IETF Logo Mail Archive

Re: [Webpush] Voluntary Application Server Identification -02

JR Conlin <jconlin@mozilla.com> Wed, 10 February 2016 22:30 UTC

Return-Path: <jconlin@mozilla.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39C201B30D0 for <webpush@ietfa.amsl.com>; Wed, 10 Feb 2016 14:30:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h4Dwgqe6GGE2 for <webpush@ietfa.amsl.com>; Wed, 10 Feb 2016 14:30:07 -0800 (PST)
Received: from mail-pa0-x22c.google.com (mail-pa0-x22c.google.com [IPv6:2607:f8b0:400e:c03::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FC061B30D5 for <webpush@ietf.org>; Wed, 10 Feb 2016 14:30:06 -0800 (PST)
Received: by mail-pa0-x22c.google.com with SMTP id fl4so6709080pad.0 for <webpush@ietf.org>; Wed, 10 Feb 2016 14:30:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla-com.20150623.gappssmtp.com; s=20150623; h=from:subject:to:references:cc:organization:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=ybpeTQsJpsjstnIRzp9XUIdCLCjYiTKG/B7OUzi/AVE=; b=fVrQgbYa9DXovehHe4ox/dlsPY9vcwOHWidtB19a3eyYmaaiZ1Z1pZDvjsWfS6y8qG K2xCZzaltTqx0aAb7B5LD7Lx+282xfP9znFwAlVmD6Gtm0axm5OY9Y3Bdcm7qQG913Ab SqvLI4jn9HJVHYvQPhd95kZXeTRrm3H6nHPD0YwYru2TS8QUMvFLymwViMrn2AjgnA06 9LTncFTiGBa9PrNwbtfAn1WyQEtJdgUoJb/DS/4dAktc2L/tZjjkYR6TGfm6kM7zxUR4 Y7E/8Smn8kWRvZ4pSO3d5Ba72gOAK/bZ41T0h7dOROSNcjK3gI21tW1s9ldip2KJ151c 3yjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:references:cc:organization :message-id:date:user-agent:mime-version:in-reply-to:content-type; bh=ybpeTQsJpsjstnIRzp9XUIdCLCjYiTKG/B7OUzi/AVE=; b=kgl0hSuSgkpNzpRGTjqf/T9gGSCL7yAsvWfK/x/JhVo23E2GNZcXeEDkZnu1LOhhg1 2S9ARQEtJvaezkiLhQfivr8HRmn7MOdwbEw1Qy6slR07VYTtzUJpyW870PD4fTarrt21 JDFLu7/cq38ZLcNI01RasrLCFPVGEaIOb7JamXVKyI0eoVdRiQDqkiOL4d1DjM2gTAtE apa6QDYoPfU6MgZha/My+TypzDpeL61OTrCXMhQaQD/cyZ1fWZQ5hcSe9titpYbp56xf ea0ovgqCZAhn55A7wzTkWTMzijtKZnaivY3AD00iSgZBIsVqmJzsb9CBIytPNzh7EDRd fuQw==
X-Gm-Message-State: AG10YOQVZysI/J+nQzUlVS+XxkB5Z1jQ8hT706BJcXzvzcXAeocT4u4BsHn8p2f6W00ptZZC
X-Received: by 10.67.22.166 with SMTP id ht6mr62472099pad.9.1455143406553; Wed, 10 Feb 2016 14:30:06 -0800 (PST)
Received: from ?IPv6:2620:101:80fc:224:4953:821e:b31b:6d71? ([2620:101:80fc:224:4953:821e:b31b:6d71]) by smtp.gmail.com with ESMTPSA id wt2sm7413766pac.48.2016.02.10.14.30.05 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 10 Feb 2016 14:30:05 -0800 (PST)
From: JR Conlin <jconlin@mozilla.com>
X-Google-Original-From: JR Conlin <jrconlin@mozilla.com>
To: Costin Manolache <costin@gmail.com>, Peter Beverloo <beverloo@google.com>
References: <CABkgnnXMA1do2jLoNuALz5V+416RELu=FWyEj8nExC+xn3vnpw@mail.gmail.com> <CALt3x6=T7+PDBRYfBeSNuCABi824Vpno9N+2Y7Jg=5pYUxBvCw@mail.gmail.com> <CAP8-FqkTteuTU8JpqWCr-7LB9niM4ng26U8gomWrc=zvp4xJ5w@mail.gmail.com>
Organization: mozilla
Message-ID: <7f44560b-5b3e-fa6c-47de-b10fd6265379@mozilla.com>
Date: Wed, 10 Feb 2016 14:30:04 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Thunderbird/46.0a2
MIME-Version: 1.0
In-Reply-To: <CAP8-FqkTteuTU8JpqWCr-7LB9niM4ng26U8gomWrc=zvp4xJ5w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5D2F9DDFA5637A02677815FB"
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/wuS8Mk8ULfNPFSC-CWu3-Uyzj7k>
Cc: Martin Thomson <martin.thomson@gmail.com>, "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Voluntary Application Server Identification -02
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2016 22:30:11 -0000

While talking with Kit, I'd like to present a set of rules (I was going
to call them best practices, but really, that's like saying "Do not lick
high voltage lines" is a best practice.)

1) If a site registers a public key as part of a subscription request,
that key is used to validate the JWT. Invalid JWTs result in a 401.

2) If a site registers a public key, it should NOT include the public
key as part of the Crypto-Key header in the Push request (since this
increases the chance that the key is inadvertently disclosed.)
I'm not sure how or if we should signal that back to the App Servers.

3) If the Crypto-Key:p256ecdsa == Crypto-Key:p256dh, that will return a
401. (it's just math kids, you can pick different coordinate sets, for
free.)

Seem reasonable?

On 2/1/2016 12:33 PM, Costin Manolache wrote:
> +1
>
> Costin
>
> On Mon, Feb 1, 2016 at 10:43 AM, Peter Beverloo <beverloo@google.com
> <mailto:beverloo@google.com>> wrote:
>
>     Thank you for publishing the draft, Martin!
>
>     While I'm not sure how much significance it carries since I'm
>     listed as an editor, I do of course support the draft as the
>     resolve to Issue 44.
>
>     Server authentication and subscription association are important
>     problems to us, and, pending any further feedback from the working
>     group, we plan to adopt the proposed solution in our implementations.
>
>     Thanks,
>     Peter
>
>     On Mon, Feb 1, 2016 at 1:56 AM, Martin Thomson
>     <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote:
>
>         I have just posted a new version of the draft, taking the recent
>         feedback from discussions into account.
>
>         https://tools.ietf.org/html/draft-thomson-webpush-vapid-02
>
>         This includes only the JWT option, with a lot more of the details
>         fleshed out.  I've implemented it in order to create the
>         example, and
>         that is dead simple to do.
>
>         I think that this is the answer we want for issue 44 [44]. 
>         Does the
>         group agree? Is this worth adopting?
>
>         [44] https://github.com/webpush-wg/webpush-protocol/issues/44
>
>         _______________________________________________
>         Webpush mailing list
>         Webpush@ietf.org <mailto:Webpush@ietf.org>
>         https://www.ietf.org/mailman/listinfo/webpush
>
>
>
>     _______________________________________________
>     Webpush mailing list
>     Webpush@ietf.org <mailto:Webpush@ietf.org>
>     https://www.ietf.org/mailman/listinfo/webpush
>
>
>
>
> _______________________________________________
> Webpush mailing list
> Webpush@ietf.org
> https://www.ietf.org/mailman/listinfo/webpush

v2.8.7 | Report a Bug | By Email