Re: [Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 15 August 2017 17:10 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBB6313228D; Tue, 15 Aug 2017 10:10:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.718
X-Spam-Level:
X-Spam-Status: No, score=-2.718 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=LfqGMUGy; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=nhshvkIu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id guBuezYLgssS; Tue, 15 Aug 2017 10:10:37 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2B9813238E; Tue, 15 Aug 2017 10:10:35 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 413EE20899; Tue, 15 Aug 2017 13:10:28 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Tue, 15 Aug 2017 13:10:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=zjZA+K4GIj7x7msXF45vciz0sxaa+ ABolkiK6KhhTOQ=; b=LfqGMUGyLyDo6hJIif4dZ5rFEWb0aF/EIKYSGjKFVqUGS 7lOe873kWXL+R95rJm0ihRZxae6kwHyiyPf/0imh+Orj/lPLSq/wiolM3NfiUjYm puyRF5d3AbrLponKMC2NLhOmyEJ6h8omALcupMJBJoHBsZZJXRC3vOr+ifJOHivo 2bZmY+kp0C5J1hGK3BwdJx9ifcGaYnLO+egAyi4s0C8qtcaH003pyYF+Ir79Yyes WWmsngUXfPh5l0jCPtXGfRUiuKNhWxFG9I9emucluiky/+74p67SizK9pvC0yvhd V/IXNrCgfHbl7XPvxxXw87nJWPdf6xN0LNd7QnbSQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=zjZA+K 4GIj7x7msXF45vciz0sxaa+ABolkiK6KhhTOQ=; b=nhshvkIu8IUnYj49u41N33 nMcR9NkTEz2Mu5YWULwTUrvsSq3qWfNyz5rk0siRScgellixz7xcak7yRsIb+aKt IT8sloQGsN8jVexK1Rp6h0l0i5LjIiglvvax4aLkm4UsY5Pa0aR4Fjz6c9SirdOG fk17iey5cAhf1HSLwAWS1DE9qpXhHHjkOWp67jCqt77Kd7jILDTD+x0wL05ST8qT T0wdK2dmkTlKjBDZRz+RtPMP9QttJSxU7YaXUsNKxYmlk7H3nW2U9Ny2feWUkYkB 3ovdyZYBViGadu05dW7kb8GuAI3f95z6YeFmKMDHq2ovw+tAamp7gKqF7xeoCJ3w ==
X-ME-Sender: <xms:BCuTWdiWy-QFZnSakBS4ayg4UkYd0k_TFrCjBWHeLujbEVK8PV35xA>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 1D08A9E2AC; Tue, 15 Aug 2017 13:10:28 -0400 (EDT)
Message-Id: <1502817028.2069722.1074294944.009E9EE6@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Phil Sorber <sorber@apache.org>, Martin Thomson <martin.thomson@gmail.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-webpush-vapid" <draft-ietf-webpush-vapid@ietf.org>, webpush-chairs@ietf.org, webpush@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_150281702820697220"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-ff6d44b3
References: <150161732457.12184.5254423236791059887.idtracker@ietfa.amsl.com> <CABkgnnXNAtcJcEQ9pJx=Pi_nOBX6THFQOuoLZLJa0NmKPezk6w@mail.gmail.com> <1502789815.1179459.1073844136.43E95545@webmail.messagingengine.com> <CABF6JR3t2WOjBkKjpK5QhPqu4sYxakimNfG7U4gYGyJa32ZR8w@mail.gmail.com>
In-Reply-To: <CABF6JR3t2WOjBkKjpK5QhPqu4sYxakimNfG7U4gYGyJa32ZR8w@mail.gmail.com>
Date: Tue, 15 Aug 2017 18:10:28 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/PIM4wKHhUA7xZfuL_mASaZ0mnQ4>
Subject: Re: [Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 17:10:41 -0000

On Tue, Aug 15, 2017, at 04:40 PM, Phil Sorber wrote:
> On Tue, Aug 15, 2017 at 3:37 AM Alexey Melnikov
> <aamelnikov@fastmail.fm> wrote:
>> On Wed, Aug 2, 2017, at 01:14 AM, Martin Thomson wrote:
>> > On 2 August 2017 at 05:55, Alexey Melnikov
>> > <aamelnikov@fastmail.fm> wrote:
>> > > Firstly, "optjons" above should be "options". Secondly, the MIME
>> > > type registration of application/webpush-options+json says that the
>> > > MIME type has no parameters, yet you use charset above. So which is it?
>> >
>> > As Phil notes, the first was corrected already, the second is in
>> > c867529 on GitHub.  I'll push a new version at Adam's instruction.
>>
>> I prefer a new draft.
>
> Understood. The plan is to do that right after the telechat.
>
>> What is the URL for the github? I couldn't find it on a quick glance.
>
> This is the repo:
> https://github.com/webpush-wg/webpush-vapid
>
> This is a diff of the last draft to current master:
> https://github.com/webpush-wg/webpush-vapid/compare/draft-ietf-webpush-vapid-03...master

I can clear my DISCUSS based on these changes.

>
>> > > In Section 3, 3rd para:
>> > >
>> > >    This authentication scheme does not require a challenge.
>> > >    Clients are able to generate the Authorization header field
>> > >    without any additional information from a server.  Therefore,
>> > >    a challenge for this authentication scheme MUST NOT be sent in
>> > >    a WWW-Authenticate header field.
>> > >
>> > > Does this mean that there is no way to discover whether a
>> > > particular server supports the "vapid" HTTP authentication scheme?
>> >
>> > Not directly.  There was a plan to expose this via the User
>> > Agent, but we didn't reach a conclusion:
>> > https://github.com/w3c/push-api/pull/262
>> >
>> > Another document could override this as well, I suppose.  The
>> > "MUST NOT" exists primarily because we don't define a challenge.
>>
>> I think all authentication schemes should be discoverable in
>> WWW-Authenticate, as it is part of the HTTP authentication framework.
>>
>> I think it would be good to clarify whether inclusion of "vapid" in
>> WWW-Authenticate without a challenge is allowed. The way your
>> MUST NOT is worded makes me think that this is something that a server
>> implementor can do accidentally. As there is no challenge data,
>> I don't see how this can happen anyway.
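The thread turns on two properties of the vapid scheme: the server never sends a challenge (so a push service that lists "vapid" in WWW-Authenticate is doing something the draft says MUST NOT happen), and the client builds the Authorization field entirely on its own, so everything the push service can check arrives in the `t` (JWT) and `k` (public key) parameters. The following is an added example, not code from the draft or the webpush-vapid repository: stdlib-only Python that parses both header fields with RFC 7235 auth-param syntax, flags a "vapid" challenge, and runs the structural and claims checks the draft (and RFC 8292) require of the token: `alg` ES256, `aud` equal to the push service origin, `exp` in the future but no more than 24 hours out, and a `mailto:` or `https:` `sub`. It does not verify the ECDSA signature (that needs a P-256 library), so the sample key and signature bytes are constructed placeholders, as are the origin and contact address.

```python
"""Defender-side checks for the 'vapid' HTTP auth scheme (added example)."""
import base64
import json
import re
import time

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"   # RFC 7230 token characters
_PARAM_RE = re.compile(r'^(' + TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + TOKEN + r'))\s*$')
_SCHEME_RE = re.compile(r'^(' + TOKEN + r')(?:\s+(.*))?$', re.S)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _split_commas(value: str) -> list:
    """Split on commas that are not inside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch); escaped = True
        elif ch == '"':
            quoted = not quoted; buf.append(ch)
        elif ch == "," and not quoted:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _parse_params(pieces: list) -> dict:
    params = {}
    for piece in pieces:
        m = _PARAM_RE.match(piece)
        if not m:
            raise ValueError("bad auth-param: %r" % piece)
        quoted, plain = m.group(2), m.group(3)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else plain
    return params


def parse_authorization(value: str) -> tuple:
    """Return (scheme, params) for credentials of the form 'scheme p=v, q=w'."""
    m = _SCHEME_RE.match(value.strip())
    if not m:
        raise ValueError("no auth-scheme")
    return m.group(1).lower(), _parse_params(_split_commas(m.group(2) or ""))


def www_authenticate_schemes(value: str) -> list:
    """Auth-schemes named in a WWW-Authenticate value (a bare token or 'token params' starts a challenge)."""
    schemes = []
    for piece in _split_commas(value):
        if _PARAM_RE.match(piece) and schemes:
            continue                      # auth-param of the previous challenge
        m = _SCHEME_RE.match(piece)
        if not m:
            raise ValueError("bad challenge: %r" % piece)
        schemes.append(m.group(1).lower())
    return schemes


def flag_vapid_challenge(www_authenticate: str) -> bool:
    """True if the server advertised 'vapid', which the draft says MUST NOT be sent."""
    return "vapid" in www_authenticate_schemes(www_authenticate)


def check_vapid_credentials(authorization: str, audience: str, now: int = None) -> list:
    """Structural and claims checks on 'vapid t=..., k=...'; returns problems found (empty list = ok)."""
    now = int(time.time()) if now is None else now
    scheme, params = parse_authorization(authorization)
    if scheme != "vapid":
        return ["scheme is %r, not vapid" % scheme]
    problems = []
    if set(params) != {"t", "k"}:
        problems.append("expected exactly the t and k parameters, got %s" % sorted(params))
    try:
        raw = b64url_decode(params.get("k", ""))
        if len(raw) != 65 or raw[0] != 0x04:   # uncompressed P-256 point
            problems.append("k is not an uncompressed P-256 point")
    except ValueError:
        problems.append("k is not base64url")
    parts = params.get("t", "").split(".")
    if len(parts) != 3:
        return problems + ["t is not a three-part JWT"]
    try:
        header = json.loads(b64url_decode(parts[0]).decode("utf-8"))
        claims = json.loads(b64url_decode(parts[1]).decode("utf-8"))
        b64url_decode(parts[2])
    except ValueError:
        return problems + ["JWT segments are not base64url JSON"]
    if header.get("alg") != "ES256":
        problems.append("alg must be ES256, got %r" % header.get("alg"))
    if claims.get("aud") != audience:
        problems.append("aud %r does not match push service origin %r" % (claims.get("aud"), audience))
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp missing or not an integer")
    elif exp <= now:
        problems.append("token expired")
    elif exp > now + 24 * 3600:
        problems.append("exp is more than 24 hours in the future")
    sub = str(claims.get("sub", ""))
    if not (sub.startswith("mailto:") or sub.startswith("https:")):
        problems.append("sub should be a mailto: or https: contact URI")
    return problems


def make_sample_credentials(audience: str, now: int) -> str:
    """Constructed sample: well-formed token with placeholder key and signature bytes (not a real key)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "ES256"}).encode())
    claims = b64url_encode(json.dumps({"aud": audience, "exp": now + 12 * 3600,
                                       "sub": "mailto:push@example.com"}).encode())
    return "vapid t=%s.%s.%s, k=%s" % (header, claims, b64url_encode(b"\x00" * 64),
                                       b64url_encode(b"\x04" + b"\x11" * 64))


if __name__ == "__main__":
    now = int(time.time())
    print(check_vapid_credentials(make_sample_credentials("https://push.example.net", now),
                                  "https://push.example.net", now))
    print(flag_vapid_challenge('Basic realm="push", vapid'))
```

The claims checks run before any signature work, so a push service can reject mis-addressed or long-lived tokens cheaply; the `aud` check is the one that stops a token minted for one push service from being replayed against another.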