[Webpush] Kathleen Moriarty's No Objection on draft-ietf-webpush-vapid-03: (with COMMENT)

Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> Tue, 15 August 2017 18:50 UTC

From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-webpush-vapid@ietf.org, Phil Sorber <sorber@apache.org>, webpush-chairs@ietf.org, sorber@apache.org, webpush@ietf.org
Message-ID: <150282302424.20984.16954614287039839165.idtracker@ietfa.amsl.com>
Date: Tue, 15 Aug 2017 11:50:24 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/T6B6K_fcC0-Dban_8gKjfo0VcVw>
Subject: [Webpush] Kathleen Moriarty's No Objection on draft-ietf-webpush-vapid-03: (with COMMENT)

Kathleen Moriarty has entered the following ballot position for
draft-ietf-webpush-vapid-03: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-webpush-vapid/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for your work on this draft.

In section 3, it seems that you are just signing the JWK and that seems fine
from the text and the purpose listed - origin server authentication.

Then in section 3.2, there's a reference to I-D.ietf-webpush-encryption saying,
"An application server MUST select a different private key for the key
exchange".  This makes me think that encryption is used as well, but I think
it would be helpful to see the point made more clear here or in the security
considerations section.  Is confidentiality provided/required or just
integrity for this draft?