Intent to Implement and Ship: draft-ietf-webpush-encryption-08
85 views
Skip to first unread message
Peter Beverloo
May 8, 2017, 1:22:05 PM5/8/17
to blink-dev
Contact emails
Spec
Summary
We currently support the `aesgcm` content coding for encrypted push message payloads, which is based on a previous version of the webpush-encryption draft:
The latest version, draft 8, makes a number of changes to the steps necessary to transform a payload. The content coding of this version is identified as `aes128gcm`. Input for the transformations remains the same. Developers will implement support on their application server.
As part of this change, support for the `aes128gcm` content coding will be advertised in the PushManager.supportedContentEncodings property, assuming that Intent gets approved, enabling phased updates of their server-sided code.
Motivation
We should support the latest version of the encryption scheme. Support is already mandated by the W3C Push API:
Interoperability and Compatibility Risk
Some. The draft is currently in last call phase after which it’ll go out for wider review. httpbis-encryption-encoding-09 was already approved as a Proposed Standard.
We’ll disable support in time for M60 beta in case breaking changes are necessary, but we’re not expecting this.
Edge: No signals
Firefox: Public support (https://bugzilla.mozilla.org/show_bug.cgi?id=1345665)
Safari: No signals
Web developers: No signals
We’ll continue to support both versions for the foreseeable future, and will work with libraries and large partners to help them update to the new format when it’s commonly supported. This should enable a deprecation path later on.
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
All but Android WebView, where the Push API is not supported.
OWP launch tracking bug
Link to entry on the feature dashboard
Requesting approval to ship?
Yes
Rick Byers
May 11, 2017, 1:00:45 PM5/11/17
to Peter Beverloo, blink-dev
Is there any plan for interoperability testing for IETF protocol specs like this? Our current template includes this section, but I'm not sure exactly how it should apply in the case of a protocol spec. web-platform-test isn't specifically about W3C specs, but what is the testing strategy for this IETF group generally?
Is this feature fully tested by web-platform-tests?
Please link to the test suite. If any part of the feature is not tested by web-platform-tests, please include links to issues, e.g.:
A web-platform-tests issue with the "infra" label explaining why a certain thing cannot be tested. (example)
A spec issue for some change that would make it possible to test. (example)
A Chromium issue to upstream some existing tests. (example)
d...@google.com
May 11, 2017, 2:18:34 PM5/11/17
to blink-dev, Quan Nguyen
Some spec feedback from Quan Nguyen:
I would suggest adding a section about verifying peer's public key is on the private key's curve in ECDH protocol. Without this check, for the curve that they use P-256, it would allow attacker to extract the private key.
Peter, are you a member of the IETF group developing the spec?
Peter, are you a member of the IETF group developing the spec?
Peter Beverloo
May 11, 2017, 2:53:37 PM5/11/17
to Rick Byers, blink-dev
Hi Rick,
I've already filed an issue against web-platform-tests covering the Push API. It briefly talks about a possibility in including the protocol in such tests.
There is no shared test suite for the Web Push Protocol (RFC8030). The semantics that developers are being exposed to are straightforward and, beyond a few bugs in header parsing, we have not seen major issues. There are also features, notably delivery receipts, that none of the push services backing browsers support yet.
Specifically to the encryption draft, the binary and mathematical nature of doing these transformations means that it either works, or it doesn't. This is confirmed through the reference tests included in the drafts, which we have (for -03) and will have (for -08) as unit tests.
Sorry for missing this section in my intents. Since the Intent to Implement template still includes the "requesting approval to ship" bit, perhaps it should be updated to include it.
Thanks,
Peter
Peter Beverloo
May 11, 2017, 2:59:15 PM5/11/17
to d...@google.com, blink-dev, Quan Nguyen
Hi David,
Yes, I am a member of the working group and have relayed Quan's feedback. Thanks! :)
Thanks,
Peter
Chris Harrelson
May 15, 2017, 8:40:45 PM5/15/17
to Peter Beverloo, d...@google.com, blink-dev, Quan Nguyen
LGTM1
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Rick Byers
May 18, 2017, 5:40:37 PM5/18/17
to Chris Harrelson, Peter Beverloo, David Ross, blink-dev, Quan Nguyen
Thanks Peter, LGTM2
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-Ns9D-UPRLB3_sYv7bPGmgPJZ_aH6JVF%3Dr5b8NFN7j-Q%40mail.gmail.com.
Jochen Eisinger
May 22, 2017, 7:13:20 AM5/22/17
to Rick Byers, Chris Harrelson, Peter Beverloo, David Ross, blink-dev, Quan Nguyen
lgtm3
Thanks Peter, LGTM2
LGTM1
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-Ns9D-UPRLB3_sYv7bPGmgPJZ_aH6JVF%3Dr5b8NFN7j-Q%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY-AiwOq4nhNjRzXgyEGZc6-Q7GtUPT4QjWOUa_vWmE0Kw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages