Reviewer: Thomas Fossati Review result: Ready with Issues The document defines a new capability for JMAP servers to advertise the key they can use to authenticate WebPush notifications using VAPID. It is short and very clear. It is ready for publication modulo a couple of easily fixable issues: 1. "The P-256 public key [...] encoded in URL-safe base64 [...]" The format of the P-256 public key should be better specified. Is https://www.rfc-editor.org/rfc/rfc8292.html#section-3.2 what it's used for? If so, you could either reference the section, or extract the relevant bits (e.g., "ECDSA public key [FIPS186] in uncompressed form [X9.62] that is encoded using base64url encoding [RFC7515].”) 2. The registration template has a Security Consideration field which is missing from the request. Nits: * that is compatible [-to-]{+with+} WebPush * To [-faciliate that-]{+facilitate that,+} the client * MUST authenticate [-that-]{+the+} POST request * advertised in the [-capabilites-]{+capabilities+} object * the sessionState [-in accordance with-]{+per+} [RFC8620]. * contain an updated sessionState, [-that-]{+which+} refers to * This specification requests IANA to register {+a new capability in+} the JMAP [-Capability for VAPID-]{+Capabilities registry {{?IANA.jmap}}+} with the following data: -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
