IETF Logo Mail Archive

Re: [Webpush] Vapid public key

Martin Thomson <martin.thomson@gmail.com> Wed, 02 November 2016 05:59 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C18A5129513 for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 22:59:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nXMe-JzeNLDF for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 22:59:57 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 528B71293F2 for <webpush@ietf.org>; Tue, 1 Nov 2016 22:59:57 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id q130so6626100qke.1 for <webpush@ietf.org>; Tue, 01 Nov 2016 22:59:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cUP52mPmThxEoLbdFeenVspcRt08AaBgp9LPmd7uqk8=; b=Ula72xJOAyZwzOY8DaRauFDvHuOWVrWCdFFgdbetE43AkKnEIUSME5XbY7nN8dt5V6 w2CzP2YCm2QC77cZ2hG72Pmd5AERLHg/rU0THSRoXiwb+BUP9cqatEyk3/RljDvGRoLd DRBCClZnl2Ty2S4sJURyPV8W/GN2ITe6MIKopHL/+A48G15dziNMeSFB9WO8K9/1i4+p nZIMipkrpaUGZ9+gmAxNxXQsL+dIoMV/c1xb167TEmOG/5R2ABEI17OtL8q8YS1z8BO0 bGOXvoX7gvw5sy1AVMlErkXTdL+31VRZsdMYnUF0acLrUfEXO7QWt2NBzbxyxWncUWye 0FPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cUP52mPmThxEoLbdFeenVspcRt08AaBgp9LPmd7uqk8=; b=J++pjDjHT8KSZvYAysrAce7OHhvXqGhAWKmtWnC7bpmECyM0G7ZdCOwE1XyLOyeeBn ASlPnDL50ig8ihgGJ6/x7uwSJB/kHIUfNvf1UiyNDfWEq8Wwazo3ZHU808yP39WWWfA0 BLPz2wbZGtWO0jZf/zWDFCdfET/XLbPWrRq22SMk/U1tWSB/xweoqMnQVkJC6LhvLtd4 GNXIiQdgRz6lWL/pfOv3o0ZT+cWiyEh17swo1cDrPNPB6OKcuH6HThAOkFFs8Fk+0zMl cUmFL5CdYWpQlFQ34b+fuysA6pN0WTOJVQFX8NNVAoFmQPkec9hJ1HHNhCWTrhxlARHJ Lv0A==
X-Gm-Message-State: ABUngvfytehGJ9ElyfLeSX8/vEFUT2rdWLnRYz0XyfDLDzfm9XsNvEtOiVFSGmfr5vQitUIdTCCO522kcNCvgA==
X-Received: by 10.55.12.2 with SMTP id 2mr1557364qkm.68.1478066396486; Tue, 01 Nov 2016 22:59:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.7 with HTTP; Tue, 1 Nov 2016 22:59:55 -0700 (PDT)
In-Reply-To: <CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com>
References: <CABkgnnVKd+kAZPD5KirF7NaGMDBSpaO6FR3yE8d+c3ge3-He3w@mail.gmail.com> <CAP8-FqmBUHd5up7Jfo+veFWvL22XiPwGGXNnOW6rm7nxeESU_g@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 02 Nov 2016 16:59:55 +1100
Message-ID: <CABkgnnX4aAjnZyu3morJOLatuuj9k4NSoTpoNtF7YjtRUFQOnQ@mail.gmail.com>
To: Costin Manolache <costin@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/xHdO-c3QSKgfdin1ivdR3aG5RXo>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>, Peter Beverloo <beverloo@google.com>
Subject: Re: [Webpush] Vapid public key
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 05:59:59 -0000

On 2 November 2016 at 16:10, Costin Manolache <costin@gmail.com> wrote:
> Authorization: webpush PUBLICKEY:JWT_TOKEN

The grammar (RFC 7235) is:

     credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
     token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

With JWT, we've opted to use the "token68" form (also shown here).
Given that base64url takes '-', '_', and '.', we could separate on
'/'.  '/' is a valid base64 (the non-url-safe variant) character, but
we could split on that.

For existing implementations, you would have to accept that you are
going to have to sniff for this, or we could use a new auth-scheme.  I
think that sniffing should be workable given that you won't have a
Crypto-Key header field.

And before I forget, the ugliest option of all is to use JWK inside
the JWT.  Here's an example of a JWK:

{"crv":"P-256","ext":true,"key_ops":["verify"],"kty":"EC","x":"20zCfUuIs0NGtaVxENI4VH0YyJOUuxp973BTZTfhe1A","y":"WEMWyistS_sD6gGLN4IISWdIMQxZoCHAhlZ8zkmcVUI"}

The ext and key_ops fields can be omitted safely - I just pulled this
straight out of webcrypto - though it's still even bigger than you
might like.

v2.23.0 | Report a Bug | By Email