Re: [Webpush] Vapid public key
Costin Manolache <costin@gmail.com> Wed, 02 November 2016 18:14 UTC
Return-Path: <costin@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 3304F129AFC
for <webpush@ietfa.amsl.com>; Wed, 2 Nov 2016 11:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Od8lrnE1v40g for <webpush@ietfa.amsl.com>;
Wed, 2 Nov 2016 11:14:33 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com
[IPv6:2607:f8b0:4002:c05::234])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 290411297D4
for <webpush@ietf.org>; Wed, 2 Nov 2016 11:14:16 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id t125so17620852ywc.1
for <webpush@ietf.org>; Wed, 02 Nov 2016 11:14:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=mzduq0gSQNuxNCgUuU7imap9gM1xGIl6yrT5QdH8MNc=;
b=DY8TyqfgElQRsGQt/msGXpuL9KkIXAoMEdug2g+rrGtW2+TNxEUy38W9SUDbZZDU8j
LJ9wKwgLTv24fKyq69sknooIkWRGNAhnFIHP4C6k/TDLQxRyMQU6pD0M5N1hyH0koF9i
6PkasAjdWgZqpCED1pnRg8+v7aZPVlBdJzIggekA1qMmfbRvWtBEs5KP+5yOw86kASM7
uZzU9kmLTHEBGaj2B9Dpr0u1BkhUtblHlP6POfjy1wSxJ3KFFuP+5CU18GifwROfh7We
N7+/HYJfaV4fdvEdiVh6wYN/zLPOQl2I1/puzniozEQ13vz1emfsxvx/YUx8cgGOXOG5
z27A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=mzduq0gSQNuxNCgUuU7imap9gM1xGIl6yrT5QdH8MNc=;
b=Kjtp1JHJrV/ZwJgIh4ROS0HdWv1itVSkyNcDgb0Zce3dpUDmY1NUo1UUJDcwNJ7+TU
3Q8FhSPqd5xSykSuMtf1r6vQyz1zVFDCzNiO+FOmlE8UVNPBvFInqISCkRWMISE7muN9
hBeVVxYY1hZlQJyDiYKN/CUIMroWybBBItAPzy4dh5XRKK9KU1dE5FZWsaz5Ea8MN0ks
7aG4X+bbSMiJnmZBcOqWp4+DoU40ZyecHqhIHBw8xJjdKKzw3C4qL2R5tT+qU1Qi+A0I
xqzAALFnvT0xE9TFZoys+tcez6LtMlRQkQ99WQAhmFgNCvwdKMovUNQlv/AvxGwppmjz
ZaOg==
X-Gm-Message-State: ABUngvdiT5eKRTgj0RAzIM6lsEbEfAs1VRUu5Qhxo0PDq6Zz8aNZhTxOGXjKkLT2lMAx9WYy5N+cfB6/0iiPbQ==
X-Received: by 10.107.2.8 with SMTP id 8mr2127753ioc.83.1478110455400; Wed, 02
Nov 2016 11:14:15 -0700 (PDT)
MIME-Version: 1.0
References: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com>
<CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com>
<CABkgnnX4aAjnZyu3morJOLatuuj9k4NSoTpoNtF7YjtRUFQOnQ@mail.gmail.com>
<CAP8-Fq=Zd66ZhWm+gYesOpc2NZ-YBpy2+bHdr6O+h1KG2s16uw@mail.gmail.com>
In-Reply-To: <CAP8-Fq=Zd66ZhWm+gYesOpc2NZ-YBpy2+bHdr6O+h1KG2s16uw@mail.gmail.com>
From: Costin Manolache <costin@gmail.com>
Date: Wed, 02 Nov 2016 18:14:04 +0000
Message-ID: <CAP8-FqkfjQkm-z9HSBHMm3nht8SFBY5G=W82N8BAybbxucdEag@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary=001a11397876a20e81054055686b
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/X4j1OcQ8kvY2K-PjXJC2pNpXyms>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>,
Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol
<webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>,
<mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>,
<mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 18:14:35 -0000
>From rfc2617 (digest auth):
Authorization: Digest username="Mufasa",
realm="testrealm@host.com".com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html",
qop=auth,
nc=00000001,
cnonce="0a4f113b",
response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
On Wed, Nov 2, 2016 at 11:11 AM Costin Manolache <costin@gmail.com> wrote:
> IMHO the main problem with JWK is not size, but the inconsistency - would
> be good for the
> exact string used in subscribe() to also show in Authenticate.
>
> Any problem with using auth-param:
>
> Authorization: webpush JWTTOKEN, id=PUBKEY
>
> Costin
>
> On Tue, Nov 1, 2016 at 10:59 PM Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
> On 2 November 2016 at 16:10, Costin Manolache <costin@gmail.com> wrote:
> > Authorization: webpush PUBLICKEY:JWT_TOKEN
>
> The grammar (RFC 7235) is:
>
> credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
> token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
>
> With JWT, we've opted to use the "token68" form (also shown here).
> Given that base64url takes '-', '_', and '.', we could separate on
> '/'. '/' is a valid base64 (the non-url-safe variant) character, but
> we could split on that.
>
> For existing implementations, you would have to accept that you are
> going to have to sniff for this, or we could use a new auth-scheme. I
> think that sniffing should be workable given that you won't have a
> Crypto-Key header field.
>
> And before I forget, the ugliest option of all is to use JWK inside
> the JWT. Here's an example of a JWK:
>
>
> {"crv":"P-256","ext":true,"key_ops":["verify"],"kty":"EC","x":"20zCfUuIs0NGtaVxENI4VH0YyJOUuxp973BTZTfhe1A","y":"WEMWyistS_sD6gGLN4IISWdIMQxZoCHAhlZ8zkmcVUI"}
>
> The ext and key_ops fields can be omitted safely - I just pulled this
> straight out of webcrypto - though it's still even bigger than you
> might like.
>
>
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Martin Thomson