Right now, the best source is the WebPush IETF discussion.
https://mailarchive.ietf.org/arch/search/?email_list=webpush&q=encryption

In short, folks are leaning toward AES curve25519, because it's greatly improved security over P-256, and there are enough libraries in the wild that it should be reasonable for App developers to use one.

Required encryption is tricky for any number of reasons. In this case, the goal is to secure your message from the intermediary carriers. Notably, it's a lot easier for carriers to avoid adding pen registries or turning over data if it's just a pile of indecipherable crap. The message is decrypted by the handling client, which also generates the public key the remote server uses and is passed as part of the remote registration. The theory is also that if you're running on a compromised client, you're kinda dorked. If you're THAT paranoid (and not saying it's a bad thing), it's just up to you to do your own encryption as well.
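The arrangement described in the message above, as an added example that is not part of the original email and not the WebPush draft's wire format: the client generates the key pair and registers only the public key, the app server encrypts to it, and the carrier in between handles ciphertext only. The choice of X25519 with HKDF-SHA256 and AES-128-GCM, the function names, and the HKDF info string are assumptions made for the illustration.

```javascript
// Added illustration using Node's built-in crypto module (Node 15+).
const nodeCrypto = require('node:crypto');
const SPKI = { type: 'spki', format: 'der' };

// Client: generate the key pair. Only the public half leaves the device,
// passed to the app server as part of registration.
function clientRegister() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('x25519');
  return { privateKey, registration: publicKey.export(SPKI) };
}

// Both ends derive the same AES-128-GCM key from the ECDH shared secret.
function deriveKey(privateKey, publicKey, salt) {
  const secret = nodeCrypto.diffieHellman({ privateKey, publicKey });
  const info = Buffer.from('added-example push message key'); // constructed label
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, salt, info, 16));
}

// App server: encrypt to the registered public key with a fresh ephemeral
// key pair, so every message uses a different content key.
function serverEncrypt(registration, plaintext) {
  const clientPub = nodeCrypto.createPublicKey({ key: registration, ...SPKI });
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(eph.privateKey, clientPub, salt);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Everything returned here is what the intermediary carrier gets to see.
  return { ephPub: eph.publicKey.export(SPKI), salt, iv, body, tag: cipher.getAuthTag() };
}

// Client: decrypt with the private key that never left the device.
// decipher.final() throws if the message was altered in transit.
function clientDecrypt(privateKey, msg) {
  const ephPub = nodeCrypto.createPublicKey({ key: msg.ephPub, ...SPKI });
  const key = deriveKey(privateKey, ephPub, msg.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}
```

As the message says, this protects the payload from the carriers only; a compromised client holds the private key and sees the plaintext.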

On 9/1/2015 3:40 PM, Bruno Oliveira wrote:
Do you have any reference about the encryption discussion. I'd be interested to read more about it.

— abstractj PGP: 0x84DC9914


On Mon, Aug 31, 2015 at 7:59 PM, JR Conlin <jrconlin@gmail.com> wrote:

+4

(sorry, just had some fun with a bounding issue, and felt like sharing.)

Just to let y'all know, we're going to be running SimplePush for a while, mostly for older devices. One thing we discovered is that some clients may have a LARGE number of old channels registered and sending them as part of the Hello is a waste. (Our server doesn't pay attention to them.) Newer clients may have an interim fix that blanks the clientIDs:[] record. Aside from that, we're definitely not going to be pushing any changes that should impact your library.

We've not stood up a production WebPush server, partly because the data encryption portion of the standard is still under discussion. For what it's worth, there are also a few other discussion points that have yet to be finalized (e.g. should developers register with servers, should clients specify channels like they did for SimplePush, etc.) but the data bit is the biggest obstacle.

As always, thanks so much for the continuing support.


On 8/31/2015 12:45 PM, Idel Pivnitskiy wrote:
+1

Best regards,
Idel Pivnitskiy
Twitter: @idelpivnitskiy
GitHub: @idelpivnitskiy

On Mon, Aug 31, 2015 at 7:27 PM, Daniel Bevenius <daniel.bevenius@gmail.com> wrote:
+1


On Monday, 31 August 2015, Sebastien Blanc <scm.blanc@gmail.com> wrote:
+1

On Mon, Aug 31, 2015 at 5:12 PM, Luke Holmquist <lholmqui@redhat.com> wrote:
So now that WebPush is going to take over SimplePush, I'm thinking of closing the related JIRAs that we have open for simple push in the AG-JS instance.


Not that we've really done any work on it lately, but it would be good to clean this up a little.


Thoughts?


-Luke

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev

