IETF Logo Mail Archive

Re: [Webpush] Vapid public key

Costin Manolache <costin@gmail.com> Mon, 21 November 2016 04:02 UTC

Return-Path: <costin@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCB39129567 for <webpush@ietfa.amsl.com>; Sun, 20 Nov 2016 20:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjR3WGr2oBCf for <webpush@ietfa.amsl.com>; Sun, 20 Nov 2016 20:02:04 -0800 (PST)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D1B7129439 for <webpush@ietf.org>; Sun, 20 Nov 2016 20:02:04 -0800 (PST)
Received: by mail-io0-x234.google.com with SMTP id c21so30356341ioj.1 for <webpush@ietf.org>; Sun, 20 Nov 2016 20:02:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6ZZ4qhhWMEcuJcz15zQQkRb3A7XJG9eFXVa08ShSPqI=; b=nCvD3rhC5NvIvQ2bVxEt7A/lkRI41Rmcj88nxF42At0Tkt1yHUpPwP4n7dXPcn0Kl2 B1xPN323dVUeuqriVnHTMTt61F264mFc0lClCaAR+SMGiXiIRc8AWsAVN4FrPLOGnIge Fdfw3e+H4Kdb88j+frL3USjEMzyojxK44OdzrSik9VmzON7pTJ4EIzU6KZz6EI7aYnA3 R2SuAHExrcPDyNbvPS21FP3AztIbKnqgk2C7hE9feyA5LngxGg1zJ4NA1ZG6TRzGai7a a4DVZl9AOJL/6G2cx4gsp8wlpmQBQ1d/1FGwXXP920ttjJPeYSzNT0xCmUEuvyKYPOLF p+cA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6ZZ4qhhWMEcuJcz15zQQkRb3A7XJG9eFXVa08ShSPqI=; b=iaBestlvvlJQ3TZ6UfzuWPLpoPDjTKblq/89sWgTJRFZeeMGOOHFngZJsrJSApwMLH sEYv7kYrJBMeW0bfEeQCU5XDnyf6JfPcYI06lECo04NxDlhPcELtIPEti2lxW1kzcnlU xm4hy/ZVL1taei147emjbYvEYOmTKuAK6yAkbQngkJqi8PN8MtDZClAbGowjofaQmBTY oAwG9sR0SI8V5H83sYGMiL8hw/kg34cL3NnurS+tpRL8Mf8vL6sI7CumY/ltbIZAS6Ok aN2zAF2iJvfmDUyYDTtREnvjhi7oVPwflFZLlvFHPwGihX4Y+lKB6NOnvKixSCX1Pr/R Q9UQ==
X-Gm-Message-State: AKaTC01SRCu6oYEO1ZKb67AYwXMazKlImhFqBStOpunyv3TKFYetx6nBc+ReiLm3Tp7qMFMYWciaInqTP0osvw==
X-Received: by 10.107.18.208 with SMTP id 77mr9311067ios.195.1479700923559; Sun, 20 Nov 2016 20:02:03 -0800 (PST)
MIME-Version: 1.0
References: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com> <CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com> <CABkgnnX4aAjnZyu3morJOLatuuj9k4NSoTpoNtF7YjtRUFQOnQ@mail.gmail.com> <CAP8-Fq=Zd66ZhWm+gYesOpc2NZ-YBpy2+bHdr6O+h1KG2s16uw@mail.gmail.com> <CABkgnnX8bmzsmx0EGJ8h5R4k4i=3KBaLXucekyv98PTz01f9fw@mail.gmail.com> <CABkgnnVvVHMFrbJYgF9GZEumDhvM_kHBf30TdHWxzSzpX1_CTw@mail.gmail.com> <CAP8-Fqn3ji66Ox3dEj_SifEpxgmYZrLWoyYy36PUS0o6eTLZrw@mail.gmail.com> <CABkgnnVaekCff2rxz2CWG9M+s=ud2k7J6ca_bLZRvwF5vZdAww@mail.gmail.com>
In-Reply-To: <CABkgnnVaekCff2rxz2CWG9M+s=ud2k7J6ca_bLZRvwF5vZdAww@mail.gmail.com>
From: Costin Manolache <costin@gmail.com>
Date: Mon, 21 Nov 2016 04:01:52 +0000
Message-ID: <CAP8-Fqn3z=y6chng+0XruesET4VbCqbkcMuPT2GCx_wiOQs6sg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a113eca92ec37450541c7b70f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/gmBIJLBZqqUGad1gZy201dt0ZQ0>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>, Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2016 04:02:06 -0000

On Sun, Nov 20, 2016 at 5:32 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 20 November 2016 at 02:53, Costin Manolache <costin@gmail.com> wrote:
> > One more small suggestion: one of the pain points ( for me ) is the W3C
> > subscribe taking the
> > vapid pubkey as bytes instead of a string, and having to include the key
> in
> > .js files as a constant.
>
> Your suggestion being that we define a base64url parser.  You can
> include the key in the form Uint8Array.from([4, 5, 6, 6, ...]);  It's
> bigger and you have to work it out once, but it saves shipping a
> converter.
>

Not really - the UA will need to take the uint8[] and convert it to b64 -
since that's what
the push service expects. AFAIK the UA has no use with the vapid public key
in current
protocol (except pass it along in subscribe) - we do not pass the
Authorization header
from push service to UA




>
> Either way, this is probably something to take here:
> https://github.com/w3c/push-api/issues
>
> > Would it be possible to define a .well-known/vapid/... file where the
> public
> > key can be saved ?
> > This may simplify tools, testing ( test env may use test sender keys),
> etc.
> > One problem is that
> > .well-known is at root - so either have
> > /.well-known/vapid/ENCODED_SW_URL.pub or
> > have a less standard .well-known/ in the same directory with the SW.
>
> Now that we are considering removal of Crypto-Key (I'm about to send
> out drafts with that change), I need to work out how to push the keys
> along with the registration.  I don't think that using .well-known
> will give us the right binding to the subscription request though.
>
> Maybe I don't understand the proposal, though.  Can you walk through
> how a client would use this?
>

If client calls subscribe() - the UA will look for .well-known/vapid.pub
and pass it
in the /subscribe request to the push service.

If client calls subscribe( Uint8Array ) - UA will use the explicit key.

It is a bit simpler to just copy the key in a defined location - in
particular if you have
multiple environments. It is possible to do it in code too ( using the URL
to decide
which key to use ). Some people may also like the more declarative
approach.

Not a big deal - but I think it would be nice.

Re. Crypto-Key: my understanding was that there are use cases for it, as a
way to
distribute keys, as discussed in the other thread. Subscribe needs some
header
( or query param ?) to pass the authorized entity to the push service. We
just
don't need it for authorization or encrypted body.

Costin

v2.23.0 | Report a Bug | By Email