Thanks Robert.

On 28 June 2017 at 14:38, Robert Sparks <rjsparks@xxxxxxxxxxx> wrote:
> 1) The draft says that expiry claims MUST NOT be more than 24 hours from the
> time of the request. Consider adding some discussion of why 24 hours was chosen
> (vs some other arbitrary value), especially given the MUST NOT strength of the
> requirement.

Frankly, the decision is a little arbitrary, but it's where we landed. It's a balance between competing concerns of reuse and the exposure to theft and abuse that comes with reuse. The overriding reason for a MUST NOT strength is that it allows the server to reject requests with bad claims.

I'll add a sentence to the security considerations, which talk about the need for expiration and the implications of the MUST NOT. See https://github.com/webpush-wg/webpush-vapid/pull/40

> 2) The last paragraph of 4.2 says application servers create subscriptions, but
> it means to say that user agents do. Martin already addressed when I brought it
> up out-of-band with <https://github.com/webpush-wg/webpush-vapid/pull/39/files>.
>
> 3) The last sentence of the abstract is missing a word. Perhaps s/subscription
> a/subscription to a/ ?

Fixed, thanks.

> 4) Consider using the RFC8174 update to RFC2119.

Noted.