IETF Logo Mail Archive

Re: [Webpush] Vapid public key

Costin Manolache <costin@gmail.com> Wed, 02 November 2016 05:11 UTC

Return-Path: <costin@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A72A1294B5 for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 22:11:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wsLOp1KjMCC9 for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 22:11:09 -0700 (PDT)
Received: from mail-it0-x232.google.com (mail-it0-x232.google.com [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D996129436 for <webpush@ietf.org>; Tue, 1 Nov 2016 22:11:09 -0700 (PDT)
Received: by mail-it0-x232.google.com with SMTP id q124so15662931itd.1 for <webpush@ietf.org>; Tue, 01 Nov 2016 22:11:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TGy9aAvne6kTeuV6g6X5LWybxd60qQ3MPf3j+Zazdp8=; b=GS4wMG3XR7UaPjSzNcG62XSqWWO4oXySnZPhoc+2n+9j40g1fsh3PqEbSfY7LJiBRG dvQtxazXi9i5/FSdhfEVFdRFvwWVRyktND7UXuclDS9JTsei0ZUjyHjpgoMymnpeKbid p60L/JgtNqEeOIiesUhLXed/JfRjn4Pm6UxX3xGxFF8WIeUETeuua5CBNJ157jFjVLH0 6iGr7+Qch7sNyR+Zbe99UrrBC8dzq+3yJWuxFgAwXbmVz+t/obSRDJU4fzsTPxQyYPhK efV/sDxXDy34hUU/JU6xtYi+JDt46C0ZSLDgdxY2dPd6RiWsZejnOkrUbR7qyWEatYEh 2tbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TGy9aAvne6kTeuV6g6X5LWybxd60qQ3MPf3j+Zazdp8=; b=EOlwZOkKPBmBwNC1j3KTFwKeT8rThj3O4+iMLrJWNpjs7Sb+65GiDUrQltxT/Vw7c6 Kiu6oKptHOLFdj6NCn3v22Y011nOxjRcfOZJwUXths+0ES5YHooiMbWA7DLaon7ccJpF hseu5oXuiAVX3giyzIYvvnnzyQMNdBMIJuk3mXocOCzrhL9RgkKzGFoW0B+W7Um8BGIY brwkTPL3soSVVzuOxtKj6bp4rBMTGFOoeXQF/IPe34gfmFD8bKQSfT8XUgWi7vI4qyqP akSa/f0h74Jn9GMkyS29wbPPg/KMc0t7vELW/vGo9OxTbLM8Dr5Y8Eou1VZgSjtz+Csl sY9g==
X-Gm-Message-State: ABUngvdC0v6Ll7V2jp8GYO1yF4lVyAmKtTMp2Andbg4iQqfpTeVm9sQIYjMOIKBifGwpAiKruq0Ct8rNb7mg9Q==
X-Received: by 10.107.2.65 with SMTP id 62mr2200367ioc.83.1478063468205; Tue, 01 Nov 2016 22:11:08 -0700 (PDT)
MIME-Version: 1.0
References: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com>
In-Reply-To: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com>
From: Costin Manolache <costin@gmail.com>
Date: Wed, 02 Nov 2016 05:10:57 +0000
Message-ID: <CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary=001a11396f40fa76d205404a7717
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/cpN4PkqUYtrGGH2j9ODe4VD_wq8>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>, Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 05:11:10 -0000

Can we do something like:

Authorization: webpush JWT;PUBLICKEY

or even

Authorization: webpush PUBLICKEY:JWT_TOKEN

The public key is the 'identity' of the sender, the JWT token is
authenticating it -
it's common to use USER:SECRET.

I agree having the publickey inside the JWT token - and double b64 - is
ugly, also
it may be easier to verify the signature first, and decode the body after.

Costin

On Tue, Nov 1, 2016 at 8:55 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 2 November 2016 at 05:02, Costin Manolache <costin@gmail.com> wrote:
> > I would also add that some of the bugs we've seen in our implementation
> > were related to parsing and passing along the crypto key. Even for
> > VAPID I would love to see the sender public key appended to the
> > Authorization header somehow instead of in a separate Crypto-Key header.
>
> Putting the public key in the JWT header is probably doable, but it
> means double base64 encoding for key. I'd want to hear that people are
> OK with it before making a change.
>
> Note that this is probably a net increase in header size (I make it to
> be a 22 octet increase, even losing the Crypto-Key header field
> entirely).  Header size probably isn't that important on this request
> though.
>

v2.8.7 | Report a Bug | By Email