Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

For @ekr #43

Closed
wants to merge 6 commits into from
Closed

For @ekr #43

wants to merge 6 commits into from

Conversation

martinthomson
Copy link
Collaborator

@martinthomson martinthomson commented Aug 16, 2017

This doesn't address the suggested alternative design.

ekr
ekr reviewed Aug 16, 2017
View changes
draft-ietf-webpush-vapid.md
It's not shouting, when they are capitalized, they have the special meaning
described in {{!RFC2119}}.
When they are capitalized, they have the special meaning described in
{{!RFC2119}}.
Copy link

@ekr ekr Aug 16, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just cite RFC 8174

beverloo
beverloo approved these changes Aug 17, 2017
View changes
draft-ietf-webpush-vapid.md
payloads. In situations where usage of a subscription can be limited to a
single application server, the ability to associate a subscription with the
application server could reduce the impact of a data leak.
Additionally, the design of RFC 8030 relies on maintaining the secrecy of push
Copy link
Collaborator

@beverloo beverloo Aug 17, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should RFC 8030 be a reference?

draft-ietf-webpush-vapid.md
request for push message delivery MUST include proof of possession for the
associated private key that was used when creating the push subscription.
request for push message delivery MUST include a JWT signed by the private key
that was used when creating the push subscription.
Copy link
Collaborator

@beverloo beverloo Aug 17, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it correct to refer to the private key that was used to create the subscription, when that is done using a public key that was derived from the private key?

What about:

When a push subscription has been restricted to an application server, the
request for push message delivery MUST include a valid JWT signed by the
private key paired with the public key used when creating the push subscription.

@martinthomson
Copy link
Collaborator Author

@martinthomson martinthomson commented Aug 30, 2017

Merged manually after resolving conflicts.

@martinthomson martinthomson deleted the ekr-comment branch Aug 30, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekr ekr

@beverloo beverloo

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@martinthomson @beverloo @ekr