[Webpush] Non-blocking comments on -05
Peter Beverloo <beverloo@google.com> Tue, 31 May 2016 19:40 UTC
From: Peter Beverloo <beverloo@google.com>
Date: Tue, 31 May 2016 20:40:27 +0100
Message-ID: <CALt3x6=_yc9TegOut_g+6W5fvhP7sfW+_gwRZnEVFA5PNgER6Q@mail.gmail.com>
To: "webpush@ietf.org" <webpush@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/XLayVO08LLY4XL6VnIAVYU1EFLM>

Hi Martin, Brian, Elio,

As an implementer I can only express my gratitude for the fantastic
creating and editing of the standard you have done - thank you *so* much!

I have a few last-minute comments, none of which have to be blocking for
the WGLC. I'll acknowledge agreement in Shida's thread momentarily.

1) Page 11, "A push message with zero TTL...push messages."

This section is very loose in defining whether or not delivery receipts
should be sent for messages with TTL 0. In effect, behaviour of the Web
Push services out there today may strong-arm future services by
establishing developer expectations.

Have we considered not sending receipts for messages with TTL=0 at all?

2) Page 21, "this can be signaled by returning a 400-series status
code, such as 410 (Gone)."

This is the only ambiguous status code reference in the standard. What is
the reason for not settling on 404 or 410?

The example of 410 for expiring subscriptions here is different from the
404 mentioned in 7.1 (Page 20); it would be good to make that consistent.

I also have a few editorial comments:

- Page 3, "Requesting the delivery of events is particularly important
for the W3C Push API."

It is not explained why it is particularly important. Is this assumed
knowledge of the reader? I would suggest the following addition:
"...for the W3C Push API as the developer may have to request push message
delivery from any number of push services."

- Page 4, definition of "application server"

Nothing precludes an application from not needing a server side at all. I
don't think we should change the term, but perhaps we can consider
slightly rephrasing the definition as:
"The component of an application that *usually* runs on a server and
requests the delivery of a push message."

- Page 7, "Confidentiality protection and application server
authentication MUST be used to ensure that this URI is not disclosed
to unauthorized recipients (Section 8.3)."

Is it appropriate for the standard to dictate a MUST here when the
distribution method is defined to be application-specific? (I do agree
with the premise.)

- Page 7, "[subscription sets] can represent a significant efficiency
improvement for a push service."

There are significant improvements for many types of user agents as well,
so I would suggest rephrasing as "... improvements for push services and
user agents."

- Page 8, "The push message is included in the body of the request."

While covered by Section 8.1 in the Operational Considerations, given the
strong focus on security and privacy considerations throughout the rest
of the standard I think it would be appropriate to mention the strong
preference for encryption here?

- Page 11, page 13: s/acknowledgement receipts/delivery receipts/.

- Page 12, 13: Both "update" and "replace" are used to describe the
same operation. I don't think that consistently using "replace"
would change the meaning of this section - could we?

One final thing that I'm on the fence about is that the push service MUST
NOT forward the Urgency value to the user agent. I can see uses, but also
concerns in the scenario of a compromised or malicious push service. Is
this the reason behind the strong language?

Thanks,
Peter