Re: [Webpush] Vapid public key

Martin Thomson <martin.thomson@gmail.com> Wed, 02 November 2016 03:55 UTC

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 02 Nov 2016 14:55:50 +1100
Message-ID: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com>
To: Costin Manolache <costin@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/nI0esUsN-3V623KrjFYLiXhw9lw>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>, Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>

On 2 November 2016 at 05:02, Costin Manolache <costin@gmail.com> wrote:
> I would also add that some of the bugs we've seen in our implementation
> were related to parsing and passing along the crypto key. Even for
> VAPID I would love to see the sender public key appended to the
> Authorization header somehow instead of in a separate Crypto-Key header.

Putting the public key in the JWT header is probably doable, but it
means double base64 encoding for the key. I'd want to hear that people
are OK with it before making a change.

Note that this is probably a net increase in header size (I make it to
be a 22-octet increase, even losing the Crypto-Key header field
entirely). Header size probably isn't that important on this request
though.
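A worked comparison of the two layouts being discussed, added here as an example; it is not code from the thread or from any webpush implementation. It builds the request headers both ways (key in a separate `Crypto-Key: p256ecdsa=...` field, as in the draft at the time, versus key as a member of the JWT header) and counts octets, so the cost of the double base64url encoding can be seen directly. Assumptions: the JWT header member name `k` is a hypothetical choice (the thread does not name one, and the net figure moves with the name chosen); the key and signature bytes are constructed placeholders of the right length (65-octet uncompressed P-256 point, 64-octet raw ES256 signature), so no signing is performed; header size is counted as HTTP/1.1 `Name: value` lines with CRLF, ignoring HPACK.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding JWS and VAPID use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding urlsafe_b64decode insists on."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample data, not real key material: a 65-octet uncompressed
# P-256 point (0x04 || X || Y) and a 64-octet placeholder for the raw ES256
# signature (r || s). Only their lengths matter for the size comparison.
SAMPLE_PUBKEY = b"\x04" + bytes(range(1, 65))
SAMPLE_SIG = bytes(64)
SAMPLE_CLAIMS = {
    "aud": "https://push.example.net",
    "exp": 1478145350,
    "sub": "mailto:push@example.com",
}


def jwt_compact(header: dict, claims: dict, sig: bytes) -> str:
    """Compact JWS serialization: b64url(header).b64url(claims).b64url(sig)."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{b64url(sig)}"


def headers_separate(pubkey: bytes, claims: dict, sig: bytes) -> dict:
    """Draft layout under discussion: JWT in Authorization, key in Crypto-Key."""
    token = jwt_compact({"typ": "JWT", "alg": "ES256"}, claims, sig)
    return {
        "Authorization": f"WebPush {token}",
        "Crypto-Key": f"p256ecdsa={b64url(pubkey)}",
    }


def headers_embedded(pubkey: bytes, claims: dict, sig: bytes, field: str = "k") -> dict:
    """Alternative layout: the key is a member of the JWT header, so its
    base64url string is base64url-encoded a second time as part of the header
    segment. The member name `field` is a hypothetical choice, not from a draft."""
    header = {"typ": "JWT", "alg": "ES256", field: b64url(pubkey)}
    return {"Authorization": f"WebPush {jwt_compact(header, claims, sig)}"}


def recover_embedded_key(headers: dict, field: str = "k") -> bytes:
    """Receiver side of the double encoding: decode the header segment, parse
    the JSON, then decode the key string found inside it."""
    token = headers["Authorization"].split(" ", 1)[1]
    header = json.loads(b64url_decode(token.split(".")[0]))
    return b64url_decode(header[field])


def wire_size(headers: dict) -> int:
    """Octets of HTTP/1.1 header lines ('Name: value' + CRLF each), ignoring
    HPACK; enough to compare the two layouts."""
    return sum(len(n) + 2 + len(v) + 2 for n, v in headers.items())


def size_delta(pubkey: bytes, claims: dict, sig: bytes, field: str = "k") -> int:
    """Positive when embedding the key in the JWT header costs more octets
    than carrying it in Crypto-Key."""
    embedded = wire_size(headers_embedded(pubkey, claims, sig, field))
    separate = wire_size(headers_separate(pubkey, claims, sig))
    return embedded - separate


if __name__ == "__main__":
    print("key as base64url:", len(b64url(SAMPLE_PUBKEY)), "chars")
    print("net change with key in JWT header:",
          size_delta(SAMPLE_PUBKEY, SAMPLE_CLAIMS, SAMPLE_SIG), "octets")
```

With the one-letter member name the embedded layout comes out 15 octets larger than Crypto-Key; a nine-character name such as `p256ecdsa` makes it 25 octets larger. The 87-character key string grows to about 116 characters once it is base64url-encoded again inside the header segment, and that growth is what outweighs dropping the `Crypto-Key: p256ecdsa=` line. `recover_embedded_key` shows the receiver-side consequence: two decode steps and a JSON parse in place of reading one header parameter.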