Skip to main content

Last Call Review of draft-ietf-webpush-protocol-10

Request Review of draft-ietf-webpush-protocol
Requested revision No specific revision (document currently at 12)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-10-11
Requested 2016-09-29
Authors Martin Thomson , Elio Damaggio , Brian Raymor
I-D last updated 2016-10-20
Completed reviews Secdir Last Call review of -10 by Magnus Nyström (diff)
Opsdir Last Call review of -10 by Dan Romascanu (diff)
Assignment Reviewer Magnus Nyström
State Completed
Request Last Call review on draft-ietf-webpush-protocol by Security Area Directorate Assigned
Reviewed revision 10 (document currently at 12)
Result Ready
Completed 2016-10-20
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes how a user agent can establish a relationship
with a push service (a subscription) and then share that distribution
node information with various applications.

As such, the document is well written and has a comprehensive security
considerations section. The only slight concern I have is related to
the authorization of receiving push messages. The technique used is
essentially bearer tokens (knowledge of a URL). It therefore seems as
if unintended sharing of such a capability URL could cause other user
agents to get access to push notifications. I wonder if the work
around token binding in TLS (holder-of-key tokens) could be applicable
here, at least in the future.

-- Magnus