solid / notifications

Solid Notifications Technical Reports
https://solid.github.io/notifications/protocol
MIT License

Authentication: exchanging public keys, signing messages #148

Open csarven opened 1 year ago

csarven commented 1 year ago

https://solid.github.io/notifications/ldn-channel-2023#authentication (copied from ldn-channel-2023 PR: https://github.com/solid/notifications/pull/147)


Details need to be further specified. The Security Vocabulary (or The Cert Ontology, WOT) can be used.

See Notification Channel Data Model for an example where the subscription request and response include public keys.

Subscription Client lets the Notification Receiver know about the Notification Sender and their public key.

Notification Receiver sets Authorization rules for Notification Sender.

Notification Sender can optionally use HTTP Message Signatures.
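
The flow in the comment above, sketched as an added example that is not part of the thread or of the Solid specifications: a Notification Sender signs a notification with HTTP Message Signatures (RFC 9421, Ed25519) and the Notification Receiver verifies it against the public key it registered at subscription time. The covered components, the `sig1` label, the freshness window, the function names and the sample URL, keyid and body are all assumptions.

```javascript
// Added example (not from the thread): RFC 9421 signing and verification.
// generateKeyPairSync is imported so callers can create an Ed25519 test pair.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const COVERED = ['@method', '@target-uri', 'content-digest'];
const LIST = `(${COVERED.map((c) => `"${c}"`).join(' ')})`;

// RFC 9530 Content-Digest ties the body to the signed components.
const contentDigest = (body) =>
  `sha-256=:${createHash('sha256').update(body).digest('base64')}:`;

// RFC 9421 signature base: one line per covered component, then the
// "@signature-params" line, joined with "\n" and no trailing newline.
function signatureBase(req, params) {
  const derived = { '@method': req.method, '@target-uri': req.url };
  const lines = COVERED.map((c) => `"${c}": ${derived[c] ?? req.headers[c]}`);
  return Buffer.from([...lines, `"@signature-params": ${params}`].join('\n'));
}

// Notification Sender: add Content-Digest, Signature-Input and Signature.
function signNotification(req, privateKey, keyid, created) {
  const headers = { ...req.headers, 'content-digest': contentDigest(req.body) };
  const params = `${LIST};created=${created};keyid="${keyid}";alg="ed25519"`;
  const sig = sign(null, signatureBase({ ...req, headers }, params), privateKey);
  headers['signature-input'] = `sig1=${params}`;
  headers.signature = `sig1=:${sig.toString('base64')}:`;
  return { ...req, headers };
}

// Notification Receiver: trustedKeys maps keyid -> public key registered at
// subscription time. Only the exact parameter layout above is accepted; a
// deployment would parse the headers as Structured Fields instead.
function verifyNotification(req, trustedKeys, now, maxAge = 300) {
  const h = req.headers;
  const m = /^sig1=((\(.*\));created=(\d+);keyid="([^"]+)";alg="ed25519")$/
    .exec(h['signature-input'] || '');
  const s = /^sig1=:([A-Za-z0-9+/]+=*):$/.exec(h.signature || '');
  if (!m || !s || m[2] !== LIST) return false;             // required coverage
  if (Math.abs(now - Number(m[3])) > maxAge) return false; // stale or future
  const key = trustedKeys.get(m[4]);
  if (!key || h['content-digest'] !== contentDigest(req.body)) return false;
  return verify(null, signatureBase(req, m[1]), key, Buffer.from(s[1], 'base64'));
}

// Constructed sample notification; URL and body are placeholders.
const sampleRequest = {
  method: 'POST',
  url: 'https://receiver.example/inbox/',
  headers: { 'content-type': 'application/ld+json' },
  body: '{"type":"Update","object":"https://pod.example/doc"}',
};
```

The receiver rejects a request when the signature headers are missing, the keyid was never registered, the body or target URI changed after signing, or `created` falls outside the freshness window.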

elf-pavlik commented 1 year ago

I think we should first evaluate Voluntary Application Server Identification (VAPID) for Web Push, which is already used by WebPush #140.

Following #155 we could recommend VAPID as one of the available auth schemes, where WebPushChannel2023 would only work with this one since it builds on top of WebPush.

All the sendTo channel types would be able to use it; it seems reasonable to include the public key in the SubscriptionService description. For WebPush it is required, since before the Subscription Request is made the client is already using that public key to create a subscription with the WebPush Service.

csarven commented 1 year ago

See also https://docs.joinmastodon.org/spec/activitypub/#publicKey