Re: [Webpush] Alexey Melnikov's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)

Phil Sorber <sorber@apache.org> Tue, 15 August 2017 15:47 UTC

From: Phil Sorber <sorber@apache.org>
Date: Tue, 15 Aug 2017 15:40:59 +0000
To: Alexey Melnikov <aamelnikov@fastmail.fm>, Martin Thomson <martin.thomson@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-webpush-vapid <draft-ietf-webpush-vapid@ietf.org>, webpush-chairs@ietf.org, webpush@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/VRf0Xd2Cb1MRZcIdVHXDeAA3dqc>

On Tue, Aug 15, 2017 at 3:37 AM Alexey Melnikov <aamelnikov@fastmail.fm> wrote:

> On Wed, Aug 2, 2017, at 01:14 AM, Martin Thomson wrote:
> > On 2 August 2017 at 05:55, Alexey Melnikov <aamelnikov@fastmail.fm> wrote:
> > > Firstly, "optjons" above should be "options". Secondly, the MIME type
> > > registration of application/webpush-options+json says that the MIME type has no
> > > parameters, yet you use charset above. So which is it?
> >
> > As Phil notes, the first was corrected already, the second is in
> > c867529 on GitHub.  I'll push a new version at Adam's instruction.
>
> I prefer a new draft.


Understood. The plan is to do that right after the telechat.


> What is the URL for the github? I couldn't find it on a quick glance.

This is the repo:
https://github.com/webpush-wg/webpush-vapid

This is a diff of the last draft to current master:
https://github.com/webpush-wg/webpush-vapid/compare/draft-ietf-webpush-vapid-03...master


> > > In Section 3, 3rd para:
> > >
> > >    This authentication scheme does not require a challenge.  Clients are
> > >    able to generate the Authorization header field without any
> > >    additional information from a server.  Therefore, a challenge for
> > >    this authentication scheme MUST NOT be sent in a WWW-Authenticate
> > >    header field.
> > >
> > > Does this mean that there is no way to discover whether a particular server
> > > supports "vapid" HTTP authentication scheme?
> >
> > Not directly.  There was a plan to expose this via the User Agent, but
> > we didn't reach a conclusion: https://github.com/w3c/push-api/pull/262
> >
> > Another document could override this as well, I suppose.  The "MUST
> > NOT" exists primarily because we don't define a challenge.
>
> I think all authentication schemes should be discoverable in
> WWW-Authenticate, as it is a part of HTTP authentication framework.
>
> I think it would be good to clarify whether inclusion of "vapid" in
> WWW-Authenticate without a challenge is allowed. The way your MUST NOT
> is worded makes me think that this is something that a server
> implementor can do accidentally. As there is no challenge data, I don't
> see how this can happen anyway.
>