IETF Logo Mail Archive

Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)

Brian Raymor <Brian.Raymor@microsoft.com> Fri, 14 October 2016 20:00 UTC

Return-Path: <Brian.Raymor@microsoft.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96164129499; Fri, 14 Oct 2016 13:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_PCe32rdYyV; Fri, 14 Oct 2016 13:00:41 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0123.outbound.protection.outlook.com [104.47.32.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ACE41293DF; Fri, 14 Oct 2016 13:00:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=wbAzB8BK1E6DoYIL8wBHI72mc0HdAPU0q5rMxWUI+cY=; b=oEbiUqVPI5TbzouI11DhXoRPrOyrl/1Qj7GtwWcPTifG1VTx9lUqh8Evdx0UmdLb7QLFKQlH2+YOPt6H/Jm0KhR5MMwTa3Ng10pmYHRVy5pTzaaltiALAC/3qoNGttD+82x1LMUJHUuTlQndRPX6EabJ8CDb1tGSBhRQ2x5Jey0=
Received: from CY1PR03MB2380.namprd03.prod.outlook.com (10.167.8.6) by CY1PR03MB2377.namprd03.prod.outlook.com (10.166.207.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.12; Fri, 14 Oct 2016 20:00:40 +0000
Received: from CY1PR03MB2380.namprd03.prod.outlook.com ([10.167.8.6]) by CY1PR03MB2380.namprd03.prod.outlook.com ([10.167.8.6]) with mapi id 15.01.0659.020; Fri, 14 Oct 2016 20:00:40 +0000
From: Brian Raymor <Brian.Raymor@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)
Thread-Index: AQHSJiwPJMwjYoplfkyn6wgWsrTwWqCoSZig
Date: Fri, 14 Oct 2016 20:00:39 +0000
Message-ID: <CY1PR03MB2380AE2A057528E2B17FA0B083DF0@CY1PR03MB2380.namprd03.prod.outlook.com>
References: <CY1PR03MB238089D350CD6A78DB9E80BE83DF0@CY1PR03MB2380.namprd03.prod.outlook.com> <5816348f-015a-beca-a5e6-3883fff02aab@cs.tcd.ie>
In-Reply-To: <5816348f-015a-beca-a5e6-3883fff02aab@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brian.Raymor@microsoft.com;
x-originating-ip: [174.61.159.182]
x-ms-office365-filtering-correlation-id: 24d9cfc1-5b82-4b3a-c85b-08d3f46cc5c6
x-microsoft-exchange-diagnostics: 1; CY1PR03MB2377; 7:dfflr3GMiJdeDQZEoBf3rrweNDuEWtd2fqFsmYUjcped7Pc0cgeusuv8NXbsnZRifeSm0yAZq8FXgJGzwCzla4JZQBPkB5tRvceLcukRjYq1y036NYPgWGSni09C+G7PThncwPnMMrkILBW4yO9QUw2itP1e0k3pjUl/k6H8fbB1yZUP8vTjHAtxt4ZQt+JLDE/UutyMCaekYKActCUslO18hzNfHnvtxwatlIyBoj/xfuFBqGCaWqxrDsDUkfflHin0PWmrgtJmJZ/k7zkOj01AAE3ccvsAXeBFIdmEEHpOTHg/ZBbeHbnDmLZspOwQ9fvZuIanSGAK7FkJVBRl9mW38kg56Wr2Xx1xdPY3I+RILiuDgLKsddynafvEvJhR
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR03MB2377;
x-microsoft-antispam-prvs: <CY1PR03MB2377CECEB28AD4038C86B1E383DF0@CY1PR03MB2377.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(35073007944872)(788757137089);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:CY1PR03MB2377; BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB2377;
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(199003)(189002)(54356999)(74316002)(3660700001)(86362001)(2900100001)(2950100002)(11100500001)(101416001)(77096005)(97736004)(189998001)(5001770100001)(50986999)(76176999)(106116001)(106356001)(68736007)(76576001)(105586002)(10090500001)(10400500002)(10290500002)(99286002)(5005710100001)(8990500004)(5660300001)(15975445007)(33656002)(7696004)(66066001)(122556002)(9686002)(5002640100001)(86612001)(3280700002)(230783001)(305945005)(102836003)(92566002)(19580395003)(8936002)(2906002)(6116002)(3846002)(81166006)(7736002)(586003)(4326007)(81156014)(7846002)(8676002)(87936001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR03MB2377; H:CY1PR03MB2380.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Oct 2016 20:00:39.8483 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR03MB2377
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/OypXwshRmVXCJF4uCrl738eBd84>
Cc: "draft-ietf-webpush-protocol@ietf.org" <draft-ietf-webpush-protocol@ietf.org>, Shida Schubert <shida@ntt-at.com>, "webpush-chairs@ietf.org" <webpush-chairs@ietf.org>, "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 20:00:43 -0000

Hi Stephen,

> So what's not clear to me is how webpush works with the SOP
> and whether there's anything more that needs to be said about
> that in the document. For example, you sensibly recommend
> running the push service on port 1001 but none of the examples
> mention that port in the Host or :authority values shown.
> This may all be clear to someone who's very familiar with
> alt-svc though, (but it wasn't clear to me:-), which might
> be fine, but I'm not sure. As an example, is the application
> that is pushing the messages required to know that the
> push service is or is not using port 1001?

Alternative services have not been a source of confusion in the working group.
There have been no related questions on the mailing list that I can recall or find.

The SOP question feels more relevant to RFC7838 than WebPush (hence our confusion
yesterday).

Perhaps excerpting a few references will help clarify that perception:

   https://tools.ietf.org/html/rfc7838

   An alternative service can be used to interact with the resources on
   an origin server at a separate location on the network, possibly
   using a different protocol configuration.  Alternative services are
   considered authoritative for an origin's resources, in the sense of
   [RFC7230], Section 9.1 ...

   Alternative services do not replace or change the origin for any
   given resource; in general, they are not visible to the software
   "above" the access mechanism.  The alternative service is essentially
   alternative routing information that can also be used to reach the
   origin in the same way that DNS CNAME or SRV records define routing
   information at the name resolution level ...

   This means that clients using an alternative service can change the
   host, port, and protocol that they are using to fetch resources, but
   these changes MUST NOT be propagated to the application that is using
   HTTP; from that standpoint, the URI being accessed and all
   information derived from it (scheme, host, and port) are the same as
   before.

   Importantly, this includes its security context; in particular, when
   TLS [RFC5246] is used to authenticate, the alternative service will
   need to present a certificate for the origin's host name, not that of
   the alternative.  Likewise, the Host header field ([RFC7230],
   Section 5.4) is still derived from the origin, not the alternative
   service (just as it would if a CNAME were being used).

Also see mnot's blog for a quick introduction:

https://www.mnot.net/blog/2016/03/09/alt-svc

    So, to use an alternative, a client needs to have what we call “reasonable assurances”
    that it has the authority to do so. In this specification, we define one way to do that;
    the alternative needs to present a TLS certificate that’s valid for the origin
    – not the alternative! – hostname.

Hope that helps,

...Brian

v2.23.0 | Report a Bug | By Email