idnits 2.17.00 (12 Aug 2021)

/tmp/idnits10049/draft-damaggio-webpush-http2-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document date (March 6, 2015) is 2632 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CAP-URI'

  == Outdated reference: draft-ietf-httpbis-http2 has been published as RFC
     7540

  ** Downref: Normative reference to an Informational RFC: RFC 2818

  ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)

  ** Obsolete normative reference: RFC 5988 (Obsoleted by RFC 8288)

  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)


     Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	WEBPUSH                                                      E. Damaggio
3	Internet-Draft                                                 B. Raymor
4	Intended status: Standards Track                               Microsoft
5	Expires: September 7, 2015                                 March 6, 2015

7	                 Generic Event Delivery Using HTTP Push
8	                    draft-damaggio-webpush-http2-00

10	Abstract

12	   A simple protocol for the delivery of realtime events to user agents
13	   is described.  This scheme uses HTTP/2 server push.

15	Status of This Memo

17	   This Internet-Draft is submitted in full conformance with the
18	   provisions of BCP 78 and BCP 79.

20	   Internet-Drafts are working documents of the Internet Engineering
21	   Task Force (IETF).  Note that other groups may also distribute
22	   working documents as Internet-Drafts.  The list of current Internet-
23	   Drafts is at http://datatracker.ietf.org/drafts/current/.

25	   Internet-Drafts are draft documents valid for a maximum of six months
26	   and may be updated, replaced, or obsoleted by other documents at any
27	   time.  It is inappropriate to use Internet-Drafts as reference
28	   material or to cite them other than as "work in progress."

30	   This Internet-Draft will expire on September 7, 2015.

32	Copyright Notice

34	   Copyright (c) 2015 IETF Trust and the persons identified as the
35	   document authors.  All rights reserved.

37	   This document is subject to BCP 78 and the IETF Trust's Legal
38	   Provisions Relating to IETF Documents
39	   (http://trustee.ietf.org/license-info) in effect on the date of
40	   publication of this document.  Please review these documents
41	   carefully, as they describe your rights and restrictions with respect
42	   to this document.  Code Components extracted from this document must
43	   include Simplified BSD License text as described in Section 4.e of
44	   the Trust Legal Provisions and are provided without warranty as
45	   described in the Simplified BSD License.

47	Table of Contents

49	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
50	     1.1.  Conventions and Terminology . . . . . . . . . . . . . . .   4
51	   2.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
52	     2.1.  HTTP Resources  . . . . . . . . . . . . . . . . . . . . .   6
53	   3.  Registration  . . . . . . . . . . . . . . . . . . . . . . . .   6
54	   4.  Subscribing . . . . . . . . . . . . . . . . . . . . . . . . .   6
55	   5.  Requesting Push Message Delivery  . . . . . . . . . . . . . .   7
56	     5.1.  Requesting Push Message Receipts  . . . . . . . . . . . .   8
57	   6.  Receiving Push Messages . . . . . . . . . . . . . . . . . . .   9
58	     6.1.  Acknowledging Push Message Receipts . . . . . . . . . . .  10
59	   7.  Operational Considerations  . . . . . . . . . . . . . . . . .  11
60	     7.1.  Load Management . . . . . . . . . . . . . . . . . . . . .  11
61	     7.2.  Push Message Expiration . . . . . . . . . . . . . . . . .  11
62	     7.3.  Subscription Expiration . . . . . . . . . . . . . . . . .  12
63	     7.4.  Implications for Application Reliability  . . . . . . . .  12
64	   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
65	     8.1.  Confidentiality from Push Service Access  . . . . . . . .  13
66	     8.2.  Privacy Considerations  . . . . . . . . . . . . . . . . .  13
67	     8.3.  Authorization . . . . . . . . . . . . . . . . . . . . . .  14
68	     8.4.  Denial of Service Considerations  . . . . . . . . . . . .  15
69	     8.5.  Logging Risks . . . . . . . . . . . . . . . . . . . . . .  15
70	   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  15
71	   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  17
72	   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  17
73	     11.1.  Normative References . . . . . . . . . . . . . . . . . .  17
74	     11.2.  Informative References . . . . . . . . . . . . . . . . .  18
75	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  18

77	1.  Introduction

79	   Many applications on mobile and embedded devices require continuous
80	   access to network communications so that real-time events - such as
81	   incoming calls or messages - can be conveyed (or "pushed") in a
82	   timely fashion.

84	   Mobile and embedded devices typically have limited power reserves, so
85	   finding more efficient ways to serve application requirements greatly
86	   benefits the application ecosystem.  One significant contributor to
87	   power usage is the radio.  Radio communications consume a significant
88	   portion of the energy budget on a wirelessly connected device.

90	   Uncoordinated use of persistent connections or sessions can
91	   contribute to unnecessary use of the device radio, since each
92	   independent session independently incurs overheads.  In particular,
93	   keep alive traffic used to ensure that middleboxes do not prematurely
94	   time out sessions, can result in significant waste.  Maintenance
95	   traffic tends to dominate over the long term, since events are
96	   relatively rare.

98	   Consolidating all real-time events into a single session ensures more
99	   efficient use of network and radio resources.  A single service
100	   consolidates all events, distributing those events to applications as
101	   they arrive.  This requires just one session, avoiding duplicated
102	   overhead costs.

104	   A push server that does not support reliable delivery over
105	   intermittent network connections or failing applications on devices,
106	   forces the device to acknowledge receipt directly to the application
107	   server, incurring additional power drain in order to establish
108	   (usually secure) connections to the individual application servers.

110	   While reliability is not required for messages that expire in few
111	   seconds (e.g. an incoming call) or collapsible ones (e.g. the current
112	   number of unread emails), it is more important when messages contain
113	   information that is longer lasting, e.g. a command to update a
114	   configuration value, or the acknowledgement of a financial
115	   transaction or workflow step.  In particular, in the case of power-
116	   constrained devices, it is preferable to transmit the actual
117	   information in the "pushed" message reliably, instead of forcing them
118	   to reconnect periodically to get the current state.

120	   An open standard to "push" messages to embedded and mobile devices:

122	   o  Simplifies deployment of "push" features across a variety of
123	      mobile and embedded device platforms

125	   o  Creates an ecosystem of services (e.g. consolidation services) and
126	      development tools enabling efficient "push"

128	   o  Technically enables consolidating real-time events into a single
129	      session which is impossible when each "push" implementation is
130	      built in isolation

132	   There are two primary scenarios under consideration:

134	   o  Web applications in a mobile user agent and

136	   o  Embedded devices receiving push messages from cloud services
137	      through an intermediate "field gateway", i.e. a reasonably
138	      powerful device (capable of secure HTTP/2 communications), which
139	      acts as a local agent.

141	   The W3C Web Push API [API] describes an API that enables the use of a
142	   consolidated push service from web applications.  This expands on
143	   that work by describing a protocol that can be used to:

145	   o  request the delivery of a push message to a user agent,

147	   o  create new push message delivery subscriptions, and

149	   o  monitor for new push messages.

151	   Requesting the delivery of events is particularly important for the
152	   Web Push API.  The registration, management and monitoring functions
153	   are currently fulfilled by proprietary protocols; these are adequate,
154	   but do not offer any of the advantages that standardization affords.

156	   In the embedded field gateway scenario, small (possibly much less
157	   capable devices) connect to a field gateway to receive push messages.
158	   This protocol does not detail the device-to-field gateway connection,
159	   instead it details how the field-gateway can efficiently receive push
160	   messages on behalf of many devices.

162	   This document intentionally does not describe how a push service is
163	   discovered.  Discovery of push services is left for future efforts,
164	   if it turns out to be necessary at all.  User agents are expected to
165	   be configured with a URL for one (or more) push services.

167	1.1.  Conventions and Terminology

169	   In cases where normative language needs to be emphasized, this
170	   document falls back on established shorthands for expressing
171	   interoperability requirements on implementations: the capitalized
172	   words "MUST", "MUST NOT", "SHOULD" and "MAY".  The meaning of these
173	   is described in [RFC2119].

175	   This document defines the following terms:

177	   application:  Both the sender and ultimate consumer of push messages.
178	      Many applications have components that are run on a user agent and
179	      other components that run on servers.

181	   application server:  The component of an application that runs on a
182	      server and requests the delivery of a push message.

184	   push message:  A message, sent from an application server to a user
185	      agent via a push service.

187	   push service:  A service that delivers push messages to user agents.

189	   subscription:  A message delivery context that is established between
190	      the user agent and the push service and shared with applications.
191	      All push messages are associated with a subscription.

193	   user agent:  A device and software that is the recipient of push
194	      messages.

196	   Examples in this document use the HTTP/1.1 message format [RFC7230].
197	   Many of the exchanges can be completed using HTTP/1.1, where HTTP/2
198	   is necessary, the more verbose frame format from
199	   [I-D.ietf-httpbis-http2] is used.

201	2.  Overview

203	   A general model for push services includes three basic actors: a user
204	   agent, a push service, and an application (server).

206	    +-------+           +--------------+       +-------------+
207	    |  UA   |           | Push Service |       | Application |
208	    +-------+           +--------------+       +-------------+
209	        |                      |                      |
210	        |      Subscribe       |                      |
211	        |--------------------->|                      |
212	        |       Monitor        |                      |
213	        |<====================>|                      |
214	        |                      |                      |
215	        |           Provide Subscription              |
216	        |-------------------------------------------->|
217	        |                      |                      |
218	        :                      :                      :
219	        |                      |     Push Message     |
220	        |    Push Message      |<---------------------|
221	        |<---------------------|                      |
222	        |                      |                      |

224	   At the very beginning of the process, a new subscription is created
225	   by the user agent and then distributed to an application server.  The
226	   subscription is the basis of all future interactions between the user
227	   agent and push service.

229	   It is expected that a different subscription will be provided to each
230	   application; however, there are no inherent cardinality constraints
231	   in the protocol.  Multiple subscriptions might be created for the
232	   same application, or multiple applications could use the same
233	   subscription.  Note however that sharing subscriptions can have
234	   security and privacy implications.

236	   Application servers use subscriptions to deliver push messages to
237	   user agents, via the push service.

239	   Subscriptions have a limited lifetime.  They can also be terminated
240	   by either push service or user agent at any time.  User agents and
241	   application servers need to be prepared to manage changes in
242	   subscription state.

244	2.1.  HTTP Resources

246	   This protocol uses HTTP resources [RFC7230] and link relations
247	   [RFC5988].  The following resources are defined:

249	   push service:  This resource is used in Subscribing (Section 4).  It
250	      is configured into user agents.

252	   subscription:  A link relation of type "urn:ietf:params:push" refers
253	      to a subscription resource.  Subscription resources are used to
254	      deliver push messages.  An application server sends push messages
255	      (Section 5) and a user agent receives push messages (Section 6)
256	      using this resource.

258	   receipt:  A link relation of type "urn:ietf:params:push:receipt"
259	      refers to a delivery receipt resource.  An application server
260	      receives delivery confirmation (Section 5.1) for push messages
261	      using this resource.

263	3.  Registration

265	   The Registration and Subscribe resources referenced in
266	   [I-D.draft-thomson-webpush-http2-02] were deprecated to eliminate the
267	   overhead of maintaining registration-subscription relationships in
268	   the push server.

270	4.  Subscribing

272	   A user agent sends a POST request to its configured push service
273	   resource to create a new subscription.

275	   POST /subscribe/ HTTP/1.1
276	   Host: push.example.net

278	   A response with a 201 (Created) status code includes a URI for the
279	   subscription in the Location header field.

281	   HTTP/1.1 201 Created
282	   Date: Thu, 11 Dec 2014 23:56:52 GMT
283	   Link: </p/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx>;
284	           rel="urn:ietf:params:push"
285	   Location: https://push.example.net/p/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx
286	   Cache-Control: max-age:864000, private

288	   The user agent should securely distribute the "subscription" resource
289	   to its application server.  (Details are outside the scope of this
290	   document.)

292	5.  Requesting Push Message Delivery

294	   An application server requests the delivery of a push message by
295	   sending an HTTP POST request to the "subscription" resource
296	   distributed by its user agent.  The push message is included in the
297	   body of the request.

299	   The push message is a JSON [RFC7159] object which contains the push
300	   message data and directives for the push server:

302	   +-----------------+----------+--------------------------------------+
303	   | Member          | Use      | Description                          |
304	   +-----------------+----------+--------------------------------------+
305	   | message         | optional | A JSON object that contains push     |
306	   |                 |          | message data                         |
307	   | request_receipt | optional | A JSON boolean indicating whether    |
308	   |                 |          | the application server requests a    |
309	   |                 |          | confirmation that the push message   |
310	   |                 |          | was delivered to the user agent. Its |
311	   |                 |          | default value is false.              |
312	   | time_to_live    | optional | A JSON number that represents the    |
313	   |                 |          | expiration time in seconds for a     |
314	   |                 |          | push message. It is relative to the  |
315	   |                 |          | time that the push server receives   |
316	   |                 |          | the request. A message MUST NOT be   |
317	   |                 |          | delivered after it expires.          |
318	   +-----------------+----------+--------------------------------------+

320	                   Table 1: Push Message Request Format

322	   POST /p/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx HTTP/1.1
323	   Host: push.example.net
324	   Content-Type: application/json
325	   Content-Length: ...

327	   {
328	    "request_receipt": true,
329	    "message": {"data": "Hello World"}
330	   }

332	   A response with a 201 (Created) status code includes a URI for the
333	   message in the Location header field.  This does not indicate that
334	   the message was delivered to the user agent.  If a receipt was
335	   requested, then a URI for the receipt resource is included in the
336	   Link header field in the response.

338	HTTP/1.1 201 Created
339	Date: Thu, 11 Dec 2014 23:56:55 GMT
340	Link: </r/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx/;
341	        rel="urn:ietf:params:push:receipt"
342	Cache-Control: max-age=600
343	Location: https://push.example.net/p/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx/id

345	   A push server MUST return a 400 (Bad Request) status code in response
346	   to a POST request that contains malformed JSON in the body.

348	   [Should the push server return a 400 if the requested time_to_live
349	   exceeds its storage limits?]

351	   A push service MAY generate a 413 (Payload Too Large) status code in
352	   response to POST requests that include an entity body that is too
353	   large.  Push services MUST NOT generate a 413 status code in
354	   responses to an entity body that is 4k (4096 bytes) or less in size.

356	5.1.  Requesting Push Message Receipts

358	   The application server MAY request to be notified by the push server
359	   when a push message has been successfully delivered to the user
360	   agent.

362	   To request a receipt, the application server sets the value of the
363	   push message request_receipt member to true in the HTTP POST request
364	   to the "subscription" resource.

366	   The application server requests the delivery of receipts from the
367	   push server by making a HTTP GET request to the "receipt" resource.
368	   The push service does not respond to this request, it instead uses
369	   HTTP/2 server push [I-D.ietf-httpbis-http2] to send the content of
370	   push receipts when messages are acknowledged by the user agent.

372	   [Details on the message format for push receipt responses is TBD]

374	   The push server MUST generate a 504 (Gateway Timeout) if the user
375	   agent fails to acknowledge the receipt of the push message or the
376	   push server fails to deliver the message prior to its expiration.

378	6.  Receiving Push Messages

380	   A user agent requests the delivery of new push messages by making a
381	   GET request to the "subscription" resource.  The push service does
382	   not respond to this request, it instead uses HTTP/2 server push
383	   [I-D.ietf-httpbis-http2] to send the contents of push messages as
384	   they are sent by application servers.

386	   Each push message is pushed in response to a synthesized GET request.
387	   The GET request is made to the "subscription" resource.  The response
388	   body is the entity body from the most recent POST request sent to the
389	   "subscription" resource by the application server.

391	   The following example request is made over HTTP/2.

393	   HEADERS      [stream 7] +END_STREAM +END_HEADERS
394	     :method        = GET
395	     :path          = /p/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx
396	     :authority     = push.example.net

398	   The push service permits the request to remain outstanding.  When a
399	   push message is sent by an application server, a server push is
400	   associated with the initial request.  The response includes the push
401	   message.

403	   PUSH_PROMISE [stream 7; promised stream 4] +END_HEADERS
404	     :method        = GET
405	     :path          = /p/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx/id
406	     :authority     = push.example.net

408	   HEADERS      [stream 4] +END_HEADERS
409	     :status        = 200
410	     date           = Thu, 11 Dec 2014 23:56:55 GMT
411	     last-modified  = Thu, 11 Dec 2014 23:56:55 GMT
412	     cache-control  = private
413	     content-type   = ...
414	     content-length = ...

416	   DATA         [stream 4] +END_STREAM
417	     { // JSON Object // }

419	   A user agent might receive a PUSH_PROMISE for a resource for which it
420	   has no active subscription.  The resulting unwanted push message can
421	   be ignored, or the corresponding stream can be reset (using
422	   RST_STREAM) to avoid expending bandwidth.

424	   A user agent can request the contents of the "subscription" resource
425	   immediately by including a Prefer header field [RFC7240] with a
426	   "wait" parameter set to "0".  The push server SHOULD return a link
427	   reference to the "subscription" resource and expiration information
428	   in response to this request.  This request also triggers the delivery
429	   of all push messages that the push service has stored but not yet
430	   delivered.  The server MUST generate a server push for all stored
431	   messages that have not yet been delivered.

433	   Different collapsing or coalescing disciplines for messages are
434	   possible but outside the scope of this document.

436	6.1.  Acknowledging Push Message Receipts

438	   To enable "at least once delivery", the user agent MUST acknowledge
439	   receipt of the message by performing a HTTP DELETE on the resource in
440	   the :path pseudo-header field from the PUSH_PROMISE.

442	   DELETE /p/LBhhw0OohO-Wl4Oi971UGsB7sdQGUibx/id HTTP/1.1
443	   Host: push.example.net
444	   If the application has requested a delivery receipt, the push server
445	   MUST deliver a response to the application server monitoring the
446	   "receipt" resource.

448	7.  Operational Considerations

450	   [No changes to [I-D.draft-thomson-webpush-http2-02]]

452	7.1.  Load Management

454	   [No changes to [I-D.draft-thomson-webpush-http2-02]]

456	7.2.  Push Message Expiration

458	   [This section from [I-D.draft-thomson-webpush-http2-02] was updated
459	   to include the time_to_live option.]

461	   Push services typically store messages for some time to allow for
462	   limited recovery from transient faults.  If a push message is stored,
463	   but not delivered, the push service can indicate the probable
464	   duration of storage by including expiration information in the
465	   response to the push request.

467	   A push service is not obligated to store messages indefinitely.  If a
468	   user agent is not actively monitoring for push messages, those
469	   messages can be lost or overridden by newer messages on the same
470	   subscription.

472	   Push messages that were stored and not delivered to a user agent are
473	   delivered when the user agent recommences monitoring.  (A message
474	   with a time_to_live option MUST NOT be delivered once it expires.)
475	   Stored push messages SHOULD include a Last-Modified header field (see
476	   Section 2.2 of [RFC7232]) indicating when delivery was requested by
477	   an application server.

479	   A GET request to a "subscription" resource that has expired messages
480	   results in a 204 (No Content) status response, equivalent to if no
481	   push message were ever sent.

483	   Push services might need to limit the size and number of stored push
484	   messages to avoid overloading.  In addition to using the 413 (Payload
485	   Too Large) status code for too large push messages, a push service
486	   MAY expire push messages prior to any advertised expiration time.

488	7.3.  Subscription Expiration

490	   [Minor editorial changes to [I-D.draft-thomson-webpush-http2-02] to
491	   remove references to registration]

493	   In some cases, it may be necessary to terminate subscriptions so that
494	   they can be refreshed.

496	   A push service might choose to set a fixed expiration time.  If a
497	   resource has a known expiration time, expiration information is
498	   included in responses to requests that create the resource, or in
499	   requests that retrieve a representation of the resource.

501	   Expiration is indicated using either the Expires header field, or by
502	   setting a "max-age" parameter on a Cache-Control header field (see
503	   [RFC7234]).  The Cache-Control header field MUST also include the
504	   "private" directive.

506	   A push service can invalidate a subscription at any time.  If a user
507	   agent has an outstanding request to the "subscription" resource, this
508	   can be signaled by returning a 400-series status code, such as 410
509	   (Gone).  A push service uses server push to indicate that a
510	   subscription has expired; a pushed 400-series status code for the
511	   subscription resource signals the termination of a subscription.

513	   A user agent can request that a subscription be removed by sending a
514	   DELETE request to the corresponding URI.

516	   A push service MUST send a 400-series status code, such as 404 (Not
517	   Found) or 410 (Gone) if an application server atttempts to send a
518	   push message to a removed or expired subscription.

520	7.4.  Implications for Application Reliability

522	   [This section from [I-D.draft-thomson-webpush-http2-02] was updated
523	   to include receipts.]

525	   The availability of push message delivery receipts in the protocol
526	   ensures that the application developer is not tempted to create
527	   alternative mechanisms for message delivery in case the push service
528	   fails to deliver a critical message.  Setting up a polling mechanism
529	   or a backup messaging channel in order to compensate for these
530	   shortcomings negates almost all of the advantages a push service
531	   provides.

533	8.  Security Considerations

535	   [Minor editorial changes throughout Section 8 to
536	   [I-D.draft-thomson-webpush-http2-02] to remove references to
537	   registration]

539	   This protocol MUST use HTTP over TLS [RFC2818]; this includes any
540	   communications between user agent and push service, plus
541	   communications between the application and the push service.  Thus,
542	   all URIs use the "https" scheme.  This provides confidentiality and
543	   integrity protection for subscriptions and push messages from
544	   external parties.

546	8.1.  Confidentiality from Push Service Access

548	   The protection afforded by TLS does not protect content from the push
549	   service.  Without additional safeguards, a push service is able to
550	   see and modify the content of the messages.

552	   Applications are able to provide additional confidentiality,
553	   integrity or authentication mechanisms within the push message
554	   itself.  The application server sending the push message and the
555	   application on the user agent that receives it are frequently just
556	   different instances of the same application, so no standardized
557	   protocol is needed to establish a proper security context.  The
558	   process of providing the application server with subscription
559	   information provides a convenient medium for key agreement.

561	   The Web Push API codifies this practice by requiring that each push
562	   subscription created by the browser be bound to a browser generated
563	   encryption key.  Pushed messages are authenticated and decrypted by
564	   the browser before delivery to applications.  This scheme ensures
565	   that the push service is unable to examine the contents of push
566	   messages.

568	   The public key for a subscription ensures that applications using
569	   that subscription can identify messages from unknown sources and
570	   discard them.  This depends on the public key only being disclosed to
571	   entities that are authorized to send messages on the channel.  The
572	   push server does not require access to this public key.

574	8.2.  Privacy Considerations

576	   Push message confidentiality does not ensure that the identity of who
577	   is communicating and when they are communicating is protected.
578	   However, the amount of information that is exposed can be limited.

580	   Subscription URIs MUST NOT provide any basis to correlate
581	   communications for a given user agent.  It MUST NOT be possible to
582	   correlate any two subscription URIs based solely on the content of
583	   the subscription URIs.  This allows a user agent to control
584	   correlation across different applications, or over time.

586	   In particular, user and device information MUST NOT be exposed
587	   through the subscription URI.

589	   In addition, subscription URIs established by the same user agent
590	   MUST NOT include any information that allows them to be correlated
591	   with the associated user agent.

593	   Note:  This need not be perfect as long as the resulting anonymity
594	      set (see [RFC6973], Section 6.1.1) is sufficiently large.  A
595	      subscription URI necessarily identifies a push service or a single
596	      server instance.  It is also possible that traffic analysis could
597	      be used to correlate subscriptions.

599	   A user agent MUST be able to create new subscriptions with new
600	   identifiers at any time.

602	8.3.  Authorization

604	   This protocol does not define how a push service establishes whether
605	   a user agent is permitted to create a subscription, or whether push
606	   messages can be delivered to the user agent.  A push service MAY
607	   choose to authorize request based on any HTTP-compatible
608	   authorization method available, of which there are numerous options.
609	   The authorization process and any associated credentials are expected
610	   to be configured in the user agent along with the URI for the "push
611	   service".

613	   Authorization for sending push messages is managed using capability
614	   URLs (see [CAP-URI]).  A capability URL grants access to a resource
615	   based solely on knowledge of the URL.  Capability URLs are used for
616	   their "easy onward sharing" and "easy client API" properties.  These
617	   make it possible to avoid relying on relationships between push
618	   services and application servers, with the protocols necessary to
619	   build and support those relationships.

621	   A subscription URI therefore acts as a bearer token: knowledge of the
622	   URI implies authorization to send push messages.  Subscription URIs
623	   MUST be extremely difficult to guess.  Encoding a large amount of
624	   random entropy (at least 120 bits) in the path component ensures that
625	   it is difficult to successfully guess a valid subscription URI.

627	8.4.  Denial of Service Considerations

629	   Discarding unwanted messages at the user agent based on message
630	   authentication doesn't protect against a denial of service attack on
631	   the user agent.  Even a relatively small volume of push messages can
632	   cause battery-powered devices to exhaust power reserves.  Limiting
633	   the number of entities with access to push channels limits the number
634	   of entities that can generate value push requests of the push server.

636	   An application can limit where push messages can originate by
637	   limiting the distribution of subscription URIs to authorized
638	   entities.  Ensuring that subscription URIs are hard to guess ensures
639	   that only applications servers that have been given a subscription
640	   URI can use it.

642	   A malicious application with a valid subscription use the greater
643	   resources of a push service to mount a denial of service attack on a
644	   user agent.  Push service SHOULD limit the rate at which push
645	   messages are sent to individual user agents.  A push service or user
646	   agent MAY terminate subscriptions (Section 7.3) that receives too
647	   many push messages.

649	   Conversely, a push service is also able to deny service to user
650	   agents.  Intentional failure to deliver messages is difficult to
651	   distinguish from faults, which might occur due to transient network
652	   errors, interruptions in user agent availability, or genuine service
653	   outages.

655	8.5.  Logging Risks

657	   Server request logs can reveal subscription URIs.  Acquiring a
658	   subscription URI permits the sending of push messages.  Logging could
659	   also reveal relationships between different subscription URIs for the
660	   same user agent.

662	   Limitations on log retention and strong access control mechanisms can
663	   ensure that URIs are not learned by unauthorized entities.

665	9.  IANA Considerations

667	   This document registers XXXXX URNs for use in identifying link
668	   relation types.  These are added to a new "Web Push Identifiers"
669	   registry according to the procedures in Section 4 of [RFC3553]; the
670	   corresponding "push" sub-namespace is entered in the "IETF URN Sub-
671	   namespace for Registered Protocol Parameter Identifiers" registry.

673	   The "Web Push Identifiers" registry operates under the IETF Review
674	   policy [RFC5226].

676	   Registry name:  Web Push Identifiers

678	   URN Prefix:  urn:ietf:params:push

680	   Specification:  (this document)

682	   Respository:  [Editor/IANA note: please include a link to the final
683	      registry location.]

685	   Index value:  Values in this registry are URNs or URN prefixes that
686	      start with the prefix "urn:ietf:params:push".  Each is registered
687	      independently.

689	   New registrations in the "Web Push Identifiers" are encouraged to
690	   include the following information:

692	   URN:  A complete URN or URN prefix.

694	   Description:  A summary description.

696	   Specification:  A reference to a specification describing the
697	      semantics of the URN or URN prefix.

699	   Contact:  Email for the person or group making the registration.

701	   Index value:  As described in [RFC3553], URN prefixes that are
702	      registered include a description of how the URN is constructed.
703	      This is not applicable for specific URNs.

705	   Two values are entered as the initial content of the "Web Push
706	   Identifiers" registry.

708	   URN:  urn:ietf:params:push

710	   Description:  This link relation type is used to identify a web push
711	      subscription.

713	   Specification:  (this document)

715	   Contact:  Web Push WG (webpush@ietf.org)

717	   URN:  urn:ietf:params:push:receipt

719	   Description:  This link relation type is used to identify a resource
720	      for receiving delivery receipts for push messages.

722	   Specification:  (this document)
723	   Contact:  Web Push WG (webpush@ietf.org)

725	10.  Acknowledgements

727	   This document incorporates and iterates on material from
728	   [I-D.draft-thomson-webpush-http2-02].

730	11.  References

732	11.1.  Normative References

734	   [CAP-URI]  Tennison, J., "Good Practices for Capability URLs", FPWD
735	              capability-urls, February 2014,
736	              <http://www.w3.org/TR/capability-urls/>.

738	   [I-D.draft-thomson-webpush-http2-02]
739	              Thomson, M., "Generic Event Delivery Using HTTP Push (work
740	              in progress)", December 2014,
741	              <https://tools.ietf.org/html/draft-thomson-webpush-
742	              http2-02.txt>.

744	   [I-D.ietf-httpbis-http2]
745	              Belshe, M., Peon, R., and M. Thomson, "Hypertext Transfer
746	              Protocol version 2", draft-ietf-httpbis-http2-17 (work in
747	              progress), February 2015.

749	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
750	              Requirement Levels", BCP 14, RFC 2119, March 1997.

752	   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

754	   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
755	              IETF URN Sub-namespace for Registered Protocol
756	              Parameters", BCP 73, RFC 3553, June 2003.

758	   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
759	              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
760	              May 2008.

762	   [RFC5988]  Nottingham, M., "Web Linking", RFC 5988, October 2010.

764	   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
765	              Interchange Format", RFC 7159, March 2014.

767	   [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
768	              (HTTP/1.1): Message Syntax and Routing", RFC 7230, June
769	              2014.

771	   [RFC7232]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
772	              (HTTP/1.1): Conditional Requests", RFC 7232, June 2014.

774	   [RFC7234]  Fielding, R., Nottingham, M., and J. Reschke, "Hypertext
775	              Transfer Protocol (HTTP/1.1): Caching", RFC 7234, June
776	              2014.

778	   [RFC7240]  Snell, J., "Prefer Header for HTTP", RFC 7240, June 2014.

780	11.2.  Informative References

782	   [API]      Sullivan, B. and E. Fullea, "Web Push API", ED push-api,
783	              December 2014, <https://w3c.github.io/push-api/>.

785	   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
786	              Morris, J., Hansen, M., and R. Smith, "Privacy
787	              Considerations for Internet Protocols", RFC 6973, July
788	              2013.

790	Authors' Addresses

792	   Elio Damaggio
793	   Microsoft
794	   One Microsoft Way
795	   Redmond, WA  98052
796	   US

798	   Email: elioda@microsoft.com

800	   Brian Raymor
801	   Microsoft
802	   One Microsoft Way
803	   Redmond, WA  98052
804	   US

806	   Email: brian.raymor@microsoft.com