Re: [Webpush] Application server authentication new years edition

jr conlin <> Wed, 06 January 2016 16:33 UTC

List-Id: Discussion of potential IETF work on a web push protocol <>

On 01/06/2016 01:16 AM, Martin Thomson wrote:
> On 6 January 2016 at 15:55, Costin Manolache <> wrote:
>> For authentication:  2.1(certificate) would be my preference, and is a well
>> known and established
>> mechanism, followed by 2.6, 2.3.
> Both 2.1 (certs) and 2.6 (token binding) require access to the TLS
> connection.  Token binding has the added concern that it is a new
> mechanism that might not be well deployed.
> When I inquired, certs did seem possible, but Mozilla folks (JR can
> speak to this better than I), had some operational concerns.  JWT
> hoists the authentication information up into HTTP, which was a lot
> easier to manage.
We are currently deployed on Amazon Web Services (AWS) using Elastic 
Load Balancers (ELBs) to terminate TLS connections for both cost and 
performance reasons. The ELBs act as a simple proxy, consume the 
certificate and provide no certificate information. AWS has no plans to 
modify ELB software to relay the cert information as part of the proxied 
connection. It is not possible for any AWS based service to use any cert 
information to show authentication, since it is impossible to get that