Last Call Review of draft-ietf-jmap-webpush-vapid-05
review-ietf-jmap-webpush-vapid-05-secdir-lc-dunbar-2024-12-09-00
Request | Review of | draft-ietf-jmap-webpush-vapid |
---|---|---|
Requested revision | No specific revision (document currently at 10) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2024-12-06 | |
Requested | 2024-11-22 | |
Authors | Daniel Gultsch | |
I-D last updated | 2024-12-09 | |
Completed reviews |
Artart Last Call review of -04
by Thomas Fossati
(diff)
Secdir Last Call review of -05 by Linda Dunbar (diff) Artart Last Call review of -05 by Thomas Fossati (diff) Genart Last Call review of -05 by Paul Kyzivat (diff) |
|
Assignment | Reviewer | Linda Dunbar |
State | Completed | |
Request | Last Call review on draft-ietf-jmap-webpush-vapid by Security Area Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/secdir/b8c3jN0x4yKZ85x5iM5Rjd-di2o | |
Reviewed revision | 05 (document currently at 10) | |
Result | Has issues | |
Completed | 2024-12-09 |
review-ietf-jmap-webpush-vapid-05-secdir-lc-dunbar-2024-12-09-00
I have reviewed this document as part of the SEC area directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security area directors. Document editors and WG chairs should treat these comments just like any other last-call comments. Major issues: The document does not introduce any new algorithms, protocols, or significant extensions to JMAP, WebPush, or VAPID. There is a section on Key Rotation Process which is specified in RFC8292. It seems that the document should be "Informational" instead of Standard track, correct? The security considerations of the document seem to primarily reiterate general concerns from related RFCs such as JMAP (RFC8620), WebPush (RFC8030), and VAPID (RFC8292). However, the document appears to lack a detailed exploration of security issues specific to the integration of VAPID with JMAP WebPush. Below are potential security risks that deserve some discussion: - The risk of race conditions if clients and servers are out of sync during the key rotation process. - The document does not address the potential risks associated with the exposure of the urn:ietf:params:jmap:webpush-vapid property in the JMAP capabilities object. Best Regards, Linda Dunbar