[aerogear-dev] SimplePush Polyfill work

JR Conlin jrconlin at gmail.com
Tue Sep 1 19:00:09 EDT 2015 

Right now, the best source is the WebPush IETF discussion.
https://mailarchive.ietf.org/arch/search/?email_list=webpush&q=encryption

In short, folks are leaning toward AES curve25519, because it's greatly
improved security over P-256, and there are enough libraries in the wild
that it should be reasonable for App developers to use one.

Required encryption is tricky for any number of reasons. In this case,
the goal is to secure your message from the intermediary carriers.
Notably, it's a lot easier for carriers to avoid adding pen registries
or turning over data if it's just a pile of indecipherable crap. The
message is decrypted by the handling client which also generates the
public key the remote server uses and is passed as part of the remote
registration. The theory is also that if you're running on a compromised
client, you're kinda dorked. If you're THAT paranoid (and not saying
it's a bad), it's just up to you do do your own encryption as well.

On 9/1/2015 3:40 PM, Bruno Oliveira wrote:
> Do you have any reference about the encryption discussion. I'd be
> interested to read more about it.
>
> — abstractj PGP: 0x84DC9914
>
>
> On Mon, Aug 31, 2015 at 7:59 PM, JR Conlin <jrconlin at gmail.com
> <mailto:jrconlin at gmail.com>> wrote:
>
>     +4
>
>     (sorry, just had some fun with a bounding issue, and felt like
>     sharing.)
>
>     Just to let y'all know, we're going to be running SimplePush for a
>     while, mostly for older devices. One thing we discovered is that
>     some clients may have a LARGE number of old channels registered
>     and sending them as part of the Hello is a waste. (Our server
>     doesn't pay attention to them.) Newer clients may have an interim
>     fix that blanks the clientIDs:[] record.) Aside from that, we're
>     definitely not going to be pushing any changes that should impact
>     your library.
>
>     We've not stood up a production WebPush server, partly because the
>     data encryption portion of the standard is still under discussion.
>     For what it's worth, there are also a few other discussion points
>     that have yet to be finalized (e.g. should developers register
>     with servers, should clients specify channels like they did for
>     SimplePush, etc.) but the data bit is the biggest obstacle.
>
>     As always, thanks so much for the continuing support.
>
>
>     On 8/31/2015 12:45 PM, Idel Pivnitskiy wrote:
>>     +1
>>
>>     Best regards,
>>     Idel Pivnitskiy
>>     --
>>     E-mail: Idel.Pivnitskiy at gmail.com <mailto:Idel.Pivnitskiy at gmail.com>
>>     Twitter: @idelpivnitskiy <https://twitter.com/idelpivnitskiy>
>>     GitHub: @idelpivnitskiy <https://github.com/idelpivnitskiy>
>>
>>     On Mon, Aug 31, 2015 at 7:27 PM, Daniel Bevenius
>>     <daniel.bevenius at gmail.com <mailto:daniel.bevenius at gmail.com>> wrote:
>>
>>         +1
>>
>>
>>         måndag 31 augusti 2015 skrev Sebastien Blanc
>>         <scm.blanc at gmail.com>:
>>
>>             +1
>>
>>             On Mon, Aug 31, 2015 at 5:12 PM, Luke Holmquist
>>             <lholmqui at redhat.com> wrote:
>>
>>                 so now that WebPush is going to take over SimplePush,
>>                 i'm thinking of closing the related JIRA's that we
>>                 have open for simple push in the AG-JS instance.
>>
>>
>>                 Not that we've really done any work on it lately,
>>                  but it would be good to clean this up a little.
>>
>>
>>                 Thoughts?
>>
>>
>>                 -Luke
>>
>>                 _______________________________________________
>>                 aerogear-dev mailing list
>>                 aerogear-dev at lists.jboss.org
>>                 https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>>
>>         _______________________________________________
>>         aerogear-dev mailing list
>>         aerogear-dev at lists.jboss.org
>>         <mailto:aerogear-dev at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>>
>>
>>     _______________________________________________
>>     aerogear-dev mailing list
>>     aerogear-dev at lists.jboss.org
>>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20150901/429d79f2/attachment-0001.html

More information about the aerogear-dev mailing list