[Last-Call] Secdir last call review of draft-ietf-jmap-webpush-vapid-05

Reviewer: Linda Dunbar
Review result: Has Issues

I have reviewed this document as part of the SEC area directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security area directors.
Document editors and WG chairs should treat these comments just like any other
last-call comments.

Major issues:
The document does not introduce any new algorithms, protocols, or significant
extensions to JMAP, WebPush, or VAPID. There is a section on Key Rotation
Process which is specified in RFC8292. It seems that the document should be
"Informational" instead of Standards Track, correct?

The security considerations of the document seem to primarily reiterate general
concerns from related RFCs such as JMAP (RFC8620), WebPush (RFC8030), and VAPID
(RFC8292). However, the document appears to lack a detailed exploration of
security issues specific to the integration of VAPID with JMAP WebPush. Below
are potential security risks that deserve some discussion:

- The risk of race conditions if clients and servers are out of sync during the
key rotation process.

- The document does not address the potential risks associated with the
exposure of the urn:ietf:params:jmap:webpush-vapid property in the JMAP
capabilities object.

Best Regards,
Linda Dunbar
