Re: [w3c/push-api] Add a list of authentication schemes (#262)

beverloo commented on this pull request.

Thanks! I'm a bit in two minds about this. On one hand I can see the value, the implementation cost _most likely_ is low and modulo a few more details it's simple enough.

On the other hand, the property describes capabilities of the push service, not the user agent. Since they can update independently, a UA is now expected to synchronise the available authentication schemes with the push service it has chosen. (Either through an occasional handshake or by aligning release schedules.) That's OK for us, but may not be equally feasible for everyone.

/cc @ShijunS FYI

> @@ -688,6 +689,11 @@
         when requesting the sending of a <a>push message</a> from the <a>push service</a>.
       </p>
       <p>
+        The <dfn data-dfn-for="PushManager">supportedAuthenticationSchemes</dfn> attribute exposes
+        the sequence of supported authentication schemes that can be used by <a>applications

nit: s/applications/application/

> @@ -688,6 +689,11 @@
         when requesting the sending of a <a>push message</a> from the <a>push service</a>.
       </p>
       <p>
+        The <dfn data-dfn-for="PushManager">supportedAuthenticationSchemes</dfn> attribute exposes
+        the sequence of supported authentication schemes that can be used by <a>applications
+        servers</a> to authenticate with the <a>push service</a>.
+      </p>
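
Review bot: The added paragraph defining `supportedAuthenticationSchemes` says it "exposes the sequence of supported authentication schemes" but never says what the members of that sequence are, whether their order expresses a preference, or what an empty sequence means for an application server. Suggest stating the member type in this paragraph and saying how an application server should treat an identifier it does not recognise, so that callers can feature-detect against the attribute without guessing.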

Can we list at least "vapid" (and ideally require it -- is that feasible?), but ideally also explain what sort of other values one might expect in this array? Would Chrome include a `x-google-gcm` or similar if a proprietary mechanism were available?

> @@ -868,7 +874,11 @@
           key is used to generate an authentication token.
         </p>
         <p>
-          If present, the value of <a data-link-for=
+          If present, the value of the <code><a data-link-for=
+          "PushSubscriptionOptions">applicationServerKey</a></code> needs to be valid according to
+          one of the supported authentication schemes (see <code><a data-link-for=
+          "PushManager">supportedAuthenticationSchemes</a></code>). For the "vapid" scheme defined
+          in [[!WEBPUSH-VAPID]], the value of <a data-link-for=
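
Review bot: In the added sentence, "needs to be valid according to one of the supported authentication schemes" is not worded as a requirement and leaves two things open: how the user agent decides which scheme a given `applicationServerKey` is meant for when more than one is supported, and what happens when the value is valid for none of them. Suggest a normative keyword here and an explicit failure outcome. As a style point, the first `applicationServerKey` link is now wrapped in `<code>` while the `<a data-link-for=` that opens on the last added line is not; the two should be marked up the same way.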

This now implies that `applicationServerKey` can contain non-P-256 values too. That creates a conflict in the algorithm at 8.5.2, and makes the paragraph just before this one ambiguous: it mentions _an elliptic curve_, but what about other sorts of values?

> @@ -688,6 +689,11 @@
         when requesting the sending of a <a>push message</a> from the <a>push service</a>.
       </p>
       <p>
+        The <dfn data-dfn-for="PushManager">supportedAuthenticationSchemes</dfn> attribute exposes
+        the sequence of supported authentication schemes that can be used by <a>applications
+        servers</a> to authenticate with the <a>push service</a>.
+      </p>

Also, does `vapid` refer to the latest version of the draft, or the previous one (still using `Crypto-Key`) that still has more implementations?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/pull/262#pullrequestreview-44958556

Received on Monday, 19 June 2017 20:25:40 UTC