Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection

Martin Thomson <martin.thomson@gmail.com> Mon, 04 September 2017 00:02 UTC

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 4 Sep 2017 10:02:19 +1000
To: Phil Sorber <sorber@apache.org>
Cc: "webpush@ietf.org" <webpush@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/dpcd_Rpnk__OSgnG8IUC_BvEJno>
Subject: Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection

New drafts pushed.  Hopefully the IESG is happier this time around :)

On Sat, Sep 2, 2017 at 1:02 PM, Phil Sorber <sorber@apache.org> wrote:
> I think that we have consensus on this. Other options were considered by the
> working group but for various reasons, such as deployment complexity, were
> ruled out in favor of the JWT bearer token, despite its sub-optimal
> security properties.
>
> Thanks everyone for the feedback.
>
> On Thu, Aug 17, 2017 at 10:17 PM Martin Thomson <martin.thomson@gmail.com>
> wrote:
>>
>> On 18 August 2017 at 12:58, Phil Sorber <sorber@apache.org> wrote:
>> > I believe the working group has already discussed adding such a mechanism
>> > and rejected it (with citation to an email discussion or minutes reflecting
>> > such discussion).
>>
>> We did consider options that don't have this unfortunate property.
>> Client certificates were a strong contender.  They would have been
>> ideal if not for operational challenges.
>>
>> Here's the email that I think was pivotal on this subject:
>> https://mailarchive.ietf.org/arch/msg/webpush/_qwcGCuDekERw5o31t0MjFJGTh8
>>
>> Later there is also:
>> https://mailarchive.ietf.org/arch/msg/webpush/poGnqtBFlFe3hpzvkiS3Rp5L94g
>>
>> There are yet more emails that follow on from this where we discuss
>> scope of the token and relative costs.  The first of those is here:
>> https://mailarchive.ietf.org/arch/msg/webpush/xrqo-LUb7mrPV6eF1xgyJoqMgCU
>>
>> I found the rest of the thread instructive as a reminder of what happened;
>> I had forgotten the details of this discussion.
>>
>> I didn't read meeting minutes; the above seems sufficient.