You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An application server MUST include exactly one entry in each of the Encryption and Crypto-Key header fields.
This removes a number of edge-cases and simplifies implementations. However, draft-ietf-webpush-vapid-00 defines:
Note that with push message encryption I-D.ietf-webpush-encryption, this results in two values in the Crypto-Key header field, one with the a "p256dh" key and another with a "p256ecdsa" key.
Which is a violation of the former.
Semantically it makes most sense for these to be distinct values since they're intended for different audiences. I'll propose a PR limiting webpush-encryption to one Crypto-Key entry having a dh value instead.
The text was updated successfully, but these errors were encountered:
Because life is complicated, there are some libraries that are using ";" and creating a single parameter set containing both ECE and VAPID parameters, e.g.
dh=abc123...;p256ecdsa=efg876...;keyid=label
Because of "quirks" in both the mozilla and FCM handlers, this works.
It may be beneficial if legacy push servers continue to support this behavior while libraries and applications that depend on them transition to any new division format.
draft-ietf-webpush-encryption-02 defines:
This removes a number of edge-cases and simplifies implementations. However, draft-ietf-webpush-vapid-00 defines:
Which is a violation of the former.
Semantically it makes most sense for these to be distinct values since they're intended for different audiences. I'll propose a PR limiting webpush-encryption to one Crypto-Key entry having a
dh
value instead.The text was updated successfully, but these errors were encountered: