Re: [Webpush] AD Evaluation: draft-ietf-webpush-encryption

Martin Thomson <martin.thomson@gmail.com> Tue, 11 July 2017 00:48 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7E8127867; Mon, 10 Jul 2017 17:48:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wL4jJmby01gi; Mon, 10 Jul 2017 17:48:04 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DCB91241FC; Mon, 10 Jul 2017 17:48:04 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id k192so4319975ith.1; Mon, 10 Jul 2017 17:48:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1SFDNONk0ZeXfZkLUJdFZ2IjZcSULhU17AGnRaZMxfw=; b=MnvgvSM4bgLA2ahorcWK5dOcy4x/AZQ1HRCV6Q+4VIZCoXuxT4k9AsbtAtTihVjD1f xVYMbjP56fkEm/KHr3uJTQ1nnMoo2/tVJXziBWwHQhr+ipqc1WOe8uN7WUGRqBf7LDrg vQ47TlarNN1OY5wBRZITR7VYmxW+udYEXhKNpInBbHeUiC1eV3iwnY+Y9iigoCNdOSG7 pqpWfKIMTz1rh7a4IvCL2DaDtAqapIqGmuiiPpbyOf57cWzkgxK0ePN+Wx/zO85eVsAl 4UZ8+UiObezSC9ojf3njIxkIdr4mzIp2n6VmNn5mUWqH1wmYy2D4UNwHp3cBMO610qKE 7v9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1SFDNONk0ZeXfZkLUJdFZ2IjZcSULhU17AGnRaZMxfw=; b=QeJ1C+qK9P3BmIvUt8rvnAaw0AxtxLd4UN3EbZJIRpTREEL58PhcJneX1V7e6LyWc+ cO8BrHanvkuz7JSFpYV30rDHgYcRIN8+ntnZrRmhCc/fydokEsF1u5sBVAzIe7/yDjt6 qebIVftgQqKI4kPTIP0iK7LpzRaCznm7TgWCxL0i+yhKu4yYeJCdowr1BXWO0in6olkz OK9bqixZVfbJWXXxNFOPwHmOFmb2dUUc3XYoEYQ/aYB1KxbznOjAA0VClV51iKWKg1p1 GYMrzhaMu32gdHt32Xd6rs4l8OTW30u3WHB/+rQ21YTwGHaaKvzQ8VNceHnTdzCXrycx 2dvA==
X-Gm-Message-State: AIVw1105tEd8cQ3wJobK0x5bGfMYUcO48Sxb5k/DVEqcQOfdaY2g1pFH UU1evJvhHqdK8t27xgIjL8cvU08bRAyN74o=
X-Received: by 10.107.39.205 with SMTP id n196mr5867184ion.37.1499734083864; Mon, 10 Jul 2017 17:48:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.26 with HTTP; Mon, 10 Jul 2017 17:48:03 -0700 (PDT)
In-Reply-To: <b459a2d7-7bd3-a53d-9cdc-8126c9cc2ef9@nostrum.com>
References: <b459a2d7-7bd3-a53d-9cdc-8126c9cc2ef9@nostrum.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 11 Jul 2017 10:48:03 +1000
Message-ID: <CABkgnnWoLOY0SsgCeTcMFhnuaan=UOLaaX6WBKJesp-WCBmeJQ@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: "webpush@ietf.org" <webpush@ietf.org>, draft-ietf-webpush-encryption.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/rESAOVPNjapZE6bn_gVOlMnZYy4>
Subject: Re: [Webpush] AD Evaluation: draft-ietf-webpush-encryption
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 00:48:06 -0000

Thanks Adam,

Should you care: https://github.com/webpush-wg/webpush-encryption/pull/15

I can generate a new version and submit it at a time of your choosing
if these changes are acceptable.

On 11 July 2017 at 09:04, Adam Roach <adam@nostrum.com>; wrote:
> The final paragraph of section 2.1 uses the word "any" in a rather sweeping
> fashion, implying that the algorithms, key sizes, and consequent strengths
> for providing authentication, integrity, and confidentiality are immaterial.
> I would suggest qualifying this more carefully.

I've changed this to "An authenticated communication mechanism that
provides adequate confidentiality and integrity protection, such as
HTTPS [...]"

> The summary in section 3.4 is greatly appreciated. I'm a bit confused about
> the "salt = random(16)"

That's an error.  I have moved this to the right place.

> Section 4: s/the some of the length/the sum of the length/

Not in my copy; I think that Matt fixed this for me already.

> Section 5: "base64url" needs a definition -- I would suggest citing RFC
> 4648, section 5.

How did I miss that...

> The final ciphertext in the appendix appears to contain a spurious space.

I broke these into 32 character chunks so that line wrapping wouldn't
hurt too much, that's all.  I'll explain that better.