| rfc9749.original | rfc9749.txt | |||
|---|---|---|---|---|
| JMAP D. Gultsch | Internet Engineering Task Force (IETF) D. Gultsch | |||
| Internet-Draft 10 January 2025 | Request for Comments: 9749 March 2025 | |||
| Intended status: Standards Track | Category: Standards Track | |||
| Expires: 14 July 2025 | ISSN: 2070-1721 | |||
| Use of VAPID in JMAP WebPush | Use of Voluntary Application Server Identification (VAPID) in JSON Meta | |||
| draft-ietf-jmap-webpush-vapid-10 | Application Protocol (JMAP) Web Push | |||
| Abstract | Abstract | |||
| This document defines a method for JMAP servers to advertise their | This document defines a method for JSON Meta Application Protocol | |||
| capability to authenticate WebPush notifications using the Voluntary | (JMAP) servers to advertise their capability to authenticate Web Push | |||
| Application Server Identification protocol. | notifications using the Voluntary Application Server Identification | |||
| (VAPID) protocol. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 14 July 2025. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9749. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 | 2. Conventions Used in This Document | |||
| 3. Discovering Support for VAPID . . . . . . . . . . . . . . . . 2 | 3. Discovering Support for VAPID | |||
| 4. Issuing Push Notifications . . . . . . . . . . . . . . . . . 3 | 4. Issuing Push Notifications | |||
| 5. Key Rotation . . . . . . . . . . . . . . . . . . . . . . . . 3 | 5. Key Rotation | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 6. Security Considerations | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 7. IANA Considerations | |||
| 7.1. Registration of the JMAP Capability for VAPID . . . . . . 5 | 7.1. Registration of the JMAP Capability for VAPID | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 8. References | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 8.1. Normative References | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 6 | 8.2. Informative References | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | Author's Address | |||
| 1. Introduction | 1. Introduction | |||
| JMAP [RFC8620] specifies how clients can subscribe to events using a | JMAP [RFC8620] specifies how clients can subscribe to events using a | |||
| protocol that is compatible with WebPush [RFC8030]. Some push | protocol that is compatible with Web Push [RFC8030]. Some push | |||
| services require that the application server authenticates all push | services require that the application server authenticate all push | |||
| messages using the Voluntary Application Server Identification | messages using the VAPID protocol [RFC8292]. To facilitate that, the | |||
| protocol [RFC8292]. To facilitate that, the client (or user agent in | client (or user agent in Web Push terminology) needs the VAPID public | |||
| WebPush terminology) needs the VAPID public key of the application | key of the application server to pass along to the push service when | |||
| server to pass it along to the push service when retrieving a new | retrieving a new endpoint. | |||
| endpoint. | ||||
| 2. Conventions Used in This Document | 2. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. These words may also appear in this | capitals, as shown here. | |||
| document in lower case as plain English words, absent their normative | ||||
| meanings. | ||||
| 3. Discovering Support for VAPID | 3. Discovering Support for VAPID | |||
| The JMAP capabilities object is returned as part of the standard JMAP | The JMAP capabilities object is returned as part of the standard JMAP | |||
| session object (see Section 2 of [RFC8620]). Servers supporting this | session object (see Section 2 of [RFC8620]). Servers supporting this | |||
| specification MUST add a property called | specification MUST add a property called | |||
| "urn:ietf:params:jmap:webpush-vapid" to the capabilities object. The | urn:ietf:params:jmap:webpush-vapid to the capabilities object. The | |||
| value of this property is an object that MUST contain the following | value of this property is an object that MUST contain the following | |||
| information: | information: | |||
| * applicationServerKey: "String" | applicationServerKey: "String" | |||
| The ECDSA public key that the push service will use to | The Elliptic Curve Digital Signature Algorithm (ECDSA) public key | |||
| authenticate the application server, in its uncompressed form (as | that the push service will use to authenticate the application | |||
| described in [X9.62] Annex A) and encoded using base64url encoding | server, in its uncompressed form (as described in Section 2.3.3 of | |||
| [RFC7515]. Current systems use the P-256 curve [FIPS186]. | [SEC1]) and encoded using base64url encoding [RFC7515]. Current | |||
| systems use the P-256 curve [FIPS186]. | ||||
| Informative Note: The format of the application server key was chosen | | Informative Note: The format of the application server key was | |||
| to ensure compatibility with the browser API ([PUSH-API], | | chosen to ensure compatibility with the browser API | |||
| Section 7.2), allowing the key to be directly copied and used without | | (Section 7.2 of [PUSH-API]), allowing the key to be directly | |||
| additional transformation. Additionally, as noted in [RFC8292], | | copied and used without additional transformation. | |||
| Section 3.2, the X9.62 encoding simplifies key comparisons and is | | Additionally, as noted in Section 3.2 of [RFC8292], the X9.62 | |||
| more compact than alternative formats. | | encoding (which is compatible with SEC1 encoding) simplifies | |||
| | key comparisons and is more compact than alternative formats. | ||||
| 4. Issuing Push Notifications | 4. Issuing Push Notifications | |||
| Every time the server sends a push message to a PushSubscription URL | Every time the server sends a push message to a PushSubscription URL, | |||
| it MUST authenticate the POST request using the protocol outlined in | it MUST authenticate the POST request using the protocol outlined in | |||
| [RFC8292]. This includes both StateChange events and | [RFC8292]. This includes both StateChange events and | |||
| PushVerification notifications. To authenticate the request, the | PushVerification notifications. To authenticate the request, the | |||
| server MUST use a JWT signed by the private key corresponding to the | server MUST use a JSON Web Token (JWT) signed by the private key | |||
| application server key. This application server key MUST be the one | corresponding to the application server key. This application server | |||
| that was advertised in the capabilities object at the time the | key MUST be the one that was advertised in the capabilities object at | |||
| PushSubscription was created. | the time the PushSubscription was created. | |||
| 5. Key Rotation | 5. Key Rotation | |||
| When a server needs to replace its VAPID key, it MUST update the | When a server needs to replace its VAPID key, it MUST update the | |||
| sessionState per [RFC8620]. The client MUST monitor the JMAP session | sessionState per [RFC8620]. The client MUST monitor the JMAP session | |||
| object for changes to the VAPID key and MUST recreate its push | object for changes to the VAPID key and MUST recreate its push | |||
| subscription when it detects such a change. | subscription when it detects such a change. | |||
| After key rotation, the server MAY continue to send push | After key rotation, the server MAY continue to send push | |||
| notifications for existing push subscriptions using the old | notifications for existing push subscriptions using the old | |||
| skipping to change at page 4, line 11 ¶ | skipping to change at line 143 ¶ | |||
| prompts the client to make a PushSubscription/changes method call. | prompts the client to make a PushSubscription/changes method call. | |||
| The response to this call will contain an updated sessionState, which | The response to this call will contain an updated sessionState, which | |||
| refers to a session object that contains the new VAPID key. | refers to a session object that contains the new VAPID key. | |||
| A race condition can occur when the server updates its VAPID key | A race condition can occur when the server updates its VAPID key | |||
| after the client has refreshed the session object but before calling | after the client has refreshed the session object but before calling | |||
| the PushSubscription/set method. This situation causes the server to | the PushSubscription/set method. This situation causes the server to | |||
| send a PushVerification object to a push resource URL that is now | send a PushVerification object to a push resource URL that is now | |||
| associated with an outdated VAPID key. Consequently, the push | associated with an outdated VAPID key. Consequently, the push | |||
| service will reject the PushVerification with a 403 (Forbidden) | service will reject the PushVerification with a 403 (Forbidden) | |||
| status code, as specified in [RFC8292]. | status code, as specified in Section 4.2 of [RFC8292]. | |||
| To alleviate this problem, the client MUST check if the sessionState | To alleviate this problem, the client MUST check if the sessionState | |||
| in the response from the PushSubscription/set method points to a | in the response from the PushSubscription/set method points to a | |||
| session object with an applicationServerKey that matches their | session object with an applicationServerKey that matches their | |||
| expectations. If there is a mismatch, the client MAY retry creating | expectations. If there is a mismatch, the client MAY retry creating | |||
| the PushSubscription. Additionally, the client MAY destroy the | the PushSubscription. Additionally, the client MAY destroy the | |||
| PushSubscription from the earlier, failed attempt. | PushSubscription from the earlier, failed attempt. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| During the key rotation process, synchronization issues between the | During the key rotation process, synchronization issues between the | |||
| client and server may arise. Specifically, a client might restrict a | client and server may arise. Specifically, a client might restrict a | |||
| push subscription with the push service to an outdated key, while the | push subscription with the push service to an outdated key, while the | |||
| server sends the PushVerification object authenticated with the newly | server sends the PushVerification object authenticated with the newly | |||
| rotated key. This mismatch leads to the push service rejecting the | rotated key. This mismatch leads to the push service rejecting the | |||
| PushVerification request with HTTP status code 403, as specified in | PushVerification request with a 403 (Forbidden) status code, as | |||
| [RFC8292], Section 4.2. | specified in Section 4.2 of [RFC8292]. | |||
| Per the requirements of [RFC8620], Section 7.2, the server MUST NOT | Per the requirements of Section 7.2 of [RFC8620], the server MUST NOT | |||
| retry the rejected PushVerification request. Consequently, the | retry the rejected PushVerification request. Consequently, the | |||
| PushVerification object will not be delivered to the client. | PushVerification object will not be delivered to the client. | |||
| To mitigate such issues, the client is responsible for detecting and | To mitigate such issues, the client is responsible for detecting and | |||
| resolving any synchronization discrepancies, as outlined in the 'Key | resolving any synchronization discrepancies, as outlined in Section 5 | |||
| Rotation' section of this document. | of this document. | |||
| The inclusion of the urn:ietf:params:jmap:webpush-vapid property in | The inclusion of the urn:ietf:params:jmap:webpush-vapid property in | |||
| the JMAP capabilities object is limited to providing information | the JMAP capabilities object is limited to providing information | |||
| about the server's support for Voluntary Application Server | about the server's support for VAPID. This property does not reveal | |||
| Identification (VAPID). This property does not reveal sensitive | sensitive information, nor does it introduce new security or privacy | |||
| information, nor does it introduce new security or privacy risks | risks beyond those inherent to JMAP and Web Push. The security | |||
| beyond those inherent to JMAP and WebPush. The security | considerations for JMAP [RFC8620] (especially Sections 8.6 and 8.7), | |||
| considerations for JMAP ([RFC8620], especially Section 8.6 and | Web Push [RFC8030], and VAPID [RFC8292] apply to this document. | |||
| Section 8.7 of that document), WebPush ([RFC8030]) and VAPID | ||||
| ([RFC8292]) apply to this document. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. Registration of the JMAP Capability for VAPID | ||||
| This specification requests IANA to register a new capability in the | 7.1. Registration of the JMAP Capability for VAPID | |||
| JMAP Capabilities registry with the following data: | ||||
| Capability Name: urn:ietf:params:jmap:webpush-vapid | ||||
| Specification document: this document | ||||
| Intended use: common | ||||
| Change Controller: IETF | IANA has registered the following new capability in the "JMAP | |||
| Capabilities" registry: | ||||
| Security and privacy considerations: this document, Section 6 | Capability Name: urn:ietf:params:jmap:webpush-vapid | |||
| Intended Use: common | ||||
| Change Controller: IETF | ||||
| Security and Privacy Considerations: RFC 9749, Section 6 | ||||
| Reference: RFC 9749 | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [FIPS186] National Institute of Standards and Technology (NIST), | [FIPS186] NIST, "Digital Signature Standard (DSS)", NIST FIPS 186-5, | |||
| "Digital Signature Standard (DSS)", FIPS 186-4, July 2013, | DOI 10.6028/NIST.FIPS.186-5, February 2023, | |||
| <https://doi.org/10.6028/NIST.FIPS.186-4>. | <https://doi.org/10.6028/NIST.FIPS.186-5>. | |||
| [X9.62] American National Standards Institute, "Public Key | [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | |||
| Cryptography for the Financial Services Industry: The | Elliptic Curve Cryptography", Version 2.0, May 2009, | |||
| Elliptic Curve Digital Signature Algorithm (ECDSA)", | <http://www.secg.org/sec1-v2.pdf>. | |||
| ANSI X9.62-2005, November 2005. | ||||
| [RFC8620] Jenkins, N. and C. Newman, "The JSON Meta Application | [RFC8620] Jenkins, N. and C. Newman, "The JSON Meta Application | |||
| Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620, July | Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620, July | |||
| 2019, <https://www.rfc-editor.org/info/rfc8620>. | 2019, <https://www.rfc-editor.org/info/rfc8620>. | |||
| [RFC8030] Thomson, M., Damaggio, E., and B. Raymor, Ed., "Generic | [RFC8030] Thomson, M., Damaggio, E., and B. Raymor, Ed., "Generic | |||
| Event Delivery Using HTTP Push", RFC 8030, | Event Delivery Using HTTP Push", RFC 8030, | |||
| DOI 10.17487/RFC8030, December 2016, | DOI 10.17487/RFC8030, December 2016, | |||
| <https://www.rfc-editor.org/info/rfc8030>. | <https://www.rfc-editor.org/info/rfc8030>. | |||
| skipping to change at page 6, line 15 ¶ | skipping to change at line 232 ¶ | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | |||
| 2015, <https://www.rfc-editor.org/info/rfc7515>. | 2015, <https://www.rfc-editor.org/info/rfc7515>. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [PUSH-API] Peter Beverloo, Martin Thomson, and Marcos Caceres, "Push | [PUSH-API] Beverloo, P., Ed., Thomson, M., Ed., and M. Caceres, Ed., | |||
| API", September 2024, <https://www.w3.org/TR/push-api/>. | "Push API", W3C Working Draft, September 2024, | |||
| <https://www.w3.org/TR/push-api/>. | ||||
| Author's Address | Author's Address | |||
| Daniel Gultsch | Daniel Gultsch | |||
| Email: daniel@gultsch.de | Email: daniel@gultsch.de | |||
| End of changes. 27 change blocks. | ||||
| 100 lines changed or deleted | 93 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||