Re: [Webpush] Vapid public key
Costin Manolache <costin@gmail.com> Mon, 21 November 2016 04:02 UTC
Return-Path: <costin@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCB39129567 for <webpush@ietfa.amsl.com>; Sun, 20 Nov 2016 20:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjR3WGr2oBCf for <webpush@ietfa.amsl.com>; Sun, 20 Nov 2016 20:02:04 -0800 (PST)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D1B7129439 for <webpush@ietf.org>; Sun, 20 Nov 2016 20:02:04 -0800 (PST)
Received: by mail-io0-x234.google.com with SMTP id c21so30356341ioj.1 for <webpush@ietf.org>; Sun, 20 Nov 2016 20:02:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6ZZ4qhhWMEcuJcz15zQQkRb3A7XJG9eFXVa08ShSPqI=; b=nCvD3rhC5NvIvQ2bVxEt7A/lkRI41Rmcj88nxF42At0Tkt1yHUpPwP4n7dXPcn0Kl2 B1xPN323dVUeuqriVnHTMTt61F264mFc0lClCaAR+SMGiXiIRc8AWsAVN4FrPLOGnIge Fdfw3e+H4Kdb88j+frL3USjEMzyojxK44OdzrSik9VmzON7pTJ4EIzU6KZz6EI7aYnA3 R2SuAHExrcPDyNbvPS21FP3AztIbKnqgk2C7hE9feyA5LngxGg1zJ4NA1ZG6TRzGai7a a4DVZl9AOJL/6G2cx4gsp8wlpmQBQ1d/1FGwXXP920ttjJPeYSzNT0xCmUEuvyKYPOLF p+cA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6ZZ4qhhWMEcuJcz15zQQkRb3A7XJG9eFXVa08ShSPqI=; b=iaBestlvvlJQ3TZ6UfzuWPLpoPDjTKblq/89sWgTJRFZeeMGOOHFngZJsrJSApwMLH sEYv7kYrJBMeW0bfEeQCU5XDnyf6JfPcYI06lECo04NxDlhPcELtIPEti2lxW1kzcnlU xm4hy/ZVL1taei147emjbYvEYOmTKuAK6yAkbQngkJqi8PN8MtDZClAbGowjofaQmBTY oAwG9sR0SI8V5H83sYGMiL8hw/kg34cL3NnurS+tpRL8Mf8vL6sI7CumY/ltbIZAS6Ok aN2zAF2iJvfmDUyYDTtREnvjhi7oVPwflFZLlvFHPwGihX4Y+lKB6NOnvKixSCX1Pr/R Q9UQ==
X-Gm-Message-State: AKaTC01SRCu6oYEO1ZKb67AYwXMazKlImhFqBStOpunyv3TKFYetx6nBc+ReiLm3Tp7qMFMYWciaInqTP0osvw==
X-Received: by 10.107.18.208 with SMTP id 77mr9311067ios.195.1479700923559; Sun, 20 Nov 2016 20:02:03 -0800 (PST)
MIME-Version: 1.0
References: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com> <CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com> <CABkgnnX4aAjnZyu3morJOLatuuj9k4NSoTpoNtF7YjtRUFQOnQ@mail.gmail.com> <CAP8-Fq=Zd66ZhWm+gYesOpc2NZ-YBpy2+bHdr6O+h1KG2s16uw@mail.gmail.com> <CABkgnnX8bmzsmx0EGJ8h5R4k4i=3KBaLXucekyv98PTz01f9fw@mail.gmail.com> <CABkgnnVvVHMFrbJYgF9GZEumDhvM_kHBf30TdHWxzSzpX1_CTw@mail.gmail.com> <CAP8-Fqn3ji66Ox3dEj_SifEpxgmYZrLWoyYy36PUS0o6eTLZrw@mail.gmail.com> <CABkgnnVaekCff2rxz2CWG9M+s=ud2k7J6ca_bLZRvwF5vZdAww@mail.gmail.com>
In-Reply-To: <CABkgnnVaekCff2rxz2CWG9M+s=ud2k7J6ca_bLZRvwF5vZdAww@mail.gmail.com>
From: Costin Manolache <costin@gmail.com>
Date: Mon, 21 Nov 2016 04:01:52 +0000
Message-ID: <CAP8-Fqn3z=y6chng+0XruesET4VbCqbkcMuPT2GCx_wiOQs6sg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a113eca92ec37450541c7b70f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/gmBIJLBZqqUGad1gZy201dt0ZQ0>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>, Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2016 04:02:06 -0000
On Sun, Nov 20, 2016 at 5:32 PM Martin Thomson <martin.thomson@gmail.com> wrote: > On 20 November 2016 at 02:53, Costin Manolache <costin@gmail.com> wrote: > > One more small suggestion: one of the pain points ( for me ) is the W3C > > subscribe taking the > > vapid pubkey as bytes instead of a string, and having to include the key > in > > .js files as a constant. > > Your suggestion being that we define a base64url parser. You can > include the key in the form Uint8Array.from([4, 5, 6, 6, ...]); It's > bigger and you have to work it out once, but it saves shipping a > converter. > Not really - the UA will need to take the uint8[] and convert it to b64 - since that's what the push service expects. AFAIK the UA has no use with the vapid public key in current protocol (except pass it along in subscribe) - we do not pass the Authorization header from push service to UA > > Either way, this is probably something to take here: > https://github.com/w3c/push-api/issues > > > Would it be possible to define a .well-known/vapid/... file where the > public > > key can be saved ? > > This may simplify tools, testing ( test env may use test sender keys), > etc. > > One problem is that > > .well-known is at root - so either have > > /.well-known/vapid/ENCODED_SW_URL.pub or > > have a less standard .well-known/ in the same directory with the SW. > > Now that we are considering removal of Crypto-Key (I'm about to send > out drafts with that change), I need to work out how to push the keys > along with the registration. I don't think that using .well-known > will give us the right binding to the subscription request though. > > Maybe I don't understand the proposal, though. Can you walk through > how a client would use this? > If client calls subscribe() - the UA will look for .well-known/vapid.pub and pass it in the /subscribe request to the push service. If client calls subscribe( Uint8Array ) - UA will use the explicit key. It is a bit simpler to just copy the key in a defined location - in particular if you have multiple environments. It is possible to do it in code too ( using the URL to decide which key to use ). Some people may also like the more declarative approach. Not a big deal - but I think it would be nice. Re. Crypto-Key: my understanding was that there are use cases for it, as a way to distribute keys, as discussed in the other thread. Subscribe needs some header ( or query param ?) to pass the authorized entity to the push service. We just don't need it for authorization or encrypted body. Costin
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key Martin Thomson
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Costin Manolache
- Re: [Webpush] Vapid public key jr conlin
- Re: [Webpush] Vapid public key Martin Thomson