Re: [Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 15 August 2017 17:10 UTC
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Phil Sorber <sorber@apache.org>, Martin Thomson <martin.thomson@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-webpush-vapid <draft-ietf-webpush-vapid@ietf.org>, webpush-chairs@ietf.org, webpush@ietf.org
Date: Tue, 15 Aug 2017 18:10:28 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/PIM4wKHhUA7xZfuL_mASaZ0mnQ4>

On Tue, Aug 15, 2017, at 04:40 PM, Phil Sorber wrote:
> On Tue, Aug 15, 2017 at 3:37 AM Alexey Melnikov
> <aamelnikov@fastmail.fm> wrote:
>> On Wed, Aug 2, 2017, at 01:14 AM, Martin Thomson wrote:
>> > On 2 August 2017 at 05:55, Alexey Melnikov
>> > <aamelnikov@fastmail.fm> wrote:
>> > > Firstly, "optjons" above should be "options". Secondly, the MIME
>> > > type registration of application/webpush-options+json says that
>> > > the MIME type has no parameters, yet you use charset above. So
>> > > which is it?
>> >
>> > As Phil notes, the first was corrected already, the second is in
>> > c867529 on GitHub. I'll push a new version at Adam's instruction.
>>
>> I prefer a new draft.
>
> Understood. The plan is to do that right after the telechat.
>
>>
>> What is the URL for the github? I couldn't find it on a quick glance.
>>
>
> This is the repo:
> https://github.com/webpush-wg/webpush-vapid
>
> This is a diff of the last draft to current master:
> https://github.com/webpush-wg/webpush-vapid/compare/draft-ietf-webpush-vapid-03...master

I can clear my DISCUSS based on these changes.

>
>> > > In Section 3, 3rd para:
>> > >
>> > >    This authentication scheme does not require a challenge.
>> > >    Clients are able to generate the Authorization header field
>> > >    without any additional information from a server. Therefore,
>> > >    a challenge for this authentication scheme MUST NOT be sent
>> > >    in a WWW-Authenticate header field.
>> > >
>> > > Does this mean that there is no way to discover whether a
>> > > particular server supports "vapid" HTTP authentication scheme?
>> >
>> > Not directly. There was a plan to expose this via the User Agent,
>> > but we didn't reach a conclusion:
>> > https://github.com/w3c/push-api/pull/262
>> >
>> > Another document could override this as well, I suppose. The
>> > "MUST NOT" exists primarily because we don't define a challenge.
>>
>> I think all authentication schemes should be discoverable in
>> WWW-Authenticate, as it is a part of HTTP authentication framework.
>>
>> I think it would be good to clarify whether inclusion of "vapid" in
>> WWW-Authenticate without a challenge is allowed. The way your
>> MUST NOT is worded makes me think that this is something that a
>> server implementor can do accidentally. As there is no challenge
>> data, I don't see how this can happen anyway.
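
The distinction discussed at the end of the message, a bare "vapid" scheme name in WWW-Authenticate versus a challenge that carries data, shown as an added example (not code from the draft or from any list participant). It assumes the RFC 7235 challenge grammar; the header values and the `example` parameter are constructed and not defined by the draft.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                              # RFC 7230 token
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})')  # RFC 7235 auth-param
ITEM = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^,"])+')                   # list element, quotes respected

def split_top_level(value):
    """Split a header value on commas that are outside quoted-strings."""
    return [p.strip() for p in ITEM.findall(value) if p.strip()]

def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(value):
    """Return [(scheme, params)]; scheme is lower-cased (schemes are case-insensitive)."""
    challenges = []
    for item in split_top_level(value):
        m = PARAM.fullmatch(item)
        if m and challenges:                      # auth-param continuing the previous challenge
            challenges[-1][1][m.group(1).lower()] = unquote(m.group(2))
            continue
        scheme, _, rest = item.partition(" ")
        params, rest = {}, rest.strip()
        m = PARAM.fullmatch(rest)
        if m:
            params[m.group(1).lower()] = unquote(m.group(2))
        elif rest:
            params["token68"] = rest              # opaque token68 form
        challenges.append((scheme.lower(), params))
    return challenges

def vapid_advertisement(value):
    """'absent', 'bare' (scheme name only) or 'with-challenge' (carries data)."""
    for scheme, params in parse_challenges(value):
        if scheme == "vapid":
            return "with-challenge" if params else "bare"
    return "absent"

# Constructed WWW-Authenticate values for illustration only.
SAMPLES = [
    'Basic realm="push", vapid',            # scheme advertised, no challenge data
    'Digest realm="r", nonce="n", VAPID',   # same, after a multi-parameter challenge
    'vapid example="1"',                    # carries data: what the MUST NOT rules out
    'Basic realm="a, vapid"',               # "vapid" only inside a quoted realm
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{vapid_advertisement(s):15} {s}")
```

The last sample is the case a substring search gets wrong: the scheme name appears only inside another challenge's quoted parameter.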