Skip to main content

Last Call Review of draft-ietf-jmap-webpush-vapid-04
review-ietf-jmap-webpush-vapid-04-artart-lc-fossati-2024-11-22-01

Request Review of draft-ietf-jmap-webpush-vapid
Requested revision No specific revision (document currently at 05)
Type Last Call Review
Team ART Area Review Team (artart)
Deadline 2024-12-06
Requested 2024-11-22
Authors Daniel Gultsch
I-D last updated 2024-11-22
Completed reviews Artart Last Call review of -04 by Thomas Fossati (diff)
Artart Last Call review of -05 by Thomas Fossati
Assignment Reviewer Thomas Fossati
State Completed
Request Last Call review on draft-ietf-jmap-webpush-vapid by ART Area Review Team Assigned
Posted at https://mailarchive.ietf.org/arch/msg/art/k97TGwi8PCBBp7pb8UzmfpMQAWA
Reviewed revision 04 (document currently at 05)
Result Ready w/issues
Completed 2024-11-22
review-ietf-jmap-webpush-vapid-04-artart-lc-fossati-2024-11-22-01
[Fixing the garbled text, apologies.]

The document defines a new JMAP capability for JMAP servers to advertise
the key they can use to authenticate WebPush notifications using VAPID.

It is short and very clear.

It is ready for publication modulo a couple of easily fixable issues:

1. "The P-256 public key [...] encoded in URL-safe base64 [...]"

The format of the P-256 public key should be better specified.

Is https://www.rfc-editor.org/rfc/rfc8292.html#section-3.2 what it's
used for?  If so, reference the section, or extract the relevant bits
(e.g., "ECDSA public key [FIPS186] in uncompressed form [X9.62] that is
encoded using base64url encoding [RFC7515].”)

2. The registration template has a Security Consideration field which is
missing from the request.

Nits:

* that is compatible [-to-]{+with+} WebPush

* To [-faciliate that-]{+facilitate that,+} the client

* MUST authenticate [-that-]{+the+} POST request

* advertised in the [-capabilites-]{+capabilities+} object

* the sessionState [-in accordance with-]{+per+} [RFC8620].

* contain an updated sessionState, [-that-]{+which+} refers to

* This specification requests IANA to register {+a new capability in+}
  the JMAP [-Capability for VAPID-]{+Capabilities registry
  {{?IANA.jmap}}+} with the following data: