Skip to main content

Last Call Review of draft-ietf-webpush-vapid-03

Request Review of draft-ietf-webpush-vapid
Requested revision No specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-07-03
Requested 2017-06-19
Authors Martin Thomson , Peter Beverloo
I-D last updated 2017-06-28
Completed reviews Opsdir Last Call review of -03 by Stefan Winter (diff)
Genart Last Call review of -03 by Joel M. Halpern (diff)
Secdir Last Call review of -03 by Robert Sparks (diff)
Assignment Reviewer Robert Sparks
State Completed
Request Last Call review on draft-ietf-webpush-vapid by Security Area Directorate Assigned
Reviewed revision 03 (document currently at 04)
Result Has nits
Completed 2017-06-28
Summary: Ready (with nits)

This document provides a mechanism for an application server to voluntarily
identify itself to a push server using JWT. The draft is easy to follow. The
security properties of this mechanism are clearly and thoroughly discussed.

There are some minor nits:

1) The draft says that expiry claims MUST NOT be more than 24 hours from the
time of the request. Consider adding some discussion of why 24 hours was chosen
(vs some other arbitrary value), especially given the MUST NOT strength of the

2) The last paragraph of 4.2 says application servers create subscriptions, but
it means to say that user agents do. Martin already addressed when I brought it
up out-of-band with <>.

3) The last sentence of the abstract is missing a word. Perhaps s/subscription
a/subscription to a/ ?

4) Consider using the RFC8174 update to RFC2119.