[Webpush] Feedback on draft-thomson-webpush-http2-02
"Brian Raymor (MS OPEN TECH)" <Brian.Raymor@microsoft.com> Fri, 13 February 2015 02:46 UTC
Return-Path: <Brian.Raymor@microsoft.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D41D1A0AF8 for <webpush@ietfa.amsl.com>; Thu, 12 Feb 2015 18:46:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2pMTJqxD0aj for <webpush@ietfa.amsl.com>; Thu, 12 Feb 2015 18:46:40 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0708.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:708]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0895E1A1A66 for <webpush@ietf.org>; Thu, 12 Feb 2015 18:46:40 -0800 (PST)
Received: from BY2PR0301MB0647.namprd03.prod.outlook.com (25.160.63.14) by BY2PR0301MB0647.namprd03.prod.outlook.com (25.160.63.14) with Microsoft SMTP Server (TLS) id 15.1.87.13; Fri, 13 Feb 2015 02:46:23 +0000
Received: from BY2PR0301MB0647.namprd03.prod.outlook.com ([25.160.63.14]) by BY2PR0301MB0647.namprd03.prod.outlook.com ([25.160.63.14]) with mapi id 15.01.0087.013; Fri, 13 Feb 2015 02:46:23 +0000
From: "Brian Raymor (MS OPEN TECH)" <Brian.Raymor@microsoft.com>
To: "webpush@ietf.org" <webpush@ietf.org>
Thread-Topic: Feedback on draft-thomson-webpush-http2-02
Thread-Index: AdBHKFp8U9Vp+oxdSPGQKU6/2NUTHA==
Date: Fri, 13 Feb 2015 02:46:23 +0000
Message-ID: <BY2PR0301MB06475155A1F8C74271D4330B83230@BY2PR0301MB0647.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2601:8:9500:ee:8d5d:b0f5:119c:64d6]
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BY2PR0301MB0647;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:; SRVR:BY2PR0301MB0647;
x-forefront-prvs: 0486A0CB86
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(46102003)(92566002)(86612001)(110136001)(33656002)(19580395003)(76576001)(99286002)(77156002)(229853001)(40100003)(62966003)(450100001)(2351001)(107886001)(122556002)(74316001)(2900100001)(87936001)(2656002)(2501002)(230783001)(102836002)(15975445007)(86362001)(50986999)(54356999); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR0301MB0647; H:BY2PR0301MB0647.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Feb 2015 02:46:23.7514 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR0301MB0647
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/e-VQNS11XJi4ltIMYBZzeaulkJU>
Subject: [Webpush] Feedback on draft-thomson-webpush-http2-02
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2015 02:46:43 -0000
We plan to attend the IETF 92 meeting and to share proposals prior to the March 9th cut-off date.
1.1. Conventions and Terminology
Minor - recommend consistent use of "user agent" throughout the draft. There are also references to "client" or "device". For example:
> "the device creates a registration resource"
> "A client sends a POST"
Section 2. Overview
The diagram illustrates "Provide Subscription" between the UA and its Application Server, but there are no further details in the draft. While the expectation is that this is left unspecified by the protocol, further details could be outlined - similar to the text for Push Server discovery and authorization?
Section 3. Subscription
> The push server includes the "registration" link relation in a Location header field.
> HTTP/1.1 201 Created
> ....
> Link: </monitor/1G_GIPMorg_n-IrQvqZr6g>;
> rel="urn:ietf:params:push:reg"
> Location: https://push.example.net/reg/1G_GIPMorg_n-IrQvqZr6g
In the sample response, should the Location header and the Registration Link paths correspond:
Link: </monitor/1G_GIPMorg_n-IrQvqZr6g>;
...
Location: https://push.example.net/monitor/1G_GIPMorg_n-IrQvqZr6g
Section 5. Requesting Push Message Delivery
This could be removed since it is simply implementation guidance?
> A push service that does not store messages can stream the payload of
> push messages to the user agent. Flow control SHOULD be used to
> limit the state commitment for delivery of large messages.
We plan to propose an optional payload to support parameters such as:
* time-to-live
* multicast
* delivery receipt
Section 6. Receiving Push Messages
No error conditions/behaviors are defined for cases such as an invalid :path in the PUSH_PROMISE?
> ... This request also triggers the delivery
> of all push messages that the push service has stored but not yet
> delivered.
Could details of the response be further clarified?
> A user agent can request the last push message for a "subscription"
> resource by sending GET requests to its URI.
What is the scenario for this case? Is it related to collapsible messages?
Section 7.2 Push Message expiration
It would be useful for the Application Server to be able to send a hint to the Push Server for time-to-live. This is a common feature in existing implementations.
> ... Stored push messages
> SHOULD include a Last-Modified header field (see Section 2.2 of
> [RFC7232]) indicating when delivery was requested by an application
> server.
Why is a SHOULD preferred rather than a MUST?
Section 7.3 Registration and Subscription Expiration
> If a user agent has an outstanding request to the
> "registration" resource (see Section 6), this can be signaled by
> returning a 400-series response code, such as 410 (Gone). A push
> service uses server push to indicate that a subscription has expired;
> a pushed 400-series status code for the subscription resource signals
> the termination of a subscription.
What status code does an Application Server receive for expirations and terminations?
> A user agent can request that a registration or subscription be
> removed by sending a DELETE request to the corresponding URI.
If the registration is deleted, then are the related subscriptions also deleted?
Section 7.4 Implications for Application reliability
> An application developer might find it tempting to create alternative
> mechanisms for message delivery in case the push service fails to
> deliver a critical message.
> ...
> Applications are encouraged to instead provide a means to detect
> situations where push messages were not delivered and recover
> gracefully. For instance, an application server might include a
> sequence number in push messages; a gap in the sequence can then be
> used to trigger some form of state resynchronization.
It may be difficult to maintain a per-application sequence counter at scale. This also introduces complexity into the user agent. As noted above, our preference is for the protocol to support delivery receipts.
Section 8.1 Confidentiality from Push Server Access
> The Web Push API codifies this practice by requiring that each push
> subscription created by the browser be bound to a browser generated
> encryption key.
This should include the [API] informative reference? Is the W3C consensus still pending:
* Force confidentiality and integrity protection (encryption) #55 (https://github.com/w3c/push-api/issues/55)
* Add an Encryption Key array to the PushRegistration interface #89
(https://github.com/w3c/push-api/pull/89)
and is it useful to reference in the protocol?
8.4. Denial of Service Considerations
> End-to-end confidentiality mechanisms, such as those in [API],
Similar comment as in Section 8.1.
Brian Raymor
Senior Program Manager
Microsoft Open Technologies, Inc.
A subsidiary of Microsoft Corporation
- [Webpush] Feedback on draft-thomson-webpush-http2… Brian Raymor (MS OPEN TECH)
- Re: [Webpush] Feedback on draft-thomson-webpush-h… Martin Thomson