[Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection
Phil Sorber <sorber@apache.org> Fri, 18 August 2017 02:59 UTC
Return-Path: <sorber@apache.org>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5D5113226B for <webpush@ietfa.amsl.com>; Thu, 17 Aug 2017 19:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.41
X-Spam-Level:
X-Spam-Status: No, score=-6.41 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WiUd2BldZn_D for <webpush@ietfa.amsl.com>; Thu, 17 Aug 2017 19:59:09 -0700 (PDT)
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by ietfa.amsl.com (Postfix) with SMTP id E55D61326E1 for <webpush@ietf.org>; Thu, 17 Aug 2017 19:59:08 -0700 (PDT)
Received: (qmail 63612 invoked by uid 99); 18 Aug 2017 02:59:08 -0000
Received: from mail-relay.apache.org (HELO mail-relay.apache.org) (140.211.11.15) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 18 Aug 2017 02:59:08 +0000
Received: from mail-qk0-f182.google.com (mail-qk0-f182.google.com [209.85.220.182]) by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with ESMTPSA id C9ACD1A04D8 for <webpush@ietf.org>; Fri, 18 Aug 2017 02:59:07 +0000 (UTC)
Received: by mail-qk0-f182.google.com with SMTP id a77so46839671qkb.0 for <webpush@ietf.org>; Thu, 17 Aug 2017 19:59:07 -0700 (PDT)
X-Gm-Message-State: AHYfb5hHemWBzufUcUtTGOXSyYg8qEslqWEVJExggQfdiSxXeE0JK36e SRti1ONMDkgyg97EVRIyLuaqTgrk5Q==
X-Received: by 10.55.161.133 with SMTP id k127mr9695382qke.164.1503025146167; Thu, 17 Aug 2017 19:59:06 -0700 (PDT)
MIME-Version: 1.0
From: Phil Sorber <sorber@apache.org>
Date: Fri, 18 Aug 2017 02:58:55 +0000
X-Gmail-Original-Message-ID: <CABF6JR0E+o9hL2uQKyqih2z03adqkH0OXp8f0MNqqdDv-YJPUg@mail.gmail.com>
Message-ID: <CABF6JR0E+o9hL2uQKyqih2z03adqkH0OXp8f0MNqqdDv-YJPUg@mail.gmail.com>
To: "webpush@ietf.org" <webpush@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0772aeed0ea50556fe4fa6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/pDIpvHB5FADAGryccKYkqAo4v-4>
Subject: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 02:59:11 -0000
This is a call for consensus for an issue relating to draft-ietf-webpush-vapid, which is currently in IESG evaluation. Interested participants should respond no later than Friday, September 1st 2017. During its initial review, one of the Security Area Directors expressed concerns regarding the cryptographic properties of the JWT: https://mailarchive.ietf.org/arch/msg/webpush/HYW9NcUioQo5X2Np-d2hjCzB1Fo Specifically: as implemented, the JWT is merely a bearer token. While the DISCUSS provides a thumbnail sketch of how this could be mitigated, the crux of the issue isn’t the specifics of the implementation, but whether the WG had considered other, more cryptographically secure approaches. Although participants are free to respond in any way they choose, the most useful input would be of one of the following three forms: 1. I believe the working group has already discussed adding such a mechanism and rejected it (with citation to an email discussion or minutes reflecting such discussion). 2. I do not think the working group has discussed the issue before, however I am opposed to changing the mechanism prior to publication because... 3. I do not think the working group has discussed the issue before, and would support bringing the document back to the working group for the purpose of mitigating copy-and-paste attacks. Thank you.
- [Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste… Phil Sorber
- Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-p… JR Conlin
- Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-p… Costin Manolache
- Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-p… Martin Thomson
- Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-p… Phil Sorber
- Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-p… Martin Thomson