From nobody Mon Jul 3 08:57:45 2017 Return-Path: X-Original-To: webpush@ietf.org Delivered-To: webpush@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2D713169F; Mon, 3 Jul 2017 08:57:28 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit From: Stefan Winter To: Cc: webpush@ietf.org, ietf@ietf.org, draft-ietf-webpush-vapid.all@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.55.2 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <149909744835.22804.5791695515985213782@ietfa.amsl.com> Date: Mon, 03 Jul 2017 08:57:28 -0700 Archived-At: Subject: [Webpush] Opsdir last call review of draft-ietf-webpush-vapid-03 X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Jul 2017 15:57:29 -0000 Reviewer: Stefan Winter Review result: Has Issues Cryptographic agility is ensured by requiring an all-new protocol in case a different algorithm is used, or any other protocol property is changed (the newly defined auth scheme "vapid" is hard-wired to ECDSA NIST P-256, and there is no version field in the JWT token). Considering that the JWT header and JWK fields describe their signing method, making it cryptographically agile, pinning the algorithm appears to be a strange choice (see the example in 2.4). The last paragraph of Security Considerations remains a mystery to me. What is a "gradual migration"? With no key rollover, any change of key simply breaks all clients with using that key. The last sentence implies that such a hard failure is acceptable. That's a rather simplistic protocol design. The example in 2.4 does not appear to be correct. I cannot decode "t": > base64 --decode eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1YiI6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0.i3CYb7t4xfxCDquptFOepC9GAu_HLGkMlMuCGSK2rpiUfnK9ojFwDXb1JrErtmysazNjjvW2L9OkSSHzvoD1oA {"typ":"JWT","alg":"ES256"}base64: ungültige Eingabe From nobody Mon Jul 3 09:23:27 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40110129ADA for ; Mon, 3 Jul 2017 09:23:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outer-planes-net.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NeFBOJgeI_oC for ; Mon, 3 Jul 2017 09:23:23 -0700 (PDT) Received: from mail-yb0-x22c.google.com (mail-yb0-x22c.google.com [IPv6:2607:f8b0:4002:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A219E129482 for ; Mon, 3 Jul 2017 09:23:23 -0700 (PDT) Received: by mail-yb0-x22c.google.com with SMTP id v197so31055382ybv.3 for ; Mon, 03 Jul 2017 09:23:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outer-planes-net.20150623.gappssmtp.com; s=20150623; h=sender:to:from:subject:message-id:date:user-agent:mime-version; bh=k/Pp3ob4geyjENktyuovr7N+LQVeQ5Qt1gpc36fTA3Y=; b=b+I7ffzJ8Q0TU9Psm3eTqiAbtLQoM63RAbP43GYxJuMkGAImllVZuz38Skx5SxoQ4j 30NpFdFv4PTudcHhKK9drt+r6rfHJE3EhdLM3kspZ5FfrLzGC3/OtISczYaPo9FWYCKz t1NEtPkfig2k8xSfchpsHiodBKLZa8BSrW6hUdYI6ZC8J1EyFxVZBVHH/G25m4NzXb4L SEp7D7B/b7XAXDBWl8h7GPDd1GaOQpFC++CA8Re1nVkFZJH9Ev7kCnprlYldpL8zlXBk 3CsklwFIvB2Ftksut8GlXkDbvLG2XfYZBrDGiVnefBJkjXoyVrZQTPPbRe9q7CUu+RN5 Y57A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:to:from:subject:message-id:date :user-agent:mime-version; bh=k/Pp3ob4geyjENktyuovr7N+LQVeQ5Qt1gpc36fTA3Y=; b=YfM8eQjY6A0kbVc8gyXwNK85fo2JfB5dLiRbHzx1bGgwaGZFB9tiP3ZUpeuC06JKPU 24aJv+HvGVB1jx61W0QapyytCtKtor4Nh1bulMH37DzUB58GX6UnvcgUpRxTcKsFyDDx 7QNa8TUYZEQhEsFnO0/XH8UnSXTGyCefdvNVRBRsMFIiDyGJ7K8Petq3x0auSL2MYuAn nVJKQSBpSsHpZCLnyLoqMXsRoxJDtVR1S+VjqCHnLjqjPWdvm1rdU/COXKzMIRaiUcBl xXxJWsCS+jXFikhUP93Swq9bAgiptZy2Pgkj+gQzIkBQt/X70kMBFiukoLdG3ivyN0nr GR9w== X-Gm-Message-State: AKS2vOxUjNnVILqfqQXTaskuAlt2qsusUNSVZxfbpS0Mm1SJFAYD2Vpq Es6skCF6xYbaLbUuDQntNA== X-Received: by 10.37.125.133 with SMTP id y127mr29067019ybc.238.1499099002747; Mon, 03 Jul 2017 09:23:22 -0700 (PDT) Received: from [10.6.23.170] ([128.177.113.102]) by smtp.gmail.com with ESMTPSA id o145sm7145410ywo.39.2017.07.03.09.23.21 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Jul 2017 09:23:22 -0700 (PDT) Sender: Matthew Miller To: webpush@ietf.org From: "Matthew A. Miller" Message-ID: <00c1c3f6-7492-aca6-ee24-54041e35ccc7@outer-planes.net> Date: Mon, 3 Jul 2017 09:23:20 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Thunderbird/54.0 MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="6xDrdHKs3d4nWwhFCTVDdGagvfT4ehsTO" Archived-At: Subject: [Webpush] Last-minute Review of Webpush Encryption X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Jul 2017 16:23:25 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --6xDrdHKs3d4nWwhFCTVDdGagvfT4ehsTO Content-Type: multipart/mixed; boundary="EDuMduRI1HT18PfbpsctA1Gau832VSCrK"; protected-headers="v1" From: "Matthew A. Miller" To: webpush@ietf.org Message-ID: <00c1c3f6-7492-aca6-ee24-54041e35ccc7@outer-planes.net> Subject: Last-minute Review of Webpush Encryption --EDuMduRI1HT18PfbpsctA1Gau832VSCrK Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable I was asked to review draft-ietf-webpush-encryption. Overall I think this document is ready; I'd lightly recommend one editorial change and have a callout that borders the line on editorial. In Section 3.4 "Encryption Summary", I think it adds clarity to explicitly stating the "L" inputs for the two final HKDFs. I've submitted PR #12 to that effect. More concerning is that "keyid" is expected to be the "raw" ECDH public key, which is almost certainly not a UTF-8 encoded string; this bends the SHOULD in draft-ietf-httpbis-encryption-encoding. It needs to be called out more explicitly than I see so far, but I don't have any specific text to start with. --=20 - m&m Matthew A. Miller --EDuMduRI1HT18PfbpsctA1Gau832VSCrK-- --6xDrdHKs3d4nWwhFCTVDdGagvfT4ehsTO Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJZWm95AAoJEOz0ck4QngW7IZ4H/16sLH6NGS2VNWnFydQBW1U8 n0T0MXDzwjH0O7IKT59yB1E7nTfnQ7nEKgZpbd/g0baBqR1QOEEV4eA2YOFIZzga vFbBkwhgXRUMpIUzHBHgeLyXuvPdID5JBGdExSPtEEzvtKJABxwmLyMHfXF/jw3I 5b+bTC3s9HZt2CfHRR/J9vqcVqgXdsSLIJo2NimuB30q8i/BBdzJdgDaxfgpzd4Z ptN/lO4kTPUz6vkOAdlaw7oT5r9Axrcf++a56nDdBLv6g5mOYvmaPgcV74l4Q0fR FOGcQvW1S+R4dd2wthQw3YEu2s/ryCzzuPIbuXhhpsrmhRqYXkCspSQgeSLJfrw= =9Rtv -----END PGP SIGNATURE----- --6xDrdHKs3d4nWwhFCTVDdGagvfT4ehsTO-- From nobody Mon Jul 3 10:31:48 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF9DF129B77; Mon, 3 Jul 2017 10:31:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.881 X-Spam-Level: X-Spam-Status: No, score=-1.881 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G_XdMFONWs4P; Mon, 3 Jul 2017 10:31:41 -0700 (PDT) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D2CA1316EA; Mon, 3 Jul 2017 10:31:23 -0700 (PDT) Received: from Orochi.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v63HVKjS097633 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 3 Jul 2017 12:31:21 -0500 (CDT) (envelope-from adam@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Orochi.local To: Stefan Winter , ops-dir@ietf.org Cc: webpush@ietf.org, ietf@ietf.org, draft-ietf-webpush-vapid.all@ietf.org References: <149909744835.22804.5791695515985213782@ietfa.amsl.com> From: Adam Roach Message-ID: Date: Mon, 3 Jul 2017 12:31:15 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <149909744835.22804.5791695515985213782@ietfa.amsl.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Archived-At: Subject: Re: [Webpush] Opsdir last call review of draft-ietf-webpush-vapid-03 X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Jul 2017 17:31:47 -0000 On 7/3/17 10:57, Stefan Winter wrote: > The example in 2.4 does not appear to be correct. I cannot decode "t": > >> base64 --decode > eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1YiI6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0.i3CYb7t4xfxCDquptFOepC9GAu_HLGkMlMuCGSK2rpiUfnK9ojFwDXb1JrErtmysazNjjvW2L9OkSSHzvoD1oA > {"typ":"JWT","alg":"ES256"}base64: ungültige Eingabe > > I'll let the authors respond to your other points; but, as this is simply a mechanical issue, I'll try to clarify the intended syntax (NOTE TO AUTHORS: THERE IS STILL AN ERROR THAT NEEDS FIXING). "t" contains a JWT, which consists of three separate base64 encoded fields, delimited by a "." character: a header, a body, and a signature. The signature, naturally, does not render as something readable when decoded. Thus: # echo eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9 | base64 --decode {"typ":"JWT","alg":"ES256"} # echo eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1YiI6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0 | base64 --decode {"aud":"https://push.example.net","exp":1453523768,"sub":"mailto:push@example.com # echo i3CYb7t4xfxCDquptFOepC9GAu_HLGkMlMuCGSK2rpiUfnK9ojFwDXb1JrErtmysazNjjvW2L9OkSSHzvoD1oA | base64 --decode | od -tx1 0000000 8b 70 98 6f bb 78 c5 fc 42 0e ab a9 b4 53 9e a4 0000020 2f 46 02 ef c7 2c 69 0c 94 cb 82 19 22 b6 ae 98 0000040 94 7e 72 bd a2 31 70 0d 76 f5 26 b1 2b b6 6c ac 0000060 6b 33 63 8e f5 b6 2f d3 a4 49 21 f3 be 80 f5 0000077 So, there is an error, inasmuch as the body is missing a closing quotation mark and a closing brace; but the base64 encoding is otherwise okay. /a From nobody Mon Jul 3 17:14:17 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 398221317FF; Mon, 3 Jul 2017 17:14:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1MA8cOlZKDS; Mon, 3 Jul 2017 17:14:07 -0700 (PDT) Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EECE1317AE; Mon, 3 Jul 2017 17:14:07 -0700 (PDT) Received: by mail-lf0-x22a.google.com with SMTP id t72so528247lff.1; Mon, 03 Jul 2017 17:14:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LURtEY7WlNeKhgLd435kgVoHEAVVrCBiG6fcdmvoCAI=; b=Dz1CCSZIMV2y4PnfvhA0v4jP/OUR3UFOXjXI5h4eXgvTsjw+LdWPTjQp3VlVlUxbOE yskpmHvvm94hgRnOksPPrMg9OQ2FNX3fbIB0b3to+2rmL+AUJwuzEUS3jsHktFK3zRHA Q0wgic5ndt2BZzcNsmZW47n4JV2lczzVQDIxU8DmZ1NLIftNfiERBsjCf5qO3oPilxdA i1Ei5Kk2gK8V5yevKz3ylrRrRYcgGtvqUh/YwHaiOyXOukkUu66rVhHIhjlrkzeRnywa 4PvWB48/Y+QF4sGolpDQrgMBXTxMRttNAsZ+lzyrXcXnhNCQlqX+hII24HtY042oR+XX qfsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LURtEY7WlNeKhgLd435kgVoHEAVVrCBiG6fcdmvoCAI=; b=GuOAh0hO/+67+5UcDSDO47pSgxu4xLfdK2eSUprx9Ko0aGeUkoSrrcZoYvMepsFtdj wE3t2uJIH7Xz+xZ4i79RkPmhslM0isYfAWvsWF8Mc1SKi8R7wTedJ0t3IVPONIJlDkmz Yhu/MuVa2l+JqA7MKbj/Nrf2czqiFmL+QF97hrITsUXgPDXbg2pFUAWg/Ez+yD+S0BIB /6nKiurhRBXbe5jSCMDruGxE854RwaVLi1xBuboHLz3E0gT//0QDk8nn5PXeVHuWB2e2 /oGArRWZtSuETPlC2T7K7u/hcGOM9X5QS8GOrQOQvLAMlOcon5gl8oY1bsw+KY4pUw9K LMxQ== X-Gm-Message-State: AIVw1130br6GVDRHirDbonhHxp/zWxYfv41OaAbPiUxfWF+fljNQriTG ssIB/f/ANXQmUZzeJQVvWRA8Dcxw1rev9sE= X-Received: by 10.46.83.7 with SMTP id h7mr1877217ljb.22.1499127245540; Mon, 03 Jul 2017 17:14:05 -0700 (PDT) MIME-Version: 1.0 Received: by 10.46.69.84 with HTTP; Mon, 3 Jul 2017 17:14:04 -0700 (PDT) In-Reply-To: References: <149909744835.22804.5791695515985213782@ietfa.amsl.com> From: Martin Thomson Date: Tue, 4 Jul 2017 10:14:04 +1000 Message-ID: To: Adam Roach Cc: Stefan Winter , "ops-dir@ietf.org" , "webpush@ietf.org" , "ietf@ietf.org" , draft-ietf-webpush-vapid.all@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Webpush] Opsdir last call review of draft-ietf-webpush-vapid-03 X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jul 2017 00:14:09 -0000 On 4 July 2017 at 03:31, Adam Roach wrote: > # echo > eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1YiI6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0 > | base64 --decode > > {"aud":"https://push.example.net","exp":1453523768,"sub":"mailto:push@example.com I get this: $ echo eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1YiI6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0 | base64 --decode {"aud":"https://push.example.net","exp":1453523768,"sub":"mailto:push@example.com"}base64: invalid input Which fills me with confidence in the base64 tool. You'll note that the trailing quote and curly brace are present here, but there is an inexplicable error that adding the -i option doesn't remove. I built this using my own implementation and verified it, but you will see that this works too: $ npm install base64url;node -e 'console.log(require("base64url").decode("eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1YiI6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0"))' {"aud":"https://push.example.net","exp":1453523768,"sub":"mailto:push@example.com"} (note that running this leaves a node_modules lying around). https://www.base64decode.org/ also agrees. From nobody Mon Jul 3 17:20:41 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8320612F28E; Mon, 3 Jul 2017 17:20:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqMgph1vKhhs; Mon, 3 Jul 2017 17:20:30 -0700 (PDT) Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AACFE1317AE; Mon, 3 Jul 2017 17:20:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [134.102.201.11]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id v640KPVk002870; Tue, 4 Jul 2017 02:20:25 +0200 (CEST) Received: from [192.168.217.124] (p5DC7F3A7.dip0.t-ipconnect.de [93.199.243.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3x1l5P1TRGz3ZH7; Tue, 4 Jul 2017 02:20:25 +0200 (CEST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) From: Carsten Bormann In-Reply-To: Date: Tue, 4 Jul 2017 02:20:23 +0200 Cc: Adam Roach , Stefan Winter , "ops-dir@ietf.org" , draft-ietf-webpush-vapid.all@ietf.org, "ietf@ietf.org" , "webpush@ietf.org" X-Mao-Original-Outgoing-Id: 520820422.828225-aaad11f0fde59b23389472456d56b79e Content-Transfer-Encoding: quoted-printable Message-Id: <93C3F14F-A6B9-4682-9173-7BE10D1A8EA2@tzi.org> References: <149909744835.22804.5791695515985213782@ietfa.amsl.com> To: Martin Thomson X-Mailer: Apple Mail (2.3273) Archived-At: Subject: Re: [Webpush] Opsdir last call review of draft-ietf-webpush-vapid-03 X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jul 2017 00:20:35 -0000 base64 classic seems to need padding and reacts differently on different = versions when that is missing. (I=E2=80=99d like to meet someone who can explain what they were = thinking when they invented padding.) Gr=C3=BC=C3=9Fe, Carsten > On Jul 4, 2017, at 02:14, Martin Thomson = wrote: >=20 > On 4 July 2017 at 03:31, Adam Roach wrote: >> # echo >> = eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1Yi= I6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0 >> | base64 --decode >>=20 >> = {"aud":"https://push.example.net","exp":1453523768,"sub":"mailto:push@exam= ple.com >=20 > I get this: >=20 > $ echo = eyJhdWQiOiJodHRwczovL3B1c2guZXhhbXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1Yi= I6Im1haWx0bzpwdXNoQGV4YW1wbGUuY29tIn0 > | base64 --decode > = {"aud":"https://push.example.net","exp":1453523768,"sub":"mailto:push@exam= ple.com"}base64: > invalid input >=20 > Which fills me with confidence in the base64 tool. You'll note that > the trailing quote and curly brace are present here, but there is an > inexplicable error that adding the -i option doesn't remove. >=20 > I built this using my own implementation and verified it, but you will > see that this works too: >=20 > $ npm install base64url;node -e > = 'console.log(require("base64url").decode("eyJhdWQiOiJodHRwczovL3B1c2guZXhh= bXBsZS5uZXQiLCJleHAiOjE0NTM1MjM3NjgsInN1YiI6Im1haWx0bzpwdXNoQGV4YW1wbGUuY2= 9tIn0"))' > = {"aud":"https://push.example.net","exp":1453523768,"sub":"mailto:push@exam= ple.com"} >=20 > (note that running this leaves a node_modules lying around). >=20 > https://www.base64decode.org/ also agrees. >=20 >=20 From nobody Mon Jul 3 17:25:23 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8F4E13181B; Mon, 3 Jul 2017 17:25:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3t2UMHmqy5uI; Mon, 3 Jul 2017 17:25:08 -0700 (PDT) Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F16E0131814; Mon, 3 Jul 2017 17:25:03 -0700 (PDT) Received: by mail-lf0-x231.google.com with SMTP id b207so110140455lfg.2; Mon, 03 Jul 2017 17:25:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wLztgpu0/8eTvKnxPAhVAwWpPckYX8N5LsjBQKIOT9A=; b=EJ54BPlgin4ePYYYl7G5pRZ2GDUFRbtXJvxhD3WWhRL9+uLiRmG0TnRr9/NRJw72hS b9I6k13G2nPKkuvElJ3m/0RUyykKbpW1acBHThxzXfM+YQ91IPnoHraXA1kAQnqu0KQx RCqEAenyBC6zlXTR5vPmATqfQJyinre3jFr7qT9V5EdwHALLg1Dewcspnc7LptH08nnL 3FcjXJtxzuac0WqTjdXHVD3ERXBUged1PolLa4R4l32or7k/H7dEGmNNobXQlh/TkpDt DE7zC1bX3j9NvbY0PuPjfele4IbyiaXP9SV2thbLjcWDWQOvMY+XrpffU8RjZ3QFZ/vX yWtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wLztgpu0/8eTvKnxPAhVAwWpPckYX8N5LsjBQKIOT9A=; b=DJcyk6NTDwXgB8hhJu46WkY0VdLgyHB/G40bVIbTLzILdoU6/qnr93E/pimuEuKgCG arouiUsepA1h9Fhz2KACBb8MVewrehnESgepFpk7yQPe0eiKO6lEpZupDwY8EHo2p/g5 xU/LfTFt96tJe+YZvI5cxQOJ5RN2SPdBRk/ZH+Toy6doOShSX1DzuW3+gqnF7OljuGk7 3QeB+wjATT9xN80+BU9bJMHO0sqQFK6cD/BHs5Nabk95GP3eCy90O3e0DZMoDUsWaPhM 5wUuW+vNVgPNQYbXzl0/m0kz2u0cf2uVF9GkDONYu/Rd81Rq/Mn0X1uuGdmRPk9d5KSB /e8A== X-Gm-Message-State: AKS2vOw8qBBHoX57I1MJ1WzYmoDXXj0LKXl5G4X34vixyZvKgNXG4iK+ qZy6f5MWXwkANMsFzrlrzdpRSr1wFQ== X-Received: by 10.46.77.70 with SMTP id a67mr11843344ljb.103.1499127902275; Mon, 03 Jul 2017 17:25:02 -0700 (PDT) MIME-Version: 1.0 Received: by 10.46.69.84 with HTTP; Mon, 3 Jul 2017 17:25:01 -0700 (PDT) In-Reply-To: <93C3F14F-A6B9-4682-9173-7BE10D1A8EA2@tzi.org> References: <149909744835.22804.5791695515985213782@ietfa.amsl.com> <93C3F14F-A6B9-4682-9173-7BE10D1A8EA2@tzi.org> From: Martin Thomson Date: Tue, 4 Jul 2017 10:25:01 +1000 Message-ID: To: Carsten Bormann Cc: Adam Roach , Stefan Winter , "ops-dir@ietf.org" , draft-ietf-webpush-vapid.all@ietf.org, "ietf@ietf.org" , "webpush@ietf.org" Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Webpush] Opsdir last call review of draft-ietf-webpush-vapid-03 X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jul 2017 00:25:12 -0000 On 4 July 2017 at 10:20, Carsten Bormann wrote: > base64 classic seems to need padding and reacts differently on different versions when that is missing. Ahh, another example of insufficient application of Postel's Maxim. Adding "=" fixes this particular problem. From nobody Mon Jul 3 17:38:19 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3860012741D; Mon, 3 Jul 2017 17:38:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4XhvvfSiOBmi; Mon, 3 Jul 2017 17:38:15 -0700 (PDT) Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E668213181C; Mon, 3 Jul 2017 17:38:01 -0700 (PDT) Received: by mail-lf0-x22f.google.com with SMTP id t72so683012lff.1; Mon, 03 Jul 2017 17:38:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FQNd6qS0w87venUF2IPOfSzfCtA2bKRfNpUrmwutRgI=; b=UQXSf0PFF0eySNeVdO3cJdI2FmUOyNJrlzYAedyjKqkNl/Kr9lS/lDYejZrqkv/I/S npMuIPb8ALTJMZI4YFLFcCbGs1ljPb91RwBVRlyyEo+8lnw+/AlSvqsRA5ijyRy1yD9J 06GwxJ7sCGpEL6ujZI2P2fZ6+n7KBcnD4Eb7n50Vhzd8Rwgbu1fu9puIKQz7iaCTXsw7 5AmONZ6kdRqifwV6N6acRs3Z8Sj96JJKuwW5tRi9Gqwf5PJlgilntL0qQTBYuNPPVTFo gu8yJ6ek2yplJODBSDToR3bfTRbFGnkLJiJRRwHs30lNf4O3DWGL8YRg5IRbcVc4veo3 DUyg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FQNd6qS0w87venUF2IPOfSzfCtA2bKRfNpUrmwutRgI=; b=YDsbe50Gkoh9jh/qoH08tCeUD+KxWMozkyHFFZ3jJTHMemgfZWOLhMD60EhDAb3MMp K/iWV//6/5KG+jcsCXqBTH485cNy78Wfoob16jubuJhWokeBaIDa+dj2xSO5QHaOuG5S 9AbUSOCQjoEWMFvnETTnqiv7KXeYtrqbY0MKEAi6nSI1wJvM5sM2Jl1IUv3Z82SKKycS Yq6WBAmaa03h/hmfR54kCI8gank7LA8r0gtvm2jIlwmyQhGZfgmItp4+UFDIFeY+tS42 iwzoYEFUHsgUNTuMVms1OnYneMFEqP5dcphEXFsv07RxGKFGsZq0vKIEgqwawadQ+8w9 MHRA== X-Gm-Message-State: AIVw113OG8xCpZz7XB0uxic4ozeCCeYq393fyZIAWU/nW/cN8Lqu9oQh mRlNagHkRyAGP9zc5yabNIqHDqxDPDWuxUc= X-Received: by 10.25.27.195 with SMTP id b186mr918593lfb.76.1499128680192; Mon, 03 Jul 2017 17:38:00 -0700 (PDT) MIME-Version: 1.0 Received: by 10.46.69.84 with HTTP; Mon, 3 Jul 2017 17:37:59 -0700 (PDT) In-Reply-To: <149909744835.22804.5791695515985213782@ietfa.amsl.com> References: <149909744835.22804.5791695515985213782@ietfa.amsl.com> From: Martin Thomson Date: Tue, 4 Jul 2017 10:37:59 +1000 Message-ID: To: Stefan Winter Cc: "ops-dir@ietf.org" , "webpush@ietf.org" , draft-ietf-webpush-vapid.all@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Webpush] Opsdir last call review of draft-ietf-webpush-vapid-03 X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jul 2017 00:38:18 -0000 Trimming ietf@ On 4 July 2017 at 01:57, Stefan Winter wrote: > Cryptographic agility is ensured by requiring an all-new protocol in case a > different algorithm is used, or any other protocol property is changed (the > newly defined auth scheme "vapid" is hard-wired to ECDSA NIST P-256, and there > is no version field in the JWT token). Considering that the JWT header and JWK > fields describe their signing method, making it cryptographically agile, > pinning the algorithm appears to be a strange choice (see the example in 2.4). The problem here isn't that you can't switch to a different cryptographic scheme in the format (clearly you can), but that you don't know that your scheme will be accepted. We opted to rely *solely* on the mechanisms that HTTP provides for this, which means that we can succinctly refer to this scheme as "vapid" with confidence that that encompassed more than just the basic structure. If we wanted to add - say XMSS - we would define a new scheme called "vapid-xmss" and we might use the same basic arrangement. Note that for a time we considered removing the JWT header in the interest of saving those bytes. In the end, we decided that HTTP/2 header compression would suffice. > The last paragraph of Security Considerations remains a mystery to me. What is > a "gradual migration"? With no key rollover, any change of key simply breaks > all clients with using that key. The last sentence implies that such a hard > failure is acceptable. That's a rather simplistic protocol design. The issue of key rollover is dealt with in the section immediately preceding the Security Considerations section (this is from the editor's copy): An application server that needs to replace its signing key needs to request the creation of a new subscription by the user agent that is restricted to the updated key. Application servers need to remember the key that was used when requesting the creation of a subscription. In other words, you migrate to a new key by creating new subscriptions. That doesn't create any hard failures. "Gradual" here refers to making these new subscriptions gradually, rather than all at once. The sentence you refer to: Gradual migration to a new signing key reduces the chances that requests that use the new key will be categorized as abusive. This refers to the fact that if you are a large volume sender of push messages (some large sites send many thousands per second), then changing over all of your subscriptions at the same time might appear as though you suddenly stopped and some unknown party just started a denial of service attack. From nobody Mon Jul 3 21:34:55 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75516131652 for ; Mon, 3 Jul 2017 21:34:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJNV_-J6ZoSx for ; Mon, 3 Jul 2017 21:34:52 -0700 (PDT) Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5711C13147B for ; Mon, 3 Jul 2017 21:34:52 -0700 (PDT) Received: by mail-lf0-x230.google.com with SMTP id t72so2373852lff.1 for ; Mon, 03 Jul 2017 21:34:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ru4bhixjW25yQFXTWpBi/mk4h8UBjpcF4zdslKGZ6jA=; b=UmB6K/FxfITwgki6F7fNpWtxAwRmQ+b0W/KwQLjW2m3VNmXubc/ag/ozlf+EkXDCkm iI+1cAD4w57jKMLNZmo3/tijbehlxTyh4KNoEUuHk5cZHMsWyAGCdoc5PaPxWVYKIC2G YJGEUngndYVlNVuVuxFgXS65wG4dT96/Z+lCmVzSnnqcKOphDmpR1F0c2deFzLyRJfkN wBBX1ahu+Tyd4OFFNcuPFM3bQ3rYVU8N/nAD/1ZpSTCBDGyRh13M1Z+1lU5zuOwQKjJ+ SeLv58G/WgcV2uohQ3ShgRbrJZs1XobE1fGE6JNnbrviPIKriQqqHTAtfxc3OCEB/DrM H7xw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ru4bhixjW25yQFXTWpBi/mk4h8UBjpcF4zdslKGZ6jA=; b=OmhIXx7AHOWDhhgyF+fMe6DPOWyy4FHZ6Yi2NraK3NEiXIt6hdFlMcorxUEkZJHYRH neVySK8bHZuNgigO++PbJ+uvopEdTuwTUVsTZmVFknpDTkYJBChV1qhEm3+OugojQeFx JjE8v0ISc+VIZ2aK/S7UrQh+q95VAi97nZE85OveeItjgvZNzhOqkzppWe+CRQgZPQ0l b3VMDqfe0AwAecxpByuFuqnH0MVs7x/4x9cPlJ6VbB5FkNi/0xMNGni5Q+0TupJVVLds uYYkBWlG5Vv52i5UQfhnHiF0rc+P+QNySUtPGUxvrxxTTDxEloZJjptBrO8mJt6aWlZf q7Gg== X-Gm-Message-State: AIVw1107yBHeSMbvoJONRuw//BbhwSs9horfWzHdMDK/fciDJltsNyQp OrOgQQyH+5k2xBdwMMb/9aswVrqBwSNYA4Q= X-Received: by 10.25.206.203 with SMTP id e194mr4374756lfg.43.1499142890638; Mon, 03 Jul 2017 21:34:50 -0700 (PDT) MIME-Version: 1.0 Received: by 10.46.69.84 with HTTP; Mon, 3 Jul 2017 21:34:50 -0700 (PDT) In-Reply-To: <00c1c3f6-7492-aca6-ee24-54041e35ccc7@outer-planes.net> References: <00c1c3f6-7492-aca6-ee24-54041e35ccc7@outer-planes.net> From: Martin Thomson Date: Tue, 4 Jul 2017 14:34:50 +1000 Message-ID: To: "Matthew A. Miller" Cc: "webpush@ietf.org" Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Webpush] Last-minute Review of Webpush Encryption X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jul 2017 04:34:54 -0000 On 4 July 2017 at 02:23, Matthew A. Miller wrote: > In Section 3.4 "Encryption Summary", I think it adds clarity to > explicitly stating the "L" inputs for the two final HKDFs. I've > submitted PR #12 to that effect. I see your point, and I agree that this could be clearer, but I didn't really like the unused variables. See https://github.com/webpush-wg/webpush-encryption/pull/13, which you already approved :) > More concerning is that "keyid" is expected to be the "raw" ECDH public > key, which is almost certainly not a UTF-8 encoded string; this bends > the SHOULD in draft-ietf-httpbis-encryption-encoding. It needs to be > called out more explicitly than I see so far, but I don't have any > specific text to start with. I think that a note will help, yes. https://github.com/webpush-wg/webpush-encryption/pull/14 From nobody Mon Jul 10 16:04:53 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45A3813193D; Mon, 10 Jul 2017 16:04:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.881 X-Spam-Level: X-Spam-Status: No, score=-1.881 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ctX7Q4jfC8XE; Mon, 10 Jul 2017 16:04:50 -0700 (PDT) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0624131606; Mon, 10 Jul 2017 16:04:47 -0700 (PDT) Received: from Svantevit.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v6AN4jD2015808 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 10 Jul 2017 18:04:47 -0500 (CDT) (envelope-from adam@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.local To: webpush@ietf.org, draft-ietf-webpush-encryption.all@ietf.org From: Adam Roach Message-ID: Date: Mon, 10 Jul 2017 18:04:40 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Archived-At: Subject: [Webpush] AD Evaluation: draft-ietf-webpush-encryption X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jul 2017 23:04:52 -0000 Webpush Encryption author -- This is my AD review for draft-ietf-webpush-encryption-08. This document is ready for IETF last call. I have a handful of comments, mostly editorial, that you should treat the same as any other last call comments. The notational conventions section is cute; however, I believe that it would benefit from being brought in line with the more conventional 2119 boilerplate. The final paragraph of section 2.1 uses the word "any" in a rather sweeping fashion, implying that the algorithms, key sizes, and consequent strengths for providing authentication, integrity, and confidentiality are immaterial. I would suggest qualifying this more carefully. The summary in section 3.4 is greatly appreciated. I'm a bit confused about the "salt = random(16)" as something that appears in the "for both" section. As written, this appears to indicate that each side generates their own salt as input to the PRK, which I doubt works (unless there's some black magic at play here that I don't understand). Appendix A would appear to indicate that the Application Server generates this value, and provides it to the "receiver" (user agent?). This is all made somewhat more confusing by the fact that 3.3 defines "salt" (which is the HKDF salt rather than the PRK generation salt) to be equal to the authentication secret, generated by the client. Needless to say, it's pretty easy to get lost in all the salting -- I would suggest some notational distinction between them. Also, please make it clear in Section 3.4 who generates the salt for the PRK. Section 4: s/the some of the length/the sum of the length/ Section 5: "base64url" needs a definition -- I would suggest citing RFC 4648, section 5. The final ciphertext in the appendix appears to contain a spurious space. Please expand the following acronyms upon first use; see https://www.rfc-editor.org/materials/abbrev.expansion.txt for guidance. - UA - User Agent - HMAC - Hashed Message Authentication Code - PRK - Unknown - CEK - content-encryption key /a From nobody Mon Jul 10 17:48:07 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7E8127867; Mon, 10 Jul 2017 17:48:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wL4jJmby01gi; Mon, 10 Jul 2017 17:48:04 -0700 (PDT) Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DCB91241FC; Mon, 10 Jul 2017 17:48:04 -0700 (PDT) Received: by mail-it0-x22a.google.com with SMTP id k192so4319975ith.1; Mon, 10 Jul 2017 17:48:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1SFDNONk0ZeXfZkLUJdFZ2IjZcSULhU17AGnRaZMxfw=; b=MnvgvSM4bgLA2ahorcWK5dOcy4x/AZQ1HRCV6Q+4VIZCoXuxT4k9AsbtAtTihVjD1f xVYMbjP56fkEm/KHr3uJTQ1nnMoo2/tVJXziBWwHQhr+ipqc1WOe8uN7WUGRqBf7LDrg vQ47TlarNN1OY5wBRZITR7VYmxW+udYEXhKNpInBbHeUiC1eV3iwnY+Y9iigoCNdOSG7 pqpWfKIMTz1rh7a4IvCL2DaDtAqapIqGmuiiPpbyOf57cWzkgxK0ePN+Wx/zO85eVsAl 4UZ8+UiObezSC9ojf3njIxkIdr4mzIp2n6VmNn5mUWqH1wmYy2D4UNwHp3cBMO610qKE 7v9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1SFDNONk0ZeXfZkLUJdFZ2IjZcSULhU17AGnRaZMxfw=; b=QeJ1C+qK9P3BmIvUt8rvnAaw0AxtxLd4UN3EbZJIRpTREEL58PhcJneX1V7e6LyWc+ cO8BrHanvkuz7JSFpYV30rDHgYcRIN8+ntnZrRmhCc/fydokEsF1u5sBVAzIe7/yDjt6 qebIVftgQqKI4kPTIP0iK7LpzRaCznm7TgWCxL0i+yhKu4yYeJCdowr1BXWO0in6olkz OK9bqixZVfbJWXXxNFOPwHmOFmb2dUUc3XYoEYQ/aYB1KxbznOjAA0VClV51iKWKg1p1 GYMrzhaMu32gdHt32Xd6rs4l8OTW30u3WHB/+rQ21YTwGHaaKvzQ8VNceHnTdzCXrycx 2dvA== X-Gm-Message-State: AIVw1105tEd8cQ3wJobK0x5bGfMYUcO48Sxb5k/DVEqcQOfdaY2g1pFH UU1evJvhHqdK8t27xgIjL8cvU08bRAyN74o= X-Received: by 10.107.39.205 with SMTP id n196mr5867184ion.37.1499734083864; Mon, 10 Jul 2017 17:48:03 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.164.26 with HTTP; Mon, 10 Jul 2017 17:48:03 -0700 (PDT) In-Reply-To: References: From: Martin Thomson Date: Tue, 11 Jul 2017 10:48:03 +1000 Message-ID: To: Adam Roach Cc: "webpush@ietf.org" , draft-ietf-webpush-encryption.all@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Webpush] AD Evaluation: draft-ietf-webpush-encryption X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jul 2017 00:48:06 -0000 Thanks Adam, Should you care: https://github.com/webpush-wg/webpush-encryption/pull/15 I can generate a new version and submit it at a time of your choosing if these changes are acceptable. On 11 July 2017 at 09:04, Adam Roach wrote: > The final paragraph of section 2.1 uses the word "any" in a rather sweeping > fashion, implying that the algorithms, key sizes, and consequent strengths > for providing authentication, integrity, and confidentiality are immaterial. > I would suggest qualifying this more carefully. I've changed this to "An authenticated communication mechanism that provides adequate confidentiality and integrity protection, such as HTTPS [...]" > The summary in section 3.4 is greatly appreciated. I'm a bit confused about > the "salt = random(16)" That's an error. I have moved this to the right place. > Section 4: s/the some of the length/the sum of the length/ Not in my copy; I think that Matt fixed this for me already. > Section 5: "base64url" needs a definition -- I would suggest citing RFC > 4648, section 5. How did I miss that... > The final ciphertext in the appendix appears to contain a spurious space. I broke these into 32 character chunks so that line wrapping wouldn't hurt too much, that's all. I'll explain that better. From nobody Tue Jul 11 11:38:21 2017 Return-Path: X-Original-To: webpush@ietf.org Delivered-To: webpush@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 34C7313179B; Tue, 11 Jul 2017 11:38:13 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: The IESG To: "IETF-Announce" X-Test-IDTracker: no X-IETF-IDTracker: 6.55.3 Auto-Submitted: auto-generated Precedence: bulk CC: adam@nostrum.com, Phil Sorber , sorber@apache.org, draft-ietf-webpush-encryption@ietf.org, webpush-chairs@ietf.org, webpush@ietf.org Reply-To: ietf@ietf.org Sender: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-ID: <149979829312.22556.1427412109062721600.idtracker@ietfa.amsl.com> Date: Tue, 11 Jul 2017 11:38:13 -0700 Archived-At: Subject: [Webpush] Last Call: (Message Encryption for Web Push) to Proposed Standard X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jul 2017 18:38:13 -0000 The IESG has received a request from the Web-Based Push Notifications WG (webpush) to consider the following document: - 'Message Encryption for Web Push' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2017-08-01. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract A message encryption scheme is described for the Web Push protocol. This scheme provides confidentiality and integrity for messages sent from an Application Server to a User Agent. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-webpush-encryption/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-webpush-encryption/ballot/ No IPR declarations have been submitted directly on this I-D. From nobody Mon Jul 24 22:02:13 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FDFC127241 for ; Mon, 24 Jul 2017 22:02:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyIcNm7AAnxk for ; Mon, 24 Jul 2017 22:02:10 -0700 (PDT) Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91595126BF3 for ; Mon, 24 Jul 2017 22:02:10 -0700 (PDT) Received: by mail-it0-x22a.google.com with SMTP id v127so45661144itd.0 for ; Mon, 24 Jul 2017 22:02:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=OGasVEzYl0vkzBlzCLvXrTKkcSdi8HqRqN/4ra0d6SA=; b=Cl7yAGEbJBkkV8EXx3Raa4nyZOM0/D38jBlNdXKP8YpQhgbQvHQX7M7Vl7b198q8n3 F1ZcPU3a+3CXwVba2tKnV2csGE/BrSzqn86/6eGw4R6QZiBQgvVQ822gTTSvrb7qwc22 Ni8koa2ITFBrBreC3EVqJ/wfAKUoe9KvIg2ULeH7QzSdERO8SpScjSRBpkfnR4I52lrQ +m5fc3w/t6+85FnfpmT8CFmndBZA52/+0G2Py97+hKyfDAZFt6I5ng4SoohZAusre1lZ AXWkrcMnS3y+AbQlhNUfVYxs3ZTVP9vUQhorGEZpmnKimIJnNiyxXO/wc2q3ZFDeGRRP nwFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=OGasVEzYl0vkzBlzCLvXrTKkcSdi8HqRqN/4ra0d6SA=; b=LGz+CDoT2RNjBfxld2w/uWPEH2vKKP4ZSn5Uy/18RGcruY5iw2VQIm3JwHJlGhu75I SUxF4jtMvbu3UfccIZ50E4kBd2it1UPeGhTWMm4jdr8m4c9dssOzlNgc9ixgC36fqh2o 5Q127OyQXok/BGo+8dScfqnHXGDd8D7WxhiXUUwElwT4dJej1gY5rsO+WAQBKxjAknCD nmXntowrkQyE0tSzpQI7y+yhPY8bfV3QNCNh4hHN5vI549Ri8ZxjKCqnjz4bJOcztHc+ hpI0elEw6XTRztZeC2nZbKONBNzryCqYvXDbIMLVrD+FHliWB8j+5jyTdDrYy0UQ+Rd3 W5ew== X-Gm-Message-State: AIVw113hTysw1yuzCMl8Waji+gJlN2Ux00bCSQwEQj6ZedfAu5mnSQQ9 zI+ykDRbiZ9BEvKaKXgacBPA4R8N5YPqXh0= X-Received: by 10.36.53.70 with SMTP id k67mr9735523ita.79.1500958929766; Mon, 24 Jul 2017 22:02:09 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.164.42 with HTTP; Mon, 24 Jul 2017 22:02:09 -0700 (PDT) From: Martin Thomson Date: Tue, 25 Jul 2017 15:02:09 +1000 Message-ID: To: "webpush@ietf.org" Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: [Webpush] Editorial changes to encryption doc X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jul 2017 05:02:12 -0000 Just to keep everyone here up to date on what is going on, here are the current outstanding changes to the -encryption doc. I believe that all of these are minor and editorial, but I thought that I'd point them out. Adam Roach did a review: https://github.com/webpush-wg/webpush-encryption/pull/15 Frank did a secdir review and found some other errors: https://github.com/webpush-wg/webpush-encryption/pull/16 Finally, I noticed an error when I rebased to RFC 8188: https://github.com/webpush-wg/webpush-encryption/pull/17