Skip to main content

Last Call Review of draft-ietf-jmap-webpush-vapid-05
review-ietf-jmap-webpush-vapid-05-secdir-lc-dunbar-2024-12-09-00

Request Review of draft-ietf-jmap-webpush-vapid
Requested revision No specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-12-06
Requested 2024-11-22
Authors Daniel Gultsch
I-D last updated 2024-12-09
Completed reviews Artart Last Call review of -04 by Thomas Fossati (diff)
Secdir Last Call review of -05 by Linda Dunbar (diff)
Artart Last Call review of -05 by Thomas Fossati (diff)
Genart Last Call review of -05 by Paul Kyzivat (diff)
Assignment Reviewer Linda Dunbar
State Completed
Request Last Call review on draft-ietf-jmap-webpush-vapid by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/b8c3jN0x4yKZ85x5iM5Rjd-di2o
Reviewed revision 05 (document currently at 10)
Result Has issues
Completed 2024-12-09
review-ietf-jmap-webpush-vapid-05-secdir-lc-dunbar-2024-12-09-00
I have reviewed this document as part of the SEC area directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security area directors.
Document editors and WG chairs should treat these comments just like any other
last-call comments.

Major issues:
The document does not introduce any new algorithms, protocols, or significant
extensions to JMAP, WebPush, or VAPID. There is a section on Key Rotation
Process which is specified in RFC8292. It seems that the document should be 
"Informational" instead of Standard track, correct?

The security considerations of the document seem to primarily reiterate general
concerns from related RFCs such as JMAP (RFC8620), WebPush (RFC8030), and VAPID
(RFC8292). However, the document appears to lack a detailed exploration of
security issues specific to the integration of VAPID with JMAP WebPush. Below
are potential security risks that deserve some discussion:

- The risk of race conditions if clients and servers are out of sync during the
key rotation process.

- The document does not address the potential risks associated with the
exposure of the urn:ietf:params:jmap:webpush-vapid property in the JMAP
capabilities object.

Best Regards,
Linda Dunbar