From nobody Fri Sep 1 20:03:13 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57DA61343E6 for ; Fri, 1 Sep 2017 20:03:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.019 X-Spam-Level: X-Spam-Status: No, score=-5.019 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5t3YhEDnVaX for ; Fri, 1 Sep 2017 20:03:09 -0700 (PDT) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by ietfa.amsl.com (Postfix) with SMTP id 4DBBF1342F3 for ; Fri, 1 Sep 2017 20:03:09 -0700 (PDT) Received: (qmail 75723 invoked by uid 99); 2 Sep 2017 03:03:08 -0000 Received: from mail-relay.apache.org (HELO mail-relay.apache.org) (140.211.11.15) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 02 Sep 2017 03:03:08 +0000 Received: from mail-qk0-f171.google.com (mail-qk0-f171.google.com [209.85.220.171]) by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with ESMTPSA id D895D1A040E for ; Sat, 2 Sep 2017 03:03:06 +0000 (UTC) Received: by mail-qk0-f171.google.com with SMTP id a77so7586538qkb.1 for ; Fri, 01 Sep 2017 20:03:05 -0700 (PDT) X-Gm-Message-State: AHPjjUjwK8EyT85lTucVz0Ke0zvQfujfq8gFRBnuerzZLTL1KXtfJoTL r8A0+HBKV03CmwIhKT2Af5Nr2khJOg== X-Google-Smtp-Source: ADKCNb5t20bwueHSSiWCC6t7h93ugGa7lnPRRy4iqXVzYdzL9yYtkL34lzv5R9EHKPyYB8uU8pRzWLMVd9kqFVzH8VQ= X-Received: by 10.55.79.149 with SMTP id d143mr5361216qkb.144.1504321384506; Fri, 01 Sep 2017 20:03:04 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Phil Sorber Date: Sat, 02 Sep 2017 03:02:53 +0000 X-Gmail-Original-Message-ID: Message-ID: To: "webpush@ietf.org" Content-Type: multipart/alternative; boundary="001a114aa05ec06b8d05582c1dbc" Archived-At: Subject: Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Sep 2017 03:03:11 -0000 --001a114aa05ec06b8d05582c1dbc Content-Type: text/plain; charset="UTF-8" I think that we have consensus on this. Other options were considered by the working group but for various reasons, such as deployment complexity, were ruled out in favor of the JWT bearer token, despite it's sub-optimal security properties. Thanks everyone for the feedback. On Thu, Aug 17, 2017 at 10:17 PM Martin Thomson wrote: > On 18 August 2017 at 12:58, Phil Sorber wrote: > > I believe the working group has already discussed adding such a mechanism > > and rejected it (with citation to an email discussion or minutes > reflecting > > such discussion). > > We did consider options that don't have this unfortunate property. > Client certificates were a strong contender. They would have been > ideal if not for operational challenges. > > Here's the email that I think was pivotal on this subject: > https://mailarchive.ietf.org/arch/msg/webpush/_qwcGCuDekERw5o31t0MjFJGTh8 > > Later there is also: > https://mailarchive.ietf.org/arch/msg/webpush/poGnqtBFlFe3hpzvkiS3Rp5L94g > > There are yet more emails that follow on from this where we discuss > scope of the token and relative costs. The first of those is here: > https://mailarchive.ietf.org/arch/msg/webpush/xrqo-LUb7mrPV6eF1xgyJoqMgCU > > I found the rest of thread instructive as a reminder of what happened, > I had forgotten the details of this discussion. > > I didn't read meeting minutes, the above seems sufficient. > --001a114aa05ec06b8d05582c1dbc Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I think that we have consensus on this. Other options= were considered by the working group but for various reasons, such as depl= oyment complexity, were ruled out in favor of the JWT bearer token, despite= it's sub-optimal security properties.

Tha= nks everyone for the feedback.

On Thu, Aug 17, 2017 at 10:17 PM Martin Thomson <martin.thomson@gmail.com> wro= te:
On 18 August 2017 at 12:58, Phi= l Sorber <sorber@= apache.org> wrote:
> I believe the working group has already discussed adding such a mechan= ism
> and rejected it (with citation to an email discussion or minutes refle= cting
> such discussion).

We did consider options that don't have this unfortunate property.
Client certificates were a strong contender.=C2=A0 They would have been
ideal if not for operational challenges.

Here's the email that I think was pivotal on this subject:
https://mailarchive.ietf.or= g/arch/msg/webpush/_qwcGCuDekERw5o31t0MjFJGTh8

Later there is also:
https://mailarchive.ietf.or= g/arch/msg/webpush/poGnqtBFlFe3hpzvkiS3Rp5L94g

There are yet more emails that follow on from this where we discuss
scope of the token and relative costs.=C2=A0 The first of those is here: https://mailarchive.ietf.or= g/arch/msg/webpush/xrqo-LUb7mrPV6eF1xgyJoqMgCU

I found the rest of thread instructive as a reminder of what happened,
I had forgotten the details of this discussion.

I didn't read meeting minutes, the above seems sufficient.
--001a114aa05ec06b8d05582c1dbc-- From nobody Sun Sep 3 16:55:20 2017 Return-Path: X-Original-To: webpush@ietf.org Delivered-To: webpush@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EE09A13247A; Sun, 3 Sep 2017 16:55:13 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: webpush@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.59.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <150448291392.527.16520590053957585728@ietfa.amsl.com> Date: Sun, 03 Sep 2017 16:55:13 -0700 Archived-At: Subject: [Webpush] I-D Action: draft-ietf-webpush-encryption-09.txt X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Sep 2017 23:55:14 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web-Based Push Notifications WG of the IETF. Title : Message Encryption for Web Push Author : Martin Thomson Filename : draft-ietf-webpush-encryption-09.txt Pages : 12 Date : 2017-09-03 Abstract: A message encryption scheme is described for the Web Push protocol. This scheme provides confidentiality and integrity for messages sent from an application server to a user agent. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-webpush-encryption/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-webpush-encryption-09 https://datatracker.ietf.org/doc/html/draft-ietf-webpush-encryption-09 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-webpush-encryption-09 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Sun Sep 3 16:55:31 2017 Return-Path: X-Original-To: webpush@ietf.org Delivered-To: webpush@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 016E8126B7E; Sun, 3 Sep 2017 16:55:15 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: webpush@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.59.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <150448291496.390.6375938180353447251@ietfa.amsl.com> Date: Sun, 03 Sep 2017 16:55:15 -0700 Archived-At: Subject: [Webpush] I-D Action: draft-ietf-webpush-vapid-04.txt X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Sep 2017 23:55:15 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web-Based Push Notifications WG of the IETF. Title : Voluntary Application Server Identification (VAPID) for Web Push Authors : Martin Thomson Peter Beverloo Filename : draft-ietf-webpush-vapid-04.txt Pages : 14 Date : 2017-09-03 Abstract: An application server can use the method described to voluntarily identify itself to a push service. The "vapid" authentication scheme allows a client to include its an identity in a signed token with requests that it makes. The signature can be used by the push service to attribute requests that are made by the same application server to a single entity. The identification information can allow the operator of a push service to contact the operator of the application server. The signature can be used to restrict the use of a push subscription to a single application server. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-webpush-vapid/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-webpush-vapid-04 https://datatracker.ietf.org/doc/html/draft-ietf-webpush-vapid-04 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-webpush-vapid-04 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Sun Sep 3 17:02:24 2017 Return-Path: X-Original-To: webpush@ietfa.amsl.com Delivered-To: webpush@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E160126B7E for ; Sun, 3 Sep 2017 17:02:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s1mfeZu1dK-k for ; Sun, 3 Sep 2017 17:02:21 -0700 (PDT) Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1388513247A for ; Sun, 3 Sep 2017 17:02:21 -0700 (PDT) Received: by mail-oi0-x22c.google.com with SMTP id h70so3105187oic.1 for ; Sun, 03 Sep 2017 17:02:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dR6OdcYLF4D7P0TXq/+xJA15QFJmndFlnUaHVvs3zsM=; b=vSC3Sff5juqv+hSG3GnE2hYRcyLnLKzBFL7oDTY1iWqZt2E8BlqJIyamGgxTxbWNpx CvcKvPjpkafqVs9YmgHodF7IsBtHqMHkt+mC/vwk/UfNlAJZD2Pmx4S4NEA1Bip+JZCC 7jr31OKoywaROgRYKqMg1XRsxWjqVic9/S6SGlmaItgfC51iFZVFquoNe0h98VZEZ3N+ yGp9ATiDrw928cM7iPiW2DLkBxY/5ABiO78TQgnhpDS1tCtqVhuRQHW5CjHHG9tlydfa GebEv/uFrfvlm34Y6hY/3/IKh9AKNsCFhFURqpYD6UROFtC2vm0qypXX2FG4XVu4abi1 RdTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dR6OdcYLF4D7P0TXq/+xJA15QFJmndFlnUaHVvs3zsM=; b=HEt4PDJh7RaACFxk+LhzzZHEz5UlaQ+iIHs/7qs0lCuM1dNcGUnVUdqwtO1fmeyINa qj2RGRM4zIDuw7wSzmdsVvhvySWyM4esCINmV5vaDj1zIY0TjVKs59pr/wsJFsv2WEh9 jQNM/ewFGCUcsorZfFbUGFMyBocQoH48YbiOvYacPTUri2/Ze5LSpE7+TuiHa4A9AgA5 p/ebFMauJSopWq7XylsXMih8amUlZZYGY8+V/x6naKOUFoZjbWB2GqfSqdbRGGCWj5H1 BweHFmMzuTrEPe+j7uNszCpR7p65EfkIVf+cg4hTK+kseNrHt/mkmqc0lGQVuPzlqojI z8XQ== X-Gm-Message-State: AHPjjUiIz1tjAsEhewMDiC/0WTnWtESNYOERsV0kcHnIzgJCTesL+0oe iJjzFhA9yhoVTpS6/dLPEi4kby/hCu9V X-Google-Smtp-Source: ADKCNb6P7z37ytVpEVifJDjBsVeI7kALxWGVYeHTR87fPkxWEBOP/qeRV5Q+m0udo1ihm+MLw9hhrA/E0FxurcYKj5A= X-Received: by 10.202.170.20 with SMTP id t20mr8212675oie.38.1504483340397; Sun, 03 Sep 2017 17:02:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.14.77 with HTTP; Sun, 3 Sep 2017 17:02:19 -0700 (PDT) In-Reply-To: References: From: Martin Thomson Date: Mon, 4 Sep 2017 10:02:19 +1000 Message-ID: To: Phil Sorber Cc: "webpush@ietf.org" Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Webpush] CALL FOR CONSENSUS: VAPID cut-and-paste protection X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Sep 2017 00:02:22 -0000 New drafts pushed. Hopefully the IESG is happier this time around :) On Sat, Sep 2, 2017 at 1:02 PM, Phil Sorber wrote: > I think that we have consensus on this. Other options were considered by the > working group but for various reasons, such as deployment complexity, were > ruled out in favor of the JWT bearer token, despite it's sub-optimal > security properties. > > Thanks everyone for the feedback. > > On Thu, Aug 17, 2017 at 10:17 PM Martin Thomson > wrote: >> >> On 18 August 2017 at 12:58, Phil Sorber wrote: >> > I believe the working group has already discussed adding such a >> > mechanism >> > and rejected it (with citation to an email discussion or minutes >> > reflecting >> > such discussion). >> >> We did consider options that don't have this unfortunate property. >> Client certificates were a strong contender. They would have been >> ideal if not for operational challenges. >> >> Here's the email that I think was pivotal on this subject: >> https://mailarchive.ietf.org/arch/msg/webpush/_qwcGCuDekERw5o31t0MjFJGTh8 >> >> Later there is also: >> https://mailarchive.ietf.org/arch/msg/webpush/poGnqtBFlFe3hpzvkiS3Rp5L94g >> >> There are yet more emails that follow on from this where we discuss >> scope of the token and relative costs. The first of those is here: >> https://mailarchive.ietf.org/arch/msg/webpush/xrqo-LUb7mrPV6eF1xgyJoqMgCU >> >> I found the rest of thread instructive as a reminder of what happened, >> I had forgotten the details of this discussion. >> >> I didn't read meeting minutes, the above seems sufficient. > > > _______________________________________________ > Webpush mailing list > Webpush@ietf.org > https://www.ietf.org/mailman/listinfo/webpush > From nobody Thu Sep 28 18:42:55 2017 Return-Path: X-Original-To: webpush@ietf.org Delivered-To: webpush@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D6F89134493; Thu, 28 Sep 2017 18:42:53 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: IETF Meeting Session Request Tool To: Cc: adam@nostrum.com, webpush-chairs@ietf.org, sorber@apache.org, webpush@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.63.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <150664937383.14157.5169608560087802178.idtracker@ietfa.amsl.com> Date: Thu, 28 Sep 2017 18:42:53 -0700 Archived-At: Subject: [Webpush] webpush - Not having a session at IETF 100 X-BeenThere: webpush@ietf.org X-Mailman-Version: 2.1.22 List-Id: Discussion of potential IETF work on a web push protocol List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2017 01:42:54 -0000 Phil Sorber, a chair of the webpush working group, indicated that the webpush working group does not plan to hold a session at IETF 100. This message was generated and sent by the IETF Meeting Session Request Tool.