[Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection

Phil Sorber <sorber@apache.org> Fri, 18 August 2017 02:59 UTC

From: Phil Sorber <sorber@apache.org>
Date: Fri, 18 Aug 2017 02:58:55 +0000
To: "webpush@ietf.org" <webpush@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/pDIpvHB5FADAGryccKYkqAo4v-4>

This is a call for consensus for an issue relating to
draft-ietf-webpush-vapid, which is currently in IESG evaluation. Interested
participants should respond no later than Friday, September 1st 2017.

During its initial review, one of the Security Area Directors expressed
concerns regarding the cryptographic properties of the JWT:


Specifically: as implemented, the JWT is merely a bearer token. While the
DISCUSS provides a thumbnail sketch of how this could be mitigated, the
crux of the issue isn’t the specifics of the implementation, but whether
the WG had considered other, more cryptographically secure approaches.

Although participants are free to respond in any way they choose, the most
useful input would be of one of the following three forms:


   1. I believe the working group has already discussed adding such a
      mechanism and rejected it (with citation to an email discussion or
      minutes reflecting such discussion).

   2. I do not think the working group has discussed the issue before, however
      I am opposed to changing the mechanism prior to publication because...

   3. I do not think the working group has discussed the issue before, and
      would support bringing the document back to the working group for the
      purpose of mitigating copy-and-paste attacks.

Thank you.