
Re: Secdir last call review of draft-ietf-webpush-vapid-03

2017-06-28 18:31:19
Thanks Robert.

On 28 June 2017 at 14:38, Robert Sparks <rjsparks(_at_)nostrum(_dot_)com> wrote:
> 1) The draft says that expiry claims MUST NOT be more than 24 hours from the
> time of the request. Consider adding some discussion of why 24 hours was chosen
> (vs some other arbitrary value), especially given the MUST NOT strength of the
> requirement.

Frankly, the decision is a little arbitrary, but it's where we landed.
It's a balance between competing concerns of reuse and the exposure to
theft and abuse that comes with reuse.  The overriding reason for a
MUST NOT strength is that it allows the server to reject requests with
bad claims.  I'll add a sentence to the security considerations, which
talk about the need for expiration and the implications of the MUST
NOT.

See https://github.com/webpush-wg/webpush-vapid/pull/40

> 2) The last paragraph of 4.2 says application servers create subscriptions, but
> it means to say that user agents do. Martin already addressed this when I brought
> it up out-of-band with
> <https://github.com/webpush-wg/webpush-vapid/pull/39/files>.

> 3) The last sentence of the abstract is missing a word. Perhaps
> s/subscription a/subscription to a/ ?

Fixed, thanks.

> 4) Consider using the RFC8174 update to RFC2119.

Noted.
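As an added illustration of the point in item 1 (the 24-hour bound on "exp" and the MUST NOT that lets a push service reject bad claims), here is the request-time check a push service could apply. This is example code written for this page, not code from the draft, the working group, or either participant. It assumes a compact JWS carried by the request, a small clock-skew tolerance that the draft does not specify, sample "aud" and "sub" values chosen for the test token, and a placeholder signature; ECDSA (ES256) signature verification over the JWS is a separate step that this example does not perform.

```python
# Added example (not from the draft or its authors): VAPID "exp" rule as a push service would enforce it.
# Only the header alg and the exp claim are checked; verifying the ES256 signature against the
# application server's public key is assumed to happen elsewhere and is out of scope here.
import base64
import json
from typing import Optional, Tuple

MAX_EXP_WINDOW = 24 * 60 * 60  # draft: exp MUST NOT be more than 24 hours from the time of the request


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_jws(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) of a compact JWS. The signature segment is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, claims


def check_vapid_expiry(token: str, now: int, skew: int = 60) -> Tuple[bool, str]:
    """Apply the draft's expiry rule at request time and return (accept, reason).

    'now' is the Unix time at which the push service received the request.
    'skew' is an assumed tolerance for clock drift between sender and receiver;
    the draft itself does not define one.
    """
    try:
        header, claims = split_jws(token)
    except ValueError as e:
        return False, f"malformed token: {e}"
    # The draft requires ES256; refusing anything else also rules out alg "none".
    if header.get("alg") != "ES256":
        return False, "alg must be ES256"
    exp = claims.get("exp")
    if exp is None:
        return False, "missing exp claim"
    if isinstance(exp, bool) or not isinstance(exp, int):
        return False, "exp must be an integer NumericDate"
    if exp < now - skew:
        return False, "token expired"
    if exp > now + MAX_EXP_WINDOW + skew:
        return False, "exp more than 24 hours from request time"
    return True, "ok"


def make_unsigned_token(exp: Optional[int], alg: str = "ES256") -> str:
    """Constructed test input: a JWS with 64 zero bytes where the ES256 signature would be.

    Such a token must never be accepted by a real service; it exists only to exercise
    the claim checks above offline. The aud/sub values are made up for this example.
    """
    header = {"typ": "JWT", "alg": alg}
    claims = {"aud": "https://push.example.net", "sub": "mailto:push@example.com"}
    if exp is not None:
        claims["exp"] = exp
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 64),
    ]
    return ".".join(segments)


if __name__ == "__main__":
    import time

    now = int(time.time())
    for label, exp in [("1h ahead", now + 3600), ("25h ahead", now + 25 * 3600), ("past", now - 600)]:
        print(label, check_vapid_expiry(make_unsigned_token(exp), now))
```

The boundary cases are the ones worth testing: exactly 24 hours ahead is accepted, one second past that is rejected, and a token with no "exp" at all is rejected rather than treated as non-expiring, which is the behaviour the MUST NOT is meant to license.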
