Update VAPID + Message Encryption requirements (#71)

rfc2822 · web-flow · commit 34f51dd997ae · 2025-03-05T10:00:09.000+01:00
* Add and require content-encoding; remove redundant samples

* Adapt key names and types
diff --git a/content.mkd b/content.mkd
@@ -229,7 +229,7 @@ POST https://example.com/webdav/collection/
 Content-Type: application/xml; charset="utf-8"
 
 <?xml version="1.0" encoding="utf-8" ?>
-{::include xml/sample-registration.xml}
+{::include xml/sample-push-register.xml}
 
 HTTP/1.1 201 Created
 Location: https://example.com/webdav/subscriptions/io6Efei4ooph
@@ -386,18 +386,12 @@ The `web-push-subscription` element represents the public information of a Web P
 
 It contains exactly one `push-resource` element, which contains an absolute URI that identifies the endpoint where Web Push notifications are sent to. The push resource is used as the unique identifier for the subscription.
 
-Example:
-
-~~~
-{::include xml/sample-web-push-subscription.xml}
-~~~
-
 
 ## VAPID
 
 VAPID binds push subscriptions to the specific WebDAV-Push server.
 
-A WebDAV-Push server which supports VAPID stores a key pair. The server exposes an additional transport property `server-public-key` (within the `web-push` element), which contains the VAPID public key in uncompressed form and base64url encoded. Its attribute `type="p256dh"` MUST be added to allow different key types in the future. See {{collection-properties}} for an example.
+A WebDAV-Push server which supports VAPID stores a key pair. The server exposes an additional transport property `vapid-public-key` (within the `web-push` element), which contains the VAPID public key in uncompressed form and base64url encoded. Its attribute `type="p256ecdsa"` MUST be added to allow different key types in the future. See {{collection-properties}} for an example.
 
 If available, the client SHOULD use this key to create a restricted subscription at the push service.
 
@@ -408,17 +402,11 @@ When the server sends a push message, it includes a corresponding `Authorization
 
 Message encryption hides details of push messages from the push services. Before creating the subscription, the client generates a key pair as defined in {{RFC8291}}.
 
-When the client then registers this subscription at the server, it includes additional subscription properties:
+When the client then registers this subscription at the server, it includes these subscription properties:
 
 * `client-public-key` – public key of the user agent's key pair in uncompressed form and base64url encoded; attribute `type="p256dh"` MUST be added to allow different key types in the future
 * `auth-secret` – authentication secret
 
-Example for a subscription registration requesting message encryption:
-
-~~~
-{::include xml/sample-registration-with-encryption.xml}
-~~~
-
 The server uses these data to encrypt the payload and send it to the push service. The client then decrypts the payload again.
 
 
diff --git a/xml/sample-propfind-multistatus.xml b/xml/sample-propfind-multistatus.xml
@@ -4,7 +4,7 @@
     <prop>
       <P:transports>
         <P:web-push>
-          <P:server-public-key type="p256dh">BA1Hxzyi1RUM1b5wjxsn7nGxAszw2u61m164i3MrAIxHF6YK5h4SDYic-dRuU_RCPCfA5aq9ojSwk5Y2EmClBPs</P:server-public-key>
+          <P:vapid-public-key type="p256ecdsa">BA1Hxzyi1RUM1b5wjxsn7nGxAszw2u61m164i3MrAIxHF6YK5h4SDYic-dRuU_RCPCfA5aq9ojSwk5Y2EmClBPs</P:vapid-public-key>
         </P:web-push>
         <!-- Not covered by this document:
         <X:some-other-transport>
diff --git a/xml/sample-push-register.xml b/xml/sample-push-register.xml
@@ -2,6 +2,9 @@
   <subscription>
     <web-push-subscription>
       <push-resource>https://up.example.net/yohd4yai5Phiz1wi</push-resource>
+      <content-encoding>aes128gcm</content-encoding>
+      <subscription-public-key type="p256dh">BCVxsr7N_eNgVRqvHtD0zTZsEc6-VV-JvLexhqUzORcxaOzi6-AYWXvTBHm4bjyPjs7Vd8pZGH6SRpkNtoIAiw4</subscription-public-key>
+      <auth-secret>BTBZMqHH6r4Tts7J_aSIgg</auth-secret>
     </web-push-subscription>
   </subscription>
   <trigger>
diff --git a/xml/sample-registration-with-encryption.xml b/xml/sample-registration-with-encryption.xml
diff --git a/xml/sample-web-push-subscription.xml b/xml/sample-web-push-subscription.xml
diff --git a/xml/webdav-push.rng b/xml/webdav-push.rng
@@ -145,10 +145,10 @@
     <element name="web-push">
       <!-- VAPID key -->
       <optional>
-        <element name="server-public-key">
+        <element name="vapid-public-key">
           <attribute name="type">
             <choice>
-              <value>p256dh</value>
+              <value>p256ecdsa</value>
               <!-- or other type / not covered by this schema -->
             </choice>
           </attribute>
@@ -160,13 +160,21 @@
 
   <define name="web-push-subscription">
     <element name="web-push-subscription">
-      <element name="push-resource">
-        <text/>   <!-- push resource (absolute URI) -->
-      </element>
+      <interleave>
+        <!-- push resource (absolute URI) -->
+        <element name="push-resource">
+          <text/>
+        </element>
 
-      <!-- message encryption -->
-      <optional>
-        <element name="client-public-key">
+        <!-- message encryption -->
+        <element name="content-encoding">
+          <choice>
+            <value>aes128gcm</value>    <!-- defined in RFC8188 -->
+            <!-- or other encoding / not covered by this schema -->
+          </choice>
+        </element>
+
+        <element name="subscription-public-key">
           <attribute name="type">
             <choice>
               <value>p256dh</value>
@@ -179,7 +187,7 @@
         <element name="auth-secret">
           <text/>
         </element>
-      </optional>
+      </interleave>
     </element>
   </define>
 
