SECDIR review #16

martinthomson · 2017-07-25T02:16:17Z

No description provided.

beverloo · 2017-07-26T19:40:56Z

draft-ietf-webpush-encryption.md

-authenticated and provides confidentiality and integrity, such as HTTPS
-{{?RFC2818}}, is sufficient.
+an Application Server that can be used to initiate and secure communications for
+key distribution.  Any existing communication mechanism that is authenticated


What about simplifying to "that can be used for key distribution", as the following sentence describes the security aspects of the communication channel?

It might be worthwhile to explicitly mention the endpoint too -- especially if subscription restrictions are not being used, the security aspects of the channel used to communicate the endpoint (which otherwise relies on endpoint secrecy) should be identical.

Yeah, I'll make this "subscription data" instead. Keys are critical, but the rest of the subscription information is similarly important.

martinthomson added 5 commits Jul 25, 2017

Expand on pre-existing relationship

952208e

it's an authentication secret

afd5453

Application Server

9fb279e

PRK_key not PRK_cek, which doesn't exist

3a1b28c

Don't use header fields

ffa71a1

beverloo approved these changes Jul 26, 2017

View changes

Secure all the things

ba87ee0

martinthomson merged commit d495a65 into master Aug 2, 2017
1 check passed

martinthomson deleted the secdir branch Aug 2, 2017

webpush-wg / webpush-encryption Public

SECDIR review #16

SECDIR review #16

martinthomson commented Jul 25, 2017

beverloo Jul 26, 2017

martinthomson Jul 27, 2017

webpush-wg / webpush-encryption Public

SECDIR review #16

SECDIR review #16

Conversation

martinthomson commented Jul 25, 2017

beverloo Jul 26, 2017

Choose a reason for hiding this comment

martinthomson Jul 27, 2017

Choose a reason for hiding this comment