<?xmlversion="1.0" encoding="US-ASCII"?> <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ <!ENTITY RFC2119 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> <!ENTITY RFC2818 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2818.xml"> <!ENTITY RFC3261 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3261.xml"> <!ENTITY RFC3264 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3264.xml"> <!ENTITY RFC3711 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3711.xml"> <!ENTITY RFC3986 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml"> <!ENTITY RFC4566 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4566.xml"> <!ENTITY RFC4568 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4568.xml"> <!ENTITY RFC4648 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"> <!ENTITY RFC5246 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"> <!ENTITY RFC5479 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5479.xml"> <!ENTITY RFC5705 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5705.xml"> <!ENTITY RFC5763 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5763.xml"> <!ENTITY RFC5764 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5764.xml"> <!ENTITY RFC5785 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5785.xml"> <!ENTITY RFC5890 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5890.xml"> <!ENTITY RFC6265 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6265.xml"> <!ENTITY RFC6347 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6347.xml"> <!ENTITY RFC6454 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6454.xml"> <!ENTITY RFC6455 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6455.xml"> <!ENTITY RFC6943 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6943.xml"> <!ENTITY RFC7022 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7022.xml"> <!ENTITY RFC6120 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6120.xml"> <!ENTITY RFC7617 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7617.xml"> <!ENTITY RFC7675 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7675.xml"> <!ENTITY RFC7918 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7918.xml"> <!ENTITY RFC8174 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"> <!ENTITY RFC8122 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8122.xml"> <!ENTITY RFC8259 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"> <!ENTITY RFC8261 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8261.xml"> <!ENTITY RFC8445 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8445.xml"> <!ENTITY I-D.ietf-rtcweb-overview SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-rtcweb-overview.xml"> <!ENTITY I-D.ietf-rtcweb-jsep SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-rtcweb-jsep.xml"> <!ENTITY I-D.ietf-rtcweb-security SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-rtcweb-security.xml"> <!ENTITY I-D.ietf-rtcweb-rtp-usage SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-rtcweb-rtp-usage.xml"> <!ENTITY I-D.ietf-mmusic-sdp-uks SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-mmusic-sdp-uks"> ]> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <?rfc toc="yes" ?> <?rfc symrefs="yes" ?> <?rfc strict="yes" ?> <?rfc compact="yes" ?> <?rfc sortrefs="yes" ?> <?rfc colonspace="yes" ?> <?rfc rfcedstyle="no" ?> <!-- Don't change this. It breaks stuff --> <?rfc tocdepth="4"?>version='1.0' encoding='utf-8'?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="std" consensus="true" docName="draft-ietf-rtcweb-security-arch-20"ipr="pre5378Trust200902">indexInclude="true" ipr="pre5378Trust200902" number="8827" prepTime="2021-01-16T18:38:47" scripts="Common,Latin" sortRefs="true" submissionType="IETF" symRefs="true" tocDepth="4" tocInclude="true" xml:lang="en"> <link href="https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch-20" rel="prev"/> <link href="https://dx.doi.org/10.17487/rfc8827" rel="alternate"/> <link href="urn:issn:2070-1721" rel="alternate"/> <front> <title abbrev="WebRTC Sec. Arch.">WebRTC Security Architecture</title> <seriesInfo name="RFC" value="8827" stream="IETF"/> <author fullname="Eric Rescorla"initials="E.K."initials="E." surname="Rescorla"><organization>RTFM, Inc.</organization><organization showOnFrontPage="true">Mozilla</organization> <address><postal> <street>2064 Edgewood Drive</street> <city>Palo Alto</city> <region>CA</region> <code>94303</code> <country>USA</country> </postal> <phone>+1 650 678 2350</phone><email>ekr@rtfm.com</email> </address> </author><date/> <area>ART</area> <workgroup>RTCWEB</workgroup> <abstract> <t><date month="01" year="2021"/> <abstract pn="section-abstract"> <t indent="0" pn="section-abstract-1"> This document defines the security architecture for WebRTC, a protocol suite intended for use with real-time applications that can be deployed in browsers- "real time-- "real-time communication on the Web". </t> </abstract></front> <middle><boilerplate> <sectiontitle="Introduction" anchor="sec.introduction"> <t> The Real-Time Communications onanchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1"> <name slugifiedName="name-status-of-this-memo">Status of This Memo</name> <t indent="0" pn="section-boilerplate.1-1"> This is an Internet Standards Track document. </t> <t indent="0" pn="section-boilerplate.1-2"> This document is a product of theWeb (RTCWEB) working group standardized protocols for real-time communications between Web browsers, generally called "WebRTC" <xref target="I-D.ietf-rtcweb-overview"/>. The major use cases for WebRTC technology are real-time audio and/or video calls, Web conferencing,Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review anddirect data transfer. Unlike most conventional real-time systems, (e.g., SIP-based <xref target="RFC3261"></xref> soft phones) WebRTC communications are directly controlledhas been approved for publication bysome Web server, via a JavaScript (JS) API as shownthe Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in<xref target="fig.simple"/>.Section 2 of RFC 7841. </t><figure title="A simple WebRTC system" anchor="fig.simple"> <artwork><![CDATA[ +----------------+ | | | Web Server | | | +----------------+ ^ ^ / \ HTTP / \ HTTP / \ / \ v v JS API JS API +-----------+ +-----------+ | | Media | | | Browser |<---------->| Browser | | | | | +-----------+ +-----------+ ]]></artwork> </figure> <t> A more complicated system might allow for interdomain calling, as shown in <xref target="fig.multidomain"/>. The protocol<t indent="0" pn="section-boilerplate.1-3"> Information about the current status of this document, any errata, and how to provide feedback on it may beused between the domains is not standardized by WebRTC, but given the installed baseobtained at <eref target="https://www.rfc-editor.org/info/rfc8827" brackets="none"/>. </t> </section> <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2"> <name slugifiedName="name-copyright-notice">Copyright Notice</name> <t indent="0" pn="section-boilerplate.2-1"> Copyright (c) 2021 IETF Trust and theform ofpersons identified as theWebRTC APIdocument authors. All rights reserved. </t> <t indent="0" pn="section-boilerplate.2-2"> This document islikelysubject tobe something SDP-based like SIP or something like Extensible MessagingBCP 78 andPresence Protocol (XMPP) <xref target="RFC6120"/>. </t> <figure title="A multidomain WebRTC system" anchor="fig.multidomain"> <artwork><![CDATA[ +--------------+ +--------------+ | | SIP,XMPP,...| | | Web Server |<----------->| Web Server | | | | | +--------------+ +--------------+ ^ ^ | | HTTP | | HTTP | | v v JS API JS API +-----------+ +-----------+ | | Media | | | Browser |<---------------->| Browser | | | | | +-----------+ +-----------+ ]]></artwork> </figure> <t> This system presents a number of new security challenges, which are analyzed in <xref target="I-D.ietf-rtcweb-security"/>. This document describes a security architecture for WebRTC which addressesthethreats and requirements describedIETF Trust's Legal Provisions Relating to IETF Documents (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) inthateffect on the date of publication of this document.</t> </section> <section anchor="sec-term" title="Terminology"> <t> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",Please review these documents carefully, as they describe your rights and"OPTIONAL" inrestrictions with respect to this document. Code Components extracted from this documentare to be interpretedmust include Simplified BSD License text as described inBCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when,Section 4.e of the Trust Legal Provisions andonly when, they appear in all capitals,are provided without warranty asshown here.described in the Simplified BSD License. </t></section> <section title="Trust Model" anchor="sec.proposal.trusthierarchy"> <t><t indent="0" pn="section-boilerplate.2-3"> This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. Thebasic assumption of this architecture is that network resources existperson(s) controlling the copyright ina hierarchysome oftrust, rooted in the browser, which serves as the user's Trusted Computing Base (TCB). Any security property which the user wishes tothis material may not haveenforced must be ultimately guaranteed bygranted thebrowser (or transitively by some propertyIETF Trust thebrowser verifies). Conversely, ifright to allow modifications of such material outside thebrowser is compromised, then no security guarantees are possible. Note that there are cases (e.g., Internet kiosks) whereIETF Standards Process. Without obtaining an adequate license from theuser can't really trustperson(s) controlling thebrowser that much. In these cases,copyright in such materials, this document may not be modified outside thelevelIETF Standards Process, and derivative works ofsecurity provided is limited by how much they trust the browser. </t> <t> Optimally, we wouldit may notrely on trust in any entities other thanbe created outside thebrowser. However, this is unfortunately not possible if we wishIETF Standards Process, except tohave a functional system. Other network elements fallformat it for publication as an RFC or to translate it intotwo categories: those which can be authenticated by the browserlanguages other than English. </t> </section> </boilerplate> <toc> <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1"> <name slugifiedName="name-table-of-contents">Table of Contents</name> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1"> <li pn="section-toc.1-1.1"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t> </li> <li pn="section-toc.1-1.2"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-terminology">Terminology</xref></t> </li> <li pn="section-toc.1-1.3"> <t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-trust-model">Trust Model</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.3.2"> <li pn="section-toc.1-1.3.2.1"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.3.2.1.1"><xref derivedContent="3.1" format="counter" sectionFormat="of" target="section-3.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-authenticated-entities">Authenticated Entities</xref></t> </li> <li pn="section-toc.1-1.3.2.2"> <t indent="0" pn="section-toc.1-1.3.2.2.1"><xref derivedContent="3.2" format="counter" sectionFormat="of" target="section-3.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-unauthenticated-entities">Unauthenticated Entities</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.4"> <t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-overview">Overview</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.4.2"> <li pn="section-toc.1-1.4.2.1"> <t indent="0" pn="section-toc.1-1.4.2.1.1"><xref derivedContent="4.1" format="counter" sectionFormat="of" target="section-4.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-initial-signaling">Initial Signaling</xref></t> </li> <li pn="section-toc.1-1.4.2.2"> <t indent="0" pn="section-toc.1-1.4.2.2.1"><xref derivedContent="4.2" format="counter" sectionFormat="of" target="section-4.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-media-consent-verification">Media Consent Verification</xref></t> </li> <li pn="section-toc.1-1.4.2.3"> <t indent="0" pn="section-toc.1-1.4.2.3.1"><xref derivedContent="4.3" format="counter" sectionFormat="of" target="section-4.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-dtls-handshake">DTLS Handshake</xref></t> </li> <li pn="section-toc.1-1.4.2.4"> <t indent="0" pn="section-toc.1-1.4.2.4.1"><xref derivedContent="4.4" format="counter" sectionFormat="of" target="section-4.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-communications-and-consent-">Communications andthus can be granted permissions to access sensitive resources,Consent Freshness</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.5"> <t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-sdp-identity-attribute">SDP Identity Attribute</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2"> <li pn="section-toc.1-1.5.2.1"> <t indent="0" pn="section-toc.1-1.5.2.1.1"><xref derivedContent="5.1" format="counter" sectionFormat="of" target="section-5.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-offer-answer-considerations">Offer/Answer Considerations</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2.1.2"> <li pn="section-toc.1-1.5.2.1.2.1"> <t indent="0" pn="section-toc.1-1.5.2.1.2.1.1"><xref derivedContent="5.1.1" format="counter" sectionFormat="of" target="section-5.1.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-generating-the-initial-sdp-">Generating the Initial SDP Offer</xref></t> </li> <li pn="section-toc.1-1.5.2.1.2.2"> <t indent="0" pn="section-toc.1-1.5.2.1.2.2.1"><xref derivedContent="5.1.2" format="counter" sectionFormat="of" target="section-5.1.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-generating-an-sdp-answer">Generating an SDP Answer</xref></t> </li> <li pn="section-toc.1-1.5.2.1.2.3"> <t indent="0" pn="section-toc.1-1.5.2.1.2.3.1"><xref derivedContent="5.1.3" format="counter" sectionFormat="of" target="section-5.1.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-processing-an-sdp-offer-or-">Processing an SDP Offer or Answer</xref></t> </li> <li pn="section-toc.1-1.5.2.1.2.4"> <t indent="0" pn="section-toc.1-1.5.2.1.2.4.1"><xref derivedContent="5.1.4" format="counter" sectionFormat="of" target="section-5.1.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-modifying-the-session">Modifying the Session</xref></t> </li> </ul> </li> </ul> </li> <li pn="section-toc.1-1.6"> <t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-detailed-technical-descript">Detailed Technical Description</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.6.2"> <li pn="section-toc.1-1.6.2.1"> <t indent="0" pn="section-toc.1-1.6.2.1.1"><xref derivedContent="6.1" format="counter" sectionFormat="of" target="section-6.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-origin-and-web-security-iss">Origin andthose which cannot be authenticatedWeb Security Issues</xref></t> </li> <li pn="section-toc.1-1.6.2.2"> <t indent="0" pn="section-toc.1-1.6.2.2.1"><xref derivedContent="6.2" format="counter" sectionFormat="of" target="section-6.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-device-permissions-model">Device Permissions Model</xref></t> </li> <li pn="section-toc.1-1.6.2.3"> <t indent="0" pn="section-toc.1-1.6.2.3.1"><xref derivedContent="6.3" format="counter" sectionFormat="of" target="section-6.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-communications-consent">Communications Consent</xref></t> </li> <li pn="section-toc.1-1.6.2.4"> <t indent="0" pn="section-toc.1-1.6.2.4.1"><xref derivedContent="6.4" format="counter" sectionFormat="of" target="section-6.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-ip-location-privacy">IP Location Privacy</xref></t> </li> <li pn="section-toc.1-1.6.2.5"> <t indent="0" pn="section-toc.1-1.6.2.5.1"><xref derivedContent="6.5" format="counter" sectionFormat="of" target="section-6.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-communications-security">Communications Security</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.7"> <t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-web-based-peer-authenticati">Web-Based Peer Authentication</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.7.2"> <li pn="section-toc.1-1.7.2.1"> <t indent="0" pn="section-toc.1-1.7.2.1.1"><xref derivedContent="7.1" format="counter" sectionFormat="of" target="section-7.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-trust-relationships-idps-ap">Trust Relationships: IdPs, APs, andthus are untrusted. </t> <section title="Authenticated Entities" anchor="sec.proposal.authenticated"> <t> There are two major classesRPs</xref></t> </li> <li pn="section-toc.1-1.7.2.2"> <t indent="0" pn="section-toc.1-1.7.2.2.1"><xref derivedContent="7.2" format="counter" sectionFormat="of" target="section-7.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-overview-of-operation">Overview of Operation</xref></t> </li> <li pn="section-toc.1-1.7.2.3"> <t indent="0" pn="section-toc.1-1.7.2.3.1"><xref derivedContent="7.3" format="counter" sectionFormat="of" target="section-7.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-items-for-standardization">Items for Standardization</xref></t> </li> <li pn="section-toc.1-1.7.2.4"> <t indent="0" pn="section-toc.1-1.7.2.4.1"><xref derivedContent="7.4" format="counter" sectionFormat="of" target="section-7.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-binding-identity-assertions">Binding Identity Assertions to JSEP Offer/Answer Transactions</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.7.2.4.2"> <li pn="section-toc.1-1.7.2.4.2.1"> <t indent="0" pn="section-toc.1-1.7.2.4.2.1.1"><xref derivedContent="7.4.1" format="counter" sectionFormat="of" target="section-7.4.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-carrying-identity-assertion">Carrying Identity Assertions</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.7.2.5"> <t indent="0" pn="section-toc.1-1.7.2.5.1"><xref derivedContent="7.5" format="counter" sectionFormat="of" target="section-7.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-determining-the-idp-uri">Determining the IdP URI</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.7.2.5.2"> <li pn="section-toc.1-1.7.2.5.2.1"> <t indent="0" pn="section-toc.1-1.7.2.5.2.1.1"><xref derivedContent="7.5.1" format="counter" sectionFormat="of" target="section-7.5.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-authenticating-party">Authenticating Party</xref></t> </li> <li pn="section-toc.1-1.7.2.5.2.2"> <t indent="0" pn="section-toc.1-1.7.2.5.2.2.1"><xref derivedContent="7.5.2" format="counter" sectionFormat="of" target="section-7.5.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-relying-party">Relying Party</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.7.2.6"> <t indent="0" pn="section-toc.1-1.7.2.6.1"><xref derivedContent="7.6" format="counter" sectionFormat="of" target="section-7.6"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-requesting-assertions">Requesting Assertions</xref></t> </li> <li pn="section-toc.1-1.7.2.7"> <t indent="0" pn="section-toc.1-1.7.2.7.1"><xref derivedContent="7.7" format="counter" sectionFormat="of" target="section-7.7"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-managing-user-login">Managing User Login</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.8"> <t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="8" format="counter" sectionFormat="of" target="section-8"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-verifying-assertions">Verifying Assertions</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.8.2"> <li pn="section-toc.1-1.8.2.1"> <t indent="0" pn="section-toc.1-1.8.2.1.1"><xref derivedContent="8.1" format="counter" sectionFormat="of" target="section-8.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-identity-formats">Identity Formats</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.9"> <t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="9" format="counter" sectionFormat="of" target="section-9"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2"> <li pn="section-toc.1-1.9.2.1"> <t indent="0" pn="section-toc.1-1.9.2.1.1"><xref derivedContent="9.1" format="counter" sectionFormat="of" target="section-9.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-communications-security-2">Communications Security</xref></t> </li> <li pn="section-toc.1-1.9.2.2"> <t indent="0" pn="section-toc.1-1.9.2.2.1"><xref derivedContent="9.2" format="counter" sectionFormat="of" target="section-9.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-privacy">Privacy</xref></t> </li> <li pn="section-toc.1-1.9.2.3"> <t indent="0" pn="section-toc.1-1.9.2.3.1"><xref derivedContent="9.3" format="counter" sectionFormat="of" target="section-9.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-denial-of-service">Denial of Service</xref></t> </li> <li pn="section-toc.1-1.9.2.4"> <t indent="0" pn="section-toc.1-1.9.2.4.1"><xref derivedContent="9.4" format="counter" sectionFormat="of" target="section-9.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-idp-authentication-mechanis">IdP Authentication Mechanism</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2.4.2"> <li pn="section-toc.1-1.9.2.4.2.1"> <t indent="0" pn="section-toc.1-1.9.2.4.2.1.1"><xref derivedContent="9.4.1" format="counter" sectionFormat="of" target="section-9.4.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-peerconnection-origin-check">PeerConnection Origin Check</xref></t> </li> <li pn="section-toc.1-1.9.2.4.2.2"> <t indent="0" pn="section-toc.1-1.9.2.4.2.2.1"><xref derivedContent="9.4.2" format="counter" sectionFormat="of" target="section-9.4.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-idp-well-known-uri">IdP Well-Known URI</xref></t> </li> <li pn="section-toc.1-1.9.2.4.2.3"> <t indent="0" pn="section-toc.1-1.9.2.4.2.3.1"><xref derivedContent="9.4.3" format="counter" sectionFormat="of" target="section-9.4.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-privacy-of-idp-generated-id">Privacy of IdP-Generated Identities and the Hosting Site</xref></t> </li> <li pn="section-toc.1-1.9.2.4.2.4"> <t indent="0" pn="section-toc.1-1.9.2.4.2.4.1"><xref derivedContent="9.4.4" format="counter" sectionFormat="of" target="section-9.4.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-security-of-third-party-idp">Security ofauthenticated entities inThird-Party IdPs</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2.4.2.4.2"> <li pn="section-toc.1-1.9.2.4.2.4.2.1"> <t indent="0" pn="section-toc.1-1.9.2.4.2.4.2.1.1"><xref derivedContent="9.4.4.1" format="counter" sectionFormat="of" target="section-9.4.4.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-confusable-characters">Confusable Characters</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.9.2.4.2.5"> <t indent="0" pn="section-toc.1-1.9.2.4.2.5.1"><xref derivedContent="9.4.5" format="counter" sectionFormat="of" target="section-9.4.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-web-security-feature-intera">Web Security Feature Interactions</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2.4.2.5.2"> <li pn="section-toc.1-1.9.2.4.2.5.2.1"> <t indent="0" pn="section-toc.1-1.9.2.4.2.5.2.1.1"><xref derivedContent="9.4.5.1" format="counter" sectionFormat="of" target="section-9.4.5.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-popup-blocking">Popup Blocking</xref></t> </li> <li pn="section-toc.1-1.9.2.4.2.5.2.2"> <t indent="0" pn="section-toc.1-1.9.2.4.2.5.2.2.1"><xref derivedContent="9.4.5.2" format="counter" sectionFormat="of" target="section-9.4.5.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-third-party-cookies">Third Party Cookies</xref></t> </li> </ul> </li> </ul> </li> </ul> </li> <li pn="section-toc.1-1.10"> <t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="10" format="counter" sectionFormat="of" target="section-10"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t> </li> <li pn="section-toc.1-1.11"> <t indent="0" pn="section-toc.1-1.11.1"><xref derivedContent="11" format="counter" sectionFormat="of" target="section-11"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.11.2"> <li pn="section-toc.1-1.11.2.1"> <t indent="0" pn="section-toc.1-1.11.2.1.1"><xref derivedContent="11.1" format="counter" sectionFormat="of" target="section-11.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t> </li> <li pn="section-toc.1-1.11.2.2"> <t indent="0" pn="section-toc.1-1.11.2.2.1"><xref derivedContent="11.2" format="counter" sectionFormat="of" target="section-11.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.12"> <t indent="0" pn="section-toc.1-1.12.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.a"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgements">Acknowledgements</xref></t> </li> <li pn="section-toc.1-1.13"> <t indent="0" pn="section-toc.1-1.13.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-address">Author's Address</xref></t> </li> </ul> </section> </toc> </front> <middle> <section anchor="sec.introduction" numbered="true" toc="include" removeInRFC="false" pn="section-1"> <name slugifiedName="name-introduction">Introduction</name> <t indent="0" pn="section-1-1"> The Real-Time Communications on thesystem: </t> <t> <list style="symbols"> <t> Calling services:Websites whose origin we can verify (optimally via HTTPS, but in some(RTCWEB) Working Group standardized protocols for real-time communications between Web browsers, generally called "WebRTC" <xref target="RFC8825" format="default" sectionFormat="of" derivedContent="RFC8825"/>. The major use casesbecause wefor WebRTC technology areon a topologically restricted network, such as behind a firewall,real-time audio and/or video calls, Web conferencing, andcan infer authentication from firewall behavior). </t> <t> Other users: WebRTC peers whose origin we can verify cryptographically (optimallydirect data transfer. Unlike most conventional real-time systems (e.g., SIP-based <xref target="RFC3261" format="default" sectionFormat="of" derivedContent="RFC3261"/> soft phones), WebRTC communications are directly controlled by some Web server, viaDTLS-SRTP). </t> </list>a JavaScript (JS) API as shown in <xref target="fig.simple" format="default" sectionFormat="of" derivedContent="Figure 1"/>. </t><t> Note that merely being authenticated does not make these entities trusted. For instance, just because we can verify that https://www.example.org/ is owned by Dr. Evil does not mean that we can trust Dr. Evil to access our camera and microphone. However, it gives the user an opportunity to determine whether he wishes to trust Dr. Evil or not; after all, if he desires to contact Dr. Evil (perhaps to arrange<figure anchor="fig.simple" align="left" suppress-title="false" pn="figure-1"> <name slugifiedName="name-a-simple-webrtc-system">A Simple WebRTC System</name> <artwork name="" type="" align="left" alt="" pn="section-1-2.1"> +----------------+ | | | Web Server | | | +----------------+ ^ ^ / \ HTTP / \ HTTP / \ / \ v v JS API JS API +-----------+ +-----------+ | | Media | | | Browser |<---------->| Browser | | | | | +-----------+ +-----------+ </artwork> </figure> <t indent="0" pn="section-1-3"> A more complicated system might allow forransom payment), it's safe to temporarily give him accessinter-domain calling, as shown in <xref target="fig.multidomain" format="default" sectionFormat="of" derivedContent="Figure 2"/>. The protocol to be used between thecameradomains is not standardized by WebRTC, but given the installed base andmicrophone forthepurposeform of thecall, but he doesn't want Dr. EvilWebRTC API is likely to beable to access his camera and microphone other than duringsomething SDP-based like SIP or something like thecall. The point here is that we must first identify other elements before we can determine whetherExtensible Messaging andhow much to trust them. Additionally, sometimes we need to identify the communicating peer before we know what policies to apply.Presence Protocol (XMPP) <xref target="RFC6120" format="default" sectionFormat="of" derivedContent="RFC6120"/>. </t></section> <section title="Unauthenticated Entities" anchor="sec.proposal.unauthenticated"> <t> Other than the above entities, we are not generally able to identify other network elements, thus we cannot trust them.<figure anchor="fig.multidomain" align="left" suppress-title="false" pn="figure-2"> <name slugifiedName="name-a-multidomain-webrtc-system">A Multidomain WebRTC System</name> <artwork name="" type="" align="left" alt="" pn="section-1-4.1"> +--------------+ +--------------+ | | SIP, XMPP, ... | | | Web Server |<-------------->| Web Server | | | | | +--------------+ +--------------+ ^ ^ | | HTTP | | HTTP | | v v JS API JS API +-----------+ +-----------+ | | Media | | | Browser |<------------------->| Browser | | | | | +-----------+ +-----------+ </artwork> </figure> <t indent="0" pn="section-1-5"> Thisdoes not mean that it is not possible to have any interaction with them, but it means that we must assume that they will behave maliciously and design asystem presents a number of new security challenges, whichis secure even if they do so. </t> </section> </section> <!-- Not layered ? --> <section title="Overview" anchor="sec.proposal.overview"> <!-- TODO: Federated --> <t>are analyzed in <xref target="RFC8826" format="default" sectionFormat="of" derivedContent="RFC8826"/>. Thissectiondocument describes atypicalsecurity architecture for WebRTCsession and shows howwhich addresses thevarious security elements interactthreats andwhat guaranteesrequirements described in that document. </t> </section> <section anchor="sec-term" numbered="true" toc="include" removeInRFC="false" pn="section-2"> <name slugifiedName="name-terminology">Terminology</name> <t indent="0" pn="section-2-1">The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document areprovidedtothe user. The examplebe interpreted as described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> </section> <section anchor="sec.proposal.trusthierarchy" numbered="true" toc="include" removeInRFC="false" pn="section-3"> <name slugifiedName="name-trust-model">Trust Model</name> <t indent="0" pn="section-3-1"> The basic assumption of thissectionarchitecture is that network resources exist in a"best case" scenariohierarchy of trust, rooted in the browser, which serves as the user's Trusted Computing Base (TCB). Any security property whichwe providethemaximal amount ofuserauthentication and media privacy withwishes to have enforced must be ultimately guaranteed by theminimal level of trust inbrowser (or transitively by some property thecalling service. Simpler versions with lower levels ofbrowser verifies). Conversely, if the browser is compromised, then no security guarantees arealso possible andpossible. Note that there arenoted in the textcases (e.g., Internet kiosks) whereapplicable. It's also important to recognizethetension betweenuser can't really trust the browser that much. In these cases, the level of security(or performance) and privacy. The example shown hereprovided isaimed towards settings wherelimited by how much they trust the browser. </t> <t indent="0" pn="section-3-2"> Optimally, weare more concerned about secure callingwould not rely on trust in any entities other thanabout privacy, but asthe browser. However, this is unfortunately not possible if weshall see, there are settings where one mightwish tomake different tradeoffs--this architecture is still compatible withhave a functional system. Other network elements fall into two categories: thosesettings. </t> <t> Forwhich can be authenticated by thepurposesbrowser and thus can be granted permissions to access sensitive resources, and those which cannot be authenticated and thus are untrusted. </t> <section anchor="sec.proposal.authenticated" numbered="true" toc="include" removeInRFC="false" pn="section-3.1"> <name slugifiedName="name-authenticated-entities">Authenticated Entities</name> <t indent="0" pn="section-3.1-1"> There are two major classes ofthis example, we assume the topology shownauthenticated entities in thefigures below. This topology is derived from the topology shown in <xref target="fig.simple"/>,system: </t> <dl newline="false" spacing="normal" indent="3" pn="section-3.1-2"> <dt pn="section-3.1-2.1">Calling services:</dt> <dd pn="section-3.1-2.2">Web sites whose origin we can verify (optimally via HTTPS, butseparates Alice and Bob's identities from the process of signaling. Specifically, Alice and Bob have relationships within someIdentity Provider (IdP) that supportscases because we are on aprotocol (suchtopologically restricted network, such asOpenID Connect) thatbehind a firewall, and canbe used to demonstrate their identity to other parties.infer authentication from firewall behavior).</dd> <dt pn="section-3.1-2.3">Other users:</dt> <dd pn="section-3.1-2.4">WebRTC peers whose origin we can verify cryptographically (optimally via DTLS-SRTP).</dd> </dl> <t indent="0" pn="section-3.1-3"> Note that merely being authenticated does not make these entities trusted. For instance,Alice might have an account with a social network which shejust because we canthen use to authenticate to other web sites without explicitly having an account with those sites; thisverify that <https://www.example.org/> isa fairly conventional pattern onowned by Dr. Evil does not mean that we can trust Dr. Evil to access our camera and microphone. However, it gives theWeb. <xref target="sec.trust-relationships"/> providesuser anoverview of Identity Providers andopportunity to determine whether they wish to trust Dr. Evil or not; after all, if they desire to contact Dr. Evil (perhaps to arrange for ransom payment), it's safe to temporarily give them access to therelevant terminology. Alice and Bob might have relationships with different IdPs as well. </t> <t> This separation of identity provision and signaling isn't particularly important in "closed world" cases where Alicecamera andBob are users onmicrophone for thesame social network and have identities based on that domain (<xref target="fig.proposal.idp"/>). However, there are important settings where that is notpurpose of thecase, such as federation (calls from one domain to another; <xref target="fig.proposal-federated.idp"/>) and calling on untrusted sites, such as where two users who have a relationship via a given social networkcall, but they don't want Dr. Evil tocall eachbe able to access their camera and microphone otheron another, untrusted, site, such as a poker site. </t> <t> Note thatthan during theservers themselves are also authenticated by an external identity service, the SSL/TLS certificate infrastructure (not shown). Ascall. The point here isconventional in the Web, all identities are ultimately rooted inthatsystem. For instance, when an IdP makes an identity assertion,we must first identify other elements before we can determine whether and how much to trust them. Additionally, sometimes we need to identify theRelying Party consuming that assertion iscommunicating peer before we know what policies to apply. </t> </section> <section anchor="sec.proposal.unauthenticated" numbered="true" toc="include" removeInRFC="false" pn="section-3.2"> <name slugifiedName="name-unauthenticated-entities">Unauthenticated Entities</name> <t indent="0" pn="section-3.2-1"> Other than the above entities, we are not generally able toverify becauseidentify other network elements; thus, we cannot trust them. This does not mean that it isable to connectnot possible tothe IdP via HTTPS. </t> <figure title="A callhave any interaction withIdP-based identity" anchor="fig.proposal.idp"> <artwork><![CDATA[ +----------------+ | | | Signaling | | Server | | | +----------------+ ^ ^ / \ HTTPS / \ HTTPS / \ / \ v v JS API JS API +-----------+ +-----------+ | | Media | | Alice | Browser |<---------->| Browser | Bob | | (DTLS+SRTP)| | +-----------+ +-----------+ ^ ^--+ +--^ ^ | | | | v | | v +-----------+ | | +-----------+ | |<--------+ | | | IdP1 | | | IdP2 | | | +------->| | +-----------+ +-----------+ ]]></artwork> </figure> <t> <xref target="fig.proposal-federated.idp"/> shows essentially the same calling scenariothem, butwithit means that we must assume that they will behave maliciously and design acall between two separate domains (i.e.,system which is secure even if they do so. </t> </section> </section> <section anchor="sec.proposal.overview" numbered="true" toc="include" removeInRFC="false" pn="section-4"> <name slugifiedName="name-overview">Overview</name> <t indent="0" pn="section-4-1"> This section describes afederated case), as in <xref target="fig.multidomain"/>. As mentioned above, the domains communicate by some unspecified protocoltypical WebRTC session andproviding separate signalingshows how the various security elements interact andidentity allows for callswhat guarantees are provided tobe authenticated regardless of the details of the inter-domain protocol. </t> <figure title="A federated call with IdP-based identity" anchor="fig.proposal-federated.idp"> <artwork><![CDATA[ +----------------+ Unspecified +----------------+ | | protocol | | | Signaling |<----------------->| Signaling | | Server | (SIP, XMPP, ...) | Server | | | | | +----------------+ +----------------+ ^ ^ | | HTTPS | | HTTPS | | | | v v JS API JS API +-----------+ +-----------+ | | Media | | Alice | Browser |<--------------------------->| Browser | Bob | | DTLS+SRTP | | +-----------+ +-----------+ ^ ^--+ +--^ ^ | | | | v | | v +-----------+ | | +-----------+ | |<-------------------------+ | | | IdP1 | | | IdP2 | | | +------------------------>| | +-----------+ +-----------+ ]]></artwork> </figure> <section title="Initial Signaling"> <t> For simplicity, assumethetopologyuser. The example in<xref target="fig.proposal.idp"/>. Alice and Bob are both users ofthis section is acommon calling service; they both have approved the calling service to make calls (we defer"best case" scenario in which we provide thediscussionmaximal amount ofdevice access permissions until later). They are both connected to the calling service via HTTPSuser authentication andso know the originmedia privacy withsomethe minimal level ofconfidence. They also have accountstrust in the calling service. Simpler versions withsome identity provider. This sortlower levels ofidentity service is becoming increasingly commonsecurity are also possible and are noted in theWeb environment (with technologies such as Federated Google Login, Facebook Connect, OAuth, OpenID, WebFinger), and is often providedtext where applicable. It's also important to recognize the tension between security (or performance) and privacy. The example shown here is aimed towards settings where we are more concerned about secure calling than about privacy, but asa side effect service of a user's ordinary accountswe shall see, there are settings where one might wish to make different tradeoffs -- this architecture is still compatible withsome service. Inthose settings. </t> <t indent="0" pn="section-4-2"> For the purposes of this example, weshow Alice and Bob using a separate identity service, though the identity service may beassume thesame entity astopology shown in thecalling service or there may be no identity service at all. </t> <t> Alicefigures below. This topology islogged onto the calling service and decides to call Bob. She can seederived from thecalling service that he is online and the calling service presents a JS UItopology shown in <xref target="fig.simple" format="default" sectionFormat="of" derivedContent="Figure 1"/>, but separates Alice's and Bob's identities from theformprocess ofa button next to Bob's name which says "Call".signaling. Specifically, Aliceclicks the button, which initiates a JS callbackand Bob have relationships with some Identity Provider (IdP) thatinstantiatessupports aPeerConnection object. This does not requireprotocol (such as OpenID Connect) that can be used to demonstrate their identity to other parties. For instance, Alice might have an account with asecurity check: JS from any origin is allowedsocial network which she can then use togetauthenticate to other Web sites without explicitly having an account with those sites; thisfar. </t> <t> Once the PeerConnectioniscreated,a fairly conventional pattern on thecalling service JS needs to set up some media. Because this is an audio/video call, it creates a MediaStream with two MediaStreamTracks, one connected toWeb. <xref target="sec.trust-relationships" format="default" sectionFormat="of" derivedContent="Section 7.1"/> provides anaudio inputoverview of IdPs andone connected to a video input. At this pointthefirst security check is required: untrusted origins arerelevant terminology. Alice and Bob might have relationships with different IdPs as well. Note: The IdP mechanism described here has notallowed to accessseen wide adoption. See <xref target="sec.generic.idp" format="default" sectionFormat="of" derivedContent="Section 7"/> for more on thecamerastatus of IdP-based authentication. </t> <t indent="0" pn="section-4-3"> This separation of identity provision andmicrophone, so the browser promptssignaling isn't particularly important in "closed world" cases where Alicefor permission. </t> <t> Inand Bob are users on thecurrent W3C API, once some streamssame social network and havebeen added, Alice's browser + JS generates a signaling message <xref target="I-D.ietf-rtcweb-jsep"/> containing: </t> <t> <list style="symbols"> <t> Media channel information </t> <t> Interactive Connectivity Establishment (ICE) <xref target="RFC8445"/> candidates </t> <t> A fingerprint attribute bindingidentities based on that domain (<xref target="fig.proposal.idp" format="default" sectionFormat="of" derivedContent="Figure 3"/>). However, there are important settings where that is not thecommunicationcase, such as federation (calls from one domain toa key pairanother; see <xreftarget="RFC5763"/>. Note that this key may simply be ephemerally generated for this call or specific to this domain,target="fig.proposal-federated.idp" format="default" sectionFormat="of" derivedContent="Figure 4"/>) andAlice maycalling on untrusted sites, such as where two users who have alarge number ofrelationship via a given social network want to call each other on another, untrusted, site, suchkeys. </t> </list>as a poker site. </t><t> Prior to sending out the signaling message, the PeerConnection code contacts<t indent="0" pn="section-4-4"> Note that theidentity service and obtainsservers themselves are also authenticated by anassertion binding Alice'sexternal identityto her fingerprint. The exact details depend onservice, theidentity service (though as discussedSSL/TLS certificate infrastructure (not shown). As is conventional in<xref target="sec.generic.idp"/> PeerConnection can be agnostic to them), but for now it's easiest to think of as an OAuth token. The assertion may bind other information tothe Web, all identities are ultimately rooted in that system. For instance, when an IdP makes an identitybesidesassertion, thefingerprint, but at minimum it needsRelying Party consuming that assertion is able tobind the fingerprint. </t> <t> This messageverify because it issentable to connect to thesignaling server, e.g., by XMLHttpRequest <xref target="XmlHttpRequest"/> or by WebSockets <xref target="RFC6455"/>, over TLSIdP via HTTPS. </t> <figure anchor="fig.proposal.idp" align="left" suppress-title="false" pn="figure-3"> <name slugifiedName="name-a-call-with-idp-based-ident">A Call with IdP-Based Identity</name> <artwork name="" type="" align="left" alt="" pn="section-4-5.1"> +----------------+ | | | Signaling | | Server | | | +----------------+ ^ ^ / \ HTTPS / \ HTTPS / \ / \ v v JS API JS API +-----------+ +-----------+ | | Media | | Alice | Browser |<---------->| Browser | Bob | | (DTLS+SRTP)| | +-----------+ +-----------+ ^ ^--+ +--^ ^ | | | | v | | v +-----------+ | | +-----------+ | |<--------+ | | | IdP1 | | | IdP2 | | | +------->| | +-----------+ +-----------+ </artwork> </figure> <t indent="0" pn="section-4-6"> <xreftarget="RFC5246"/>. The signaling server processestarget="fig.proposal-federated.idp" format="default" sectionFormat="of" derivedContent="Figure 4"/> shows essentially themessage from Alice's browser, determines that this issame calling scenario but with a callto Bob and sendsbetween two separate domains (i.e., a federated case), as in <xref target="fig.multidomain" format="default" sectionFormat="of" derivedContent="Figure 2"/>. As mentioned above, the domains communicate by some unspecified protocol, and providing separate signalingmessageand identity allows for calls toBob's browser (again,be authenticated regardless of theformat is currently undefined). Thedetails of the inter-domain protocol. </t> <figure anchor="fig.proposal-federated.idp" align="left" suppress-title="false" pn="figure-4"> <name slugifiedName="name-a-federated-call-with-idp-b">A Federated Call with IdP-Based Identity</name> <artwork name="" type="" align="left" alt="" pn="section-4-7.1"> +----------------+ Unspecified +----------------+ | | protocol | | | Signaling |<----------------->| Signaling | | Server | (SIP, XMPP, ...) | Server | | | | | +----------------+ +----------------+ ^ ^ | | HTTPS | | HTTPS | | | | v v JSon Bob's browser processes it, and alertsAPI JS API +-----------+ +-----------+ | | Media | | Alice | Browser |<--------------------------->| Browser | Bobto| | DTLS+SRTP | | +-----------+ +-----------+ ^ ^--+ +--^ ^ | | | | v | | v +-----------+ | | +-----------+ | |<-------------------------+ | | | IdP1 | | | IdP2 | | | +------------------------>| | +-----------+ +-----------+ </artwork> </figure> <section numbered="true" toc="include" removeInRFC="false" pn="section-4.1"> <name slugifiedName="name-initial-signaling">Initial Signaling</name> <t indent="0" pn="section-4.1-1"> For simplicity, assume theincoming call and to Alice's identity. In this case,topology in <xref target="fig.proposal.idp" format="default" sectionFormat="of" derivedContent="Figure 3"/>. Alicehas provided an identity assertionandso Bob's browser contacts Alice's identity provider (again, this is done inBob are both users of ageneric way socommon calling service; they both have approved thebrowser has no specific knowledge ofcalling service to make calls (we defer theIdP)discussion of device access permissions until later). They are both connected toverifytheassertion. It iscalling service via HTTPS and so know the origin with some level of confidence. They alsopossible tohaveIdPsaccounts withwhich the browser has a specific trustrelationship, as described in <xref target="sec.trust-relationships"/>.some IdP. Thisallows the browser to display a trusted element in the browser chrome indicating that a call is coming in from Alice. If Alicesort of identity service is becoming increasingly common inBob's address book, then this interface might also include her real name, a picture, etc. The calling site will also provide some user interface element (e.g., a button) to allow Bob to answer the call, though this is most likely not part of the trusted UI. </t> <t> If Bob agrees a PeerConnection is instantiated withthemessage from Alice's side. Then, a similar process occursWeb environment (with technologies such ason Alice's browser: Bob's browser prompts him for device permission, the media streams are created, and a return signaling message containing media information, ICE candidates,Federated Google Login, Facebook Connect, OAuth, OpenID, WebFinger), anda fingerprintissent back to Alice via the signaling service. If Bob hasoften provided as arelationship with an IdP, the message will also comeside effect service of a user's ordinary accounts withan identity assertion. </t> <t> Atsome service. In thispoint,example, we show Alice and Bobeach know that the other party wants to haveusing asecure call with them. Based purely on the interface provided byseparate identity service, though thesignaling server, they know thatidentity service may be thesignaling server claims thatsame entity as thecall is fromcalling service or there may be no identity service at all. </t> <t indent="0" pn="section-4.1-2"> Aliceto Bob. This level of securityisprovided merely by having the fingerprint inlogged onto themessagecalling service andhaving that message received securelydecides to call Bob. She can see from thesignaling server. Because the far end sent an identity assertion along with their message, they knowcalling service thatthishe isverifiable from the IdP as well. Note that ifonline and thecall is federated, as showncalling service presents a JS UI in<xref target="fig.proposal-federated.idp"/> then Alice is ablethe form of a button next toverifyBob'sidentity inname which says "Call". Alice clicks the button, which initiates awayJS callback thatisinstantiates a PeerConnection object. This does notmediated by either her signaling server or Bob's. Rather, she verifies it directly with Bob's IdP. </t> <t> Of course, the call works perfectly well if either Alice or Bob doesn't haverequire arelationship with an IdP; they justsecurity check: JS from any origin is allowed to geta lower level of assurance. I.e., they simply have whatever information their calling site claims aboutthis far. </t> <t indent="0" pn="section-4.1-3"> Once thecaller/callee's identity. Moreover, Alice might wish to make an anonymous call through an anonymous calling site, in which case she would of course just not provide any identity assertion andPeerConnection is created, the callingsite would mask her identity from Bob. </t> </section> <section title="Media Consent Verification"> <t> As described in (<xref target="I-D.ietf-rtcweb-security"/>; Section 4.2) media consent verificationservice JS needs to set up some media. Because this isprovided via ICE. Thus, Alice and Bob perform ICE checksan audio/video call, it creates a MediaStream witheach other. At the completion of these checks, they are readytwo MediaStreamTracks, one connected tosend non-ICE data. </t> <t>an audio input and one connected to a video input. At this point,Alice knows that (a) Bob (assuming he is verified via his IdP) or someone else whothesignaling service is claiming is Bobfirst security check iswilling to exchange traffic with her and (b) that either Bob is at the IP address which she has verified via ICE or there is an attacker who is on-path to that IP address detouring the traffic. Note that it is not possible for an attacker who is on-path between Alice and Bob butrequired: untrusted origins are notattached to the signaling serviceallowed tospoof these checks because they do not haveaccess theICE credentials. Bob hascamera and microphone, so thesame security guarantees with respect to Alice.browser prompts Alice for permission. </t></section> <section title="DTLS Handshake"> <t> Once<t indent="0" pn="section-4.1-4"> In therequisite ICE checkscurrent W3C API, once some streams havecompleted, Alice and Bob can set upbeen added, Alice's browser + JS generates asecure channel or channels. This is performed via DTLS <xref target="RFC6347"/> and DTLS-SRTPsignaling message <xreftarget="RFC5763"/> keying for SRTPtarget="RFC8829" format="default" sectionFormat="of" derivedContent="RFC8829"/> containing: </t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-4.1-5"> <li pn="section-4.1-5.1"> Media channel information </li> <li pn="section-4.1-5.2"> Interactive Connectivity Establishment (ICE) <xreftarget="RFC3711"/> fortarget="RFC8445" format="default" sectionFormat="of" derivedContent="RFC8445"/> candidates </li> <li pn="section-4.1-5.3"> A "fingerprint" attribute binding themedia channel and SCTP over DTLScommunication to a key pair <xreftarget="RFC8261"/>target="RFC5763" format="default" sectionFormat="of" derivedContent="RFC5763"/>. Note that this key may simply be ephemerally generated fordata channels. Specifically, Alicethis call or specific to this domain, andBob performAlice may have aDTLS handshake on every component which has been established by ICE. The totallarge number ofchannels depends onsuch keys. </li> </ul> <t indent="0" pn="section-4.1-6"> Prior to sending out theamount of muxing; insignaling message, themost likely case we are using both RTP/RTCP muxPeerConnection code contacts the identity service andmuxing multiple media streamsobtains an assertion binding Alice's identity to her fingerprint. The exact details depend on thesame channel,identity service (though as discussed inwhich case there is only one DTLS handshake. Once the DTLS handshake has completed, the keys are exported<xreftarget="RFC5705"/> and usedtarget="sec.generic.idp" format="default" sectionFormat="of" derivedContent="Section 7"/> PeerConnection can be agnostic tokey SRTPthem), but for now it's easiest to think of as an OAuth token. The assertion may bind other information to themedia channels.identity besides the fingerprint, but at minimum it needs to bind the fingerprint. </t><t> At<t indent="0" pn="section-4.1-7"> This message is sent to the signaling server, e.g., by fetch() <xref target="fetch" format="default" sectionFormat="of" derivedContent="fetch"/> or by WebSockets <xref target="RFC6455" format="default" sectionFormat="of" derivedContent="RFC6455"/>, over TLS <xref target="RFC8446" format="default" sectionFormat="of" derivedContent="RFC8446"/>. The signaling server processes the message from Alice's browser, determines that thispoint, Aliceis a call to Bob, andBob know that they sharesends aset of secure data and/or media channels with keys which are not knownsignaling message toany third-party attacker. If AliceBob's browser (again, the format is currently undefined). The JS on Bob's browser processes it, and alerts Bobauthenticated via their IdPs, then they also know thatto thesignaling serviceincoming call and to Alice's identity. In this case, Alice has provided an identity assertion and so Bob's browser contacts Alice's IdP (again, this isnot mountingdone in aman-in-the-middle attack on their traffic. Even if they do not use an IdP, as long as theygeneric way so the browser has no specific knowledge of the IdP) to verify the assertion. It is also possible to haveminimalIdPs with which the browser has a specific trust relationship, as described in <xref target="sec.trust-relationships" format="default" sectionFormat="of" derivedContent="Section 7.1"/>. This allows thesignaling service notbrowser toperformdisplay aman-in-the-middle attack, they know that their communications are secure against the signaling service as well (i.e., thattrusted element in thesignaling service cannot mountbrowser chrome indicating that apassive attack oncall is coming in from Alice. If Alice is in Bob's address book, then this interface might also include her real name, a picture, etc. The calling site will also provide some user interface element (e.g., a button) to allow Bob to answer thecommunications).call, though this is most likely not part of the trusted UI. </t></section> <section title="Communications and Consent Freshness"> <t> From<t indent="0" pn="section-4.1-8"> If Bob agrees, asecurity perspective, everythingPeerConnection is instantiated with the message fromhereAlice's side. Then, a similar process occurs as oninAlice's browser: Bob's browser prompts him for device permission, the media streams are created, and a return signaling message containing media information, ICE candidates, and a fingerprint is sent back to Alice via the signaling service. If Bob has alittle anticlimactic:relationship with an IdP, the message will also come with an identity assertion. </t> <t indent="0" pn="section-4.1-9"> At this point, Alice and Bobexchange data protected byeach know that thekeys negotiated by DTLS. Because ofother party wants to have a secure call with them. Based purely on thesecurity guarantees discussed ininterface provided by theprevious sections,signaling server, they know that thecommunications are encrypted and authenticated. </t> <t> The one remaining security property we need to establish is "consent freshness", i.e., allowing Alice to verifysignaling server claims thatBobthe call isstill prepared to receive her communications so thatfrom Alicedoes not continue to send large traffic volumestoentities which went abruptly offline. ICE specifies periodic STUN keepalives but only if mediaBob. This level of security isnot flowing. Becauseprovided merely by having theconsent issue is more difficult here, we require WebRTC implementations to periodically send keepalives. As describedfingerprint inSection 5.3, these keepalives MUST be based ontheconsent freshness mechanism specified in <xref target="RFC7675"/>. If a keepalive failsmessage andno new ICE channels can be established, then the session is terminated. </t> </section> </section> <section title="SDP Identity Attribute" anchor="sec.sdp-id-attr"> <t> The SDP 'identity' attribute is a session-level attributehaving thatis used bymessage received securely from the signaling server. Because the far end sent anendpoint to convey its identity assertion to its peer. Theidentity assertionvaluealong with their message, they know that this isencodedverifiable from the IdP asBase-64,well. Note that if the call is federated, asdescribedshown inSection 4 of<xreftarget="RFC4648"/>. </t> <t> The procedurestarget="fig.proposal-federated.idp" format="default" sectionFormat="of" derivedContent="Figure 4"/>, then Alice is able to verify Bob's identity inthis section are based on the assumptiona way thatthe identity assertion of an endpointisbound to the fingerprints of the endpoint. This doesnotpreclude the definition of alternative means of binding an assertion to the endpoint, but such means are outside the scope of this specification.mediated by either her signaling server or Bob's. Rather, she verifies it directly with Bob's IdP. </t><t> The semantics of multiple 'identity' attributes within an offer<t indent="0" pn="section-4.1-10"> Of course, the call works perfectly well if either Alice oranswer are undefined. Implementations SHOULD only includeBob doesn't have asingle 'identity' attribute inrelationship with anoffer or answer and relying parties MAY elect to ignore all butIdP; they just get a lower level of assurance. I.e., they simply have whatever information their calling site claims about thefirst 'identity' attribute. </t> <t> <list style="hanging"> <t hangText="Name:">identity</t> <t hangText="Value:">identity-assertion</t> <t hangText="Usage Level:">session</t> <t hangText="Charset Dependent:">no</t> <t hangText="Default Value:">N/A</t> <t hangText="Name:">identity</t> </list> </t> <figure> <artwork type="inline"><![CDATA[ Syntax: identity-assertion = identity-assertion-value *(SP identity-extension) identity-assertion-value = base64 identity-extension = extension-name [ "=" extension-value ] extension-name = token extension-value = 1*(%x01-09 / %x0b-0c / %x0e-3a / %x3c-ff) ; byte-string from [RFC4566] <ALPHA and DIGIT as defined in [RFC4566]> <base64 as definedcaller/callee's identity. Moreover, Alice might wish to make an anonymous call through an anonymous calling site, in[RFC4566]> Example: a=identity:\ eyJpZHAiOnsiZG9tYWluIjoiZXhhbXBsZS5vcmciLCJwcm90b2NvbCI6ImJvZ3Vz\ In0sImFzc2VydGlvbiI6IntcImlkZW50aXR5XCI6XCJib2JAZXhhbXBsZS5vcmdc\ IixcImNvbnRlbnRzXCI6XCJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3l6XCIsXCJz\ aWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9 Note that long lineswhich case she would of course just not provide any identity assertion and the calling site would mask her identity from Bob. </t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-4.2"> <name slugifiedName="name-media-consent-verification">Media Consent Verification</name> <t indent="0" pn="section-4.2-1"> As described in <xref target="RFC8826" sectionFormat="comma" section="4.2" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8826#section-4.2" derivedContent="RFC8826"/>, media consent verification is provided via ICE. Thus, Alice and Bob perform ICE checks with each other. At theexamplecompletion of these checks, they arefoldedready tomeet the column width constraints ofsend non-ICE data. </t> <t indent="0" pn="section-4.2-2"> At thisdocument;point, Alice knows that (a) Bob (assuming he is verified via his IdP) or someone else who thebackslash ("\")signaling service is claiming is Bob is willing to exchange traffic with her and (b) either Bob is at theend of a line,IP address which she has verified via ICE or there is an attacker who is on-path to that IP address detouring thecarriage returntraffic. Note thatfollows, and whitespace shall be ignored. ]]></artwork> </figure> <t> This specification doesit is notdefine any extensionspossible forthe attribute. </t> <t> The identity-assertion value is a JSON <xref target="RFC8259"/> encoded string. The JSON object contains two keys: "assertion" and "idp". The <spanx style="verb">assertion</spanx> key value containsanopaque string thatattacker who isconsumed by the IdP. The <spanx style="verb">idp</spanx> key value contains a dictionary with one or two further values that identify the IdP. See <xref target="sec.request-assert"/> for more details. </t> <section title="Offer/Answer Considerations" anchor="sec.sdp-id-attr-oa"> <t> This section defines the SDP Offer/Answer <xref target="RFC3264"/> considerations foron-path between Alice and Bob but not attached to theSDP 'identity' attribute. </t> <t> Within this section, 'initial offer' referssignaling service to spoof these checks because they do not have thefirst offer inICE credentials. Bob has theSDP session that contains an SDP <spanx style="verb">identity</spanx> attribute.same security guarantees with respect to Alice. </t> </section> <sectiontitle="Generating the Initial SDP Offer" anchor="sec.sdp-id-attr-oa-inio"> <t> When an offerer sends an offer, in order to provide its identity assertion tonumbered="true" toc="include" removeInRFC="false" pn="section-4.3"> <name slugifiedName="name-dtls-handshake">DTLS Handshake</name> <t indent="0" pn="section-4.3-1"> Once thepeer, it includes an 'identity' attribute inrequisite ICE checks have completed, Alice and Bob can set up a secure channel or channels. This is performed via DTLS <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/> and DTLS-SRTP <xref target="RFC5763" format="default" sectionFormat="of" derivedContent="RFC5763"/> keying for SRTP <xref target="RFC3711" format="default" sectionFormat="of" derivedContent="RFC3711"/> for theoffer. In addition,media channel and theofferer includes one or more SDP 'fingerprint' attributes.Stream Control Transmission Protocol (SCTP) over DTLS <xref target="RFC8261" format="default" sectionFormat="of" derivedContent="RFC8261"/> for data channels. Specifically, Alice and Bob perform a DTLS handshake on every component which has been established by ICE. The'identity' attribute MUST be bound to all the 'fingerprint' attributes intotal number of channels depends on thesession description. </t> </section> <section title="Generatingamount ofSDP Answer" anchor="sec.sdp-id-attr-oa-ansa"> <t> Ifmuxing; in theanswerer elects to include an 'identity' attribute, it followsmost likely case, we are using both RTP/RTCP mux and muxing multiple media streams on the samesteps as thosechannel, in which case there is only one DTLS handshake. Once the DTLS handshake has completed, the keys are exported <xreftarget="sec.sdp-id-attr-oa-inio"/>. The answerer can choosetarget="RFC5705" format="default" sectionFormat="of" derivedContent="RFC5705"/> and used toinclude or omit an 'identity' attribute independently, regardless of whetherkey SRTP for theofferer did so.media channels. </t></section> <section title="Processing an SDP Offer or Answer" anchor="sec.sdp-id-attr-oa-offa"> <t> When an endpoint receives an offer or answer that contains an 'identity' attribute, the answerer can use the the attribute information to contact the IdP<t indent="0" pn="section-4.3-2"> At this point, Alice andverify the identityBob know that they share a set ofthe peer.secure data and/or media channels with keys which are not known to any third-party attacker. If Alice and Bob authenticated via their IdPs, then they also know that theidentity requiressignaling service is not mounting athird-party IdPman-in-the-middle attack on their traffic. Even if they do not use an IdP, asdescribedlong as they have minimal trust in<xref target="sec.trust-relationships"/> then that IdP will needthe signaling service not tohave been specifically configured. Ifperform a man-in-the-middle attack, they know that their communications are secure against theidentity verification fails,signaling service as well (i.e., that theanswerer MUST discardsignaling service cannot mount a passive attack on theoffer or answer as malformed.communications). </t> </section> <sectiontitle="Modifying the Session" anchor="sec.sdp-id-attr-oa-modi"> <t> When modifyingnumbered="true" toc="include" removeInRFC="false" pn="section-4.4"> <name slugifiedName="name-communications-and-consent-">Communications and Consent Freshness</name> <t indent="0" pn="section-4.4-1"> From asession, if the set of fingerprintssecurity perspective, everything from here on in isunchanged, thena little anticlimactic: Alice and Bob exchange data protected by thesender MAY sendkeys negotiated by DTLS. Because of thesame 'identity' attribute. In this case,security guarantees discussed in theestablished identity MUST be applied to existing DTLS connections as well as new connections established using one of those fingerprints. Note that <xref target="I-D.ietf-rtcweb-jsep"/>, Section 5.2.1 requiresprevious sections, they know thateach media section usethesame set of fingerprints for every media section. If a new identity attributecommunications are encrypted and authenticated. </t> <t indent="0" pn="section-4.4-2"> The one remaining security property we need to establish isreceived, then the receiver MUST apply"consent freshness", i.e., allowing Alice to verify thatidentityBob is still prepared to receive her communications so that Alice does not continue toall existing connections. </t> <t> If the set of fingerprints changes, then the sender MUST eithersenda new 'identity' attribute or none at all.large traffic volumes to entities which went abruptly offline. ICE specifies periodic Session Traversal Utilities for NAT (STUN) keepalives but only if media is not flowing. Becausea changethe consent issue is more difficult here, we require WebRTC implementations to periodically send keepalives using the consent freshness mechanism specified infingerprints also causes<xref target="RFC7675" format="default" sectionFormat="of" derivedContent="RFC7675"/>. If a keepalive fails and no newDTLS connection toICE channels can be established, then thereceiver MUST discard all previously established identities.session is terminated. </t> </section> </section></section><sectiontitle="Detailed Technical Description" anchor="sec.proposal.detailed"> <section title="Origin and Web Security Issues" anchor="sec.proposal.origin"> <t>anchor="sec.sdp-id-attr" numbered="true" toc="include" removeInRFC="false" pn="section-5"> <name slugifiedName="name-sdp-identity-attribute">SDP Identity Attribute</name> <t indent="0" pn="section-5-1"> Thebasic unit of permissions for WebRTCSDP "identity" attribute isthe origina session-level attribute that is used by an endpoint to convey its identity assertion to its peer. The identity-assertion value is encoded as base64, as described in <xreftarget="RFC6454"/>. Becausetarget="RFC4648" sectionFormat="of" section="4" format="default" derivedLink="https://rfc-editor.org/rfc/rfc4648#section-4" derivedContent="RFC4648"/>. </t> <t indent="0" pn="section-5-2"> The procedures in this section are based on thesecurityassumption that the identity assertion of an endpoint is bound to theorigin depends on being ablefingerprints of the endpoint. This does not preclude the definition of alternative means of binding an assertion toauthenticate content from that origin,theorigin canendpoint, but such means are outside the scope of this specification. </t> <t indent="0" pn="section-5-3"> The semantics of multiple "identity" attributes within an offer or answer are undefined. Implementations <bcp14>SHOULD</bcp14> onlybe securely established if data is transferred over HTTPS <xref target="RFC2818"/>. Thus, clients MUST treat HTTPinclude a single "identity" attribute in an offer or answer, andHTTPS origins as different permissions domains. Note: this follows directly fromRelying Parties <bcp14>MAY</bcp14> elect to ignore all but theorigin security model and is stated here merely for clarity.first "identity" attribute. </t><t> Many web browsers currently forbid by default any active mixed content on HTTPS pages. That is, when JavaScript is loaded<dl newline="false" spacing="normal" indent="3" pn="section-5-4"> <dt pn="section-5-4.1">Name:</dt> <dd pn="section-5-4.2">identity</dd> <dt pn="section-5-4.3">Value:</dt> <dd pn="section-5-4.4">identity-assertion</dd> <dt pn="section-5-4.5">Usage Level:</dt> <dd pn="section-5-4.6">session</dd> <dt pn="section-5-4.7">Charset Dependent:</dt> <dd pn="section-5-4.8">no</dd> <dt pn="section-5-4.9">Default Value:</dt> <dd pn="section-5-4.10">N/A</dd> </dl> <t indent="0" pn="section-5-5">Syntax:</t> <sourcecode name="abnf-1" type="abnf" markers="false" pn="section-5-6"> identity-assertion = identity-assertion-value *(SP identity-extension) identity-assertion-value = base64 identity-extension = extension-name [ "=" extension-value ] extension-name = token extension-value = 1*(%x01-09 / %x0b-0c / %x0e-3a / %x3c-ff) ; byte-string froman HTTP origin onto an HTTPS page, an error is displayed[RFC4566] <ALPHA andthe HTTP content is not executed unless the user overrides the error. Any browser which enforces such a policy will also not permit access to WebRTC functionality from mixed content pages (because they never display mixed content). Browsers which allow active mixed content MUST nevertheless disable WebRTC functionalityDIGIT as defined inmixed content settings. </t> <t> Note[RFC4566]> <base64 as defined in [RFC4566]> </sourcecode> <t indent="0" pn="section-5-7">Example:</t> <sourcecode name="sdp-1" type="sdp" markers="false" pn="section-5-8"> a=identity:\ eyJpZHAiOnsiZG9tYWluIjoiZXhhbXBsZS5vcmciLCJwcm90b2NvbCI6ImJvZ3Vz\ In0sImFzc2VydGlvbiI6IntcImlkZW50aXR5XCI6XCJib2JAZXhhbXBsZS5vcmdc\ IixcImNvbnRlbnRzXCI6XCJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3l6XCIsXCJz\ aWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9</sourcecode> <aside pn="section-5-9"> <t indent="0" pn="section-5-9.1">Note thatit is possible for a page which was not mixed contentlong lines in the example are folded tobecome mixed content duringmeet thedurationcolumn width constraints of this document; thecall. The major risk here is thatbackslash ("\") at thenewly arrived insecure JS might redirect media toend of alocation controlled by the attacker. Implementations MUST either choose to terminateline, thecall or display a warning at that point. </t> <t> Also notecarriage return thatthe security architecture depends on the keying materialfollows, and whitespace shall be ignored.</t> </aside> <t indent="0" pn="section-5-10"> This specification does notbeing available to move between origins. But, itdefine any extensions for the attribute. </t> <t indent="0" pn="section-5-11"> The identity-assertion value isassumeda JSON encoded string <xref target="RFC8259" format="default" sectionFormat="of" derivedContent="RFC8259"/>. The JSON object contains two keys: "assertion" and "idp". The "assertion" key value contains an opaque string that is consumed by theidentity assertion can be passed to anyoneIdP. The "idp" key value contains a dictionary with one or two further values that identify thepage cares to.IdP. See <xref target="sec.request-assert" format="default" sectionFormat="of" derivedContent="Section 7.6"/> for more details. </t></section><sectiontitle="Device Permissions Model" anchor="sec.proposal.device.permissions"> <t> Implementations MUST obtain explicit user consent prior to providing access to the camera and/or microphone. Implementations MUST at minimum supportanchor="sec.sdp-id-attr-oa" numbered="true" toc="include" removeInRFC="false" pn="section-5.1"> <name slugifiedName="name-offer-answer-considerations">Offer/Answer Considerations</name> <t indent="0" pn="section-5.1-1"> This section defines thefollowing two permissions models for HTTPS origins. </t> <t> <list style="symbols"> <t> Requests for one-time camera/microphone access. </t> <t> Requests for permanent access. </t> </list> </t> <t> Because HTTP origins cannot be securely established against network attackers, implementations MUST refuse all permissions grantsSDP offer/answer <xref target="RFC3264" format="default" sectionFormat="of" derivedContent="RFC3264"/> considerations forHTTP origins.the SDP "identity" attribute. </t><t> In addition, they SHOULD support requests for access that promise that media from<t indent="0" pn="section-5.1-2"> Within thisgrant will be sentsection, 'initial offer' refers toa single communicating peer (obviously there could be other requests for other peers), eE.g., "Call customerservice@example.org". The semantics of this request are thatthemedia stream fromfirst offer in thecamera and microphone will only be routed through a connection which has been cryptographically verified (throughSDP session that contains an SDP "identity" attribute. </t> <section anchor="sec.sdp-id-attr-oa-inio" numbered="true" toc="include" removeInRFC="false" pn="section-5.1.1"> <name slugifiedName="name-generating-the-initial-sdp-">Generating theIdP mechanism orInitial SDP Offer</name> <t indent="0" pn="section-5.1.1-1"> When anX.509 certificateofferer sends an offer, in order to provide its identity assertion to theDTLS-SRTP handshake) as being associated with the stated identity. Note thatpeer, itis unlikely that browsers would have X.509 certificates, but servers might. Browsers servicing such requests SHOULD clearly indicate that identity toincludes an "identity" attribute in theuser when asking for permission.offer. In addition, the offerer includes one or more SDP "fingerprint" attributes. Theidea behind this type of permissions is that a user might have a fairly narrow list of peers he is willing"identity" attribute <bcp14>MUST</bcp14> be bound tocommunicate with, e.g., "my mother" rather than "anyone on Facebook". Narrow permissions grants allowall thebrowser to do that enforcement."fingerprint" attributes in the session description. </t><t> <list style="hanging"></section> <section anchor="sec.sdp-id-attr-oa-ansa" numbered="true" toc="include" removeInRFC="false" pn="section-5.1.2"> <name slugifiedName="name-generating-an-sdp-answer">Generating an SDP Answer</name> <thangText="API Requirement:"> The API MUST provide a mechanism forindent="0" pn="section-5.1.2-1"> If therequesting JSanswerer elects torelinquishinclude an "identity" attribute, it follows theabilitysame steps as those in <xref target="sec.sdp-id-attr-oa-inio" format="default" sectionFormat="of" derivedContent="Section 5.1.1"/>. The answerer can choose toseeinclude ormodify the media (e.g., via MediaStream.record()). Combined with secure authenticationomit an "identity" attribute independently, regardless of whether thecommunicating peer, this allows a user to be sure that the calling site is not accessing or modifying their conversion. </t> </list>offerer did so. </t><t> <list style="hanging"></section> <section anchor="sec.sdp-id-attr-oa-offa" numbered="true" toc="include" removeInRFC="false" pn="section-5.1.3"> <name slugifiedName="name-processing-an-sdp-offer-or-">Processing an SDP Offer or Answer</name> <thangText="UI Requirement:"> The UI MUST clearly indicate whenindent="0" pn="section-5.1.3-1"> When an endpoint receives an offer or answer that contains an "identity" attribute, theuser's camera and microphone are in use. This indication MUST NOT be suppressable byanswerer can use theJS and MUST clearly indicate how to terminate device access, and provide a UI meansattribute information toimmediately stop camera/microphone input withoutcontact theJS being able to prevent it. </t> </list> </t> <t> <list style="hanging"> <t hangText="UI Requirement:"> IfIdP and verify theUI indicationidentity ofcamera/microphone use are displayed inthebrowser such that minimizingpeer. If thebrowser window would hideidentity requires a third-party IdP as described in <xref target="sec.trust-relationships" format="default" sectionFormat="of" derivedContent="Section 7.1"/>, then that IdP will need to have been specifically configured. If theindication,identity verification fails, the answerer <bcp14>MUST</bcp14> discard the offer or answer as malformed. </t> </section> <section anchor="sec.sdp-id-attr-oa-modi" numbered="true" toc="include" removeInRFC="false" pn="section-5.1.4"> <name slugifiedName="name-modifying-the-session">Modifying theJS creating an overlapping window would hideSession</name> <t indent="0" pn="section-5.1.4-1"> When modifying a session, if theindication,set of fingerprints is unchanged, then thebrowser SHOULD stop camera and microphone input whensender <bcp14>MAY</bcp14> send theindication is hidden. [Note:same "identity" attribute. In thismay notcase, the established identity <bcp14>MUST</bcp14> benecessary in systems that are non-windows-based but that have good notifications support, such as phones.] </t> </list> </t> <t> <list style="symbols"> <t> Browsers MUST NOT permit permanent screen or application sharing permissionsapplied tobe installedexisting DTLS connections asa response to a JS request for permissions. Instead, they must require some other user action suchwell asa permissions setting or an application install experience to grant permission to a site. </t> <t> Browsers MUST provide a separate dialog request for screen/application sharing permissions even if thenew connections established using one of those fingerprints. Note that <xref target="RFC8829" sectionFormat="comma" section="5.2.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8829#section-5.2.1" derivedContent="RFC8829"/> requires that each mediarequest is made atsection use the sametime as camera and microphone. </t> <t> The browser MUST indicate any windows which are currently being shared in some unambiguous way. Windows which are not visible MUST NOT be shared even if the application is being shared.set of fingerprints. Ifthe screena new "identity" attribute isbeing shared,received, then the receiver <bcp14>MUST</bcp14> apply thatMUST be indicated. </t> </list>identity to all existing connections. </t><t> Browsers MAY permit<t indent="0" pn="section-5.1.4-2"> If theformationset ofdata channels without any direct user approval. Because sites can always tunnel data throughfingerprints changes, then theserver, further restrictions on the data channel do not provide any additional security. (See <xref target="sec.proposal.communications.consent"/> for a related issue). </t> <t> Implementations which support some form of direct user authentication SHOULD also providesender <bcp14>MUST</bcp14> either send apolicy by whichnew "identity" attribute or none at all. Because auser can authorize calls only to specific communicating peers. Specifically, the implementation SHOULD provide the following interfaces/controls: </t> <t> <list style="symbols"> <t> Allow future calls to this verified user. </t> <t> Allow future calls to any verified user who ischange inmy system address book (this only works with address book integration, of course). </t> </list> </t> <t> Implementations SHOULDfingerprints alsoprovidecauses adifferent user interface indication when calls are in progressnew DTLS connection tousers whose identities are directly verifiable. <xref target="sec.proposal.comsec"/> provides more on this.be established, the receiver <bcp14>MUST</bcp14> discard all previously established identities. </t> </section> </section> </section> <sectiontitle="Communications Consent" anchor="sec.proposal.communications.consent"> <t> Browser client implementationsanchor="sec.proposal.detailed" numbered="true" toc="include" removeInRFC="false" pn="section-6"> <name slugifiedName="name-detailed-technical-descript">Detailed Technical Description</name> <section anchor="sec.proposal.origin" numbered="true" toc="include" removeInRFC="false" pn="section-6.1"> <name slugifiedName="name-origin-and-web-security-iss">Origin and Web Security Issues</name> <t indent="0" pn="section-6.1-1"> The basic unit of permissions for WebRTCMUST implement ICE. Server gateway implementations which operate only at public IP addresses MUST implement either full ICE or ICE-Lite <xref target="RFC8445"/>. </t> <t> Browser implementations MUST verify reachability via ICE prior to sending any non-ICE packets to a given destination. Implementations MUST NOT provideis theICE transaction ID to JavaScript duringorigin <xref target="RFC6454" format="default" sectionFormat="of" derivedContent="RFC6454"/>. Because thelifetimesecurity of thetransaction (i.e., during the period when the ICE stack would accept a new response for that transaction). The JS MUST NOT be permittedorigin depends on being able tocontrolauthenticate content from that origin, thelocal ufrag and password, though it of course knows it. </t> <t> <!-- FIXME: phrasing of first sentence still awkward --> While continuing consentorigin can only be securely established if data isrequired, the ICE <xref target="RFC8445"/>; Section 10 keepalives use STUN Binding Indications which are one-waytransferred over HTTPS <xref target="RFC2818" format="default" sectionFormat="of" derivedContent="RFC2818"/>. Thus, clients <bcp14>MUST</bcp14> treat HTTP and HTTPS origins as different permissions domains. Note: This follows directly from the origin security model andtherefore not sufficient. The current WG consensusisto use ICE Binding Requestsstated here merely forcontinuing consent freshness. ICE already requires that implementations respond to such requests, so this approach is maximally compatible. A separate document will profile the ICE timers to be used; see <xref target="RFC7675"/>.clarity. </t></section> <section title="IP Location Privacy" anchor="sec.proposal.ip.location.privacy"> <t> A side effect of the<t indent="0" pn="section-6.1-2"> Many Web browsers currently forbid by defaultICE behaviorany active mixed content on HTTPS pages. That is, when JavaScript isthatloaded from an HTTP origin onto an HTTPS page, an error is displayed and thepeer learns one's IP address, which leaks large amounts of location information. This has negative privacy consequences in some circumstances. The API requirements in this section are intended to mitigate this issue. Note that these requirements areHTTP content is notintended to protectexecuted unless theuser's IP address from a malicious site. In general,user overrides thesite will learn at leasterror. Any browser which enforces such auser's server reflexive address from any HTTP transaction. Rather, these requirements are intendedpolicy will also not permit access to WebRTC functionality from mixed content pages (because they never display mixed content). Browsers which allow active mixed content <bcp14>MUST</bcp14> nevertheless disable WebRTC functionality in mixed content settings. </t> <t indent="0" pn="section-6.1-3"> Note that it is possible for asitepage which was not mixed content tocooperate withbecome mixed content during theuser to hide the user's IP address from the other sideduration of the call.Hiding the user's IP address from the server requires some sort of explicit privacy preserving mechanism on the client (e.g., Tor Browser [https://www.torproject.org/projects/torbrowser.html.en]) and is out of scope for this specification. </t> <t> <list style="hanging"> <t hangText="API Requirement:">TheAPI MUST provide a mechanism to allowmajor risk here is that the newly arrived insecure JS might redirect media tosuppress ICE negotiation (though perhaps to allow candidate gathering) untila location controlled by theuser has decidedattacker. Implementations <bcp14>MUST</bcp14> either choose toanswer the call [note: determining whenterminate the callhas been answered isor display aquestion forwarning at that point. </t> <t indent="0" pn="section-6.1-4"> Also note that theJS.] This enables a user to prevent a peer from learning their IP address if they electsecurity architecture depends on the keying material not being available toanswer a call and also from learning whether the usermove between origins. However, it isonline. </t> </list> </t> <t> <list style="hanging"> <t hangText="API Requirement:"> The API MUST provide a mechanism forassumed that thecalling application JSidentity assertion can be passed toindicateanyone thatonly TURN candidates arethe page cares to. </t> </section> <section anchor="sec.proposal.device.permissions" numbered="true" toc="include" removeInRFC="false" pn="section-6.2"> <name slugifiedName="name-device-permissions-model">Device Permissions Model</name> <t indent="0" pn="section-6.2-1"> Implementations <bcp14>MUST</bcp14> obtain explicit user consent prior to providing access tobe used. This preventsthepeer from learning one's IP addresscamera and/or microphone. Implementations <bcp14>MUST</bcp14> atall. This mechanism MUST also permit suppression ofminimum support therelated address field, since that leaks local addresses. </t> </list>following two permissions models for HTTPS origins. </t><t> <list style="hanging"><ul spacing="normal" bare="false" empty="false" indent="3" pn="section-6.2-2"> <li pn="section-6.2-2.1"> Requests for one-time camera/microphone access. </li> <li pn="section-6.2-2.2"> Requests for permanent access. </li> </ul> <thangText="API Requirement:"> The API MUST provide a mechanismindent="0" pn="section-6.2-3"> Because HTTP origins cannot be securely established against network attackers, implementations <bcp14>MUST</bcp14> refuse all permissions grants forthe calling application to reconfigure an existing callHTTP origins. </t> <t indent="0" pn="section-6.2-4"> In addition, they <bcp14>SHOULD</bcp14> support requests for access that promise that media from this grant will be sent toadd non-TURN candidates. Taken together,a single communicating peer (obviously there could be other requests for other peers), e.g., "Call customerservice@example.org". The semantics of this request are that the media stream from the camera and microphone will only be routed through a connection which has been cryptographically verified (through theprevious requirement allow ICE negotiation to start immediately on incoming call notification, thus reducing post-dial delay, but also to avoid disclosingIdP mechanism or an X.509 certificate in theuser's IP address until theyDTLS-SRTP handshake) as being associated with the stated identity. Note that it is unlikely that browsers would havedecided to answer. They also allow usersX.509 certificates, but servers might. Browsers servicing such requests <bcp14>SHOULD</bcp14> clearly indicate that identity tocompletely hide their IP address forthedurationuser when asking for permission. The idea behind this type ofthe call. Finally,permissions is that a user might have a fairly narrow list of peers they are willing to communicate with, e.g., "my mother" rather than "anyone on Facebook". Narrow permissions grants allow the browser to do that enforcement. </t> <dl newline="false" spacing="normal" indent="3" pn="section-6.2-5"> <dt pn="section-6.2-5.1">API Requirement:</dt> <dd pn="section-6.2-5.2"> The API <bcp14>MUST</bcp14> provide a mechanism for theuserrequesting JS tooptimize performance by reconfiguringrelinquish the ability toallow non-TURN candidates during an active call ifsee or modify the media (e.g., via MediaStream.record()). Combined with secure authentication of the communicating peer, this allows a userdecides they no longer needtohide their IP address </t> </list> </t> <t> Notebe sure thatsome enterprises may operate proxies and/or NATs designed to hide internal IP addresses fromtheoutside world. WebRTC provides no explicit mechanism to allow this function. Either such enterprises need to proxycalling site is not accessing or modifying their conversion. </dd> </dl> <dl newline="false" spacing="normal" indent="3" pn="section-6.2-6"> <dt pn="section-6.2-6.1">UI Requirement:</dt> <dd pn="section-6.2-6.2"> The UI <bcp14>MUST</bcp14> clearly indicate when theHTTP/HTTPSuser's camera andmodify the SDP and/ormicrophone are in use. This indication <bcp14>MUST NOT</bcp14> be suppressible by theJS, or there needsJS and <bcp14>MUST</bcp14> clearly indicate how tobe browser supportterminate device access, and provide a UI means tosetimmediately stop camera/microphone input without the"TURN-only" policy regardlessJS being able to prevent it. </dd> </dl> <dl newline="false" spacing="normal" indent="3" pn="section-6.2-7"> <dt pn="section-6.2-7.1">UI Requirement:</dt> <dd pn="section-6.2-7.2"> If the UI indication of camera/microphone use is displayed in thesite's preferences. </t> </section> <section title="Communications Security" anchor="sec.proposal.comsec"> <t> Implementations MUST support SRTP <xref target="RFC3711"/>. Implementations MUST support DTLS <xref target="RFC6347"/> and DTLS-SRTP <xref target="RFC5763"/><xref target="RFC5764"/> for SRTP keying. Implementations MUST support SCTP over DTLS <xref target="RFC8261"/>. </t> <t> All media channels MUST be secured via SRTP and SRTCP. Media traffic MUST NOT be sent over plain (unencrypted) RTP or RTCP;browser such thatis, implementations MUST NOT negotiate cipher suites with NULL encryption modes. DTLS-SRTP MUST be offered for every media channel. WebRTC implementations MUST NOT offer SDP Security Descriptions <xref target="RFC4568"/>minimizing the browser window would hide the indication, orselect it if offered. A SRTP MKI MUST NOT be used. </t> <t> All data channels MUST be secured via DTLS. </t> <t> All Implementations MUST support DTLS 1.2 withtheTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite andJS creating an overlapping window would hide the<xref target="FIPS186">P-256 curve</xref>. Earlier drafts of this specification required DTLS 1.0 withindication, then thecipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,browser <bcp14>SHOULD</bcp14> stop camera andatmicrophone input when thetime of this writing some implementations doindication is hidden. (Note: This may notsupport DTLS 1.2; endpoints which support only DTLS 1.2 might encounter interoperability issues. The DTLS-SRTP protection profile SRTP_AES128_CM_HMAC_SHA1_80 MUSTbesupported for SRTP. Implementations MUST favor cipher suites which support (Perfect Forward Secrecy) PFS over non-PFS cipher suites and SHOULD favor AEAD over non-AEAD cipher suites. </t> <t> Implementations MUST NOT implement DTLS renegotiation and MUST reject it with a "no_renegotiation" alert if offered.</t> <t> Endpoints MUST NOT implement TLS False Start <xref target="RFC7918"/>.</t> <t> <list style="hanging"> <t hangText="API Requirement:"> The API MUST generate a new authentication key pair for every new call by default. This is intendednecessary in systems that are non-windows-based but that have good notifications support, such as phones.) </dd> </dl> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-6.2-8"> <li pn="section-6.2-8.1"> Browsers <bcp14>MUST NOT</bcp14> permit permanent screen or application sharing permissions toallow for unlinkability. </t> <t hangText="API Requirement:"> The API MUST providebe installed as ameansresponse toreuseakey pairJS request forcalls. This can be used to enable key continuity-based authentication, and could be used to amortize key generation costs. </t> <t hangText="API Requirement:"> Unless thepermissions. Instead, they must require some other userspecifically configures an external key pair, different key pairs MUST be used for each origin. (This avoids creatingaction such as asuper-cookie.) </t> <t hangText="API Requirement:"> When DTLS-SRTP is used, the API MUST NOT permit the JSpermissions setting or an application install experience toobtain the negotiated keying material. This requirement preserves the end-to-end security of the media. </t> </list> </t> <t> <list style="hanging"> <t hangText="UI Requirements: "> A user-oriented client MUSTgrant permission to a site. </li> <li pn="section-6.2-8.2"> Browsers <bcp14>MUST</bcp14> providean "inspector" interface which allowsa separate dialog request for screen/application sharing permissions even if theuser to determinemedia request is made at thesecurity characteristics ofsame time as themedia. </t> <t>request for camera and microphone permissions. </li> <li pn="section-6.2-8.3"> Thefollowing properties SHOULD be displayed "up-front" in thebrowserchrome, i.e., without requiring the user to ask<bcp14>MUST</bcp14> indicate any windows which are currently being shared in some unambiguous way. Windows which are not visible <bcp14>MUST NOT</bcp14> be shared even if the application is being shared. If the screen is being shared, then that <bcp14>MUST</bcp14> be indicated. </li> </ul> <t indent="0" pn="section-6.2-9"> Browsers <bcp14>MAY</bcp14> permit the formation of data channels without any direct user approval. Because sites can always tunnel data through the server, further restrictions on the data channel do not provide any additional security. (See <xref target="sec.proposal.communications.consent" format="default" sectionFormat="of" derivedContent="Section 6.3"/> forthem:a related issue.) </t><t> <list style="symbols"> <t> A client MUST<t indent="0" pn="section-6.2-10"> Implementations which support some form of direct user authentication <bcp14>SHOULD</bcp14> also provide auser interface throughpolicy by which a usermay determinecan authorize calls only to specific communicating peers. Specifically, thesecurity characteristics for currently-displayed audio and video stream(s)implementation <bcp14>SHOULD</bcp14> provide the following interfaces/controls: </t><t> A client MUST<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-6.2-11"> <li pn="section-6.2-11.1"> Allow future calls to this verified user. </li> <li pn="section-6.2-11.2"> Allow future calls to any verified user who is in my system address book (this only works with address book integration, of course). </li> </ul> <t indent="0" pn="section-6.2-12"> Implementations <bcp14>SHOULD</bcp14> also provide a different user interfacethrough which a user may determine the security characteristics for transmissions of their microphone audio and camera video. </t> <t> If the far endpoint wasindication when calls are in progress to users whose identities are directlyverified,verifiable. <xref target="sec.proposal.comsec" format="default" sectionFormat="of" derivedContent="Section 6.5"/> provides more on this. </t> </section> <section anchor="sec.proposal.communications.consent" numbered="true" toc="include" removeInRFC="false" pn="section-6.3"> <name slugifiedName="name-communications-consent">Communications Consent</name> <t indent="0" pn="section-6.3-1"> Browser client implementations of WebRTC <bcp14>MUST</bcp14> implement ICE. Server gateway implementations which operate only at public IP addresses <bcp14>MUST</bcp14> implement eithervia a third-party verifiable X.509 certificatefull ICE or ICE-Lite <xref target="RFC8445" format="default" sectionFormat="of" derivedContent="RFC8445"/>. </t> <t indent="0" pn="section-6.3-2"> Browser implementations <bcp14>MUST</bcp14> verify reachability via ICE prior to sending any non-ICE packets to aWeb IdP mechanism (see <xref target="sec.generic.idp"/>)given destination. Implementations <bcp14>MUST NOT</bcp14> provide the"security characteristics" MUST includeICE transaction ID to JavaScript during theverified information. X.509 identities and Web IdP identities have similar semantics and should be displayed inlifetime of the transaction (i.e., during the period when the ICE stack would accept asimilar way. </t> </list> </t> <t> </t> <t>new response for that transaction). Thefollowing properties are more likelyJS <bcp14>MUST NOT</bcp14> be permitted torequire some "drill-down" fromcontrol theuser:local ufrag and password, though it of course knows it. </t><t> <list style="symbols"> <t> The "security characteristics" MUST indicate<t indent="0" pn="section-6.3-3"> While continuing consent is required, thecryptographic algorithms inICE <xref target="RFC8445" sectionFormat="comma" section="11" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8445#section-11" derivedContent="RFC8445"/> keepalives use(For example: "AES-CBC".) </t> <t>STUN Binding Indications, which are one-way and therefore not sufficient. The"security characteristics" MUST indicate whether PFScurrent WG consensus isprovided. </t> <t> The "security characteristics" MUST include some mechanismtoallow an out-of-band verification of the peer,use ICE Binding Requests for continuing consent freshness. ICE already requires that implementations respond to suchas a certificate fingerprint or a Short Authentication String (SAS). These are compared byrequests, so this approach is maximally compatible. A separate document will profile thepeersICE timers toauthenticate one another. </t> </list> </t> </list>be used; see <xref target="RFC7675" format="default" sectionFormat="of" derivedContent="RFC7675"/>. </t> </section></section><sectiontitle="Web-Based Peer Authentication" anchor="sec.generic.idp"> <t> In a numberanchor="sec.proposal.ip.location.privacy" numbered="true" toc="include" removeInRFC="false" pn="section-6.4"> <name slugifiedName="name-ip-location-privacy">IP Location Privacy</name> <t indent="0" pn="section-6.4-1"> A side effect ofcases, it is desirable fortheendpoint (i.e.,default ICE behavior is that thebrowser)peer learns one's IP address, which leaks large amounts of location information. This has negative privacy consequences in some circumstances. The API requirements in this section are intended tobe ablemitigate this issue. Note that these requirements are not intended todirectly identify the endpoint onprotect theother side without trustinguser's IP address from a malicious site. In general, thesignaling service to which they are connected. For instance, users may be makingsite will learn at least acall viauser's server-reflexive address from any HTTP transaction. Rather, these requirements are intended to allow afederated system where they wishsite toget direct authentication ofcooperate with the user to hide the user's IP address from the otherside. Alternately, they may be makingside of the call. Hiding the user's IP address from the server requires some sort of explicit privacy-preserving mechanism on the client (e.g., Tor Browser <eref brackets="angle" target="https://www.torproject.org/projects/torbrowser.html.en"/>) and is out of scope for this specification. </t> <dl newline="false" spacing="normal" indent="3" pn="section-6.4-2"> <dt pn="section-6.4-2.1">API Requirement:</dt> <dd pn="section-6.4-2.2"> The API <bcp14>MUST</bcp14> provide a mechanism to allow the JS to suppress ICE negotiation (though perhaps to allow candidate gathering) until the user has decided to answer the call. (Note: Determining when the callonhas been answered is asite which they minimally trust (such asquestion for the JS.) This enables apoker site) butuser tosomeone who has an identity onprevent asitepeer from learning their IP address if theydo trust (such as a social network.) </t> <t> Recently,elect not to answer anumber of Web-based identity technologies (OAuth, Facebook Connect etc.) have been developed. Whilecall and also from learning whether thedetails vary, what these technologies shareuser isthat they haveonline. </dd> </dl> <dl newline="false" spacing="normal" indent="3" pn="section-6.4-3"> <dt pn="section-6.4-3.1">API Requirement:</dt> <dd pn="section-6.4-3.2"> The API <bcp14>MUST</bcp14> provide aWeb-based (i.e., HTTP/HTTPS) identity provider which attests to Alice's identity. For instance, if Alice has an account at example.org, Alice could usemechanism for theexample.org identity provider to provecalling application JS toothersindicate thatAlice is alice@example.org. The development of these technologies allows usonly TURN candidates are toseparate callingbe used. This prevents the peer fromidentity provision: Alice could call you onlearning one's IP address at all. This mechanism <bcp14>MUST</bcp14> also permit suppression of the related address field, since that leaks local addresses. </dd> </dl> <dl newline="false" spacing="normal" indent="3" pn="section-6.4-4"> <dt pn="section-6.4-4.1">API Requirement:</dt> <dd pn="section-6.4-4.2"> The API <bcp14>MUST</bcp14> provide apoker sitemechanism for the calling application to reconfigure an existing call to add non-TURN candidates. Taken together, this and the previous requirement allow ICE negotiation to start immediately on incoming call notification, thus reducing post-dial delay, butidentify herself as alice@example.org. </t> <t> Whateveralso to avoid disclosing theunderlying technology,user's IP address until they have decided to answer. They also allow users to completely hide their IP address for thegeneral principle is thatduration of theparty which is being authenticated is NOTcall. Finally, they allow a mechanism for thesignaling site but ratheruser to optimize performance by reconfiguring to allow non-TURN candidates during an active call if the user(anddecides they no longer need to hide theirbrowser). Similarly,IP address. </dd> </dl> <t indent="0" pn="section-6.4-5"> Note that some enterprises may operate proxies and/or NATs designed to hide internal IP addresses from therelying party isoutside world. WebRTC provides no explicit mechanism to allow this function. Either such enterprises need to proxy thebrowserHTTP/HTTPS andnotmodify thesignaling site. Thus,SDP and/or the JS, or there needs to be browserMUST generate the inputsupport to set theIdP assertion process and display the results"TURN-only" policy regardless of theverification processsite's preferences. </t> <t indent="0" pn="section-6.4-6"> Note: These requirements are intended to allow sites to conceal theuser in a way which cannot be imitated byuser's IP address from the peer. For guidance on concealing the user's IP address from the callingsite.site see <xref target="RFC8828" format="default" sectionFormat="of" derivedContent="RFC8828"/>. </t><t> The mechanisms defined in this document do not require the browser to implement any particular identity protocol or to</section> <section anchor="sec.proposal.comsec" numbered="true" toc="include" removeInRFC="false" pn="section-6.5"> <name slugifiedName="name-communications-security">Communications Security</name> <t indent="0" pn="section-6.5-1"> Implementations <bcp14>MUST</bcp14> supportany particular IdP. Instead, this document provides a generic interface which any IdP can implement. Thus, new IdPsSRTP <xref target="RFC3711" format="default" sectionFormat="of" derivedContent="RFC3711"/>. Implementations <bcp14>MUST</bcp14> support DTLS <xref target="RFC6347" format="default" sectionFormat="of" derivedContent="RFC6347"/> andprotocols canDTLS-SRTP <xref target="RFC5763" format="default" sectionFormat="of" derivedContent="RFC5763"/> <xref target="RFC5764" format="default" sectionFormat="of" derivedContent="RFC5764"/> for SRTP keying. Implementations <bcp14>MUST</bcp14> support SCTP over DTLS <xref target="RFC8261" format="default" sectionFormat="of" derivedContent="RFC8261"/>. </t> <t indent="0" pn="section-6.5-2"> All media channels <bcp14>MUST</bcp14> beintroduced without change to eithersecured via SRTP and thebrowserSecure Real-time Transport Control Protocol (SRTCP). Media traffic <bcp14>MUST NOT</bcp14> be sent over plain (unencrypted) RTP orthe calling service. This avoids the need to make a commitment to any particular identity protocol, although browsers may opt to directly implement some identity protocols in order to provide superior performanceRTCP; that is, implementations <bcp14>MUST NOT</bcp14> negotiate cipher suites with NULL encryption modes. DTLS-SRTP <bcp14>MUST</bcp14> be offered for every media channel. WebRTC implementations <bcp14>MUST NOT</bcp14> offer SDP security descriptions <xref target="RFC4568" format="default" sectionFormat="of" derivedContent="RFC4568"/> orUI properties. </t> <section title="Trust Relationships: IdPs, APs, and RPs" anchor="sec.trust-relationships"> <t> Any federated identity protocol has three major participants: </t> <t> <list style="hanging"> <t hangText="Authenticating Party (AP):"> The entity which is trying to establish its identity. </t> <t>select it if offered. An SRTP Master Key Identifier (MKI) <bcp14>MUST NOT</bcp14> be used. </t> <thangText="Identity Provider (IdP):"> The entity which is vouching for the AP's identity. </t> <t>indent="0" pn="section-6.5-3"> All data channels <bcp14>MUST</bcp14> be secured via DTLS. </t> <thangText="Relying Party (RP):"> The entity which is trying to verifyindent="0" pn="section-6.5-4"> All implementations <bcp14>MUST</bcp14> support DTLS 1.2 with theAP's identity. </t> </list> </t> <t> The APTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and theIdP have an account relationship<xref target="FIPS186" format="default" sectionFormat="of" derivedContent="FIPS186">P-256 curve</xref>. Earlier drafts ofsome kind: the AP registersthis specification required DTLS 1.0 with theIdPcipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, andis able to subsequently authenticate directly to the IdP (e.g., with a password). This means thatat thebrowser must somehow knowtime of this writing some implementations do not support DTLS 1.2; endpoints whichIdP(s)support only DTLS 1.2 might encounter interoperability issues. The DTLS-SRTP protection profile SRTP_AES128_CM_HMAC_SHA1_80 <bcp14>MUST</bcp14> be supported for SRTP. Implementations <bcp14>MUST</bcp14> favor cipher suites which support Forward Secrecy (FS) over non-FS cipher suites and <bcp14>SHOULD</bcp14> favor Authenticated Encryption with Associated Data (AEAD) over non-AEAD cipher suites. Note: theuser has an account relationship with.IETF is in the process of standardizing DTLS 1.3 <xref target="I-D.ietf-tls-dtls13" format="default" sectionFormat="of" derivedContent="TLS-DTLS13"/>. </t> <t indent="0" pn="section-6.5-5"> Implementations <bcp14>MUST NOT</bcp14> implement DTLS renegotiation and <bcp14>MUST</bcp14> reject it with a "no_renegotiation" alert if offered.</t> <t indent="0" pn="section-6.5-6"> Endpoints <bcp14>MUST NOT</bcp14> implement TLS False Start <xref target="RFC7918" format="default" sectionFormat="of" derivedContent="RFC7918"/>.</t> <dl newline="false" spacing="normal" indent="3" pn="section-6.5-7"> <dt pn="section-6.5-7.1">API Requirement:</dt> <dd pn="section-6.5-7.2"> The API <bcp14>MUST</bcp14> generate a new authentication key pair for every new call by default. This is intended to allow for unlinkability. </dd> <dt pn="section-6.5-7.3">API Requirement:</dt> <dd pn="section-6.5-7.4"> The API <bcp14>MUST</bcp14> provide a means to reuse a key pair for calls. This caneitherbesomething thatused to enable key continuity-based authentication, and could be used to amortize key generation costs. </dd> <dt pn="section-6.5-7.5">API Requirement:</dt> <dd pn="section-6.5-7.6"> Unless the user specifically configuresinto the browser or thatan external key pair, different key pairs <bcp14>MUST</bcp14> be used for each origin. (This avoids creating a super-cookie.) </dd> <dt pn="section-6.5-7.7">API Requirement:</dt> <dd pn="section-6.5-7.8"> When DTLS-SRTP isconfigured atused, thecalling site and then providedAPI <bcp14>MUST NOT</bcp14> permit the JS to obtain thePeerConnection bynegotiated keying material. This requirement preserves theWeb application atend-to-end security of thecalling site.media. </dd> </dl> <dl newline="false" spacing="normal" indent="3" pn="section-6.5-8"> <dt pn="section-6.5-8.1">UI Requirements:</dt> <dd pn="section-6.5-8.2"> A user-oriented client <bcp14>MUST</bcp14> provide an "inspector" interface which allows the user to determine the "security characteristics" of the media. </dd> <dt pn="section-6.5-8.3"/> <dd pn="section-6.5-8.4"> Theuse case for having this information configured intofollowing properties <bcp14>SHOULD</bcp14> be displayed "up-front" in the browseris thatchrome, i.e., without requiring the usermay "log into" the browsertobind it to some identity. This is becoming common in new browsers. However, it should also be possibleask forthe IdP information to simply be provided by the calling application. </t> <t> Atthem: </dd> <dt pn="section-6.5-8.5"/> <dd pn="section-6.5-8.6"> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-6.5-8.6.1"> <li pn="section-6.5-8.6.1.1"> A client <bcp14>MUST</bcp14> provide ahigh level there are two kinds of IdPs: </t> <t> <list style="hanging"> <t hangText="Authoritative: "> IdPsuser interface through whichhave verifiable control of some section of the identity space. For instance, in the realm of e-mail, the operator of "example.com" has complete control of the namespace ending in "@example.com". Thus, "alice@example.com" is whoevera user may determine theoperator says it is. Examples of systems with authoritative identity providers include DNSSEC, RFC 4474,"security characteristics" for currently displayed audio andFacebook Connect (Facebook identities only make sense within the context of the Facebook system). </t> <t> </t> <t hangText="Third-Party: "> IdPsvideo stream(s). </li> <li pn="section-6.5-8.6.1.2"> A client <bcp14>MUST</bcp14> provide a user interface through whichdon't have controla user may determine the "security characteristics" for transmissions of theirsection of the identity space but instead verify user's identities via some unspecified mechanismmicrophone audio andthen attest to it. Becausecamera video. </li> <li pn="section-6.5-8.6.1.3"> If the far endpoint was directly verified, either via a third-party verifiable X.509 certificate or via a Web IdPdoesn't actually controlmechanism (see <xref target="sec.generic.idp" format="default" sectionFormat="of" derivedContent="Section 7"/>), thenamespace, RPs need to trust that"security characteristics" <bcp14>MUST</bcp14> include the verified information. X.509 identities and Web IdPis correctly verifying AP identities,identities have similar semantics andthere can potentiallyshould bemultiple IdPs attestingdisplayed in a similar way. </li> </ul> </dd> <dt pn="section-6.5-8.7"/> <dd pn="section-6.5-8.8"> The following properties are more likely to require some "drill-down" from thesame section of the identity space. Probablyuser: </dd> <dt pn="section-6.5-8.9"/> <dd pn="section-6.5-8.10"> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-6.5-8.10.1"> <li pn="section-6.5-8.10.1.1"> The "security characteristics" <bcp14>MUST</bcp14> indicate thebest-known example of a third-party identity providercryptographic algorithms in use (for example, "AES-CBC"). </li> <li pn="section-6.5-8.10.1.2"> The "security characteristics" <bcp14>MUST</bcp14> indicate whether FS isSSL/TLS certificates, where there are a large number of CAs all of whom can attestprovided. </li> <li pn="section-6.5-8.10.1.3"> The "security characteristics" <bcp14>MUST</bcp14> include some mechanism toany domain name. </t> </list> </t> <t> If an AP is authenticating viaallow anauthoritative IdP, thenout-of-band verification of theRP does not need to explicitly configure trust inpeer, such as a certificate fingerprint or a Short Authentication String (SAS). These are compared by theIdP at all.peers to authenticate one another. </li> </ul> </dd> </dl> </section> </section> <section anchor="sec.generic.idp" numbered="true" toc="include" removeInRFC="false" pn="section-7"> <name slugifiedName="name-web-based-peer-authenticati">Web-Based Peer Authentication</name> <t indent="0" pn="section-7-1"> NOTE: Theidentitymechanismcan directly verify that the IdP indeed made the relevant identity assertion (a function provided by the mechanismsdescribed in thisdocument), and any assertion it makessection was designed relatively early in the RTCWEB process. In retrospect, the WG was too optimistic aboutan identitythe enthusiasm forwhich it is authoritative is directly verifiable. Note thatthisdoes not mean thatkind of mechanism. At theIdP mighttime of publication, it has notlie, but that isbeen widely adopted or implemented. It appears in this document as atrustworthiness judgement that the user can make atdescription of thetime he looks atstate of theidentity.art as of this writing. </t><t> By contrast, if an AP is authenticating via<t indent="0" pn="section-7-2"> In athird-party IdP,number of cases, it is desirable for theRP needs to explicitly trust that IdP (henceendpoint (i.e., theneed for an explicit trust anchor list in PKI-based SSL/TLS clients). The list of trustable IdPs needsbrowser) to beconfiguredable to directlyinto the browser, either byidentify theuser or potentially byendpoint on thebrowser manufacturer. This is a significant advantage of authoritative IdPs and implies that if third-party IdPs are to be supported,other side without trusting thepotential number needssignaling service to which they are connected. For instance, users may befairly small. </t> </section> <section title="Overview of Operation" anchor="sec.overview"> <t> In ordermaking a call via a federated system where they wish toprovide security without trusting the calling site,get direct authentication of thePeerConnection componentother side. Alternately, they may be making a call on a site which they minimally trust (such as a poker site) but to someone who has an identity on a site they do trust (such as a social network). </t> <t indent="0" pn="section-7-3"> Recently, a number of Web-based identity technologies (OAuth, Facebook Connect, etc.) have been developed. While thebrowser must interact directly withdetails vary, what these technologies share is that they have a Web-based (i.e., HTTP/HTTPS) IdP which attests to Alice's identity. For instance, if Alice has an account at example.org, Alice could use theIdP.example.org IdP to prove to others that Alice is alice@example.org. Thedetailsdevelopment ofthe mechanism are described in the W3C API specification,these technologies allows us to separate calling from identity provision: Alice could call you on a poker site but identify herself as alice@example.org. </t> <t indent="0" pn="section-7-4"> Whatever the underlying technology, the generalideaprinciple is that thePeerConnection component downloads JS from a specific location onparty which is being authenticated is NOT theIdP dictated bysignaling site but rather theIdP domain name. That JS (the "IdP proxy") runs in an isolated security context withinuser (and their browser). Similarly, the Relying Party is the browser and not thePeerConnection talkssignaling site. Thus, the browser <bcp14>MUST</bcp14> generate the input toit via a secure message passing channel. </t> <t> Note that there are two logically separate functions here: <list style="symbols"> <t> Identity assertion generation. </t> <t> Identitythe IdP assertionverification. </t> </list> </t> <t> The same IdP JS "endpoint" is used for both functions but of course a given IdP might behave differentlyprocess andload new JS to perform one function or the other. </t> <figure> <artwork><![CDATA[ +--------------------------------------+ | Browser | | | | +----------------------------------+ | | | https://calling-site.example.com | | | | | | | | Calling JS Code | | | | ^ | | | +---------------|------------------+ | | | API Calls | | v | | PeerConnection | | ^ | | | API Calls | | +-----------|-------------+ | +---------------+ | | v | | | | | | IdP Proxy |<-------->| Identity | | | | | | Provider | | | https://idp.example.org | | | | | +-------------------------+ | +---------------+ | | +--------------------------------------+ ]]></artwork> </figure> <t> When the PeerConnection object wants to interact with the IdP,display thesequenceresults ofevents is as follows: <list style="numbers"> <t> The browser (the PeerConnection component) instantiates an IdP proxy. This allowstheIdPverification process toload whatever JS is necessary intotheproxy. The resulting code runsuser in a way which cannot be imitated by theIdP's security context.calling site. </t><t><t indent="0" pn="section-7-5"> TheIdP registers an object with the browser that conforms to the APImechanisms defined in<xref target="webrtc-api"/>. </t> <t> The browser invokes methods on the object registered by the IdP proxy to create or verify identity assertions. </t> </list> </t> <t> This approach allows us to decouplethis document do not require the browserfromto implement any particular identityprovider; the browser need only know howprotocol or toload the IdP's JavaScript--the location ofsupport any particular IdP. Instead, this document provides a generic interface whichis determined based on the IdP's identity--and to call the generic API for requesting and verifying identity assertions. Theany IdPprovides whatever logic is necessary to bridge the generic protocolcan implement. Thus, new IdPs and protocols can be introduced without change to either theIdP's specific requirements. Thus, a singlebrowsercan support any number of identity protocols, including being forward compatible with IdPs which did not exist ator thetimecalling service. This avoids thebrowser was written. </t> </section> <section title="Items for Standardization" anchor="sec.standardized"> <t> There are two partsneed tothis work: </t> <t> <list style="symbols"> <t> The precise information from the signaling message that must be cryptographically boundmake a commitment tothe user'sany particular identityand a mechanism for carrying assertions in JSEP messages. This is specifiedprotocol, although browsers may opt to directly implement some identity protocols in<xref target="sec.jsep-binding"/>.order to provide superior performance or UI properties. </t> <section anchor="sec.trust-relationships" numbered="true" toc="include" removeInRFC="false" pn="section-7.1"> <name slugifiedName="name-trust-relationships-idps-ap">Trust Relationships: IdPs, APs, and RPs</name> <t indent="0" pn="section-7.1-1"> Any federated identity protocol has three major participants: </t><t><dl newline="false" spacing="normal" indent="3" pn="section-7.1-2"> <dt pn="section-7.1-2.1">Authenticating Party (AP):</dt> <dd pn="section-7.1-2.2"> Theinterfaceentity which is trying tothe IdP,establish its identity. </dd> <dt pn="section-7.1-2.3">Identity Provider (IdP):</dt> <dd pn="section-7.1-2.4"> The entity which isdefined invouching for thecompanion W3C WebRTC API specification <xref target="webrtc-api"/>. </t> </list> </t> <t>AP's identity. </dd> <dt pn="section-7.1-2.5">Relying Party (RP):</dt> <dd pn="section-7.1-2.6"> TheWebRTC API specification also defines JavaScript interfaces that the calling application can use to specifyentity whichIdP to use. That API also provides accessis trying to verify theassertion-generation capabilityAP's identity. </dd> </dl> <t indent="0" pn="section-7.1-3"> The AP and thestatusIdP have an account relationship of some kind: thevalidation process. </t> </section> <section title="Binding Identity Assertions to JSEP Offer/Answer Transactions" anchor="sec.jsep-binding"> <t> An identity assertion binds the user's identity (as asserted by the IdP) toAP registers with theSDP offer/answer exchangeIdP andspecificallyis able tothe media. In ordersubsequently authenticate directly toachieve this,thePeerConnectionIdP (e.g., with a password). This means that the browser mustprovidesomehow know which IdP(s) theDTLS-SRTP fingerprint touser has an account relationship with. This can either bebound tosomething that theidentity. This is provided as a JavaScript object (also known as a dictionaryuser configures into the browser orhash) with a single <spanx style="verb">fingerprint</spanx> key, as shown below: </t> <figure> <artwork><![CDATA[ { "fingerprint": [ { "algorithm": "sha-256", "digest": "4A:AD:B9:B1:3F:...:E5:7C:AB" }, { "algorithm": "sha-1", "digest": "74:E9:76:C8:19:...:F4:45:6B" } ] } ]]></artwork> </figure> <t> The <spanx style="verb">fingerprint</spanx> valuethat isan array of objects. Each object inconfigured at thearray contains <spanx style="verb">algorithm</spanx>calling site and<spanx style="verb">digest</spanx> values, which correspond directlythen provided to thealgorithm and digest values in the <spanx style="verb">fingerprint</spanx> attribute ofPeerConnection by theSDP <xref target="RFC8122"/>. </t> <t> This object is encoded in a <xref target="RFC8259">JSON</xref> string for passing toWeb application at theIdP.calling site. Theidentity assertion returned by the IdP, which is encoded inuse case for having this information configured into the<spanx style="verb">identity</spanx> attribute,browser isa JSON objectthatis encoded as described in <xref target="sec.carry-assertion"/>. </t> <t> This structure does not need to be interpreted bytheIdP or the IdP proxy. It is consumed solely byuser may "log into" theRP's browser. The IdP merely treatsbrowser to bind itas an opaque valuetobe attested to. Thus,some identity. This is becoming common in newparameters canbrowsers. However, it should also beadded to the assertion without modifyingpossible for theIdP. </t> <section title="Carrying Identity Assertions" anchor="sec.carry-assertion"> <t> Once anIdPhas generated an assertion (see <xref target="sec.request-assert"/>), it is attachedinformation tothe SDP offer/answer message. This is donesimply be provided byaddingthe calling application. </t> <t indent="0" pn="section-7.1-4"> At anew 'identity' attribute tohigh level, there are two kinds of IdPs: </t> <dl newline="false" spacing="normal" indent="3" pn="section-7.1-5"> <dt pn="section-7.1-5.1">Authoritative:</dt> <dd pn="section-7.1-5.2"> IdPs which have verifiable control of some section of theSDP. The sole contentsidentity space. For instance, in the realm ofthis valueemail, the operator of "example.com" has complete control of the namespace ending in "@example.com". Thus, "alice@example.com" is whoever the operator says it is. Examples of systems with authoritative IdPs include DNSSEC, an identityassertion. Thesystem for SIP (see <xref target="RFC8224" format="default" sectionFormat="of" derivedContent="RFC8224"/>), and Facebook Connect (Facebook identities only make sense within the context of the Facebook system). </dd> <dt pn="section-7.1-5.3">Third-Party:</dt> <dd pn="section-7.1-5.4"> IdPs which don't have control of their section of the identityassertion produced byspace but instead verify users' identities via some unspecified mechanism and then attest to it. Because the IdPis encoded into a UTF-8 JSON text, then <xref target="RFC4648">Base64-encoded</xref>doesn't actually control the namespace, RPs need toproduce this string. For example: </t> <figure> <artwork><![CDATA[ v=0 o=- 1181923068 1181923196 IN IP4 ua1.example.com s=example1 c=IN IP4 ua1.example.com a=fingerprint:sha-1 \ 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB a=identity:\ eyJpZHAiOnsiZG9tYWluIjoiZXhhbXBsZS5vcmciLCJwcm90b2NvbCI6ImJvZ3Vz\ In0sImFzc2VydGlvbiI6IntcImlkZW50aXR5XCI6XCJib2JAZXhhbXBsZS5vcmdc\ IixcImNvbnRlbnRzXCI6XCJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3l6XCIsXCJz\ aWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9 a=... t=0 0 m=audio 6056 RTP/SAVP 0 a=sendrecv ... Notetrust thatlong lines intheexample are foldedIdP is correctly verifying AP identities, and there can potentially be multiple IdPs attesting tomeetthecolumn width constraintssame section ofthis document;thebackslash ("\") atidentity space. Probably theendbest-known example of aline, the carriage return that follows, and whitespace shall be ignored. ]]></artwork> </figure> <t> The 'identity' attribute attests to all <spanx style="verb">fingerprint</spanx> attributes in the session description. Itthird-party IdP isthereforeSSL/TLS certificates, where there are asession-level attribute. </t> <t> Multiple <spanx style="verb">fingerprint</spanx> valueslarge number of certificate authorities (CAs) all of whom canbe usedattest tooffer alternative certificates for a peer. The <spanx style="verb">identity</spanx> attribute MUST include all fingerprint values that are included in <spanx style="verb">fingerprint</spanx> attributes ofany domain name. </dd> </dl> <t indent="0" pn="section-7.1-6"> If an AP is authenticating via an authoritative IdP, then thesession description. </t> <t> TheRPbrowser MUST verify that the in-use certificate for a DTLS connection isdoes not need to explicitly configure trust in theset of fingerprints returned from the IdP when verifying an assertion. </t> </section> </section> <section title="Determining theIdPURI" anchor="sec.idp-uri"> <t> In order to ensureat all. The identity mechanism can directly verify that the IdPis under control ofindeed made thedomain owner rather than someone who merely has an account onrelevant identity assertion (a function provided by thedomain owner's server (e.g.,mechanisms inshared hosting scenarios),this document), and any assertion it makes about an identity for which it is authoritative is directly verifiable. Note that this does not mean that the IdPJavaScriptmight not lie, but that ishosted atadeterministic location based ontrustworthiness judgement that theIdP's domain name. Each IdP proxy instance is associated with two values: </t> <t> <list style="hanging"> <t hangText="Authority:"> The <xref target="RFC3986"> authority</xref>user can make atwhichtheIdP's service is hosted.time they look at the identity. </t> <thangText="protocol:"> The specific IdP protocol which the IdP is using. Thisindent="0" pn="section-7.1-7"> By contrast, if an AP is authenticating via acompletely opaque IdP-specific string, but allows an IdPthird-party IdP, the RP needs toimplement two protocols in parallel. This value may beexplicitly trust that IdP (hence theempty string. If no valueneed forprotocol is provided, a valuean explicit trust anchor list in PKI-based SSL/TLS clients). The list of"default" is used. </t> </list> </t> <t> Each IdP MUST serve its initial entry page (i.e.,trustable IdPs needs to be configured directly into theone loadedbrowser, either by theIdP proxy) from a <xref target="RFC5785">well-known URI</xref>. The well-known URI for an IdP proxy is formed from the following URI components: <list style="numbers"> <t> The scheme, "https:". An IdP MUST be loaded using <xref target="RFC2818">HTTPS</xref>. </t> <t> The <xref target="RFC3986">authority</xref>. As noted above, the authority MAY contain a non-default port numberuser oruserinfo sub-component. Both are removed when determining if an asserted identity matchespotentially by thenamebrowser manufacturer. This is a significant advantage ofthe IdP. </t> <t> The path, starting with "/.well-known/idp-proxy/"authoritative IdPs andappended with the IdP protocol. Noteimplies thatthe separator characters '/' (%2F) and '\' (%5C) MUST NOTif third-party IdPs are to bepermitted insupported, theprotocol field, lest an attacker be ablepotential number needs todirect requests outside of the controlled "/.well-known/" prefix. Query and fragment values MAYbeused by including '?' or '#' characters. </t> </list> For example, for the IdP "identity.example.com" and the protocol "example", the URL would be:fairly small. </t><figure> <artwork><![CDATA[ https://identity.example.com/.well-known/idp-proxy/example ]]></artwork> </figure> <t> The IdP MAY redirect requests</section> <section anchor="sec.overview" numbered="true" toc="include" removeInRFC="false" pn="section-7.2"> <name slugifiedName="name-overview-of-operation">Overview of Operation</name> <t indent="0" pn="section-7.2-1"> In order tothis URL, but they MUST retainprovide security without trusting the"https" scheme. This changescalling site, theeffective originPeerConnection component of theIdP, but notbrowser must interact directly with thedomainIdP. The details of theidentities thatmechanism are described in theIdP is permitted to assert and validate. I.e.,W3C API specification, but theIdPgeneral idea isstill regarded as authoritative forthat theoriginal domain. </t> <section title="Authenticating Party"> <t> How an AP determinesPeerConnection component downloads JS from a specific location on the IdP dictated by theappropriateIdP domainis out of scope of this specification. In general, however,name. That JS (the "IdP proxy") runs in an isolated security context within theAP has some actual account relationshipbrowser, and the PeerConnection talks to it via a secure message passing channel. </t> <t indent="0" pn="section-7.2-2"> Note that there are two logically separate functions here: </t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7.2-3"> <li pn="section-7.2-3.1"> Identity assertion generation. </li> <li pn="section-7.2-3.2"> Identity assertion verification. </li> </ul> <t indent="0" pn="section-7.2-4"> The same IdP JS "endpoint" is used for both functions, but of course a given IdP might behave differently and load new JS to perform one function or the other. </t> <artwork name="" type="" align="left" alt="" pn="section-7.2-5"> +--------------------------------------+ | Browser | | | | +----------------------------------+ | | | https://calling-site.example.com | | | | | | | | Calling JS Code | | | | ^ | | | +---------------|------------------+ | | | API Calls | | v | | PeerConnection | | ^ | | | API Calls | | +-----------|-------------+ | +---------------+ | | v | | | | | | IdP Proxy |<-------->| Identity | | | | | | Provider | | | https://idp.example.org | | | | | +-------------------------+ | +---------------+ | | +--------------------------------------+ </artwork> <t indent="0" pn="section-7.2-6"> When the PeerConnection object wants to interact with the IdP,as this identitythe sequence of events iswhatas follows: </t> <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-7.2-7"> <li pn="section-7.2-7.1" derivedCounter="1."> The browser (the PeerConnection component) instantiates an IdP proxy. This allows the IdP to load whatever JS isattesting to. Thus,necessary into theAP somehow suppliesproxy. The resulting code runs in the IdP's security context. </li> <li pn="section-7.2-7.2" derivedCounter="2."> The IdPinformationregisters an object with the browser that conforms to thebrowser. Some potential mechanisms include: <list style="symbols"> <t> ProvidedAPI defined in <xref target="webrtc-api" format="default" sectionFormat="of" derivedContent="webrtc-api"/>. </li> <li pn="section-7.2-7.3" derivedCounter="3."> The browser invokes methods on the object registered by theuser directly. </t> <t> Selected from some set of IdPs knownIdP proxy to create or verify identity assertions. </li> </ol> <t indent="0" pn="section-7.2-8"> This approach allows us to decouple thecalling site. E.g., a button that shows "Authenticate via Facebook Connect" </t> </list> </t> </section> <section title="Relying Party"> <t> Unlike the AP, the RP need not havebrowser from any particularrelationship withIdP; theIdP. Rather, it needs to be ablebrowser need only know how toprocess whatever assertion is provided by the AP. As the assertion containsload the IdP'sidentity inJavaScript -- the<spanx style="verb">idp</spanx> fieldlocation of which is determined based on theJSON-encoded object (see <xref target="sec.request-assert"/>), the URI can be constructed directly fromIdP's identity -- and to call theassertion,generic API for requesting andthusverifying identity assertions. The IdP provides whatever logic is necessary to bridge theRP can directly verifygeneric protocol to thetechnical validityIdP's specific requirements. Thus, a single browser can support any number ofthe assertionidentity protocols, including being forward compatible withno user interaction. Authoritative assertions need only be verifiable. Third-party assertions also MUST be verified against local policy, as described in <xref target="sec.id-format"/>.IdPs which did not exist at the time the browser was written. </t> </section></section><sectiontitle="Requesting Assertions" anchor="sec.request-assert"> <t>anchor="sec.standardized" numbered="true" toc="include" removeInRFC="false" pn="section-7.3"> <name slugifiedName="name-items-for-standardization">Items for Standardization</name> <t indent="0" pn="section-7.3-1"> There are two parts to this work: </t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7.3-2"> <li pn="section-7.3-2.1"> Theinputprecise information from the signaling message that must be cryptographically bound to the user's identityassertionand a mechanism for carrying assertions in JavaScript Session Establishment Protocol (JSEP) messages. This isthe JSON-encoded object describedspecified in <xreftarget="sec.jsep-binding"/> that contains the set of certificate fingerprints the browser intendstarget="sec.jsep-binding" format="default" sectionFormat="of" derivedContent="Section 7.4"/>. </li> <li pn="section-7.3-2.2"> The interface touse. This string is treated as opaque fromtheperspective ofIdP, which is defined in theIdP. </t> <t> The browser also identifies the origincompanion W3C WebRTC API specification <xref target="webrtc-api" format="default" sectionFormat="of" derivedContent="webrtc-api"/>. </li> </ul> <t indent="0" pn="section-7.3-3"> The WebRTC API specification also defines JavaScript interfaces that thePeerConnection is run in, which allows the IdP to make decisions based on who is requesting the assertion. </t> <t> Ancalling application canoptionally provide a user identifier hint when specifying an IdP. This value is a hint that the IdP canuse toselect amongst multiple identities, orspecify which IdP toavoid providing assertions for unwanted identities. The <spanx style="verb">username</spanx> is a string that has no meaninguse. That API also provides access toany entity other thantheIdP, it can contain any dataassertion-generation capability and theIdP needs in order to correctly generate an assertion.status of the validation process. </t><t></section> <section anchor="sec.jsep-binding" numbered="true" toc="include" removeInRFC="false" pn="section-7.4"> <name slugifiedName="name-binding-identity-assertions">Binding Identity Assertions to JSEP Offer/Answer Transactions</name> <t indent="0" pn="section-7.4-1"> An identity assertionthat is successfully providedbinds the user's identity (as asserted by theIdP consists ofIdP) to thefollowing information: </t> <t> <list style="hanging"> <t hangText="idp:"> The domain name of an IdPSDP offer/answer exchange and specifically to theprotocol string.media. In order to achieve this, the PeerConnection must provide the DTLS-SRTP fingerprint to be bound to the identity. ThisMAY identifyis provided as adifferent IdPJavaScript object (also known as a dictionary orprotocol from the one that generated the assertion.hash) with a single "fingerprint" key, as shown below: </t> <sourcecode name="json-1" type="json" markers="false" pn="section-7.4-2"> { "fingerprint": [ { "algorithm": "sha-256", "digest": "4A:AD:B9:B1:3F:...:E5:7C:AB" }, { "algorithm": "sha-1", "digest": "74:E9:76:C8:19:...:F4:45:6B" } ] }</sourcecode> <thangText="assertion:"> An opaqueindent="0" pn="section-7.4-3"> The "fingerprint" valuecontaining the assertion itself. Thisisonly interpretable byan array of objects. Each object in theidentified IdP orarray contains "algorithm" and "digest" values, which correspond directly to theIdP code runningalgorithm and digest values in theclient. </t> </list> </t> <t> <xref target="fig.assert-ex"/> shows an example assertion formatted as JSON. In this case, the message has presumably been digitally signed/MACed in some way that the IdP can later verify it, but this is an implementation detail and out of scope"fingerprint" attribute ofthis document.the SDP <xref target="RFC8122" format="default" sectionFormat="of" derivedContent="RFC8122"/>. </t><figure title="Example assertion" anchor="fig.assert-ex"> <artwork><![CDATA[ { "idp":{ "domain": "example.org", "protocol": "bogus" }, "assertion": "{\"identity\":\"bob@example.org\", \"contents\":\"abcdefghijklmnopqrstuvwyz\", \"signature\":\"010203040506\"}" } ]]></artwork> </figure> <t> For use<t indent="0" pn="section-7.4-4"> This object is encoded insignaling,a <xref target="RFC8259" format="default" sectionFormat="of" derivedContent="RFC8259">JSON</xref> string for passing to the IdP. The identity assertionis serialized into JSON, <xref target="RFC4648">Base64-encoded</xref>, and used asreturned by thevalue ofIdP, which is encoded in the<spanx style="verb">identity</spanx> attribute. IdPs SHOULD ensure"identity" attribute, is a JSON object thatany assertions they generate cannot be interpretedis encoded as described ina different context. E.g., they should use a distinct format or have separate cryptographic keys for assertion generation and other purposes. Line breaks are inserted solely for readability.<xref target="sec.carry-assertion" format="default" sectionFormat="of" derivedContent="Section 7.4.1"/>. </t></section> <section title="Managing User Login" anchor="sec.user-login"> <t> In order<t indent="0" pn="section-7.4-5"> This structure does not need togenerate an identity assertion,be interpreted by the IdPneeds proof ofor theuser's identity.IdP proxy. It iscommon practice to authenticate users (using passwords or multi-factor authentication), then use <xref target="RFC6265">Cookies</xref> or <xref target="RFC7617">HTTP authentication</xref> for subsequent exchanges. </t> <t>consumed solely by the RP's browser. The IdPproxy is able to access cookies, HTTP authentication or other persistent session data becausemerely treats itoperates inas an opaque value to be attested to. Thus, new parameters can be added to thesecurity context ofassertion without modifying the IdP. </t> <section anchor="sec.carry-assertion" numbered="true" toc="include" removeInRFC="false" pn="section-7.4.1"> <name slugifiedName="name-carrying-identity-assertion">Carrying Identity Assertions</name> <t indent="0" pn="section-7.4.1-1"> Once an IdPorigin. Therefore, if a userhas generated an assertion (see <xref target="sec.request-assert" format="default" sectionFormat="of" derivedContent="Section 7.6"/>), it islogged in,attached to theIdP could have all the information needed to generate an assertion. </t> <t> An IdP proxySDP offer/answer message. This isunabledone by adding a new "identity" attribute togenerate an assertion iftheuserSDP. The sole contents of this value isnot logged in, orthe identity assertion. The identity assertion produced by the IdPwantsis encoded into a UTF-8 JSON text, then <xref target="RFC4648" format="default" sectionFormat="of" derivedContent="RFC4648">base64-encoded</xref> tointeract withproduce this string. For example: </t> <sourcecode name="sdp-1" type="sdp" markers="false" pn="section-7.4.1-2"> v=0 o=- 1181923068 1181923196 IN IP4 ua1.example.com s=example1 c=IN IP4 ua1.example.com a=fingerprint:sha-1 \ 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB a=identity:\ eyJpZHAiOnsiZG9tYWluIjoiZXhhbXBsZS5vcmciLCJwcm90b2NvbCI6ImJvZ3Vz\ In0sImFzc2VydGlvbiI6IntcImlkZW50aXR5XCI6XCJib2JAZXhhbXBsZS5vcmdc\ IixcImNvbnRlbnRzXCI6XCJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3l6XCIsXCJz\ aWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9 a=... t=0 0 m=audio 6056 RTP/SAVP 0 a=sendrecv ...</sourcecode> <aside pn="section-7.4.1-3"> <t indent="0" pn="section-7.4.1-3.1">Note that long lines in theuserexample are folded toacquire more information before generatingmeet theassertion. Ifcolumn width constraints of this document; theIdP wants to interact withbackslash ("\") at theuser before generating an assertion,end of a line, theIdP proxy can fail to generate an assertioncarriage return that follows, andinstead indicate a URL where login should proceed. </t> <t>whitespace shall be ignored.</t> </aside> <t indent="0" pn="section-7.4.1-4"> Theapplication can then load the provided URL"identity" attribute attests toenableall "fingerprint" attributes in theusersession description. It is therefore a session-level attribute. </t> <t indent="0" pn="section-7.4.1-5"> Multiple "fingerprint" values can be used toenter credentials.offer alternative certificates for a peer. Thecommunication between"identity" attribute <bcp14>MUST</bcp14> include all "fingerprint" values that are included in "fingerprint" attributes of theapplication andsession description. </t> <t indent="0" pn="section-7.4.1-6"> The RP browser <bcp14>MUST</bcp14> verify that theIdPin-use certificate for a DTLS connection isdescribedin<xref target="webrtc-api"/>.the set of fingerprints returned from the IdP when verifying an assertion. </t> </section> </section> <sectiontitle="Verifying Assertions" anchor="sec.verify-assert"> <t> The inputanchor="sec.idp-uri" numbered="true" toc="include" removeInRFC="false" pn="section-7.5"> <name slugifiedName="name-determining-the-idp-uri">Determining the IdP URI</name> <t indent="0" pn="section-7.5-1"> In order toidentity validationensure that the IdP is under control of theassertion string taken from a decoded 'identity' attribute. </t> <t> The IdP proxy verifies the assertion. Dependingdomain owner rather than someone who merely has an account on theidentity protocol,domain owner's server (e.g., in shared hosting scenarios), the IdP JavaScript is hosted at a deterministic location based on the IdP's domain name. Each IdP proxymight contactinstance is associated with two values: </t> <dl newline="false" spacing="normal" indent="3" pn="section-7.5-2"> <dt pn="section-7.5-2.1">authority:</dt> <dd pn="section-7.5-2.2"> The <xref target="RFC3986" format="default" sectionFormat="of" derivedContent="RFC3986"> authority</xref> at which the IdP's service is hosted. </dd> <dt pn="section-7.5-2.3">protocol:</dt> <dd pn="section-7.5-2.4"> The specific IdPserver or other servers. For instance, an OAuth-basedprotocolwill likely require usingwhich the IdPas an oracle, whereas withis using. This is asignature-based scheme might be ablecompletely opaque IdP-specific string, but allows an IdP toverify the assertion without contacting the IdP, provided that it has cachedimplement two protocols in parallel. This value may be therelevant public key. </t> <t> Regardlessempty string. If no value for protocol is provided, a value of "default" is used. </dd> </dl> <t indent="0" pn="section-7.5-3"> Each IdP <bcp14>MUST</bcp14> serve its initial entry page (i.e., themechanism, if verification succeeds, a successful response fromone loaded by the IdP proxy) from a <xref target="RFC8615" format="default" sectionFormat="of" derivedContent="RFC8615">well-known URI</xref>. The well-known URI for an IdP proxyconsists ofis formed from the followinginformation: <list style="hanging"> <t hangText="identity:">URI components: </t> <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-7.5-4"> <li pn="section-7.5-4.1" derivedCounter="1."> Theidentity ofscheme, "https:". An IdP <bcp14>MUST</bcp14> be loaded using <xref target="RFC2818" format="default" sectionFormat="of" derivedContent="RFC2818">HTTPS</xref>. </li> <li pn="section-7.5-4.2" derivedCounter="2."> The <xref target="RFC3986" format="default" sectionFormat="of" derivedContent="RFC3986">authority</xref>. As noted above, theAP fromauthority <bcp14>MAY</bcp14> contain a non-default port number or userinfo sub-component. Both are removed when determining if an asserted identity matches theIdP's perspective. Detailsname ofthis are provided in <xref target="sec.id-format"/>. </t> <t hangText="contents:">the IdP. </li> <li pn="section-7.5-4.3" derivedCounter="3."> Theoriginal unmodified string provided bypath, starting with "/.well-known/idp-proxy/" and appended with theAP as input toIdP protocol. Note that theassertion generation process. </t> </list> </t> <t> <xref target="fig.verify-ex"/> shows an example response, which is JSON-formatted. </t> <figure title="Example verification result" anchor="fig.verify-ex"> <artwork> <![CDATA[ { "identity": "bob@example.org", "contents": "{\"fingerprint\":[ ... ]}" } ]]></artwork> </figure> <section title="Identity Formats" anchor="sec.id-format"> <t> The identity provided fromseparator characters '/' (%2F) and '\' (%5C) <bcp14>MUST NOT</bcp14> be permitted in theIdPprotocol field, lest an attacker be able tothe RP browser MUST consistdirect requests outside ofa string representingtheuser's identity. This string is incontrolled "/.well-known/" prefix. Query and fragment values <bcp14>MAY</bcp14> be used by including '?' or '#' characters. </li> </ol> <t indent="0" pn="section-7.5-5"> For example, for theform "<user>@<domain>", where <spanx style="verb">user</spanx> consists of any character,IdP "identity.example.com" anddomain is aninternationalized domain name <xref target="RFC5890"></xref> encoded as a sequence of U-labels.the protocol "example", the URL would be: </t><t><artwork align="left" pn="section-7.5-6">https://identity.example.com/.well-known/idp-proxy/example</artwork> <t indent="0" pn="section-7.5-7"> ThePeerConnection API MUST checkIdP <bcp14>MAY</bcp14> redirect requests to thisstring as follows: <list style="numbers"> <t> IfURL, but they <bcp14>MUST</bcp14> retain the"domain" portion"https:" scheme. This changes the effective origin of thestring is equal toIdP, but not the domainnameof theIdP proxy, thenidentities that theassertionIdP isvalid, aspermitted to assert and validate. I.e., the IdP is still regarded as authoritative forthisthe original domain.Comparison of</t> <section numbered="true" toc="include" removeInRFC="false" pn="section-7.5.1"> <name slugifiedName="name-authenticating-party">Authenticating Party</name> <t indent="0" pn="section-7.5.1-1"> How an AP determines the appropriate IdP domainnamesisdone using the label equivalence rule defined in Section 2.3.2.4out of<xref target="RFC5890"/>. </t> <t> If the "domain" portionscope of this specification. In general, however, thestring is not equal toAP has some actual account relationship with thedomain name ofIdP, as this identity is what the IdPproxy, then the PeerConnection object MUST rejectis attesting to. Thus, theassertion unless both: <list style="numbers"> <t>AP somehow supplies the IdPdomain is trusted as an acceptable third-party IdP; and </t> <t> local policy is configuredinformation totrust this IdP domain forthedomain portion of the identity string. </t> </list> </t> </list>browser. Some potential mechanisms include: </t><t> Any "@" or "%" characters in<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7.5.1-2"> <li pn="section-7.5.1-2.1"> Provided by the"user" portionuser directly. </li> <li pn="section-7.5.1-2.2"> Selected from some set of IdPs known to theidentity MUSTcalling site (e.g., a button that shows "Authenticate via Facebook Connect"). </li> </ul> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-7.5.2"> <name slugifiedName="name-relying-party">Relying Party</name> <t indent="0" pn="section-7.5.2-1"> Unlike the AP, the RP need not have any particular relationship with the IdP. Rather, it needs to beescaped accordingable to process whatever assertion is provided by the"Percent-Encoding" rules definedAP. As the assertion contains the IdP's identity inSection 2.1the "idp" field of the JSON-encoded object (see <xreftarget="RFC3986"/>. Characters other than "@" and "%" MUST NOT be percent-encoded. For example, with a "user" of "user@133" and a "domain" of "identity.example.com",target="sec.request-assert" format="default" sectionFormat="of" derivedContent="Section 7.6"/>), theresulting string willURI can beencoded as "user%40133@identity.example.com". </t> <t> Implementations are cautioned to take care when displaying user identities containing escaped "@" characters. If such characters are unescaped prior to display, implementations MUST distinguish between the domain ofconstructed directly from theIdP proxyassertion, andany domain that might be implied bythus theportion ofRP can directly verify the"<user>" portion that appears aftertechnical validity of theescaped "@" sign.assertion with no user interaction. Authoritative assertions need only be verifiable. Third-party assertions also <bcp14>MUST</bcp14> be verified against local policy, as described in <xref target="sec.id-format" format="default" sectionFormat="of" derivedContent="Section 8.1"/>. </t> </section> </section> <sectiontitle="Security Considerations" anchor="sec.sec-cons"> <t> Much ofanchor="sec.request-assert" numbered="true" toc="include" removeInRFC="false" pn="section-7.6"> <name slugifiedName="name-requesting-assertions">Requesting Assertions</name> <t indent="0" pn="section-7.6-1"> The input to thesecurity analysis of this problemidentity assertion generation process iscontainedthe JSON-encoded object described in <xreftarget="I-D.ietf-rtcweb-security"/> or intarget="sec.jsep-binding" format="default" sectionFormat="of" derivedContent="Section 7.4"/> that contains thediscussionset of certificate fingerprints theparticular issues above. In orderbrowser intends toavoid repetition, this section focuses on (a) residual threats that are not addressed by this document and (b) threats produced by failure/misbehavior of one ofuse. This string is treated as opaque from thecomponents inperspective of thesystem.IdP. </t><section title="Communications Security"> <t> IF HTTPS is not used to secure communications to<t indent="0" pn="section-7.6-2"> The browser also identifies thesignaling server, andorigin that theidentity mechanism used in <xref target="sec.generic.idp"/>PeerConnection isnot used, then any on-path attacker can replacerun in, which allows theDTLS-SRTP fingerprints inIdP to make decisions based on who is requesting thehandshake and thus substitute its own identity for that of either endpoint.assertion. </t><t> Even if HTTPS<t indent="0" pn="section-7.6-3"> An application can optionally provide a user identifier hint when specifying an IdP. This value isused,a hint that thesignaling serverIdP canpotentially mount a man-in-the-middle attack unless implementations have some mechanism for independently verifying keys. The UI requirements in <xref target="sec.proposal.comsec"/> are designeduse toprovide such a mechanism for motivated/security conscious users, but are not suitableselect amongst multiple identities, or to avoid providing assertions forgeneral use.unwanted identities. Theidentity service mechanisms in <xref target="sec.generic.idp"/> are more suitable for general use. Note, however, that"username" is amalicious signaling servicestring that has no meaning to any entity other than the IdP; it canstrip offcontain anysuchdata the IdP needs in order to correctly generate an assertion. </t> <t indent="0" pn="section-7.6-4"> An identityassertions, though it cannot forge new ones. Noteassertion thatall of the third-party security mechanisms available (whether X.509 certificates or a third-party IdP) rely onis successfully provided by thesecurityIdP consists of thethird party--this is of course also truefollowing information: </t> <dl newline="false" spacing="normal" indent="3" pn="section-7.6-5"> <dt pn="section-7.6-5.1">idp:</dt> <dd pn="section-7.6-5.2"> The domain name of an IdP and theuser's connection to the Web site itself. Users who wish to assure themselves of security againstprotocol string. This <bcp14>MAY</bcp14> identify amalicious identity provider can only do so by verifying peer credentials directly, e.g., by checkingdifferent IdP or protocol from thepeer's fingerprint against a value delivered out of band. </t> <t> In order to protect against malicious content JavaScript,one thatJavaScript MUST NOT be allowed to have direct access to---or perform computations with---DTLS keys. For instance, if content JS were able to compute digital signatures, then it would be possible for content JS to get an identity assertion for a browser'sgeneratedkey and then use that assertion plus a signature by the key to authenticate a call protected under an ephemeral Diffie-Hellman (DH) key controlled bythecontent JS, thus violatingassertion. </dd> <dt pn="section-7.6-5.3">assertion:</dt> <dd pn="section-7.6-5.4"> An opaque value containing thesecurity guarantees otherwise providedassertion itself. This is only interpretable by the identified IdPmechanism. Note that it is not sufficient merely to denyor thecontent JS direct access toIdP code running in thekeys,client. </dd> </dl> <t indent="0" pn="section-7.6-6"> <xref target="fig.assert-ex" format="default" sectionFormat="of" derivedContent="Figure 5"/> shows an example assertion formatted assome have suggested doing withJSON. In this case, theWebCrypto API <xref target="webcrypto"/>. The JS must also not be allowed to perform operationsmessage has presumably been digitally signed/MACed in some way thatwould be valid for a DTLS endpoint. By farthesafest approachIdP can later verify it, but this issimply to deny the ability to perform any operations that depend on secret information associated with the key. Operations that depend on public information, such as exporting the public key arean implementation detail and out of scope ofcourse safe. </t> </section> <section title="Privacy"> <t> The requirements inthisdocument are intended to allow: </t> <t> <list style="symbols"> <t> Users to participate in calls without revealing their location. </t> <t> Potential callees to avoid revealing their location and even presence status prior to agreeing to answer a call. </t> </list>document. </t><t> However, these privacy protections come at a performance cost in terms of using TURN relays and,<figure anchor="fig.assert-ex" align="left" suppress-title="false" pn="figure-5"> <name slugifiedName="name-example-assertion">Example Assertion</name> <sourcecode name="json-2" type="json" markers="false" pn="section-7.6-7.1"> { "idp":{ "domain": "example.org", "protocol": "bogus" }, "assertion": "{\"identity\":\"bob@example.org\", \"contents\":\"abcdefghijklmnopqrstuvwyz\", \"signature\":\"010203040506\"}" }</sourcecode> </figure> <t indent="0" pn="section-7.6-8"> For use in signaling, thelatter case, delaying ICE. Sites SHOULD make users aware of these tradeoffs. </t> <t> Note that the protections provided here assume a non-malicious calling service. As the calling service always knows the users statusassertion is serialized into JSON, <xref target="RFC4648" format="default" sectionFormat="of" derivedContent="RFC4648">base64-encoded</xref>, and(absent the use of a technology like Tor) their IP address, they can violate the users privacy at will. Users who wish privacy against the calling sites they are using must use separate privacy enhancing technologies suchused asTor. Combined WebRTC/Tor implementations SHOULD arrange to routethemedia as well asvalue of thesignaling through Tor. Currently this will produce very suboptimal performance. </t> <t> Additionally,"identity" attribute. IdPs <bcp14>SHOULD</bcp14> ensure that anyidentifier which persists across multiple calls is potentiallyassertions they generate cannot be interpreted in aproblem for privacy, especially for anonymous calling services. Such services SHOULD instruct the browser todifferent context. E.g., they should use a distinct format or have separateDTLScryptographic keys foreach callassertion generation andalso to use TURN throughout the call. Otherwise, theotherside will learn linkable information that would allow thempurposes. Line breaks are inserted solely for readability. </t> </section> <section anchor="sec.user-login" numbered="true" toc="include" removeInRFC="false" pn="section-7.7"> <name slugifiedName="name-managing-user-login">Managing User Login</name> <t indent="0" pn="section-7.7-1"> In order tocorrelategenerate an identity assertion, thebrowser across multiple calls. Additionally, browsers SHOULD implement the privacy-preserving CNAME generation modeIdP needs proof of the user's identity. It is common practice to authenticate users (using passwords or multi-factor authentication), then use <xreftarget="RFC7022"/>.target="RFC6265" format="default" sectionFormat="of" derivedContent="RFC6265">cookies</xref> or <xref target="RFC7617" format="default" sectionFormat="of" derivedContent="RFC7617">HTTP authentication</xref> for subsequent exchanges. </t></section> <section title="Denial of Service"> <t><t indent="0" pn="section-7.7-2"> Theconsent mechanisms described in this document are intendedIdP proxy is able tomitigate denial of service attacksaccess cookies, HTTP authentication data, or other persistent session data because it operates inwhich an attacker uses clients to send large amountsthe security context oftraffic tothe IdP origin. Therefore, if avictim withoutuser is logged in, theconsent ofIdP could have all thevictim. While these mechanisms are sufficientinformation needed toprotect victims who havegenerate an assertion. </t> <t indent="0" pn="section-7.7-3"> An IdP proxy is unable to generate an assertion if the user is notimplemented WebRTC at all, WebRTC implementations needlogged in, or the IdP wants tobeinteract with the user to acquire morecareful. </t> <t> Considerinformation before generating thecase of a call center which accepts calls via WebRTC. An attacker proxiesassertion. If thecall center's front-end and arranges for multiple clients to initiate callsIdP wants to interact with thecall center. Note that this requiresuserconsent in many cases but becausebefore generating an assertion, thedata channel does not need consent, heIdP proxy canuse that directly. Since ICE will complete, browsersfail to generate an assertion and instead indicate a URL where login should proceed. </t> <t indent="0" pn="section-7.7-4"> The application can thenbe induced to send large amounts of dataload the provided URL to enable thevictim call center if it supports the data channel at all. Preventing this attack requires that automated WebRTC implementations implement sensible flow control and have the ability to triage out (i.e., stop responding to ICE probes on) calls which are behaving badly, and especially to be prepareduser toremotely throttle the data channel inenter credentials. The communication between theabsence of plausible audioapplication andvideo (whichtheattacker cannot control).IdP is described in <xref target="webrtc-api" format="default" sectionFormat="of" derivedContent="webrtc-api"/>. </t><t> Another related attack</section> </section> <section anchor="sec.verify-assert" numbered="true" toc="include" removeInRFC="false" pn="section-8"> <name slugifiedName="name-verifying-assertions">Verifying Assertions</name> <t indent="0" pn="section-8-1"> The input to identity validation isforthesignaling service to swapassertion string taken from a decoded "identity" attribute. </t> <t indent="0" pn="section-8-2"> The IdP proxy verifies theICE candidates forassertion. Depending on theaudio and video streams, thus forcing a browser to send video toidentity protocol, thesink thatproxy might contact the IdP server or othervictim expectsservers. For instance, an OAuth-based protocol willcontain audio (perhaps it is only expecting audio!) potentially causing overload. Muxing multiple media flows overlikely require using the IdP as an oracle, whereas with asingle transport makessignature-based scheme itharder to individually suppress a single flow by denying ICE keepalives. Either media-level (RTCP) mechanisms mustmight beused orable to verify theimplementation must deny responses entirely, thus terminatingassertion without contacting thecall. </t> <t> Yet another attack, suggested by Magnus Westerlund, is forIdP, provided that it has cached theattacker to cross-connect offers and answers as follows. It inducesrelevant public key. </t> <t indent="0" pn="section-8-3"> Regardless of thevictim to makemechanism, if verification succeeds, acall and then uses its controlsuccessful response from the IdP proxy consists ofother users browsers to get them to attempt a call to someone. It then translates their offers into apparent answers tothevictim, which looks like large-scale parallel forking.following information: </t> <dl newline="false" spacing="normal" indent="3" pn="section-8-4"> <dt pn="section-8-4.1">identity:</dt> <dd pn="section-8-4.2"> Thevictim still responds to ICE responses and now the browsers all try to send media toidentity of thevictim. Implementations can defend themselvesAP from the IdP's perspective. Details of thisattackare provided in <xref target="sec.id-format" format="default" sectionFormat="of" derivedContent="Section 8.1"/>. </dd> <dt pn="section-8-4.3">contents:</dt> <dd pn="section-8-4.4"> The original unmodified string provided byonly respondingthe AP as input toICE Binding Requests for a limited number of remote ufrags (thisthe assertion generation process. </dd> </dl> <t indent="0" pn="section-8-5"> <xref target="fig.verify-ex" format="default" sectionFormat="of" derivedContent="Figure 6"/> shows an example response, which is JSON-formatted. </t> <figure anchor="fig.verify-ex" align="left" suppress-title="false" pn="figure-6"> <name slugifiedName="name-example-verification-result">Example Verification Result</name> <sourcecode name="json-3" type="json" markers="false" pn="section-8-6.1"> { "identity": "bob@example.org", "contents": "{\"fingerprint\":[ ... ]}" }</sourcecode> </figure> <section anchor="sec.id-format" numbered="true" toc="include" removeInRFC="false" pn="section-8.1"> <name slugifiedName="name-identity-formats">Identity Formats</name> <t indent="0" pn="section-8.1-1"> The identity provided from thereason forIdP to therequirement thatRP browser <bcp14>MUST</bcp14> consist of a string representing theJS not be able to controluser's identity. This string is in theufragform "<user>@<domain>", where "user" consists of any character, andpassword). </t> <t>domain is an internationalized domain name <xreftarget="I-D.ietf-rtcweb-rtp-usage"/> Section 13 documentstarget="RFC5890" format="default" sectionFormat="of" derivedContent="RFC5890"/> encoded as anumbersequence ofpotential RTCP-based DoS attacks and countermeasures.U-labels. </t><t> Note that attacks based on confusing one end or the other about consent are possible even in<t indent="0" pn="section-8.1-2"> The PeerConnection API <bcp14>MUST</bcp14> check this string as follows: </t> <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-8.1-3"> <li pn="section-8.1-3.1" derivedCounter="1."> If theface"domain" portion of thethird-party identity mechanism as long as major partsstring is equal to the domain name of thesignaling messages are not signed. OnIdP proxy, then theother hand, signingassertion is valid, as theentire message severely restrictsIdP is authoritative for this domain. Comparison of domain names is done using thecapabilitieslabel equivalence rule defined in <xref target="RFC5890" sectionFormat="of" section="2.3.2.4" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5890#section-2.3.2.4" derivedContent="RFC5890"/>. </li> <li pn="section-8.1-3.2" derivedCounter="2."> <t indent="0" pn="section-8.1-3.2.1"> If the "domain" portion of thecalling application, so there are difficult tradeoffs here. </t> </section> <section title="IdP Authentication Mechanism"> <t> This mechanism relies for its security onstring is not equal to the domain name of the IdPand onproxy, then the PeerConnectioncorrectly enforcingobject <bcp14>MUST</bcp14> reject thesecurity invariants described above. At a high level,assertion unless both: </t> <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-8.1-3.2.2"> <li pn="section-8.1-3.2.2.1" derivedCounter="1."> the IdP domain isattesting thattrusted as an acceptable third-party IdP; and </li> <li pn="section-8.1-3.2.2.2" derivedCounter="2."> local policy is configured to trust this IdP domain for theuser identifieddomain portion of the identity string. </li> </ol> </li> </ol> <t indent="0" pn="section-8.1-4"> Any '@' or '%' characters in theassertion wishes"user" portion of the identity <bcp14>MUST</bcp14> be escaped according to the "percent-encoding" rules defined in <xref target="RFC3986" sectionFormat="of" section="2.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc3986#section-2.1" derivedContent="RFC3986"/>. Characters other than '@' and '%' <bcp14>MUST NOT</bcp14> beassociatedpercent-encoded. For example, with a "user" of "user@133" and a "domain" of "identity.example.com", theassertion. Thus, it must notresulting string will bepossible for arbitrary third parties to get assertions tiedencoded as "user%40133@identity.example.com". </t> <t indent="0" pn="section-8.1-5"> Implementations are cautioned toatake care when displaying useroridentities containing escaped '@' characters. If such characters are unescaped prior toproduce assertions that RPs will accept. </t> <section title="PeerConnection Origin Check" anchor="sec.pc-origin"> <t> Fundamentally,display, implementations <bcp14>MUST</bcp14> distinguish between theIdP proxy is just a piecedomain ofHTML and JS loaded by the browser, so nothing stops a Web attacker from creating their own IFRAME, loadingthe IdP proxyHTML/JS,andrequesting a signature over his own keys rather than those generated in the browser. However,any domain thatproxy wouldmight bein the attacker's origin, notimplied by theIdP's origin. Onlyportion of thebrowser itself can instantiate a context"<user>" portion that(a)appears after the escaped "@" sign. </t> </section> </section> <section anchor="sec.sec-cons" numbered="true" toc="include" removeInRFC="false" pn="section-9"> <name slugifiedName="name-security-considerations">Security Considerations</name> <t indent="0" pn="section-9-1"> Much of the security analysis of RTCWEB is contained in <xref target="RFC8826" format="default" sectionFormat="of" derivedContent="RFC8826"/> or in theIdP's origin and (b) exposes the correct API surface. Thus,discussion of theIdP proxyparticular issues above. In order to avoid repetition, this section focuses onthe sender's side MUST ensure(a) residual threats thatit is runningare not addressed by this document and (b) threats produced by failure/misbehavior of one of the components in theIdP's origin prior to issuing assertions.system. </t><t> Note that this check only asserts that the browser (or some other entity with access<section numbered="true" toc="include" removeInRFC="false" pn="section-9.1"> <name slugifiedName="name-communications-security-2">Communications Security</name> <t indent="0" pn="section-9.1-1"> If HTTPS is not used tothe user's authentication data) attestssecure communications to therequestsignaling server, andhence tothefingerprint. It doesidentity mechanism used in <xref target="sec.generic.idp" format="default" sectionFormat="of" derivedContent="Section 7"/> is notdemonstrate thatused, then any on-path attacker can replace thebrowser has access toDTLS-SRTP fingerprints in theassociated private key,handshake andtherefore an attacker can attach theirthus substitute its own identityto another party's keying material, thus making a call which comes from Alice appear to come from the attacker. See <xref target="I-D.ietf-mmusic-sdp-uks"/>fordefenses against this formthat ofattack.either endpoint. </t></section> <section title="IdP Well-known URI" anchor="sec.sec-idp-uri"> <t> As described in <xref target="sec.idp-uri"/> the IdP proxy HTML/JS landing page<t indent="0" pn="section-9.1-2"> Even if HTTPS islocated at a well-known URI based onused, theIdP's domain name. This requirement prevents an attacker whosignaling server canwritepotentially mount a man-in-the-middle attack unless implementations have someresources at the IdP (e.g., on one's Facebook wall) from being ablemechanism for independently verifying keys. The UI requirements in <xref target="sec.proposal.comsec" format="default" sectionFormat="of" derivedContent="Section 6.5"/> are designed toimpersonate the IdP. </t> </section> <section title="Privacy of IdP-generated identities and the hosting site"> <t> Depending on the structure of the IdP's assertions, the calling site may learn the user's identity from the perspective of the IdP. In many cases this isprovide such a mechanism for motivated/security conscious users, but are notan issue because the user is authenticating to the site via the IdP in any case,suitable forinstance when the user has loggedgeneral use. The identity service mechanisms inwith Facebook Connect and is then authenticating their call with<xref target="sec.generic.idp" format="default" sectionFormat="of" derivedContent="Section 7"/> are more suitable for general use. Note, however, that aFacebook identity. However, in other case, the user may not have already revealed theirmalicious signaling service can strip off any such identityto the site. In general, IdPs SHOULD either verifyassertions, though it cannot forge new ones. Note that all of theuserthird-party security mechanisms available (whether X.509 certificates or a third-party IdP) rely on the security of the third party -- this iswilling to have their identity revealedof course also true of the user's connection to the Web site(e.g., through the usualitself. Users who wish to assure themselves of security against a malicious IdPpermissions dialog) or arrange that the identity information iscan onlyavailable to known RPs (e.g., social graph adjacencies) but not todo so by verifying peer credentials directly, e.g., by checking thecalling site. The "domain" fieldpeer's fingerprint against a value delivered out ofthe assertion request can be usedband. </t> <t indent="0" pn="section-9.1-3"> In order tocheckprotect against malicious content JavaScript, thatthe user has agreedJavaScript <bcp14>MUST NOT</bcp14> be allowed todisclose their identityhave direct access tothe calling site; because-- or perform computations with -- DTLS keys. For instance, if content JS were able to compute digital signatures, then itis supplied by the PeerConnection it canwould betrustedpossible for content JS tobe correct. </t> </section> <section title="Security of Third-Party IdPs" anchor="sec.sec-third-party"> <t> As discussed above, each third-party IdP representsget an identity assertion for anew universal trust pointbrowser's generated key andthereforethen use that assertion plus a signature by thenumber of these IdPs needskey tobe quite limited. Most IdPs, even those which issue unqualified identities such as Facebook, can be recastauthenticate a call protected under an ephemeral Diffie-Hellman (DH) key controlled by the content JS, thus violating the security guarantees otherwise provided by the IdP mechanism. Note that it is not sufficient merely to deny the content JS direct access to the keys, asauthoritative IdPs (e.g., 123456@facebook.com). However, in such cases,some have suggested doing with theuser interface implications areWebCrypto API <xref target="webcrypto" format="default" sectionFormat="of" derivedContent="webcrypto"/>. The JS must also notentirely desirable. One intermediatebe allowed to perform operations that would be valid for a DTLS endpoint. By far the safest approach is simply tohave special (potentially user configurable) UI for large authoritative IdPs, thus allowingdeny theuserability toinstantly graspperform any operations that depend on secret information associated with thecall is being authenticated by Facebook, Google, etc.key. Operations that depend on public information, such as exporting the public key, are of course safe. </t> </section> <sectiontitle="Confusable Characters"> <t> Because a broad range of charactersnumbered="true" toc="include" removeInRFC="false" pn="section-9.2"> <name slugifiedName="name-privacy">Privacy</name> <t indent="0" pn="section-9.2-1"> The requirements in this document arepermittedintended to allow: </t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-9.2-2"> <li pn="section-9.2-2.1"> Users to participate inidentity strings, it may be possible for attackerscalls without revealing their location. </li> <li pn="section-9.2-2.2"> Potential callees tocraft identities which are confusable with other identities (see <xref target="RFC6943"/> for more on this topic). This is a problem with any identifier space of this type (e.g., e-mail addresses). Those minting identifers shouldavoidmixed scriptsrevealing their location andsimilar confusable characters. Those presenting these identifierseven presence status prior to agreeing to answer auser should consider highlighting cases of mixed script usage (see <xref target="RFC5890"/>, section 4.4). Other best practices are stillcall. </li> </ul> <t indent="0" pn="section-9.2-3"> However, these privacy protections come at a performance cost indevelopment. </t> </section> </section> <section title="Web Security Feature Interactions"> <t> A numberterms ofoptional Web security features have the potential to cause issues for this mechanism, as discussed below. </t> <section title="Popup Blocking" anchor="sec.popup-blocking"> <t> When popup blocking isusing TURN relays and, inuse,theIdP proxy is unable to generate popup windows, dialogs or any other formlatter case, delaying ICE. Sites <bcp14>SHOULD</bcp14> make users aware ofuser interactions. This prevents the IdP proxy from being used to circumvent user interaction. The "LOGINNEEDED" message allowsthese tradeoffs. </t> <t indent="0" pn="section-9.2-4"> Note that theIdP proxy to informprotections provided here assume a non-malicious calling service. As the callingsiteservice always knows the user's status and (absent the use of aneed for user login, providingtechnology like Tor) their IP address, they can violate theinformation necessary to satisfy this requirement without resorting to direct user interaction fromuser's privacy at will. Users who wish privacy against theIdP proxy itself. </t> </section> <section title="Third Party Cookies" anchor="sec.3rd-party-cookies"> <t> Some browsers allow userscalling sites they are using must use separate privacy-enhancing technologies such as Tor. Combined WebRTC/Tor implementations <bcp14>SHOULD</bcp14> arrange toblock third party cookies (cookies associated with origins other thanroute thetop level page) for privacy reasons. Any IdP which uses cookies to persist loginsmedia as well as the signaling through Tor. Currently this willbe broken by third-party cookie blocking. One optionproduce very suboptimal performance. </t> <t indent="0" pn="section-9.2-5"> Additionally, any identifier which persists across multiple calls isto accept this aspotentially alimitation; another is to haveproblem for privacy, especially for anonymous calling services. Such services <bcp14>SHOULD</bcp14> instruct thePeerConnection object disable third-party cookie blockingbrowser to use separate DTLS keys for each call and also to use TURN throughout theIdP proxy.call. Otherwise, the other side will learn linkable information that would allow them to correlate the browser across multiple calls. Additionally, browsers <bcp14>SHOULD</bcp14> implement the privacy-preserving CNAME generation mode of <xref target="RFC7022" format="default" sectionFormat="of" derivedContent="RFC7022"/>. </t> </section></section> </section> </section><sectiontitle="IANA Considerations" anchor="sec.iana-cons"> <t> This specification definesnumbered="true" toc="include" removeInRFC="false" pn="section-9.3"> <name slugifiedName="name-denial-of-service">Denial of Service</name> <t indent="0" pn="section-9.3-1"> The consent mechanisms described in this document are intended to mitigate denial-of-service (DoS) attacks in which an attacker uses clients to send large amounts of traffic to a victim without the<spanx style="verb">identity</spanx> SDP attribute perconsent of theproceduresvictim. While these mechanisms are sufficient to protect victims who have not implemented WebRTC at all, WebRTC implementations need to be more careful. </t> <t indent="0" pn="section-9.3-2"> Consider the case ofSection 8.2.4a call center which accepts calls via WebRTC. An attacker proxies the call center's front-end and arranges for multiple clients to initiate calls to the call center. Note that this requires user consent in many cases, but because the data channel does not need consent, they can use that directly. Since ICE will complete, browsers can then be induced to send large amounts of<xref target="RFC4566"/>. The required informationdata to the victim call center if it supports the data channel at all. Preventing this attack requires that automated WebRTC implementations implement sensible flow control and have the ability to triage out (i.e., stop responding to ICE probes on) calls which are behaving badly, and especially to be prepared to remotely throttle the data channel in the absence of plausible audio and video (which the attacker cannot control). </t> <t indent="0" pn="section-9.3-3"> Another related attack is for the signaling service to swap the ICE candidates for the audio and video streams, thus forcing a browser to send video to the sink that the other victim expects will contain audio (perhaps it is only expecting audio!), potentially causing overload. Muxing multiple media flows over a single transport makes it harder to individually suppress a single flow by denying ICE keepalives. Either media-level (RTCP) mechanisms must be used or the implementation must deny responses entirely, thus terminating the call. </t> <t indent="0" pn="section-9.3-4"> Yet another attack, suggested by Magnus Westerlund, is for the attacker to cross-connect offers and answers as follows. It induces the victim to make a call and then uses its control of other users' browsers to get them to attempt a call to someone. It then translates their offers into apparent answers to the victim, which looks like large-scale parallel forking. The victim still responds to ICE responses, and now the browsers all try to send media to the victim. Implementations can defend themselves from this attack by only responding to ICE Binding Requests for a limited number of remote ufrags (this is the reason for the requirement that the JS not be able to control the ufrag and password). <xref target="RFC8834" sectionFormat="comma" section="13" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8834#section-13" derivedContent="RFC8834"/> documents a number of potential RTCP-based DoS attacks and countermeasures. </t> <t indent="0" pn="section-9.3-5"> Note that attacks based on confusing one end or the other about consent are possible even in the face of the third-party identity mechanism as long as major parts of the signaling messages are not signed. On the other hand, signing the entire message severely restricts the capabilities of the calling application, so there are difficult tradeoffs here. </t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-9.4"> <name slugifiedName="name-idp-authentication-mechanis">IdP Authentication Mechanism</name> <t indent="0" pn="section-9.4-1"> This mechanism relies for its security on the IdP and on the PeerConnection correctly enforcing the security invariants described above. At a high level, the IdP is attesting that the user identified in the assertion wishes to be associated with the assertion. Thus, it must not be possible for arbitrary third parties to get assertions tied to a user or to produce assertions that RPs will accept. </t> <section anchor="sec.pc-origin" numbered="true" toc="include" removeInRFC="false" pn="section-9.4.1"> <name slugifiedName="name-peerconnection-origin-check">PeerConnection Origin Check</name> <t indent="0" pn="section-9.4.1-1"> Fundamentally, the IdP proxy is just a piece of HTML and JS loaded by the browser, so nothing stops a Web attacker from creating their own IFRAME, loading the IdP proxy HTML/JS, and requesting a signature over their own keys rather than those generated in the browser. However, that proxy would be in the attacker's origin, not the IdP's origin. Only the browser itself can instantiate a context that (a) is in the IdP's origin and (b) exposes the correct API surface. Thus, the IdP proxy on the sender's side <bcp14>MUST</bcp14> ensure that it is running in the IdP's origin prior to issuing assertions. </t> <t indent="0" pn="section-9.4.1-2"> Note that this check only asserts that the browser (or some other entity with access to the user's authentication data) attests to the request and hence to the fingerprint. It does not demonstrate that the browser has access to the associated private key, and therefore an attacker can attach their own identity to another party's keying material, thus making a call which comes from Alice appear to come from the attacker. See <xref target="RFC8844" format="default" sectionFormat="of" derivedContent="RFC8844"/> for defenses against this form of attack. </t> </section> <section anchor="sec.sec-idp-uri" numbered="true" toc="include" removeInRFC="false" pn="section-9.4.2"> <name slugifiedName="name-idp-well-known-uri">IdP Well-Known URI</name> <t indent="0" pn="section-9.4.2-1"> As described in <xref target="sec.idp-uri" format="default" sectionFormat="of" derivedContent="Section 7.5"/>, the IdP proxy HTML/JS landing page is located at a well-known URI based on the IdP's domain name. This requirement prevents an attacker who can write some resources at the IdP (e.g., on one's Facebook wall) from being able to impersonate the IdP. </t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-9.4.3"> <name slugifiedName="name-privacy-of-idp-generated-id">Privacy of IdP-Generated Identities and the Hosting Site</name> <t indent="0" pn="section-9.4.3-1"> Depending on the structure of the IdP's assertions, the calling site may learn the user's identity from the perspective of the IdP. In many cases, this is not an issue because the user is authenticating to the site via the IdP in any case -- for instance, when the user has logged in with Facebook Connect and is then authenticating their call with a Facebook identity. However, in other cases, the user may not have already revealed their identity to the site. In general, IdPs <bcp14>SHOULD</bcp14> either verify that the user is willing to have their identity revealed to the site (e.g., through the usual IdP permissions dialog) or arrange that the identity information is only available to known RPs (e.g., social graph adjacencies) but not to the calling site. The "domain" field of the assertion request can be used to check that the user has agreed to disclose their identity to the calling site; because it is supplied by the PeerConnection it can be trusted to be correct. </t> </section> <section anchor="sec.sec-third-party" numbered="true" toc="include" removeInRFC="false" pn="section-9.4.4"> <name slugifiedName="name-security-of-third-party-idp">Security of Third-Party IdPs</name> <t indent="0" pn="section-9.4.4-1"> As discussed above, each third-party IdP represents a new universal trust point and therefore the number of these IdPs needs to be quite limited. Most IdPs, even those which issue unqualified identities such as Facebook, can be recast as authoritative IdPs (e.g., 123456@facebook.com). However, in such cases, the user interface implications are not entirely desirable. One intermediate approach is to have special (potentially user configurable) UI for large authoritative IdPs, thus allowing the user to instantly grasp that the call is being authenticated by Facebook, Google, etc. </t> <section numbered="true" toc="include" removeInRFC="false" pn="section-9.4.4.1"> <name slugifiedName="name-confusable-characters">Confusable Characters</name> <t indent="0" pn="section-9.4.4.1-1"> Because a broad range of characters are permitted in identity strings, it may be possible for attackers to craft identities which are confusable with other identities (see <xref target="RFC6943" format="default" sectionFormat="of" derivedContent="RFC6943"/> for more on this topic). This is a problem with any identifier space of this type (e.g., email addresses). Those minting identifiers should avoid mixed scripts and similar confusable characters. Those presenting these identifiers to a user should consider highlighting cases of mixed script usage (see <xref target="RFC5890" sectionFormat="comma" section="4.4" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5890#section-4.4" derivedContent="RFC5890"/>). Other best practices are still in development. </t> </section> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-9.4.5"> <name slugifiedName="name-web-security-feature-intera">Web Security Feature Interactions</name> <t indent="0" pn="section-9.4.5-1"> A number of optional Web security features have the potential to cause issues for this mechanism, as discussed below. </t> <section anchor="sec.popup-blocking" numbered="true" toc="include" removeInRFC="false" pn="section-9.4.5.1"> <name slugifiedName="name-popup-blocking">Popup Blocking</name> <t indent="0" pn="section-9.4.5.1-1"> When popup blocking is in use, the IdP proxy is unable to generate popup windows, dialogs, or any other form of user interactions. This prevents the IdP proxy from being used to circumvent user interaction. The "LOGINNEEDED" message allows the IdP proxy to inform the calling site of a need for user login, providing the information necessary to satisfy this requirement without resorting to direct user interaction from the IdP proxy itself. </t> </section> <section anchor="sec.3rd-party-cookies" numbered="true" toc="include" removeInRFC="false" pn="section-9.4.5.2"> <name slugifiedName="name-third-party-cookies">Third Party Cookies</name> <t indent="0" pn="section-9.4.5.2-1"> Some browsers allow users to block third party cookies (cookies associated with origins other than the top-level page) for privacy reasons. Any IdP which uses cookies to persist logins will be broken by third-party cookie blocking. One option is to accept this as a limitation; another is to have the PeerConnection object disable third-party cookie blocking for the IdP proxy. </t> </section> </section> </section> </section> <section anchor="sec.iana-cons" numbered="true" toc="include" removeInRFC="false" pn="section-10"> <name slugifiedName="name-iana-considerations">IANA Considerations</name> <t indent="0" pn="section-10-1"> This specification defines the "identity" SDP attribute per the procedures of <xref target="RFC4566" sectionFormat="of" section="8.2.4" format="default" derivedLink="https://rfc-editor.org/rfc/rfc4566#section-8.2.4" derivedContent="RFC4566"/>. The required information for the registration is included here: </t> <dl newline="false" spacing="normal" indent="3" pn="section-10-2"> <dt pn="section-10-2.1">Contact Name:</dt> <dd pn="section-10-2.2">IESG (iesg@ietf.org)</dd> <dt pn="section-10-2.3">Attribute Name:</dt> <dd pn="section-10-2.4">identity</dd> <dt pn="section-10-2.5">Long Form:</dt> <dd pn="section-10-2.6">identity</dd> <dt pn="section-10-2.7">Type of Attribute:</dt> <dd pn="section-10-2.8">session</dd> <dt pn="section-10-2.9">Charset Considerations:</dt> <dd pn="section-10-2.10">This attribute is not subject to the charset attribute.</dd> <dt pn="section-10-2.11">Purpose:</dt> <dd pn="section-10-2.12">This attribute carries an identity assertion, binding an identity to the transport-level security session.</dd> <dt pn="section-10-2.13">Appropriate Values:</dt> <dd pn="section-10-2.14">See <xref target="sec.sdp-id-attr" format="default" sectionFormat="of" derivedContent="Section 5"/> of RFC 8827.</dd> <dt pn="section-10-2.15">Mux Category:</dt> <dd pn="section-10-2.16">NORMAL</dd> </dl> <t indent="0" pn="section-10-3"> This section registers the "idp-proxy" well-known URI from <xref target="RFC8615" format="default" sectionFormat="of" derivedContent="RFC8615"/>. </t> <dl newline="false" spacing="normal" indent="3" pn="section-10-4"> <dt pn="section-10-4.1">URI suffix:</dt> <dd pn="section-10-4.2">idp-proxy</dd> <dt pn="section-10-4.3">Change controller:</dt> <dd pn="section-10-4.4">IETF</dd> </dl> </section> </middle> <back> <displayreference target="I-D.ietf-tls-dtls13" to="TLS-DTLS13"/> <references pn="section-11"> <name slugifiedName="name-references">References</name> <references pn="section-11.1"> <name slugifiedName="name-normative-references">Normative References</name> <reference anchor="FIPS186" quoteTitle="true" target="https://doi.org/10.6028/NIST.FIPS.186-4" derivedAnchor="FIPS186"> <front> <title>Digital Signature Standard (DSS)</title> <author> <organization showOnFrontPage="true">National Institute of Standards and Technology (NIST)</organization> </author> <date year="2013" month="July"/> </front> <seriesInfo name="NIST PUB" value="186-4"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/> </reference> <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author initials="S." surname="Bradner" fullname="S. Bradner"> <organization showOnFrontPage="true"/> </author> <date year="1997" month="March"/> <abstract> <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC2818" target="https://www.rfc-editor.org/info/rfc2818" quoteTitle="true" derivedAnchor="RFC2818"> <front> <title>HTTP Over TLS</title> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <date year="2000" month="May"/> <abstract> <t indent="0">This memo describes how to use Transport Layer Security (TLS) to secure Hypertext Transfer Protocol (HTTP) connections over the Internet. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="2818"/> <seriesInfo name="DOI" value="10.17487/RFC2818"/> </reference> <reference anchor="RFC3264" target="https://www.rfc-editor.org/info/rfc3264" quoteTitle="true" derivedAnchor="RFC3264"> <front> <title>An Offer/Answer Model with Session Description Protocol (SDP)</title> <author initials="J." surname="Rosenberg" fullname="J. Rosenberg"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Schulzrinne" fullname="H. Schulzrinne"> <organization showOnFrontPage="true"/> </author> <date year="2002" month="June"/> <abstract> <t indent="0">This document defines a mechanism by which two entities can make use of the Session Description Protocol (SDP) to arrive at a common view of a multimedia session between them. In the model, one participant offers the other a description of the desired session from their perspective, and the other participant answers with the desired session from their perspective. This offer/answer model is most useful in unicast sessions where information from both participants is needed for the complete view of the session. The offer/answer model is used by protocols like the Session Initiation Protocol (SIP). [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3264"/> <seriesInfo name="DOI" value="10.17487/RFC3264"/> </reference> <reference anchor="RFC3711" target="https://www.rfc-editor.org/info/rfc3711" quoteTitle="true" derivedAnchor="RFC3711"> <front> <title>The Secure Real-time Transport Protocol (SRTP)</title> <author initials="M." surname="Baugher" fullname="M. Baugher"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="McGrew" fullname="D. McGrew"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Naslund" fullname="M. Naslund"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Carrara" fullname="E. Carrara"> <organization showOnFrontPage="true"/> </author> <author initials="K." surname="Norrman" fullname="K. Norrman"> <organization showOnFrontPage="true"/> </author> <date year="2004" month="March"/> <abstract> <t indent="0">This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3711"/> <seriesInfo name="DOI" value="10.17487/RFC3711"/> </reference> <reference anchor="RFC3986" target="https://www.rfc-editor.org/info/rfc3986" quoteTitle="true" derivedAnchor="RFC3986"> <front> <title>Uniform Resource Identifier (URI): Generic Syntax</title> <author initials="T." surname="Berners-Lee" fullname="T. Berners-Lee"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Fielding" fullname="R. Fielding"> <organization showOnFrontPage="true"/> </author> <author initials="L." surname="Masinter" fullname="L. Masinter"> <organization showOnFrontPage="true"/> </author> <date year="2005" month="January"/> <abstract> <t indent="0">A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="STD" value="66"/> <seriesInfo name="RFC" value="3986"/> <seriesInfo name="DOI" value="10.17487/RFC3986"/> </reference> <reference anchor="RFC4566" target="https://www.rfc-editor.org/info/rfc4566" quoteTitle="true" derivedAnchor="RFC4566"> <front> <title>SDP: Session Description Protocol</title> <author initials="M." surname="Handley" fullname="M. Handley"> <organization showOnFrontPage="true"/> </author> <author initials="V." surname="Jacobson" fullname="V. Jacobson"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Perkins" fullname="C. Perkins"> <organization showOnFrontPage="true"/> </author> <date year="2006" month="July"/> <abstract> <t indent="0">This memo defines the Session Description Protocol (SDP). SDP is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4566"/> <seriesInfo name="DOI" value="10.17487/RFC4566"/> </reference> <reference anchor="RFC4568" target="https://www.rfc-editor.org/info/rfc4568" quoteTitle="true" derivedAnchor="RFC4568"> <front> <title>Session Description Protocol (SDP) Security Descriptions for Media Streams</title> <author initials="F." surname="Andreasen" fullname="F. Andreasen"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Baugher" fullname="M. Baugher"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Wing" fullname="D. Wing"> <organization showOnFrontPage="true"/> </author> <date year="2006" month="July"/> <abstract> <t indent="0">This document defines a Session Description Protocol (SDP) cryptographic attribute for unicast media streams. The attribute describes a cryptographic key and other parameters that serve to configure security for a unicast media stream in either a single message or a roundtrip exchange. The attribute can be used with a variety of SDP media transports, and this document defines how to use it for the Secure Real-time Transport Protocol (SRTP) unicast media streams. The SDP crypto attribute requires the services of a data security protocol to secure the SDP message. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4568"/> <seriesInfo name="DOI" value="10.17487/RFC4568"/> </reference> <reference anchor="RFC4648" target="https://www.rfc-editor.org/info/rfc4648" quoteTitle="true" derivedAnchor="RFC4648"> <front> <title>The Base16, Base32, and Base64 Data Encodings</title> <author initials="S." surname="Josefsson" fullname="S. Josefsson"> <organization showOnFrontPage="true"/> </author> <date year="2006" month="October"/> <abstract> <t indent="0">This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4648"/> <seriesInfo name="DOI" value="10.17487/RFC4648"/> </reference> <reference anchor="RFC5763" target="https://www.rfc-editor.org/info/rfc5763" quoteTitle="true" derivedAnchor="RFC5763"> <front> <title>Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)</title> <author initials="J." surname="Fischl" fullname="J. Fischl"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Tschofenig" fullname="H. Tschofenig"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <date year="2010" month="May"/> <abstract> <t indent="0">This document specifies how to use the Session Initiation Protocol (SIP) to establish a Secure Real-time Transport Protocol (SRTP) security context using the Datagram Transport Layer Security (DTLS) protocol. It describes a mechanism of transporting a fingerprint attribute in the Session Description Protocol (SDP) that identifies the key that will be presented during the DTLS handshake. The key exchange travels along the media path as opposed to the signaling path. The SIP Identity mechanism can be used to protect the integrity of the fingerprint attribute from modification by intermediate proxies. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5763"/> <seriesInfo name="DOI" value="10.17487/RFC5763"/> </reference> <reference anchor="RFC5764" target="https://www.rfc-editor.org/info/rfc5764" quoteTitle="true" derivedAnchor="RFC5764"> <front> <title>Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)</title> <author initials="D." surname="McGrew" fullname="D. McGrew"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <date year="2010" month="May"/> <abstract> <t indent="0">This document describes a Datagram Transport Layer Security (DTLS) extension to establish keys for Secure RTP (SRTP) and Secure RTP Control Protocol (SRTCP) flows. DTLS keying happens on the media path, independent of any out-of-band signalling channel present. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5764"/> <seriesInfo name="DOI" value="10.17487/RFC5764"/> </reference> <reference anchor="RFC5890" target="https://www.rfc-editor.org/info/rfc5890" quoteTitle="true" derivedAnchor="RFC5890"> <front> <title>Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework</title> <author initials="J." surname="Klensin" fullname="J. Klensin"> <organization showOnFrontPage="true"/> </author> <date year="2010" month="August"/> <abstract> <t indent="0">This document is one of a collection that, together, describe the protocol and usage context for a revision of Internationalized Domain Names for Applications (IDNA), superseding the earlier version. It describes the document collection and provides definitions and other material that are common to the set. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5890"/> <seriesInfo name="DOI" value="10.17487/RFC5890"/> </reference> <reference anchor="RFC6347" target="https://www.rfc-editor.org/info/rfc6347" quoteTitle="true" derivedAnchor="RFC6347"> <front> <title>Datagram Transport Layer Security Version 1.2</title> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <author initials="N." surname="Modadugu" fullname="N. Modadugu"> <organization showOnFrontPage="true"/> </author> <date year="2012" month="January"/> <abstract> <t indent="0">This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6347"/> <seriesInfo name="DOI" value="10.17487/RFC6347"/> </reference> <reference anchor="RFC6454" target="https://www.rfc-editor.org/info/rfc6454" quoteTitle="true" derivedAnchor="RFC6454"> <front> <title>The Web Origin Concept</title> <author initials="A." surname="Barth" fullname="A. Barth"> <organization showOnFrontPage="true"/> </author> <date year="2011" month="December"/> <abstract> <t indent="0">This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6454"/> <seriesInfo name="DOI" value="10.17487/RFC6454"/> </reference> <reference anchor="RFC7022" target="https://www.rfc-editor.org/info/rfc7022" quoteTitle="true" derivedAnchor="RFC7022"> <front> <title>Guidelines for Choosing RTP Control Protocol (RTCP) Canonical Names (CNAMEs)</title> <author initials="A." surname="Begen" fullname="A. Begen"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Perkins" fullname="C. Perkins"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Wing" fullname="D. Wing"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <date year="2013" month="September"/> <abstract> <t indent="0">The RTP Control Protocol (RTCP) Canonical Name (CNAME) is a persistent transport-level identifier for an RTP endpoint. While the Synchronization Source (SSRC) identifier of an RTP endpoint may change if a collision is detected or when the RTP application is restarted, its RTCP CNAME is meant to stay unchanged, so that RTP endpoints can be uniquely identified and associated with their RTP media streams.</t> <t indent="0">For proper functionality, RTCP CNAMEs should be unique within the participants of an RTP session. However, the existing guidelines for choosing the RTCP CNAME provided in the RTP standard (RFC 3550) are insufficient to achieve this uniqueness. RFC 6222 was published to update those guidelines to allow endpoints to choose unique RTCP CNAMEs. Unfortunately, later investigations showed that some parts of the new algorithms were unnecessarily complicated and/or ineffective. This document addresses these concerns and replaces RFC 6222.</t> </abstract> </front> <seriesInfo name="RFC" value="7022"/> <seriesInfo name="DOI" value="10.17487/RFC7022"/> </reference> <reference anchor="RFC7675" target="https://www.rfc-editor.org/info/rfc7675" quoteTitle="true" derivedAnchor="RFC7675"> <front> <title>Session Traversal Utilities for NAT (STUN) Usage for Consent Freshness</title> <author initials="M." surname="Perumal" fullname="M. Perumal"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Wing" fullname="D. Wing"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Ravindranath" fullname="R. Ravindranath"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Reddy" fullname="T. Reddy"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Thomson" fullname="M. Thomson"> <organization showOnFrontPage="true"/> </author> <date year="2015" month="October"/> <abstract> <t indent="0">To prevent WebRTC applications, such as browsers, from launching attacks by sending traffic to unwilling victims, periodic consent to send needs to be obtained from remote endpoints.</t> <t indent="0">This document describes a consent mechanism using a new Session Traversal Utilities for NAT (STUN) usage.</t> </abstract> </front> <seriesInfo name="RFC" value="7675"/> <seriesInfo name="DOI" value="10.17487/RFC7675"/> </reference> <reference anchor="RFC7918" target="https://www.rfc-editor.org/info/rfc7918" quoteTitle="true" derivedAnchor="RFC7918"> <front> <title>Transport Layer Security (TLS) False Start</title> <author initials="A." surname="Langley" fullname="A. Langley"> <organization showOnFrontPage="true"/> </author> <author initials="N." surname="Modadugu" fullname="N. Modadugu"> <organization showOnFrontPage="true"/> </author> <author initials="B." surname="Moeller" fullname="B. Moeller"> <organization showOnFrontPage="true"/> </author> <date year="2016" month="August"/> <abstract> <t indent="0">This document specifies an optional behavior of Transport Layer Security (TLS) client implementations, dubbed "False Start". It affects only protocol timing, not on-the-wire protocol data, and can be implemented unilaterally. A TLS False Start reduces handshake latency to one round trip.</t> </abstract> </front> <seriesInfo name="RFC" value="7918"/> <seriesInfo name="DOI" value="10.17487/RFC7918"/> </reference> <reference anchor="RFC8122" target="https://www.rfc-editor.org/info/rfc8122" quoteTitle="true" derivedAnchor="RFC8122"> <front> <title>Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)</title> <author initials="J." surname="Lennox" fullname="J. Lennox"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Holmberg" fullname="C. Holmberg"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="March"/> <abstract> <t indent="0">This document specifies how to establish secure connection-oriented media transport sessions over the Transport Layer Security (TLS) protocol using the Session Description Protocol (SDP). It defines the SDP protocol identifier, 'TCP/TLS'. It also defines the syntax and semantics for an SDP 'fingerprint' attribute that identifies the certificate that will be presented for the TLS session. This mechanism allows media transport over TLS connections to be established securely, so long as the integrity of session descriptions is assured.</t> <t indent="0">This document obsoletes RFC 4572 by clarifying the usage of multiple fingerprints.</t> </abstract> </front> <seriesInfo name="RFC" value="8122"/> <seriesInfo name="DOI" value="10.17487/RFC8122"/> </reference> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author initials="B." surname="Leiba" fullname="B. Leiba"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="May"/> <abstract> <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC8259" target="https://www.rfc-editor.org/info/rfc8259" quoteTitle="true" derivedAnchor="RFC8259"> <front> <title>The JavaScript Object Notation (JSON) Data Interchange Format</title> <author initials="T." surname="Bray" fullname="T. Bray" role="editor"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="December"/> <abstract> <t indent="0">JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t> <t indent="0">This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t> </abstract> </front> <seriesInfo name="STD" value="90"/> <seriesInfo name="RFC" value="8259"/> <seriesInfo name="DOI" value="10.17487/RFC8259"/> </reference> <reference anchor="RFC8261" target="https://www.rfc-editor.org/info/rfc8261" quoteTitle="true" derivedAnchor="RFC8261"> <front> <title>Datagram Transport Layer Security (DTLS) Encapsulation of SCTP Packets</title> <author initials="M." surname="Tuexen" fullname="M. Tuexen"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Stewart" fullname="R. Stewart"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Jesup" fullname="R. Jesup"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Loreto" fullname="S. Loreto"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="November"/> <abstract> <t indent="0">The Stream Control Transmission Protocol (SCTP) is a transport protocol originally defined to run on top of the network protocols IPv4 or IPv6. This document specifies how SCTP can be used on top of the Datagram Transport Layer Security (DTLS) protocol. Using the encapsulation method described in this document, SCTP is unaware of the protocols being used below DTLS; hence, explicit IP addresses cannot be used in the SCTP control chunks. As a consequence, the SCTP associations carried over DTLS can only be single-homed.</t> </abstract> </front> <seriesInfo name="RFC" value="8261"/> <seriesInfo name="DOI" value="10.17487/RFC8261"/> </reference> <reference anchor="RFC8445" target="https://www.rfc-editor.org/info/rfc8445" quoteTitle="true" derivedAnchor="RFC8445"> <front> <title>Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal</title> <author initials="A." surname="Keranen" fullname="A. Keranen"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Holmberg" fullname="C. Holmberg"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Rosenberg" fullname="J. Rosenberg"> <organization showOnFrontPage="true"/> </author> <date year="2018" month="July"/> <abstract> <t indent="0">This document describes a protocol for Network Address Translator (NAT) traversal for UDP-based communication. This protocol is called Interactive Connectivity Establishment (ICE). ICE makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN).</t> <t indent="0">This document obsoletes RFC 5245.</t> </abstract> </front> <seriesInfo name="RFC" value="8445"/> <seriesInfo name="DOI" value="10.17487/RFC8445"/> </reference> <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" quoteTitle="true" derivedAnchor="RFC8446"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <date year="2018" month="August"/> <abstract> <t indent="0">This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t indent="0">This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t> </abstract> </front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/> </reference> <reference anchor="RFC8615" target="https://www.rfc-editor.org/info/rfc8615" quoteTitle="true" derivedAnchor="RFC8615"> <front> <title>Well-Known Uniform Resource Identifiers (URIs)</title> <author initials="M." surname="Nottingham" fullname="M. Nottingham"> <organization showOnFrontPage="true"/> </author> <date year="2019" month="May"/> <abstract> <t indent="0">This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t> <t indent="0">In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t> </abstract> </front> <seriesInfo name="RFC" value="8615"/> <seriesInfo name="DOI" value="10.17487/RFC8615"/> </reference> <reference anchor="RFC8825" target="https://www.rfc-editor.org/info/rfc8825" quoteTitle="true" derivedAnchor="RFC8825"> <front> <title>Overview: Real-Time Protocols for Browser-Based Applications</title> <author initials="H." surname="Alvestrand" fullname="Harald T. Alvestrand"> <organization showOnFrontPage="true"/> </author> <date month="January" year="2021"/> </front> <seriesInfo name="RFC" value="8825"/> <seriesInfo name="DOI" value="10.17487/RFC8825"/> </reference> <reference anchor="RFC8826" target="https://www.rfc-editor.org/info/rfc8826" quoteTitle="true" derivedAnchor="RFC8826"> <front> <title>Security Considerations for WebRTC</title> <author initials="E." surname="Rescorla" fullname="Eric Rescorla"> <organization showOnFrontPage="true"/> </author> <date month="January" year="2021"/> </front> <seriesInfo name="RFC" value="8826"/> <seriesInfo name="DOI" value="10.17487/RFC8826"/> </reference> <reference anchor="RFC8829" target="https://www.rfc-editor.org/info/rfc8829" quoteTitle="true" derivedAnchor="RFC8829"> <front> <title>JavaScript Session Establishment Protocol (JSEP)</title> <author initials="J." surname="Uberti" fullname="Justin Uberti"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Jennings" fullname="Cullen Jennings"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Rescorla" fullname="Eric Rescorla" role="editor"> <organization showOnFrontPage="true"/> </author> <date month="January" year="2021"/> </front> <seriesInfo name="RFC" value="8829"/> <seriesInfo name="DOI" value="10.17487/RFC8829"/> </reference> <reference anchor="RFC8834" target="https://www.rfc-editor.org/info/rfc8834" quoteTitle="true" derivedAnchor="RFC8834"> <front> <title>Media Transport and Use of RTP in WebRTC</title> <author initials="C." surname="Perkins" fullname="Colin Perkins"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Westerlund" fullname="Magnus Westerlund"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Ott" fullname="Jörg Ott"> <organization showOnFrontPage="true"/> </author> <date month="January" year="2021"/> </front> <seriesInfo name="RFC" value="8834"/> <seriesInfo name="DOI" value="10.17487/RFC8834"/> </reference> <reference anchor="RFC8844" target="https://www.rfc-editor.org/info/rfc8844" quoteTitle="true" derivedAnchor="RFC8844"> <front> <title>Unknown Key-Share Attacks on Uses of TLS with the Session Description Protocol (SDP)</title> <author initials="M" surname="Thomson" fullname="Martin Thomson"> <organization showOnFrontPage="true"/> </author> <author initials="E" surname="Rescorla" fullname="Eric Rescorla"> <organization showOnFrontPage="true"/> </author> <date month="January" year="2021"/> </front> <seriesInfo name="RFC" value="8844"/> <seriesInfo name="DOI" value="10.17487/RFC8844"/> </reference> <reference anchor="webcrypto" target="https://www.w3.org/TR/2017/REC-WebCryptoAPI-20170126/" quoteTitle="true" derivedAnchor="webcrypto"> <front> <title>Web Cryptography API</title> <author initials="M" surname="Watson" fullname="Mark Watson"> </author> <date month="January" year="2017" day="26"/> </front> <refcontent>W3C Recommendation</refcontent> </reference> <reference anchor="webrtc-api" target="https://www.w3.org/TR/webrtc/" quoteTitle="true" derivedAnchor="webrtc-api"> <front> <title>WebRTC 1.0: Real-time Communication Between Browsers</title> <author initials="C." surname="Jennings" fullname="Cullen Jennings"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Boström" fullname="Henrik Boström"> <organization showOnFrontPage="true"/> </author> <author initials="J-I." surname="Bruaroey" fullname="Jan-Ivar Bruaroey"> <organization showOnFrontPage="true"/> </author> <date/> </front> <refcontent>W3C Proposed Recommendation</refcontent> </reference> </references> <references pn="section-11.2"> <name slugifiedName="name-informative-references">Informative References</name> <reference anchor="fetch" target="https://fetch.spec.whatwg.org/" quoteTitle="true" derivedAnchor="fetch"> <front> <title>Fetch</title> <author initials="A." surname="van Kesteren"> <organization showOnFrontPage="true"/> </author> </front> </reference> <reference anchor="RFC3261" target="https://www.rfc-editor.org/info/rfc3261" quoteTitle="true" derivedAnchor="RFC3261"> <front> <title>SIP: Session Initiation Protocol</title> <author initials="J." surname="Rosenberg" fullname="J. Rosenberg"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Schulzrinne" fullname="H. Schulzrinne"> <organization showOnFrontPage="true"/> </author> <author initials="G." surname="Camarillo" fullname="G. Camarillo"> <organization showOnFrontPage="true"/> </author> <author initials="A." surname="Johnston" fullname="A. Johnston"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Peterson" fullname="J. Peterson"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Sparks" fullname="R. Sparks"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Handley" fullname="M. Handley"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Schooler" fullname="E. Schooler"> <organization showOnFrontPage="true"/> </author> <date year="2002" month="June"/> <abstract> <t indent="0">This document describes Session Initiation Protocol (SIP), an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3261"/> <seriesInfo name="DOI" value="10.17487/RFC3261"/> </reference> <reference anchor="RFC5705" target="https://www.rfc-editor.org/info/rfc5705" quoteTitle="true" derivedAnchor="RFC5705"> <front> <title>Keying Material Exporters for Transport Layer Security (TLS)</title> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <date year="2010" month="March"/> <abstract> <t indent="0">A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism forthe registration is included here: <list style="hanging"> <t hangText="Contact Name:">IESG (iesg@ietf.org)</t> <t hangText="Attribute Name:">identity</t> <t hangText="Long Form:">identity</t> <t hangText="Type of Attribute:">session-level</t>allowing that. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5705"/> <seriesInfo name="DOI" value="10.17487/RFC5705"/> </reference> <reference anchor="RFC6120" target="https://www.rfc-editor.org/info/rfc6120" quoteTitle="true" derivedAnchor="RFC6120"> <front> <title>Extensible Messaging and Presence Protocol (XMPP): Core</title> <author initials="P." surname="Saint-Andre" fullname="P. Saint-Andre"> <organization showOnFrontPage="true"/> </author> <date year="2011" month="March"/> <abstract> <thangText="Charset Considerations:">This attributeindent="0">The Extensible Messaging and Presence Protocol (XMPP) isnot subject to the charset attribute.</t> <t hangText="Purpose:">This attribute carries an identity assertion, bindinganidentity to the transport-level security session.</t> <t hangText="Appropriate Values:">See <xref target="sec.sdp-id-attr"/>application profile ofRFCXXXX [[Editor Note: This document.]]</t> <t hangText="Mux Category:">NORMAL.</t> </list> </t> <t> This section reqisters the <spanx style="verb">idp-proxy</spanx> well-known URI from <xref target="RFC5785"/>. <list style="hanging"> <t hangText="URI suffix:">idp-proxy</t> <t hangText="Change controller:">IETF</t> </list> </t> </section> <section title="Acknowledgements"> <t> Bernard Aboba, Harald Alvestrand, Richard Barnes, Dan Druta, Cullen Jennings, Hadriel Kaplan, Matthew Kaufman, Jim McEachern, Martin Thomson, Magnus Westerland. Matthew Kaufman providedtheUI material in <xref target="sec.proposal.comsec"/>. Christer Holmberg providedExtensible Markup Language (XML) that enables theinitial versionnear-real-time exchange of<xref target="sec.sdp-id-attr-oa"/>. </t> </section> <section title="Changes"> <t> [RFC Editor: Please remove this section prior to publication.]</t> <section title="Changes since -15"> <t>Rewrite the Identity section instructured yet extensible data between any two or moreconventional offer/answer format.</t> <t>Clarify rules on changing identities.</t> </section> <section title="Changes since -11"> <t> Update discussion of IdP security model </t> <t> Replace "domain name" with RFC 3986 Authority </t> <t> Clean up discussionnetwork entities. This document defines XMPP's core protocol methods: setup and teardown ofhow to generate IdP URI. </t> <t> Remove obsolete text about null cipher suites. </t> <t> Remove obsolete appendixes about older IdP systems </t> <t> Require supportXML streams, channel encryption, authentication, error handling, and communication primitives forECDSA, PFS,messaging, network availability ("presence"), andAEAD </t> </section> <section title="Changes since -10"> <t> Update cipher suite profiles. </t> <t> Rework IdP interaction based on implementation experience in Firefox. </t> </section> <section title="Changes since -06"> <t> Replaced RTCWEBrequest-response interactions. This document obsoletes RFC 3920. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6120"/> <seriesInfo name="DOI" value="10.17487/RFC6120"/> </reference> <reference anchor="RFC6265" target="https://www.rfc-editor.org/info/rfc6265" quoteTitle="true" derivedAnchor="RFC6265"> <front> <title>HTTP State Management Mechanism</title> <author initials="A." surname="Barth" fullname="A. Barth"> <organization showOnFrontPage="true"/> </author> <date year="2011" month="April"/> <abstract> <t indent="0">This document defines the HTTP Cookie andRTC-Web with WebRTC, except when referringSet-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting theIETF WG </t> <t> Forbade use in mixed content as discussedservers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 2965. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6265"/> <seriesInfo name="DOI" value="10.17487/RFC6265"/> </reference> <reference anchor="RFC6455" target="https://www.rfc-editor.org/info/rfc6455" quoteTitle="true" derivedAnchor="RFC6455"> <front> <title>The WebSocket Protocol</title> <author initials="I." surname="Fette" fullname="I. Fette"> <organization showOnFrontPage="true"/> </author> <author initials="A." surname="Melnikov" fullname="A. Melnikov"> <organization showOnFrontPage="true"/> </author> <date year="2011" month="December"/> <abstract> <t indent="0">The WebSocket Protocol enables two-way communication between a client running untrusted code inOrlando. </t> <t> Addedarequirement to surface NULL ciphers to the top-level. </t> <t> Triedcontrolled environment toclarify SRTP versus DTLS-SRTP. </t> <t> Addedasection on screen sharing permissions. </t> <t> Assorted editorial work. </t> </section> <section title="Changes since -05"> <t>remote host that has opted-in to communications from that code. Thefollowing changes have been made since the -05 draft. </t> <t> <list style="symbols"> <t> Response to comments from Richard Barnes </t> <t> More explanation of the IdPsecurityproperties andmodel used for this is thefederation use case. </t> <t> Editorial cleanup. </t> </list> </t> </section> <section title="Changes since -03"> <t> Version -04 was a version control mistake. Please ignore. </t> <t>origin-based security model commonly used by web browsers. Thefollowing changes have been made since the -04 draft. </t> <t> <list style="symbols"> <t> Move origin check from IdP to RP per discussion in YVR. </t> <t> Clarified treatmentprotocol consists ofX.509-level identities. </t> <t> Editorial cleanup. </t> </list> </t> </section> <section title="Changes since -03"> </section> <section title="Changes since -02"> <t>an opening handshake followed by basic message framing, layered over TCP. Thefollowing changes have been made since the -02 draft. </t> <t> <list style="symbols"> <t> Forbid persistent HTTP permissions. </t> <t> Clarified the text in S 5.4 to clearly refergoal of this technology is torequirementsprovide a mechanism for browser-based applications that need two-way communication with servers that does not rely onthe APIopening multiple HTTP connections (e.g., using XMLHttpRequest or <iframe>s and long polling). [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6455"/> <seriesInfo name="DOI" value="10.17487/RFC6455"/> </reference> <reference anchor="RFC6943" target="https://www.rfc-editor.org/info/rfc6943" quoteTitle="true" derivedAnchor="RFC6943"> <front> <title>Issues in Identifier Comparison for Security Purposes</title> <author initials="D." surname="Thaler" fullname="D. Thaler" role="editor"> <organization showOnFrontPage="true"/> </author> <date year="2013" month="May"/> <abstract> <t indent="0">Identifiers such as hostnames, URIs, IP addresses, and email addresses are often used in security contexts toprovide functionalityidentify security principals and resources. In such contexts, an identifier presented via some protocol is often compared using some policy to make security decisions such as whether thesite. </t> <t> Fold insecurity principal may access theIETF portionresource, what level ofdraft-rescorla-rtcweb-generic-idp </t> <t> Retargetauthentication or encryption is required, etc. If thecontinuing consent sectionparties involved in a security decision use different algorithms toassume Binding Requests </t> <t> Added some more privacycompare identifiers, then failure scenarios ranging from denial of service to elevation of privilege can result. This document provides a discussion of these issues that designers should consider when defining identifiers andlinkage text in various places. </t> <t> Editorial improvements </t> </list> </t> </section> </section> </middle> <back> <references title="Normative References"> &RFC2119; &RFC2818; &RFC3264; &RFC3711; &RFC3986; &RFC4566; &RFC4568; &RFC4648; &RFC5246; &RFC5763; &RFC5764; &RFC5785; &RFC5890; &RFC6347; &RFC6454; &RFC7022; &RFC7675; &RFC7918; &RFC8174; &RFC8122; &RFC8259; &RFC8261; &RFC8445; &I-D.ietf-rtcweb-overview; &I-D.ietf-rtcweb-security; &I-D.ietf-rtcweb-rtp-usage; &I-D.ietf-mmusic-sdp-uks; &I-D.ietf-rtcweb-jsep;protocols, and when constructing architectures that use multiple protocols.</t> </abstract> </front> <seriesInfo name="RFC" value="6943"/> <seriesInfo name="DOI" value="10.17487/RFC6943"/> </reference> <referenceanchor="webcrypto">anchor="RFC7617" target="https://www.rfc-editor.org/info/rfc7617" quoteTitle="true" derivedAnchor="RFC7617"> <front><title>Web Cryptography API</title><title>The 'Basic' HTTP Authentication Scheme</title> <authorfullname="W3C editors" surname="Dahl, Sleevi"> <organization>W3C</organization>initials="J." surname="Reschke" fullname="J. Reschke"> <organization showOnFrontPage="true"/> </author> <dateday="25" month="June" year="2013" />year="2015" month="September"/> <abstract> <t indent="0">This document defines the "Basic" Hypertext Transfer Protocol (HTTP) authentication scheme, which transmits credentials as user-id/ password pairs, encoded using Base64.</t> </abstract> </front><annotation>Available at http://www.w3.org/TR/WebCryptoAPI/</annotation><seriesInfo name="RFC" value="7617"/> <seriesInfo name="DOI" value="10.17487/RFC7617"/> </reference> <referenceanchor="webrtc-api">anchor="RFC8224" target="https://www.rfc-editor.org/info/rfc8224" quoteTitle="true" derivedAnchor="RFC8224"> <front><title>WebRTC 1.0: Real-time Communication Between Browsers</title><title>Authenticated Identity Management in the Session Initiation Protocol (SIP)</title> <authorfullname="W3C editors" surname="Bergkvist, Burnett, Jennings, Narayanan"> <organization>W3C</organization>initials="J." surname="Peterson" fullname="J. Peterson"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Jennings" fullname="C. Jennings"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Wendt" fullname="C. Wendt"> <organization showOnFrontPage="true"/> </author> <dateday="4" month="October" year="2011" />year="2018" month="February"/> <abstract> <t indent="0">The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer.</t> <t indent="0">This document obsoletes RFC 4474.</t> </abstract> </front><annotation>Available at http://dev.w3.org/2011/webrtc/editor/webrtc.html</annotation><seriesInfo name="RFC" value="8224"/> <seriesInfo name="DOI" value="10.17487/RFC8224"/> </reference> <referenceanchor="FIPS186">anchor="RFC8828" target="https://www.rfc-editor.org/info/rfc8828" quoteTitle="true" derivedAnchor="RFC8828"> <front><title>Digital Signature Standard (DSS)</title><title>WebRTC IP Address Handling Requirements</title> <author> <organization>National Institute of Standards and Technology (NIST)</organization>initials="J" surname="Uberti" fullname="Justin Uberti"> <organization showOnFrontPage="true"/> </author> <author initials="G" surname="Shieh" fullname="Guo-wei Shieh"> <organization showOnFrontPage="true"/> </author> <dateyear="2013" month="July"/>month="January" year="2021"/> </front> <seriesInfoname="NIST PUB 186-4" value=""/>name="RFC" value="8828"/> <seriesInfo name="DOI" value="10.17487/RFC8828"/> </reference></references> <references title="Informative References"> &RFC7617; &RFC3261; &RFC5705; &RFC6455; &RFC6265; &RFC6943; &RFC6120; <reference anchor="XmlHttpRequest"> <front> <title>XMLHttpRequest Level 2</title><reference anchor="I-D.ietf-tls-dtls13" quoteTitle="true" target="https://tools.ietf.org/html/draft-ietf-tls-dtls13-39" derivedAnchor="TLS-DTLS13"> <front> <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title> <authorinitials="A." surname="van Kesteren"> <organization></organization>initials="E." surname="Rescorla" fullname="Eric Rescorla"> <organization showOnFrontPage="true">RTFM, Inc.</organization> </author> <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig"> <organization showOnFrontPage="true">Arm Limited</organization> </author> <author initials="N." surname="Modadugu" fullname="Nagendra Modadugu"> <organization showOnFrontPage="true">Google, Inc.</organization> </author> <dateday="17" month="January" year="2012"/>month="November" day="2" year="2020"/> <abstract> <t indent="0"> This document specifies Version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is intentionally based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection/non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-tls-dtls13-39"/> <formattarget="http://www.w3.org/TR/XMLHttpRequest/" type="TXT"/>type="TXT" target="https://www.ietf.org/internet-drafts/draft-ietf-tls-dtls13-39.txt"/> <refcontent>Work in Progress</refcontent> </reference> </references> </references> <section numbered="false" toc="include" removeInRFC="false" pn="section-appendix.a"> <name slugifiedName="name-acknowledgements">Acknowledgements</name> <t indent="0" pn="section-appendix.a-1"> <contact fullname="Bernard Aboba"/>, <contact fullname="Harald Alvestrand"/>, <contact fullname="Richard Barnes"/>, <contact fullname="Dan Druta"/>, <contact fullname="Cullen Jennings"/>, <contact fullname="Hadriel Kaplan"/>, <contact fullname="Matthew Kaufman"/>, <contact fullname="Jim McEachern"/>, <contact fullname="Martin Thomson"/>, <contact fullname="Magnus Westerlund"/>. <contact fullname="Matthew Kaufman"/> provided the UI material in <xref target="sec.proposal.comsec" format="default" sectionFormat="of" derivedContent="Section 6.5"/>. <contact fullname="Christer Holmberg"/> provided the initial version of <xref target="sec.sdp-id-attr-oa" format="default" sectionFormat="of" derivedContent="Section 5.1"/>. </t> </section> <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.b"> <name slugifiedName="name-authors-address">Author's Address</name> <author fullname="Eric Rescorla" initials="E." surname="Rescorla"> <organization showOnFrontPage="true">Mozilla</organization> <address> <email>ekr@rtfm.com</email> </address> </author> </section> </back> </rfc>