Re: [Webpush] Eric Rescorla's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)

Adam Roach <adam@nostrum.com> Wed, 16 August 2017 02:36 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C4C13246F; Tue, 15 Aug 2017 19:36:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlY3MPxlYaG4; Tue, 15 Aug 2017 19:36:06 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD3B1132478; Tue, 15 Aug 2017 19:35:54 -0700 (PDT)
Received: from Svantevit.roach.at (cpe-70-122-154-80.tx.res.rr.com [70.122.154.80]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v7G2ZlLC035244 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 15 Aug 2017 21:35:48 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-122-154-80.tx.res.rr.com [70.122.154.80] claimed to be Svantevit.roach.at
To: Ben Campbell <ben@nostrum.com>, Eric Rescorla <ekr@rtfm.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, draft-ietf-webpush-vapid <draft-ietf-webpush-vapid@ietf.org>, Phil Sorber <sorber@apache.org>, The IESG <iesg@ietf.org>, webpush-chairs@ietf.org, "webpush@ietf.org" <webpush@ietf.org>
References: <150284054989.12518.11340069078773708886.idtracker@ietfa.amsl.com> <CABkgnnXwUpp4A=V6gNXoK+Q6LatCHFoB59+xVd0RxQ96Y5gfaQ@mail.gmail.com> <CABcZeBP1Ej2Dd7rPTn6Sq3uVLA1gPHBSRSQR2Fam_mxJqcQgig@mail.gmail.com> <4125C183-E369-47EA-999A-0080BDF01B4A@nostrum.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <716e5820-e57f-b7c9-b3b4-3cf387409575@nostrum.com>
Date: Tue, 15 Aug 2017 21:35:47 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <4125C183-E369-47EA-999A-0080BDF01B4A@nostrum.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/Rno3JcKXB52SzfSYKsiHpNVHLKE>
Subject: Re: [Webpush] Eric Rescorla's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 02:36:08 -0000

On 8/15/17 9:31 PM, Ben Campbell wrote:
> My knee jerk response is to agree with Ekr. But it’s worth discussing how big of an incompatibility with existing code people are talking about. Are there a lot of deployed services that support vapid? Do people think that existing implementors will choose not to implement/deploy the additional protection?


My inclination is to ask the WG to weigh in on this issue in particular. 
I've received some pretty confident responses indicating that VAPID has 
no issues with crypto-agility. Given that such is the case, it seems 
like the question of how many deployed implementations we have is pretty 
irrelevant: if we can't change crypto schemes at scale, then we 
shouldn't publish this document anyway.

/a