC for the e2e encryption. The main
> concern is
> an attacker 'acking' or unsubscribing - since the messages are e2e encrypted
> they can't read it.
>
> Costin
>
> On Wed, Nov 2, 2016 at 12:43 PM jr conlin <jconlin@mozilla.com> wrote:
>>
>> On 11/2/2016 11:14 AM, Costin Manolache wrote:
>>
>> From rfc2617 (digest auth):
>>
>> Authorization: Digest username="Mufasa",
>>                  realm="testrealm@host.com",
>>                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
>>                  uri="/dir/index.html",
>>                  qop=auth,
>>                  nc=00000001,
>>                  cnonce="0a4f113b",
>>                  response="6629fae49393a05397450978507c4ef1",
>>                  opaque="5ccc069c403ebaf9f0171e9517f40e41"
>>
>> No "favoriteDrink"?
>>
>> /me fights back his x.500 PTSD.
>>
>

v2.23.0 | Report a Bug | By Email