idnits 2.17.1

draft-thomson-webpush-aggregate-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document date (October 08, 2014) is 3488 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-02) exists of
     draft-thomson-webpush-http2-00

  ** Obsolete normative reference: RFC 5988 (Obsoleted by RFC 8288)

  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

WebPush                                                       M. Thomson
Internet-Draft                                                   Mozilla
Intended status: Standards Track                        October 08, 2014
Expires: April 11, 2015

                      Web Push Channel Aggregation
                   draft-thomson-webpush-aggregate-00

Abstract

   The Web Push protocol provides a means of ensuring constant network
   availability of devices that would otherwise have limited
   availability. This document describes extensions to that protocol
   that enable the efficient delivery of messages to multiple devices.
   This allows an application to request that a web push server deliver
   the same message to a potentially large set of devices.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 11, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
   2.  Terminology
   3.  List Registration Service
     3.1.  Creating an Aggregated Channel
     3.2.  Aggregation Channel Request Format
     3.3.  Determining Aggregation Set Status
     3.4.  Modifying the Aggregation Set
   4.  Security Considerations
   5.  IANA Considerations
     5.1.  Registration of Link Relation Type
     5.2.  Registration of MIME Media Type
   6.  Normative References
   Author's Address

1.  Introduction

   The delivery of the same message to large numbers of devices is a
   common feature of push notification services. This document
   describes a mechanism based on the Web Push protocol
   [I-D.thomson-webpush-http2].

   A new link relation is added to the Web Push registration response.
   This identifies a service that can be used to create a push channel
   endpoint that aggregates multiple individual push channels.

   Applications can use the aggregated channel to deliver the same push
   message on all of the aggregated channels with a single request.
   This makes the large-scale delivery of identical messages more
   efficient.

2.  Terminology

   In cases where normative language needs to be emphasized, this
   document falls back on established shorthands for expressing
   interoperability requirements on implementations: the capitalized
   words "MUST", "MUST NOT", "SHOULD" and "MAY". The meaning of these
   is described in [RFC2119].

3.  List Registration Service

   A new link relation [RFC5988], "....:push:aggregate", is provided in
   response to a push registration or channel creation request. This
   link relation identifies an aggregation service that can be used to
   create a new aggregated push channel.

   If the link relation is provided in response to a push registration
   creation request, it applies to all channels created on that
   registration; if the link relation is provided in response to a
   channel creation request, it applies to just that channel.

   Applications that send notifications to a large number of users first
   establish a list of devices that have the same aggregation service
   URI. Push servers provide a small number of different values for the
   aggregate link relation.

   Note: Though the use of different push servers will ensure that
      applications will need to support multiple aggregation services, a
      large number of endpoints diminishes the value of having messages
      distributed by the push server.

   Absence of the "...:aggregate" link relation indicates that the push
   server does not support channel aggregation.

3.1.  Creating an Aggregated Channel

   A new aggregated channel is created by sending an HTTP POST request
   to the aggregation service URI. The request contains

   The response is identical to the response to the "channel" resource,
   as described in Section 5 of [I-D.thomson-webpush-http2]. The 201
   (Created) response contains the identity of the aggregated channel in
   the Location header field.

   Messages pushed to the aggregated channel URI (see Section 3 of
   [I-D.thomson-webpush-http2]) are forwarded to all of the channels
   that are included in the provided list.

3.2.  Aggregation Channel Request Format

   The content of this request is a JSON [RFC7159] object. The keys in
   the object are the URIs of the channels being aggregated.
   The corresponding value is an object containing the following keys:

   expires:  A date and time in [RFC3339] format that identifies when
      the provided channel becomes invalid. The push server MUST remove
      the channel from the aggregation set when this time expires. This
      field is optional, in which case the channel does not expire.

   pubkey:  The public key to be used for encrypting messages on this
      channel. This field is optional. [[TBD: This - primarily the
      corresponding CPU load - is probably the largest problem with this
      security architecture.]]

   This format is identified using a MIME media type of
   "application/push-aggregation+json" (Section 5).

   Push aggregation services MUST support gzip Content-Encoding for this
   format.

3.3.  Determining Aggregation Set Status

   Editor's note: This might need to live on a different URI to avoid
      confusion about what is being PUT there (for pushing) and all this
      stuff.

   A GET request to the aggregated channel URI does not provide the last
   message sent. Instead, it produces the current set of channels that
   are included in "application/push-aggregation+json" format.

3.4.  Modifying the Aggregation Set

   A PATCH request to the aggregated channel URI can be used to update
   the set of channels that are included in the set. This uses a
   request body containing a JSON Merge
   [I-D.ietf-appsawg-json-merge-patch] document.

4.  Security Considerations

   This protocol provides an application a way to use a relatively small
   message to cause a large amount of data to be sent. This adds
   considerably to the denial of service risks the protocol poses to
   devices. The basic mitigations in [I-D.thomson-webpush-http2] apply,
   though these are significantly more important.

   Of particular concern is access control to the aggregated channel URI.
   The aggregate channel URI is only used by the entity that requests its
   creation; therefore, this can be ensured by making the URI difficult
   to guess. That is, the same entropy requirements apply to aggregated
   channel URIs as for other channel URIs.

   Messages sent over aggregated push channels do not have
   confidentiality and integrity protection, unless applications provide
   a mechanism within the message payload. Since the information is
   pushed to multiple recipients, these channels are unsuitable for
   confidential information.

5.  IANA Considerations

   TODO: expand with details

5.1.  Registration of Link Relation Type

   A link relation for the link aggregation resource is registered
   according to the rules in [RFC5988].

5.2.  Registration of MIME Media Type

   A new MIME media type, "application/push-aggregation+json" is
   registered according to the rules in TODO.

6.  Normative References

   [I-D.ietf-appsawg-json-merge-patch]
              Hoffman, P. and J. Snell, "JSON Merge Patch",
              draft-ietf-appsawg-json-merge-patch-07 (work in progress),
              August 2014.

   [I-D.thomson-webpush-http2]
              Thomson, M., "Generic Event Delivery Using HTTP Push",
              draft-thomson-webpush-http2-00 (work in progress), May
              2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3339]  Klyne, G., Ed. and C. Newman, "Date and Time on the
              Internet: Timestamps", RFC 3339, July 2002.

   [RFC5988]  Nottingham, M., "Web Linking", RFC 5988, October 2010.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

Author's Address

   Martin Thomson
   Mozilla
   331 E Evelyn Street
   Mountain View 94041
   United States

   Email: martin.thomson@gmail.com
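
Added example (not part of the draft and not taken from any Web Push implementation): how an aggregation service might decode the Section 3.2 request body with bounded gzip expansion, drop channels whose "expires" time has passed, and apply a Section 3.4 JSON Merge Patch. The size and fan-out limits, the rejection of unknown keys, the function names and the push.example URIs are assumptions made for illustration.

```python
import gzip, io, json
from datetime import datetime, timezone

MAX_BODY = 1 << 20     # assumed cap on decoded body size (not in the draft)
MAX_CHANNELS = 10_000  # assumed cap on fan-out per aggregated channel

def decode_body(raw, content_encoding=""):
    """Decode an application/push-aggregation+json body, bounding gzip growth."""
    if content_encoding == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(raw)) as f:
            raw = f.read(MAX_BODY + 1)  # never inflate more than the cap
    if len(raw) > MAX_BODY:
        raise ValueError("body too large")
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("top level must be a JSON object")
    return doc

def live_set(doc, now):
    """Validate entries; drop channels whose RFC 3339 'expires' has passed."""
    live = {}
    for uri, entry in doc.items():
        if not isinstance(entry, dict) or set(entry) - {"expires", "pubkey"}:
            raise ValueError("bad entry for %r" % uri)
        if "expires" in entry:
            when = datetime.fromisoformat(entry["expires"].replace("Z", "+00:00"))
            if when <= now:
                continue
        live[uri] = entry
    if len(live) > MAX_CHANNELS:
        raise ValueError("aggregation set too large")
    return live

def merge_patch(target, patch):
    """JSON Merge Patch: null removes a member, objects merge recursively."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result

# Constructed sample input: two channels, one already expired at NOW.
SAMPLE = json.dumps({"https://push.example/c/aaa": {"expires": "2014-10-01T00:00:00Z"},
                     "https://push.example/c/bbb": {"pubkey": "constructed-key"}}).encode()
NOW = datetime(2014, 10, 8, tzinfo=timezone.utc)
```

Running live_set() again after merge_patch() keeps the expiry rule and the fan-out cap in force for sets changed by PATCH.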