Last Call Review of draft-ietf-jmap-webpush-vapid-04
review-ietf-jmap-webpush-vapid-04-artart-lc-fossati-2024-11-22-01
Request | Review of | draft-ietf-jmap-webpush-vapid |
---|---|---|
Requested revision | No specific revision (document currently at 05) | |
Type | Last Call Review | |
Team | ART Area Review Team (artart) | |
Deadline | 2024-12-06 | |
Requested | 2024-11-22 | |
Authors | Daniel Gultsch | |
I-D last updated | 2024-11-22 | |
Completed reviews |
Artart Last Call review of -04
by Thomas Fossati
(diff)
Artart Last Call review of -05 by Thomas Fossati |
|
Assignment | Reviewer | Thomas Fossati |
State | Completed | |
Request | Last Call review on draft-ietf-jmap-webpush-vapid by ART Area Review Team Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/art/k97TGwi8PCBBp7pb8UzmfpMQAWA | |
Reviewed revision | 04 (document currently at 05) | |
Result | Ready w/issues | |
Completed | 2024-11-22 |
review-ietf-jmap-webpush-vapid-04-artart-lc-fossati-2024-11-22-01
[Fixing the garbled text, apologies.] The document defines a new JMAP capability for JMAP servers to advertise the key they can use to authenticate WebPush notifications using VAPID. It is short and very clear. It is ready for publication modulo a couple of easily fixable issues: 1. "The P-256 public key [...] encoded in URL-safe base64 [...]" The format of the P-256 public key should be better specified. Is https://www.rfc-editor.org/rfc/rfc8292.html#section-3.2 what it's used for? If so, reference the section, or extract the relevant bits (e.g., "ECDSA public key [FIPS186] in uncompressed form [X9.62] that is encoded using base64url encoding [RFC7515].”) 2. The registration template has a Security Consideration field which is missing from the request. Nits: * that is compatible [-to-]{+with+} WebPush * To [-faciliate that-]{+facilitate that,+} the client * MUST authenticate [-that-]{+the+} POST request * advertised in the [-capabilites-]{+capabilities+} object * the sessionState [-in accordance with-]{+per+} [RFC8620]. * contain an updated sessionState, [-that-]{+which+} refers to * This specification requests IANA to register {+a new capability in+} the JMAP [-Capability for VAPID-]{+Capabilities registry {{?IANA.jmap}}+} with the following data: