Re: [Webpush] I-D Action: draft-ietf-webpush-vapid-00.txt
Brian Raymor <Brian.Raymor@microsoft.com> Wed, 27 April 2016 21:59 UTC
Return-Path: <Brian.Raymor@microsoft.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 3FEE512D55D
for <webpush@ietfa.amsl.com>; Wed, 27 Apr 2016 14:59:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id DSPa6JYIIb2h for <webpush@ietfa.amsl.com>;
Wed, 27 Apr 2016 14:59:23 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com
(mail-by2on0111.outbound.protection.outlook.com [207.46.100.111])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 527FE12D558
for <webpush@ietf.org>; Wed, 27 Apr 2016 14:59:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=Qb0YSy/yMXtAwTVLVXfJ4sw0sYWmRRCuPNCkPxFl2+E=;
b=GJdQBOoRcNxVlDKYOfJd3WF0Reytk2Uh7rIINYkd2Jwb/RWU+/2IrrlXDFDUrALRDSwAV2TfKzCWRkwfzL68vc7s4TyihJGyPDNDtdRE1vr0va3g3/g3CBbUCiptzg5I0ECkOvO0LvHVaRypJKq7efy6N/m0z9VXs8/cQxRQdPQ=
Received: from CO2PR03MB2407.namprd03.prod.outlook.com (10.166.93.137) by
CO2PR03MB2406.namprd03.prod.outlook.com (10.166.93.136) with Microsoft SMTP
Server (TLS) id 15.1.477.8; Wed, 27 Apr 2016 21:59:21 +0000
Received: from CO2PR03MB2407.namprd03.prod.outlook.com ([10.166.93.137]) by
CO2PR03MB2407.namprd03.prod.outlook.com ([10.166.93.137]) with mapi id
15.01.0477.012; Wed, 27 Apr 2016 21:59:21 +0000
From: Brian Raymor <Brian.Raymor@microsoft.com>
To: "webpush@ietf.org" <webpush@ietf.org>
Thread-Topic: [Webpush] I-D Action: draft-ietf-webpush-vapid-00.txt
Thread-Index: AQHRle3Bw9J4rIfKlE6K8+Hj7N0q4J+ecv2g
Date: Wed, 27 Apr 2016 21:59:21 +0000
Message-ID: <CO2PR03MB24071E0BAC97F4840193F9EB83640@CO2PR03MB2407.namprd03.prod.outlook.com>
References: <20160414013409.17397.8843.idtracker@ietfa.amsl.com>
In-Reply-To: <20160414013409.17397.8843.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed)
header.d=none;ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [131.107.174.100]
x-ms-office365-filtering-correlation-id: a3ff02ac-814e-45b9-079b-08d36ee73025
x-microsoft-exchange-diagnostics: 1; CO2PR03MB2406;
5:2Dmt4cNNQBsykPmrXXw9qaZAZ61fVf6mo7LA2EySJjo6u+ugPyoVQIM9oU9FpZL23GKjsEK+hZU2emW1hOD5SbTKofju+B3qHhF4HxGyvktlCY32b6GqztvpAz9JxqHOkK3UZtCvwP81vu3cDqI9Cw==;
24:dOBg5Y4y8a4lZpwWtZokQczD1N7IklWTMf4pGAC04RnzK3Hv7J4mG8fsI+SBCBk5gWqHVjwTQQv1cOXOcoLG6Dv3O7EOPTi+H/XeFLip2HU=;
7:w6k+yd0QmTD3mQ6biOCCc7eVmZ9jwa5+FsdkefC5X4nw8y7uWYF84fMNS8uAMAPYZcMFD9Qkk9S0rPb3sv9MO0/qLaUud95QG0k8ng/98VJzbaI5cQfItk1766SEhOPbw7FISMX+3JEO4q6qorXTTO/L57Y8p3XIFgviyncJ61eRvxegd/EsOjZF4lSYsuA8e5cf/pG2pY6hqFqjZhhkmw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CO2PR03MB2406;
x-o365eop-header: O365_EOP: Allow for Unauthenticated Relay
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges
(Engineering ONLY)
x-microsoft-antispam-prvs: <CO2PR03MB24063CBD895673F3506B621183640@CO2PR03MB2406.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0;
RULEID:(9101521072)(61425038)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038);
SRVR:CO2PR03MB2406; BCL:0; PCL:0; RULEID:; SRVR:CO2PR03MB2406;
x-forefront-prvs: 0925081676
x-forefront-antispam-report: SFV:NSPM;
SFS:(10019020)(6009001)(2950100001)(2900100001)(15975445007)(11100500001)(5004730100002)(8990500004)(5005710100001)(10290500002)(2351001)(10400500002)(99286002)(10090500001)(230783001)(106116001)(1730700002)(77096005)(3660700001)(110136002)(33656002)(189998001)(5003600100002)(5002640100001)(54356999)(86362001)(50986999)(76176999)(107886002)(87936001)(9686002)(92566002)(450100001)(19580395003)(5008740100001)(81166005)(122556002)(2501003)(102836003)(74316001)(3280700002)(586003)(2906002)(6116002)(76576001)(5640700001)(66066001)(1096002)(1220700001)(3846002);
DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR03MB2406;
H:CO2PR03MB2407.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Apr 2016 21:59:21.2512 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR03MB2406
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/OaA_RZlBEQb-1y8lisgd0VzNA0U>
Subject: Re: [Webpush] I-D Action: draft-ietf-webpush-vapid-00.txt
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol
<webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>,
<mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>,
<mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2016 21:59:25 -0000
I've reviewed vapid-00. My earlier editorial comments were all addressed.
Martin plans to move vapid-00 to a repo in the webpush-wg. In the interim:
Abstract
Editorial:
An application server is further able [to] include additional
information [that] the operator of a push service can use to contact the
operator of the application server.
1. Introduction
By the same measure, requesting the creation of a subscription for push message receipts
has no prior authentication.
This will need to be updated when webpush-05 is published. There is no longer an explicit
request to create such a subscription. It's created implicitly as the result of requesting a
push message delivery with receipts.
2. 1 Application Server Self-Identification
Application servers SHOULD generate and maintain a signing key pair
usable with elliptic curve digital signature (ECDSA) over the P-256
curve [FIPS186].
What is the rationale for SHOULD rather than MUST?
2.2. Example
Authorization: Bearer
Is this intended to be WebPush rather than OAuth Bearer (RFC6750)?
Push-Receipt: https://push.example.net/r/3ZtI4YVNBnUUZhuoChl6omU
When webpush-05 is published, this can be updated to:
Prefer: respond-async
and a reference to RFC7240 added.
*This* equates to a JWT with the header and body shown in Figure 2.
"This" meaning the value of the Authorization header?
Issue: The first part of the JWT is effectively fixed. Would be it
acceptable to require *that that* segment is omitted from the header
field?
What is "that segment"?
3. WebPush Authentication Scheme
Editorial:
Therefore, this authentication scheme MUST NOT be used with [t]he
5.2 Using Restricted Subscriptions
There are multiple references to a *token* that I do not understand:
When a push subscription has been associated with an application
server, the request for push message delivery MUST include proof of
possession for the associated private key or *token* that was used when
creating the push subscription.
...
A push subscription that is not restricted to a particular key MAY
still validate a *token* that is present, except for the last check. A
push service MAY then reject a request if the *token* is found to be
invalid.
- [Webpush] I-D Action: draft-ietf-webpush-vapid-00… internet-drafts
- Re: [Webpush] I-D Action: draft-ietf-webpush-vapi… Brian Raymor