[Webpush] Warren Kumari's No Objection on draft-ietf-webpush-encryption-08: (with COMMENT)

Warren Kumari <warren@kumari.net> Tue, 15 August 2017 17:59 UTC

From: Warren Kumari <warren@kumari.net>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-webpush-encryption@ietf.org, Phil Sorber <sorber@apache.org>, webpush-chairs@ietf.org, sorber@apache.org, webpush@ietf.org, tim.chown@jisc.ac.uk
Message-ID: <150281999738.21016.2164260159984776251.idtracker@ietfa.amsl.com>
Date: Tue, 15 Aug 2017 10:59:57 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/XVv6uTPiJgeZQmBcXH5SN2Owcr0>

Warren Kumari has entered the following ballot position for
draft-ietf-webpush-encryption-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-webpush-encryption/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Firstly, thanks to Tim Chown for his helpful OpsDir review (
https://datatracker.ietf.org/doc/review-ietf-webpush-encryption-08-opsdir-lc-chown-2017-08-01/
) and for your response.

I only have nits on this document:
1:  I reviewed this and draft-ietf-webpush-vapid together. This document uses
title case for "User Agent" (and many other terms), while
draft-ietf-webpush-vapid and RFC8030 use lower-case. Consistency would be nice
here.

2: Section 2:
"In addition to the reasons described in [I-D.ietf-webpush-protocol], this
ensures that the authentication secret is not revealed to unauthorized
entities, which can be used to generate push messages that will be accepted by
the User Agent." -- this is ambiguous / confusing. It is unclear which which is
which. I'd suggest rewording to something like "... to unauthorized entities,
which would allow those entities to generate push messages that would be
accepted by the User Agent as valid" (or similar)

3: Section 7.  Security Considerations
"In particular, any HTTP header fields are not protected by the content
encoding scheme." -- I think you may mean "In particular, no HTTP header fields
are protected ..." (or similar)