Last Call Review of draft-ietf-webpush-vapid-03
review-ietf-webpush-vapid-03-secdir-lc-sparks-2017-06-28-00
| Request | Review of | draft-ietf-webpush-vapid |
|---|---|---|
| Requested rev. | no specific revision (document currently at 04) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2017-07-03 | |
| Requested | 2017-06-19 | |
| Draft last updated | 2017-06-28 | |
| Completed reviews |
Genart Last Call review of -03 by Joel Halpern
(diff)
Opsdir Last Call review of -03 by Stefan Winter (diff) Secdir Last Call review of -03 by Robert Sparks (diff) |
|
| Assignment | Reviewer | Robert Sparks |
| State | Completed | |
| Review | review-ietf-webpush-vapid-03-secdir-lc-sparks-2017-06-28 | |
| Reviewed rev. | 03 (document currently at 04) | |
| Review result | Has Nits | |
| Review completed: | 2017-06-28 |
Review
review-ietf-webpush-vapid-03-secdir-lc-sparks-2017-06-28
Summary: Ready (with nits) This document provides a mechanism for an application server to voluntarily identify itself to a push server using JWT. The draft is easy to follow. The security properties of this mechanism are clearly and thoroughly discussed. There are some minor nits: 1) The draft says that expiry claims MUST NOT be more than 24 hours from the time of the request. Consider adding some discussion of why 24 hours was chosen (vs some other arbitrary value), especially given the MUST NOT strength of the requirement. 2) The last paragraph of 4.2 says application servers create subscriptions, but it means to say that user agents do. Martin already addressed when I brought it up out-of-band with <https://github.com/webpush-wg/webpush-vapid/pull/39/files>. 3) The last sentence of the abstract is missing a word. Perhaps s/subscription a/subscription to a/ ? 4) Consider using the RFC8174 update to RFC2119.