[Webpush] Ben Campbell's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
Ben Campbell <ben@nostrum.com> Wed, 16 August 2017 02:21 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: webpush@ietf.org
Delivered-To: webpush@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F13B1323C1; Tue, 15 Aug 2017 19:21:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Ben Campbell <ben@nostrum.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-webpush-vapid@ietf.org, Phil Sorber <sorber@apache.org>, webpush-chairs@ietf.org, sorber@apache.org, webpush@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150285009047.12577.1184580798882485308.idtracker@ietfa.amsl.com>
Date: Tue, 15 Aug 2017 19:21:30 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/ON9OniiOr6JggkloB6E2xpnV_5c>
Subject: [Webpush] Ben Campbell's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 02:21:30 -0000
Ben Campbell has entered the following ballot position for draft-ietf-webpush-vapid-03: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-webpush-vapid/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- In section 2: "A push service MAY reject a request with a 403 (Forbidden) status code [RFC7235] if the JWT signature or its claims are invalid." This seems to leave the possibility of simply ignoring an invalid VAPID token or signature. Assuming we are talking about push servers that support VAPID in the first place, that seems dangerous. Wouldn't it be safer in the general case to treat a request with an invalid VAPID token as at least a bit fishy? I don't mean to say that ignoring the token is never the right thing to do. But the MAY seems week without some guidance on what other actions might be reasonable under what circumstances. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Substantive: I agree with Ekr's DISCUSS. -3: "This authentication scheme is intended for use by an application server when using the Web Push protocol [RFC8030], but it could be used in other contexts if applicable." This guidance seems risky without some description of the properties a given context should have for vapid to be appropriate to use. Please consider elaborating, or removing the clause after the comma. "Some implementations permit the same P-256 key to be used for signing and key exchange. An application server MUST select a different private key for the key exchange [I-D.ietf-webpush-encryption] and signing the authentication token." I don't understand the intent here. It seems to say some implementations do this, but MUST not. Does "implementations" refer to VAPID or something else? -4.1: "A push service MUST ignore the body of a request that uses a different media type." This seems to give VAPID a monopoly on adding bodies. It precludes adding other media types in future webpush extensions. Is that the intent? - 4.2: "A push service MUST reject a message that omits mandatory credentials with a 401 (Unauthorized) status code. " This was already stated in section 2. Please avoid repeating normative text, as it creates ambiguity about which text is authoritative, and can complicate future updates. This section seems the more detailed, so perhaps section 2 could avoid the 2119 text. (But see my DISCUSS point on section 2.) - 8.2: [I-D.ietf-webpush-encryption] should be normative, since it is referenced in a MUST level normative requirement in section 3.2. (If that reference is not intended to be normative, then please rephrase the referring sentence.) Editorial: - Abstract: Please mention the name of the mechanism in the abstract. It might also be helpful to mention that there are cryptographic signatures involved. (Same for section 1). In general, the numerous mentions of "this design" tend to be ambiguous about whether we talk of the design in this document rather than that of webpush in general. Once could substitue "VAPID" for many instances. - 1.0: "Additionally, this design also ..." "Additionally" and "also" are redundant - 1.2: Please use the boilerplate from RFC 8174. - 4.1: "The user agent includes the public key of the application server when requesting the creation of a push subscription." I assume this means "A user agent that wishes to create a restricted subscription...". I know the heading says "Creating a restricted subscription", but in general the body text make sense even without the heading. "The public key is then added to the request to create a push subscription. The push subscription request is extended to include a body. The body of the request is a JSON object as described in [RFC7159]. A "vapid" member is added to this JSON object, containing the public key on the P-256 curve, encoded in the uncompressed form [X9.62] and base64url encoded [RFC7515]. The media type of the body is set to "application/webpush-options+json" (see Section 6.3 for registration of this media type)." The actor(s) are obscured by the heavy use of passive voice. - 6.3: Don't we usually list the IESG as the change controller?
- [Webpush] Ben Campbell's Discuss on draft-ietf-we… Ben Campbell
- Re: [Webpush] Ben Campbell's Discuss on draft-iet… Martin Thomson
- Re: [Webpush] Ben Campbell's Discuss on draft-iet… Alexey Melnikov
- Re: [Webpush] Ben Campbell's Discuss on draft-iet… Ben Campbell
- Re: [Webpush] Ben Campbell's Discuss on draft-iet… Martin Thomson
- Re: [Webpush] Ben Campbell's Discuss on draft-iet… Ben Campbell