draft-ietf-rtcweb-security-arch-05.txt   draft-ietf-rtcweb-security-arch-06.txt 
RTCWEB E. Rescorla RTCWEB E. Rescorla
Internet-Draft RTFM, Inc. Internet-Draft RTFM, Inc.
Intended status: Standards Track October 22, 2012 Intended status: Standards Track January 22, 2013
Expires: April 25, 2013 Expires: July 26, 2013
RTCWEB Security Architecture RTCWEB Security Architecture
draft-ietf-rtcweb-security-arch-05 draft-ietf-rtcweb-security-arch-06
Abstract Abstract
The Real-Time Communications on the Web (RTCWEB) working group is The Real-Time Communications on the Web (RTCWEB) working group is
tasked with standardizing protocols for enabling real-time tasked with standardizing protocols for enabling real-time
communications within user-agents using web technologies (e.g communications within user-agents using web technologies (e.g
JavaScript). The major use cases for RTCWEB technology are real-time JavaScript). The major use cases for RTCWEB technology are real-time
audio and/or video calls, Web conferencing, and direct data transfer. audio and/or video calls, Web conferencing, and direct data transfer.
Unlike most conventional real-time systems (e.g., SIP-based soft Unlike most conventional real-time systems (e.g., SIP-based soft
phones) RTCWEB communications are directly controlled by some Web phones) RTCWEB communications are directly controlled by some Web
skipping to change at page 2, line 8 skipping to change at page 2, line 8
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2013. This Internet-Draft will expire on July 26, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 8 skipping to change at page 3, line 8
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Authenticated Entities . . . . . . . . . . . . . . . . . . 6 3.1. Authenticated Entities . . . . . . . . . . . . . . . . . . 7
3.2. Unauthenticated Entities . . . . . . . . . . . . . . . . . 6 3.2. Unauthenticated Entities . . . . . . . . . . . . . . . . . 7
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Initial Signaling . . . . . . . . . . . . . . . . . . . . 8 4.1. Initial Signaling . . . . . . . . . . . . . . . . . . . . 10
4.2. Media Consent Verification . . . . . . . . . . . . . . . . 10 4.2. Media Consent Verification . . . . . . . . . . . . . . . . 12
4.3. DTLS Handshake . . . . . . . . . . . . . . . . . . . . . . 10 4.3. DTLS Handshake . . . . . . . . . . . . . . . . . . . . . . 13
4.4. Communications and Consent Freshness . . . . . . . . . . . 11 4.4. Communications and Consent Freshness . . . . . . . . . . . 13
5. Detailed Technical Description . . . . . . . . . . . . . . . . 11 5. Detailed Technical Description . . . . . . . . . . . . . . . . 14
5.1. Origin and Web Security Issues . . . . . . . . . . . . . . 11 5.1. Origin and Web Security Issues . . . . . . . . . . . . . . 14
5.2. Device Permissions Model . . . . . . . . . . . . . . . . . 12 5.2. Device Permissions Model . . . . . . . . . . . . . . . . . 14
5.3. Communications Consent . . . . . . . . . . . . . . . . . . 13 5.3. Communications Consent . . . . . . . . . . . . . . . . . . 16
5.4. IP Location Privacy . . . . . . . . . . . . . . . . . . . 14 5.4. IP Location Privacy . . . . . . . . . . . . . . . . . . . 17
5.5. Communications Security . . . . . . . . . . . . . . . . . 15 5.5. Communications Security . . . . . . . . . . . . . . . . . 18
5.6. Web-Based Peer Authentication . . . . . . . . . . . . . . 16 5.6. Web-Based Peer Authentication . . . . . . . . . . . . . . 19
5.6.1. Trust Relationships: IdPs, APs, and RPs . . . . . . . 17 5.6.1. Trust Relationships: IdPs, APs, and RPs . . . . . . . 20
5.6.2. Overview of Operation . . . . . . . . . . . . . . . . 18 5.6.2. Overview of Operation . . . . . . . . . . . . . . . . 21
5.6.3. Items for Standardization . . . . . . . . . . . . . . 20 5.6.3. Items for Standardization . . . . . . . . . . . . . . 23
5.6.4. Binding Identity Assertions to JSEP Offer/Answer 5.6.4. Binding Identity Assertions to JSEP Offer/Answer
Transactions . . . . . . . . . . . . . . . . . . . . . 20 Transactions . . . . . . . . . . . . . . . . . . . . . 23
5.6.4.1. Input to Assertion Generation Process . . . . . . 20 5.6.4.1. Input to Assertion Generation Process . . . . . . 23
5.6.4.2. Carrying Identity Assertions . . . . . . . . . . . 21 5.6.4.2. Carrying Identity Assertions . . . . . . . . . . . 24
5.6.5. IdP Interaction Details . . . . . . . . . . . . . . . 21 5.6.5. IdP Interaction Details . . . . . . . . . . . . . . . 24
5.6.5.1. General Message Structure . . . . . . . . . . . . 21 5.6.5.1. General Message Structure . . . . . . . . . . . . 24
5.6.5.2. IdP Proxy Setup . . . . . . . . . . . . . . . . . 22 5.6.5.2. IdP Proxy Setup . . . . . . . . . . . . . . . . . 25
5.7. Security Considerations . . . . . . . . . . . . . . . . . 27 5.7. Security Considerations . . . . . . . . . . . . . . . . . 30
5.7.1. Communications Security . . . . . . . . . . . . . . . 27 5.7.1. Communications Security . . . . . . . . . . . . . . . 30
5.7.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . 28 5.7.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . 31
5.7.3. Denial of Service . . . . . . . . . . . . . . . . . . 29 5.7.3. Denial of Service . . . . . . . . . . . . . . . . . . 32
5.7.4. IdP Authentication Mechanism . . . . . . . . . . . . . 30 5.7.4. IdP Authentication Mechanism . . . . . . . . . . . . . 33
5.7.4.1. PeerConnection Origin Check . . . . . . . . . . . 30 5.7.4.1. PeerConnection Origin Check . . . . . . . . . . . 33
5.7.4.2. IdP Well-known URI . . . . . . . . . . . . . . . . 30 5.7.4.2. IdP Well-known URI . . . . . . . . . . . . . . . . 34
5.7.4.3. Privacy of IdP-generated identities and the 5.7.4.3. Privacy of IdP-generated identities and the
hosting site . . . . . . . . . . . . . . . . . . . 30 hosting site . . . . . . . . . . . . . . . . . . . 34
5.7.4.4. Security of Third-Party IdPs . . . . . . . . . . . 31 5.7.4.4. Security of Third-Party IdPs . . . . . . . . . . . 34
5.7.4.5. Web Security Feature Interactions . . . . . . . . 31 5.7.4.5. Web Security Feature Interactions . . . . . . . . 35
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 32 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 35
7. Changes since -03 . . . . . . . . . . . . . . . . . . . . . . 32 7. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
8. Changes since -03 . . . . . . . . . . . . . . . . . . . . . . 32 7.1. Changes since -05 . . . . . . . . . . . . . . . . . . . . 36
9. Changes since -02 . . . . . . . . . . . . . . . . . . . . . . 32 7.2. Changes since -03 . . . . . . . . . . . . . . . . . . . . 36
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32 7.3. Changes since -03 . . . . . . . . . . . . . . . . . . . . 36
10.1. Normative References . . . . . . . . . . . . . . . . . . . 32 7.4. Changes since -02 . . . . . . . . . . . . . . . . . . . . 36
10.2. Informative References . . . . . . . . . . . . . . . . . . 33 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Appendix A. Example IdP Bindings to Specific Protocols . . . . . 34 8.1. Normative References . . . . . . . . . . . . . . . . . . . 36
A.1. BrowserID . . . . . . . . . . . . . . . . . . . . . . . . 34 8.2. Informative References . . . . . . . . . . . . . . . . . . 37
A.2. OAuth . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Appendix A. Example IdP Bindings to Specific Protocols . . . . . 38
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 38 A.1. BrowserID . . . . . . . . . . . . . . . . . . . . . . . . 38
A.2. OAuth . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 42
1. Introduction 1. Introduction
The Real-Time Communications on the Web (RTCWEB) working group is The Real-Time Communications on the Web (RTCWEB) working group is
tasked with standardizing protocols for real-time communications tasked with standardizing protocols for real-time communications
between Web browsers. The major use cases for RTCWEB technology are between Web browsers. The major use cases for RTCWEB technology are
real-time audio and/or video calls, Web conferencing, and direct data real-time audio and/or video calls, Web conferencing, and direct data
transfer. Unlike most conventional real-time systems, (e.g., SIP- transfer. Unlike most conventional real-time systems, (e.g., SIP-
based[RFC3261] soft phones) RTCWEB communications are directly based[RFC3261] soft phones) RTCWEB communications are directly
controlled by some Web server, as shown in Figure 1. controlled by some Web server, as shown in Figure 1.
skipping to change at page 5, line 35 skipping to change at page 5, line 35
v v v v
JS API JS API JS API JS API
+-----------+ +-----------+ +-----------+ +-----------+
| | Media | | | | Media | |
| Browser |<---------->| Browser | | Browser |<---------->| Browser |
| | | | | | | |
+-----------+ +-----------+ +-----------+ +-----------+
Figure 1: A simple RTCWEB system Figure 1: A simple RTCWEB system
A more complicated system might allow for interdomain calling, as
shown in Figure 2. The protocol to be used between the domains is
not standardized by RTCWEB, but given the installed base and the form
of the RTCWEB API is likely to be something SDP-based like SIP or
XMPP.
+--------------+ +--------------+
| | SIP,XMPP,...| |
| Web Server |<----------->| Web Server |
| | | |
+--------------+ +--------------+
^ ^
| |
HTTP | | HTTP
| |
v v
JS API JS API
+-----------+ +-----------+
| | Media | |
| Browser |<---------------->| Browser |
| | | |
+-----------+ +-----------+
Figure 2: A multidomain RTCWEB system
This system presents a number of new security challenges, which are This system presents a number of new security challenges, which are
analyzed in [I-D.ietf-rtcweb-security]. This document describes a analyzed in [I-D.ietf-rtcweb-security]. This document describes a
security architecture for RTCWEB which addresses the threats and security architecture for RTCWEB which addresses the threats and
requirements described in that document. requirements described in that document.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
skipping to change at page 7, line 24 skipping to change at page 8, line 14
media privacy with the minimal level of trust in the calling service. media privacy with the minimal level of trust in the calling service.
Simpler versions with lower levels of security are also possible and Simpler versions with lower levels of security are also possible and
are noted in the text where applicable. It's also important to are noted in the text where applicable. It's also important to
recognize the tension between security (or performance) and privacy. recognize the tension between security (or performance) and privacy.
The example shown here is aimed towards settings where we are more The example shown here is aimed towards settings where we are more
concerned about secure calling than about privacy, but as we shall concerned about secure calling than about privacy, but as we shall
see, there are settings where one might wish to make different see, there are settings where one might wish to make different
tradeoffs--this architecture is still compatible with those settings. tradeoffs--this architecture is still compatible with those settings.
For the purposes of this example, we assume the topology shown in the For the purposes of this example, we assume the topology shown in the
figure below. This topology is derived from the topology shown in figures below. This topology is derived from the topology shown in
Figure 1, but separates Alice and Bob's identities from the process Figure 1, but separates Alice and Bob's identities from the process
of signaling. Specifically, Alice and Bob have relationships with of signaling. Specifically, Alice and Bob have relationships with
some Identity Provider (IdP) that supports a protocol such OpenID or some Identity Provider (IdP) that supports a protocol such as OpenID
BrowserID) that can be used to attest to their identity. This or BrowserID) that can be used to demonstrate their identity to other
separation isn't particularly important in "closed world" cases where parties. For instance, Alice might have an account with a social
Alice and Bob are users on the same social network and have network which she can then use to authenticate to other web sites
identities based on that network. However, there are important without explicitly having an account with those sites; this is a
settings where that is not the case, such as federation (calls from fairly conventional pattern on the Web. Section 5.6.1 provides an
one network to another) and calling on untrusted sites, such as where overview of Identity Providers and the relevant terminology.
two users who have a relationship via a given social network want to
call each other on another, untrusted, site, such as a poker site. This separation of identity provision and signaling isn't
particularly important in "closed world" cases where Alice and Bob
are users on the same social network and have identities based on
that domain (Figure 3) However, there are important settings where
that is not the case, such as federation (calls from one domain to
another; Figure 4) and calling on untrusted sites, such as where two
users who have a relationship via a given social network want to call
each other on another, untrusted, site, such as a poker site.
Note that the servers themselves are also authenticated by an
external identity service, the SSL/TLS certificate infrastructure
(not shown). As is conventional in the Web, all identities are
ultimately rooted that system. For instance, when an IdP makes an
identity assertion, the Relying Party consuming that assertion is
able to verify because it is able to connect to the IdP via HTTPS.
+----------------+ +----------------+
| | | |
| Signaling | | Signaling |
| Server | | Server |
| | | |
+----------------+ +----------------+
^ ^ ^ ^
/ \ / \
HTTPS / \ HTTPS HTTPS / \ HTTPS
skipping to change at page 8, line 32 skipping to change at page 9, line 32
+-----------+ +-----------+ +-----------+ +-----------+
^ ^--+ +--^ ^ ^ ^--+ +--^ ^
| | | | | | | |
v | | v v | | v
+-----------+ | | +-----------+ +-----------+ | | +-----------+
| |<--------+ | | | |<--------+ | |
| IdP | | | IdP | | IdP | | | IdP |
| | +------->| | | | +------->| |
+-----------+ +-----------+ +-----------+ +-----------+
Figure 2: A call with IdP-based identity Figure 3: A call with IdP-based identity
Figure 4 shows essentially the same calling scenario but with a call
between two separate domains (i.e., a federated case). As mentioned
above, the domains communicate by some unspecified protocol and
providing separate signaling and identity allows for calls to be
authenticated regardless of the details of the inter-domain protocol.
+----------------+ Unspecified +----------------+
| | protocol | |
| Signaling |<----------------->| Signaling |
| Server | (SIP, XMPP, ...) | Server |
| | | |
+----------------+ +----------------+
^ ^
| |
HTTPS | | HTTPS
| |
| |
v v
JS API JS API
+-----------+ +-----------+
| | Media | |
Alice | Browser |<--------------------------->| Browser | Bob
| | DTLS-SRTP | |
+-----------+ +-----------+
^ ^--+ +--^ ^
| | | |
v | | v
+-----------+ | | +-----------+
| |<-------------------------+ | |
| IdP | | | IdP |
| | +------------------------>| |
+-----------+ +-----------+
Figure 4: A federated call with IdP-based identity
4.1. Initial Signaling 4.1. Initial Signaling
Alice and Bob are both users of a common calling service; they both For simplicity, assume the topology in Figure 3. Alice and Bob are
have approved the calling service to make calls (we defer the both users of a common calling service; they both have approved the
discussion of device access permissions till later). They are both calling service to make calls (we defer the discussion of device
connected to the calling service via HTTPS and so know the origin access permissions till later). They are both connected to the
with some level of confidence. They also have accounts with some calling service via HTTPS and so know the origin with some level of
identity provider. This sort of identity service is becoming confidence. They also have accounts with some identity provider.
increasingly common in the Web environment in technologies such This sort of identity service is becoming increasingly common in the
(BrowserID, Federated Google Login, Facebook Connect, OAuth, OpenID, Web environment in technologies such (BrowserID, Federated Google
WebFinger), and is often provided as a side effect service of your Login, Facebook Connect, OAuth, OpenID, WebFinger), and is often
ordinary accounts with some service. In this example, we show Alice provided as a side effect service of a user's ordinary accounts with
and Bob using a separate identity service, though they may actually some service. In this example, we show Alice and Bob using a
be using the same identity service as calling service or have no separate identity service, though the identity service may be the
identity service at all. same entity as the calling service or there may be no identity
service at all.
Alice is logged onto the calling service and decides to call Bob. She Alice is logged onto the calling service and decides to call Bob. She
can see from the calling service that he is online and the calling can see from the calling service that he is online and the calling
service presents a JS UI in the form of a button next to Bob's name service presents a JS UI in the form of a button next to Bob's name
which says "Call". Alice clicks the button, which initiates a JS which says "Call". Alice clicks the button, which initiates a JS
callback that instantiates a PeerConnection object. This does not callback that instantiates a PeerConnection object. This does not
require a security check: JS from any origin is allowed to get this require a security check: JS from any origin is allowed to get this
far. far.
Once the PeerConnection is created, the calling service JS needs to Once the PeerConnection is created, the calling service JS needs to
skipping to change at page 9, line 22 skipping to change at page 11, line 23
to a video input. At this point the first security check is to a video input. At this point the first security check is
required: untrusted origins are not allowed to access the camera and required: untrusted origins are not allowed to access the camera and
microphone. In this case, because Alice is a long-term user of the microphone. In this case, because Alice is a long-term user of the
calling service, she has made a permissions grant (i.e., a setting in calling service, she has made a permissions grant (i.e., a setting in
the browser) to allow the calling service to access her camera and the browser) to allow the calling service to access her camera and
microphone any time it wants. The browser checks this setting when microphone any time it wants. The browser checks this setting when
the camera and microphone requests are made and thus allows them. the camera and microphone requests are made and thus allows them.
In the current W3C API, once some streams have been added, Alice's In the current W3C API, once some streams have been added, Alice's
browser + JS generates a signaling message [I-D.ietf-rtcweb-jsep] browser + JS generates a signaling message [I-D.ietf-rtcweb-jsep]
contianing: containing:
o Media channel information o Media channel information
o ICE candidates o ICE candidates
o A fingerprint attribute binding the communication to Alice's o A fingerprint attribute binding the communication to a key pair
public key [RFC5763] [RFC5763]. Note that this key may simply be ephemerally generated
for this call or specific to this domain, and Alice may have a
large number of such keys.
Prior to sending out the signaling message, the PeerConnection code Prior to sending out the signaling message, the PeerConnection code
contacts the identity service and obtains an assertion binding contacts the identity service and obtains an assertion binding
Alice's identity to her fingerprint. The exact details depend on the Alice's identity to her fingerprint. The exact details depend on the
identity service (though as discussed in Section 5.6 PeerConnection identity service (though as discussed in Section 5.6 PeerConnection
can be agnostic to them), but for now it's easiest to think of as a can be agnostic to them), but for now it's easiest to think of as a
BrowserID assertion. The assertion may bind other information to the BrowserID assertion. The assertion may bind other information to the
identity besides the fingerprint, but at minimum it needs to bind the identity besides the fingerprint, but at minimum it needs to bind the
fingerprint. fingerprint.
This message is sent to the signaling server, e.g., by XMLHttpRequest This message is sent to the signaling server, e.g., by XMLHttpRequest
[XmlHttpRequest] or by WebSockets [RFC6455] The signaling server [XmlHttpRequest] or by WebSockets [RFC6455] The signaling server
processes the message from Alice's browser, determines that this is a processes the message from Alice's browser, determines that this is a
call to Bob and sends a signaling message to Bob's browser (again, call to Bob and sends a signaling message to Bob's browser (again,
the format is currently undefined). The JS on Bob's browser the format is currently undefined). The JS on Bob's browser
processes it, and alerts Bob to the incoming call and to Alice's processes it, and alerts Bob to the incoming call and to Alice's
identity. In this case, Alice has provided an identity assertion and identity. In this case, Alice has provided an identity assertion and
so Bob's browser contacts Alice's identity provider (again, this is so Bob's browser contacts Alice's identity provider (again, this is
done in a generic way so the browser has no specific knowledge of the done in a generic way so the browser has no specific knowledge of the
IdP) to verify the assertion. This allows the browser to display a IdP) to verify the assertion. This allows the browser to display a
trusted element indicating that a call is coming in from Alice. If trusted element in the browser chrome indicating that a call is
Alice is in Bob's address book, then this interface might also coming in from Alice. If Alice is in Bob's address book, then this
include her real name, a picture, etc. The calling site will also interface might also include her real name, a picture, etc. The
provide some user interface element (e.g., a button) to allow Bob to calling site will also provide some user interface element (e.g., a
answer the call, though this is most likely not part of the trusted button) to allow Bob to answer the call, though this is most likely
UI. not part of the trusted UI.
If Bob agrees [I am ignoring early media for now], a PeerConnection If Bob agrees [I am ignoring early media for now], a PeerConnection
is instantiated with the message from Alice's side. Then, a similar is instantiated with the message from Alice's side. Then, a similar
process occurs as on Alice's browser: Bob's browser verifies that process occurs as on Alice's browser: Bob's browser verifies that
the calling service is approved, the media streams are created, and a the calling service is approved, the media streams are created, and a
return signaling message containing media information, ICE return signaling message containing media information, ICE
candidates, and a fingerprint is sent back to Alice via the signaling candidates, and a fingerprint is sent back to Alice via the signaling
service. If Bob has a relationship with an IdP, the message will service. If Bob has a relationship with an IdP, the message will
also come with an identity assertion. also come with an identity assertion.
At this point, Alice and Bob each know that the other party wants to At this point, Alice and Bob each know that the other party wants to
have a secure call with them. Based purely on the interface provided have a secure call with them. Based purely on the interface provided
by the signaling server, they know that the signaling server claims by the signaling server, they know that the signaling server claims
that the call is from Alice to Bob. Because the far end sent an that the call is from Alice to Bob. This level of security is
identity assertion along with their message, they know that this is provided merely by having the fingerprint in the message and having
verifiable from the IdP as well. Of course, the call works perfectly that message received securely from the signaling server. Because
well if either Alice or Bob doesn't have a relationship with an IdP; the far end sent an identity assertion along with their message, they
they just get a lower level of assurance. Moreover, Alice might wish know that this is verifiable from the IdP as well. Note that if the
to make an anonymous call through an anonymous calling site, in which call is federated, as shown in Figure 4 then Alice is able to verify
case she would of course just not provide any identity assertion and Bob's identity in a way that is not mediated by either her signaling
the calling site would mask her identity from Bob. server or Bob's. Rather, she verifies it directly with Bob's IdP.
Of course, the call works perfectly well if either Alice or Bob
doesn't have a relationship with an IdP; they just get a lower level
of assurance. I.e., they simply have whatever information their
calling site claims about the caller/calllee's identity. Moreover,
Alice might wish to make an anonymous call through an anonymous
calling site, in which case she would of course just not provide any
identity assertion and the calling site would mask her identity from
Bob.
4.2. Media Consent Verification 4.2. Media Consent Verification
As described in ([I-D.ietf-rtcweb-security]; Section 4.2) This As described in ([I-D.ietf-rtcweb-security]; Section 4.2) media
proposal specifies that media consent verification be performed via consent verification is provided via ICE. Thus, Alice and Bob
ICE. Thus, Alice and Bob perform ICE checks with each other. At the perform ICE checks with each other. At the completion of these
completion of these checks, they are ready to send non-ICE data. checks, they are ready to send non-ICE data.
At this point, Alice knows that (a) Bob (assuming he is verified via At this point, Alice knows that (a) Bob (assuming he is verified via
his IdP) or someone else who the signaling service is claiming is Bob his IdP) or someone else who the signaling service is claiming is Bob
is willing to exchange traffic with her and (b) that either Bob is at is willing to exchange traffic with her and (b) that either Bob is at
the IP address which she has verified via ICE or there is an attacker the IP address which she has verified via ICE or there is an attacker
who is on-path to that IP address detouring the traffic. Note that who is on-path to that IP address detouring the traffic. Note that
it is not possible for an attacker who is on-path but not attached to it is not possible for an attacker who is on-path between Alice and
the signaling service to spoof these checks because they do not have Bob but not attached to the signaling service to spoof these checks
the ICE credentials. Bob's security guarantees with respect to Alice because they do not have the ICE credentials. Bob's has the same
are the converse of this. security guarantees with respect to Alice.
4.3. DTLS Handshake 4.3. DTLS Handshake
Once the ICE checks have completed [more specifically, once some ICE Once the ICE checks have completed [more specifically, once some ICE
checks have completed], Alice and Bob can set up a secure channel. checks have completed], Alice and Bob can set up a secure channel.
This is performed via DTLS [RFC4347] (for the data channel) and DTLS- This is performed via DTLS [RFC4347] (for the data channel) and DTLS-
SRTP [RFC5763] for the media channel. Specifically, Alice and Bob SRTP [RFC5763] for the media channel. Specifically, Alice and Bob
perform a DTLS handshake on every channel which has been established perform a DTLS handshake on every channel which has been established
by ICE. The total number of channels depends on the amount of by ICE. The total number of channels depends on the amount of
muxing; in the most likely case we are using both RTP/RTCP mux and muxing; in the most likely case we are using both RTP/RTCP mux and
muxing multiple media streams on the same channel, in which case muxing multiple media streams on the same channel, in which case
there is only one DTLS handshake. Once the DTLS handshake has there is only one DTLS handshake. Once the DTLS handshake has
completed, the keys are exported [RFC5705] and used to key SRTP for completed, the keys are exported [RFC5705] and used to key SRTP for
the media channels. the media channels.
At this point, Alice and Bob know that they share a set of secure At this point, Alice and Bob know that they share a set of secure
data and/or media channels with keys which are not known to any data and/or media channels with keys which are not known to any
third-party attacker. If Alice and Bob authenticated via their IdPs, third-party attacker. If Alice and Bob authenticated via their IdPs,
then they also know that the signaling service is not attacking them. then they also know that the signaling service is not mounting a man-
Even if they do not use an IdP, as long as they have minimal trust in in-the-middle attack on theor traffic. Even if they do not use an
the signaling service not to perform a man-in-the-middle attack, they IdP, as long as they have minimal trust in the signaling service not
know that their communications are secure against the signaling to perform a man-in-the-middle attack, they know that their
service as well. communications are secure against the signaling service as well
(i.e., that the signaling service cannot mount a passive attack on
the communications).
4.4. Communications and Consent Freshness 4.4. Communications and Consent Freshness
From a security perspective, everything from here on in is a little From a security perspective, everything from here on in is a little
anticlimactic: Alice and Bob exchange data protected by the keys anticlimactic: Alice and Bob exchange data protected by the keys
negotiated by DTLS. Because of the security guarantees discussed in negotiated by DTLS. Because of the security guarantees discussed in
the previous sections, they know that the communications are the previous sections, they know that the communications are
encrypted and authenticated. encrypted and authenticated.
The one remaining security property we need to establish is "consent The one remaining security property we need to establish is "consent
freshness", i.e., allowing Alice to verify that Bob is still prepared freshness", i.e., allowing Alice to verify that Bob is still prepared
to receive her communications. ICE specifies periodic STUN to receive her communications so that Alice does not continue to send
keepalizes but only if media is not flowing. Because the consent large traffic volumes to entities which went abruptly offline. ICE
issue is more difficult here, we require RTCWeb implementations to specifies periodic STUN keepalizes but only if media is not flowing.
periodically send keepalives. As described in Section 5.3, these Because the consent issue is more difficult here, we require RTCWeb
keepalives MUST be based on the consent freshness mechanism specified implementations to periodically send keepalives. As described in
in [I-D.muthu-behave-consent-freshness]. If a keepalive fails and no Section 5.3, these keepalives MUST be based on the consent freshness
new ICE channels can be established, then the session is terminated. mechanism specified in [I-D.muthu-behave-consent-freshness]. If a
keepalive fails and no new ICE channels can be established, then the
session is terminated.
5. Detailed Technical Description 5. Detailed Technical Description
5.1. Origin and Web Security Issues 5.1. Origin and Web Security Issues
The basic unit of permissions for RTCWEB is the origin [RFC6454]. The basic unit of permissions for RTCWEB is the origin [RFC6454].
Because the security of the origin depends on being able to Because the security of the origin depends on being able to
authenticate content from that origin, the origin can only be authenticate content from that origin, the origin can only be
securely established if data is transferred over HTTPS [RFC2818]. securely established if data is transferred over HTTPS [RFC2818].
Thus, clients MUST treat HTTP and HTTPS origins as different Thus, clients MUST treat HTTP and HTTPS origins as different
permissions domains. [Note: this follows directly from the origin permissions domains. [Note: this follows directly from the origin
security model and is stated here merely for clarity.] security model and is stated here merely for clarity.]
Many web browsers currently forbid by default any active mixed Many web browsers currently forbid by default any active mixed
content on HTTPS pages. I.e., when JS is loaded from an HTTP origin content on HTTPS pages. That is, when JavaScript is loaded from an
onto an HTTPS page, an error is displayed and the content is not HTTP origin onto an HTTPS page, an error is displayed and the HTTP
executed unless the user overrides the error. Any browser which content is not executed unless the user overrides the error. Any
enforces such a policy will also not permit access to RTCWEB browser which enforces such a policy will also not permit access to
functionality from mixed content pages. It is RECOMMENDED that RTCWEB functionality from mixed content pages (because they never
browsers which allow active mixed content nevertheless disable RTCWEB display mixed content). It is RECOMMENDED that browsers which allow
functionality in mixed content settings. [[ OPEN ISSUE: Should this active mixed content nevertheless disable RTCWEB functionality in
be a 2119 MUST? It's not clear what set of conditions would make mixed content settings. [[ OPEN ISSUE: Should this be a 2119 MUST?
this OK, other than that browser manufacturers have traditionally It's not clear what set of conditions would make this OK, other than
been permissive here here.]] Note that it is possible for a page that browser manufacturers have traditionally been permissive here
which was not mixed content to become mixed content during the here.]] Note that it is possible for a page which was not mixed
duration of the call. Implementations MAY choose to terminate the content to become mixed content during the duration of the call.
call or display a warning at that point, but it is also permissible Implementations MAY choose to terminate the call or display a warning
to ignore this condition. This is a deliberate implementation at that point, but it is also permissible to ignore this condition.
complexity versus security tradeoff. [[ OPEN ISSUE:: Should we be The major risk here is that the newly arrived insecure JS might
more aggressive about this?]] redirect media to a location controlled by the attacker. This is a
deliberate implementation complexity versus security tradeoff. [[
OPEN ISSUE:: Should we be more aggressive about this?]]
5.2. Device Permissions Model 5.2. Device Permissions Model
Implementations MUST obtain explicit user consent prior to providing Implementations MUST obtain explicit user consent prior to providing
access to the camera and/or microphone. Implementations MUST at access to the camera and/or microphone. Implementations MUST at
minimum support the following two permissions models for HTTPS minimum support the following two permissions models for HTTPS
origins. origins.
o Requests for one-time camera/microphone access. o Requests for one-time camera/microphone access.
o Requests for permanent access. o Requests for permanent access.
Because HTTP origins cannot be securely established against network Because HTTP origins cannot be securely established against network
attackers, implementations MUST NOT allow the setting of permanent attackers, implementations MUST NOT allow the setting of permanent
access permissions for HTTP origins. Implementations MAY also opt to access permissions for HTTP origins. Implementations MAY also opt to
refuse all permissions grants for HTTP origins, but it is RECOMMENDED refuse all permissions grants for HTTP origins, but it is RECOMMENDED
that currently they support one-time camera/microphone access. that currently they support one-time camera/microphone access.
In addition, they SHOULD support requests for access to a single In addition, they SHOULD support requests for access that promise
communicating peer. E.g., "Call customerservice@ford.com". Browsers that media from this grant will be sent to a single communicating
peer (obviously there could be other requests for other peers).
E.g., "Call customerservice@ford.com". The semantics of this request
are that the media stream from the camera and microphone will only be
routed through a connection which has been cryptographically verified
(through the IdP mechanism or an X.509 certificate in the DTLS-SRTP
handshake) as being associated with the stated identity. Browsers
servicing such requests SHOULD clearly indicate that identity to the servicing such requests SHOULD clearly indicate that identity to the
user when asking for permission. user when asking for permission. The idea behind this type of
permissions is that a user might have a fairly narrow list of peers
he is willing to communicate with, e.g., "my mother" rather than
"anyone on Facebook". Narrow permissions grants allow the browser to
do that enforcement.
API Requirement: The API MUST provide a mechanism for the requesting API Requirement: The API MUST provide a mechanism for the requesting
JS to indicate which of these forms of permissions it is JS to indicate which of these forms of permissions it is
requesting. This allows the browser client to know what sort of requesting. This allows the browser client to know what sort of
user interface experience to provide to the user, including what user interface experience to provide to the user, including what
permissions to request from the user and hence what to enforce permissions to request from the user and hence what to enforce
later. For instance, browsers might display a non-invasive door later. For instance, browsers might display a non-invasive door
hanger ("some features of this site may not work..." when asking hanger ("some features of this site may not work..." when asking
for long-term permissions) but a more invasive UI ("here is your for long-term permissions) but a more invasive UI ("here is your
own video") for single-call permissions. The API MAY grant weaker own video") for single-call permissions. The API MAY grant weaker
skipping to change at page 13, line 17 skipping to change at page 15, line 45
API Requirement: The API MUST provide a mechanism for the requesting API Requirement: The API MUST provide a mechanism for the requesting
JS to relinquish the ability to see or modify the media (e.g., via JS to relinquish the ability to see or modify the media (e.g., via
MediaStream.record()). Combined with secure authentication of the MediaStream.record()). Combined with secure authentication of the
communicating peer, this allows a user to be sure that the calling communicating peer, this allows a user to be sure that the calling
site is not accessing or modifying their conversion. site is not accessing or modifying their conversion.
UI Requirement: The UI MUST clearly indicate when the user's camera UI Requirement: The UI MUST clearly indicate when the user's camera
and microphone are in use. This indication MUST NOT be and microphone are in use. This indication MUST NOT be
suppressable by the JS and MUST clearly indicate how to terminate suppressable by the JS and MUST clearly indicate how to terminate
a call, and provide a UI means to immediately stop camera/ device access, and provide a UI means to immediately stop camera/
microphone input without the JS being able to prevent it. microphone input without the JS being able to prevent it.
UI Requirement: If the UI indication of camera/microphone use are UI Requirement: If the UI indication of camera/microphone use are
displayed in the browser such that minimizing the browser window displayed in the browser such that minimizing the browser window
would hide the indication, or the JS creating an overlapping would hide the indication, or the JS creating an overlapping
window would hide the indication, then the browser SHOULD stop window would hide the indication, then the browser SHOULD stop
camera and microphone input. [Note: this may not be necessary in camera and microphone input when the indication is hidden. [Note:
systems that are non-windows-based but that have good this may not be necessary in systems that are non-windows-based
notifications support, such as phones.] but that have good notifications support, such as phones.]
Clients MAY permit the formation of data channels without any direct Clients MAY permit the formation of data channels without any direct
user approval. Because sites can always tunnel data through the user approval. Because sites can always tunnel data through the
server, further restrictions on the data channel do not provide any server, further restrictions on the data channel do not provide any
additional security. (though see Section 5.3 for a related issue). additional security. (though see Section 5.3 for a related issue).
Implementations which support some form of direct user authentication Implementations which support some form of direct user authentication
SHOULD also provide a policy by which a user can authorize calls only SHOULD also provide a policy by which a user can authorize calls only
to specific counterparties. Specifically, the implementation SHOULD to specific counterparties. Specifically, the implementation SHOULD
provide the following interfaces/controls: provide the following interfaces/controls:
skipping to change at page 17, line 45 skipping to change at page 20, line 26
Relying Party (RP): The entity which is trying to verify the AP's Relying Party (RP): The entity which is trying to verify the AP's
identity. identity.
The AP and the IdP have an account relationship of some kind: the AP The AP and the IdP have an account relationship of some kind: the AP
registers with the IdP and is able to subsequently authenticate registers with the IdP and is able to subsequently authenticate
directly to the IdP (e.g., with a password). This means that the directly to the IdP (e.g., with a password). This means that the
browser must somehow know which IdP(s) the user has an account browser must somehow know which IdP(s) the user has an account
relationship with. This can either be something that the user relationship with. This can either be something that the user
configures into the browser or that is configured at the calling site configures into the browser or that is configured at the calling site
and then provided to the PeerConnection by the calling site. and then provided to the PeerConnection by the Web application at the
calling site. The use case for having this information configured
into the browser is that the user may "log into" the browser to bind
it to some identity. This is becoming common in new browsers.
However, it should also be possible for the IdP information to simply
be provided by the calling application.
At a high level there are two kinds of IdPs: At a high level there are two kinds of IdPs:
Authoritative: IdPs which have verifiable control of some section Authoritative: IdPs which have verifiable control of some section
of the identity space. For instance, in the realm of e-mail, the of the identity space. For instance, in the realm of e-mail, the
operator of "example.com" has complete control of the namespace operator of "example.com" has complete control of the namespace
ending in "@example.com". Thus, "alice@example.com" is whoever ending in "@example.com". Thus, "alice@example.com" is whoever
the operator says it is. Examples of systems with authoritative the operator says it is. Examples of systems with authoritative
identity providers include DNSSEC, RFC 4474, and Facebook Connect identity providers include DNSSEC, RFC 4474, and Facebook Connect
(Facebook identities only make sense within the context of the (Facebook identities only make sense within the context of the
skipping to change at page 18, line 25 skipping to change at page 21, line 7
identity space but instead verify user's identities via some identity space but instead verify user's identities via some
unspecified mechanism and then attest to it. Because the IdP unspecified mechanism and then attest to it. Because the IdP
doesn't actually control the namespace, RPs need to trust that the doesn't actually control the namespace, RPs need to trust that the
IdP is correctly verifying AP identities, and there can IdP is correctly verifying AP identities, and there can
potentially be multiple IdPs attesting to the same section of the potentially be multiple IdPs attesting to the same section of the
identity space. Probably the best-known example of a third-party identity space. Probably the best-known example of a third-party
identity provider is SSL certificates, where there are a large identity provider is SSL certificates, where there are a large
number of CAs all of whom can attest to any domain name. number of CAs all of whom can attest to any domain name.
If an AP is authenticating via an authoritative IdP, then the RP does If an AP is authenticating via an authoritative IdP, then the RP does
not need to explicitly trust the IdP at all: as long as the RP knows not need to explicitly configure trust in the IdP at all. The
how to verify that the IdP indeed made the relevant identity identity mechanism can directly verify that the IdP indeed made the
assertion (a function provided by the mechanisms in this document), relevant identity assertion (a function provided by the mechanisms in
then any assertion it makes about an identity for which it is this document), and any assertion it makes about an identity for
authoritative is directly verifiable. which it is authoritative is directly verifiable. Note that this
does not mean that the IdP might not lie, but that is a
trustworthiness judgement that the user can make at the time he looks
at the identity.
By contrast, if an AP is authenticating via a third-party IdP, the RP By contrast, if an AP is authenticating via a third-party IdP, the RP
needs to explicitly trust that IdP (hence the need for an explicit needs to explicitly trust that IdP (hence the need for an explicit
trust anchor list in PKI-based SSL/TLS clients). The list of trust anchor list in PKI-based SSL/TLS clients). The list of
trustable IdPs needs to be configured directly into the browser, trustable IdPs needs to be configured directly into the browser,
either by the user or potentially by the browser manufacturer. This either by the user or potentially by the browser manufacturer. This
is a significant advantage of authoritative IdPs and implies that if is a significant advantage of authoritative IdPs and implies that if
third-party IdPs are to be supported, the potential number needs to third-party IdPs are to be supported, the potential number needs to
be fairly small. be fairly small.
skipping to change at page 19, line 5 skipping to change at page 21, line 36
In order to provide security without trusting the calling site, the In order to provide security without trusting the calling site, the
PeerConnection component of the browser must interact directly with PeerConnection component of the browser must interact directly with
the IdP. The details of the mechanism are described in the W3C API the IdP. The details of the mechanism are described in the W3C API
specification, but the general idea is that the PeerConnection specification, but the general idea is that the PeerConnection
component downloads JS from a specific location on the IdP dictated component downloads JS from a specific location on the IdP dictated
by the IdP domain name. That JS (the "IdP proxy") runs in an by the IdP domain name. That JS (the "IdP proxy") runs in an
isolated security context within the browser and the PeerConnection isolated security context within the browser and the PeerConnection
talks to it via a secure message passing channel. talks to it via a secure message passing channel.
Note that there are two logically separate functions here:
o Identity assertion generation.
o Identity assertion verification.
The same IdP JS "endpoint" is used for both functions but of course a
given IdP might behave differently and load new JS to perform one
function or the other.
+------------------------------------+ +------------------------------------+
| https://calling-site.example.com | | https://calling-site.example.com |
| | | |
| | | |
| | | |
| Calling JS Code | | Calling JS Code |
| ^ | | ^ |
| | API Calls | | | API Calls |
| v | | v |
| PeerConnection | | PeerConnection |
skipping to change at page 21, line 7 skipping to change at page 24, line 7
The "algorithm" and digest values correspond directly to the The "algorithm" and digest values correspond directly to the
algorithm and digest in the a=fingerprint line of the SDP. algorithm and digest in the a=fingerprint line of the SDP.
Note: this structure does not need to be interpreted by the IdP or Note: this structure does not need to be interpreted by the IdP or
the IdP proxy. It is consumed solely by the RP's browser. The IdP the IdP proxy. It is consumed solely by the RP's browser. The IdP
merely treats it as an opaque value to be attested to. Thus, new merely treats it as an opaque value to be attested to. Thus, new
parameters can be added to the assertion without modifying the IdP. parameters can be added to the assertion without modifying the IdP.
5.6.4.2. Carrying Identity Assertions 5.6.4.2. Carrying Identity Assertions
Once an IdP has generated an assertion, the JSEP message. This is Once an IdP has generated an assertion, it is attached to the JSEP
done by adding a new a-line to the SDP, of the form a=identity. The message. This is done by adding a new a-line to the SDP, of the form
sole contents of this value are a base-64-encoded version of the a=identity. The sole contents of this value are a base-64-encoded
identity assertion. For example: version of the identity assertion. For example:
v=0 v=0
o=- 1181923068 1181923196 IN IP4 ua1.example.com o=- 1181923068 1181923196 IN IP4 ua1.example.com
s=example1 s=example1
c=IN IP4 ua1.example.com c=IN IP4 ua1.example.com
a=setup:actpass a=setup:actpass
a=fingerprint: SHA-1 \ a=fingerprint: SHA-1 \
4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB
a=identity: \ a=identity: \
ImlkcCI6eyJkb21haW4iOiAiZXhhbXBsZS5vcmciLCAicHJvdG9jb2wiOiAiYm9n \ ImlkcCI6eyJkb21haW4iOiAiZXhhbXBsZS5vcmciLCAicHJvdG9jb2wiOiAiYm9n \
skipping to change at page 21, line 33 skipping to change at page 24, line 33
XCJzaWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9Cg== XCJzaWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9Cg==
t=0 0 t=0 0
m=audio 6056 RTP/AVP 0 m=audio 6056 RTP/AVP 0
a=sendrecv a=sendrecv
a=tcap:1 UDP/TLS/RTP/SAVP RTP/AVP a=tcap:1 UDP/TLS/RTP/SAVP RTP/AVP
a=pcfg:1 t=1 a=pcfg:1 t=1
Each identity attribute should be paired (and attests to) with an Each identity attribute should be paired (and attests to) with an
a=fingerprint attribute and therefore can exist either at the session a=fingerprint attribute and therefore can exist either at the session
or media level. Multiple identity attributes may appear at either or media level. Multiple identity attributes may appear at either
level, though implementations are discouraged from doing this unless level, though it is RECOMMENDED that implementations not do this,
they have a clear idea of what security claim they intend to be because it becomes very unclear what security claim that they are
making. making and the UI guidelines above become unclear. Browsers MAY
choose refuse to display any identity indicators in the face of
multiple identity attributes with different identities but SHOULD
process multiple attributes with the same identity as described
above.
5.6.5. IdP Interaction Details 5.6.5. IdP Interaction Details
5.6.5.1. General Message Structure 5.6.5.1. General Message Structure
Messages between the PeerConnection object and the IdP proxy are Messages between the PeerConnection object and the IdP proxy are
formatted using JSON [RFC4627]. For instance, the PeerConnection formatted using JSON [RFC4627]. For instance, the PeerConnection
would request a signature with the following "SIGN" message: would request a signature with the following "SIGN" message:
{ {
skipping to change at page 22, line 13 skipping to change at page 25, line 20
} }
All messages MUST contain a "type" field which indicates the general All messages MUST contain a "type" field which indicates the general
meaning of the message. meaning of the message.
All requests from the PeerConnection object MUST contain an "id" All requests from the PeerConnection object MUST contain an "id"
field which MUST be unique for that PeerConnection object. Any field which MUST be unique for that PeerConnection object. Any
responses from the IdP proxy MUST contain the same id in response, responses from the IdP proxy MUST contain the same id in response,
which allows the PeerConnection to correlate requests and responses. which allows the PeerConnection to correlate requests and responses.
All requests from the PeerConnection object MUST contain a "origin" All requests from the PeerConnection object MUST contain an "origin"
field containing the origin of the JS which initiated the PC (i.e., field containing the origin of the JS which initiated the PC (i.e.,
the URL of the calling site). This origin value can be used by the the URL of the calling site). This origin value can be used by the
IdP to make access control decisions. For instance, an IdP might IdP to make access control decisions. For instance, an IdP might
only issue identity assertions for certain calling services in the only issue identity assertions for certain calling services in the
same way that some IdPs require that relying Web sites have an API same way that some IdPs require that relying Web sites have an API
key before learning user identity. key before learning user identity.
Any message-specific data is carried in a "message" field. Depending Any message-specific data is carried in a "message" field. Depending
on the message type, this may either be a string or a richer JSON on the message type, this may either be a string or a richer JSON
object. object.
skipping to change at page 22, line 36 skipping to change at page 25, line 43
If an error occurs, the IdP sends a message of type "ERROR". The If an error occurs, the IdP sends a message of type "ERROR". The
message MAY have an "error" field containing freeform text data which message MAY have an "error" field containing freeform text data which
containing additional information about what happened. For instance: containing additional information about what happened. For instance:
{ {
"type":"ERROR", "type":"ERROR",
"error":"Signature verification failed" "error":"Signature verification failed"
} }
Figure 3: Example error Figure 5: Example error
5.6.5.2. IdP Proxy Setup 5.6.5.2. IdP Proxy Setup
In order to perform an identity transaction, the PeerConnection must In order to perform an identity transaction, the PeerConnection must
first create an IdP proxy. While the details of this are specified first create an IdP proxy. While the details of this are specified
in the W3C API document, from the perspective of this specification, in the W3C API document, from the perspective of this specification,
however, the relevant facts are: however, the relevant facts are:
o The JS runs in the IdP's security context with the base page o The JS runs in the IdP's security context with the base page
retrieved from the URL specified in Section 5.6.5.2.1 retrieved from the URL specified in Section 5.6.5.2.1
skipping to change at page 23, line 21 skipping to change at page 26, line 29
{ "type":"READY" } { "type":"READY" }
[[ OPEN ISSUE: if the W3C half of this converges on WebIntents, then [[ OPEN ISSUE: if the W3C half of this converges on WebIntents, then
the READY message will not be necessary.]] the READY message will not be necessary.]]
Once the PeerConnection object receives the ready message, it can Once the PeerConnection object receives the ready message, it can
send commands to the IdP proxy. send commands to the IdP proxy.
5.6.5.2.1. Determining the IdP URI 5.6.5.2.1. Determining the IdP URI
In order to ensure that the IdP is under control of the domain owner
rather than someone who merely has an account on the domain owner's
server (e.g., in shared hosting scenarios), the IdP JavaScript is
hosted at a deterministic location based on the IdP's domain name.
Each IdP proxy instance is associated with two values: Each IdP proxy instance is associated with two values:
domain name: The IdP's domain name domain name: The IdP's domain name
protocol: The specific IdP protocol which the IdP is using. This is protocol: The specific IdP protocol which the IdP is using. This is
a completely IdP-specific string, but allows an IdP to implement a completely IdP-specific string, but allows an IdP to implement
two protocols in parallel. This value may be the empty string. two protocols in parallel. This value may be the empty string.
Each IdP MUST serve its initial entry page (i.e., the one loaded by Each IdP MUST serve its initial entry page (i.e., the one loaded by
the IdP proxy) from the well-known URI specified in "/.well-known/ the IdP proxy) from the well-known URI specified in "/.well-known/
idp-proxy/<protocol>" on the IdP's web site. This URI MUST be loaded idp-proxy/<protocol>" on the IdP's web site. This URI MUST be loaded
skipping to change at page 24, line 25 skipping to change at page 27, line 37
defined above, but are opaque from the perspective of the IdP. defined above, but are opaque from the perspective of the IdP.
A successful response to a "SIGN" message contains a message field A successful response to a "SIGN" message contains a message field
which is a JS dictionary dictionary consisting of two fields: which is a JS dictionary dictionary consisting of two fields:
idp: A dictionary containing the domain name of the provider and the idp: A dictionary containing the domain name of the provider and the
protocol string protocol string
assertion: An opaque field containing the assertion itself. This is assertion: An opaque field containing the assertion itself. This is
only interpretable by the idp or its proxy. only interpretable by the idp or its proxy.
Figure 4 shows an example transaction, with the message "abcde..." Figure 6 shows an example transaction, with the message "abcde..."
(remember, the messages are opaque at this layer) being signed and (remember, the messages are opaque at this layer) being signed and
bound to identity "ekr@example.org". In this case, the message has bound to identity "ekr@example.org". In this case, the message has
presumably been digitally signed/MACed in some way that the IdP can presumably been digitally signed/MACed in some way that the IdP can
later verify it, but this is an implementation detail and out of later verify it, but this is an implementation detail and out of
scope of this document. Line breaks are inserted solely for scope of this document. Line breaks are inserted solely for
readability. readability.
PeerConnection -> IdP proxy: PeerConnection -> IdP proxy:
{ {
"type":"SIGN", "type":"SIGN",
skipping to change at page 25, line 29 skipping to change at page 28, line 29
"domain": "example.org" "domain": "example.org"
"protocol": "bogus" "protocol": "bogus"
}, },
"assertion":\"{\"identity\":\"bob@example.org\", "assertion":\"{\"identity\":\"bob@example.org\",
\"contents\":\"abcdefghijklmnopqrstuvwyz\", \"contents\":\"abcdefghijklmnopqrstuvwyz\",
\"request_origin\":\"rtcweb://peerconnection\", \"request_origin\":\"rtcweb://peerconnection\",
\"signature\":\"010203040506\"}" \"signature\":\"010203040506\"}"
} }
} }
Figure 4: Example assertion request Figure 6: Example assertion request
5.6.5.2.3. Verifying Assertions 5.6.5.2.3. Verifying Assertions
In order to verify an assertion, an RP sends a "VERIFY" message to In order to verify an assertion, an RP sends a "VERIFY" message to
the IdP proxy containing the assertion supplied by the AP in the the IdP proxy containing the assertion supplied by the AP in the
"message" field. "message" field.
The IdP proxy verifies the assertion. Depending on the identity The IdP proxy verifies the assertion. Depending on the identity
protocol, this may require one or more round trips to the IdP. For protocol, this may require one or more round trips to the IdP. For
instance, an OAuth-based protocol will likely require using the IdP instance, an OAuth-based protocol will likely require using the IdP
skipping to change at page 26, line 18 skipping to change at page 29, line 18
original SIGN request. original SIGN request.
request_origin The original origin of the SIGN request on the AP request_origin The original origin of the SIGN request on the AP
side as determined by the origin of the PostMessage call. The IdP side as determined by the origin of the PostMessage call. The IdP
MUST somehow arrange to propagate this information as part of the MUST somehow arrange to propagate this information as part of the
assertion. The receiving PeerConnection MUST verify that this assertion. The receiving PeerConnection MUST verify that this
value is "rtcweb://peerconnection" (which implies that value is "rtcweb://peerconnection" (which implies that
PeerConnection must arrange that its messages to the IdP proxy are PeerConnection must arrange that its messages to the IdP proxy are
from this origin.) [[ OPEN ISSUE: Can a URI person help make a from this origin.) [[ OPEN ISSUE: Can a URI person help make a
better URI.]] better URI.]]
Figure 5 shows an example transaction. Line breaks are inserted Figure 7 shows an example transaction. Line breaks are inserted
solely for readability. solely for readability.
PeerConnection -> IdP Proxy: PeerConnection -> IdP Proxy:
{ {
"type":"VERIFY", "type":"VERIFY",
"id":2, "id":2,
"origin":"https://calling-service.example.com/", "origin":"https://calling-service.example.com/",
"message":\"{\"identity\":\"bob@example.org\", "message":\"{\"identity\":\"bob@example.org\",
\"contents\":\"abcdefghijklmnopqrstuvwyz\", \"contents\":\"abcdefghijklmnopqrstuvwyz\",
\"request_origin\":\"rtcweb://peerconnection\", \"request_origin\":\"rtcweb://peerconnection\",
skipping to change at page 26, line 46 skipping to change at page 29, line 46
"message": { "message": {
"identity" : { "identity" : {
"name" : "bob@example.org", "name" : "bob@example.org",
"displayname" : "Bob" "displayname" : "Bob"
}, },
"request_origin":"rtcweb://peerconnection", "request_origin":"rtcweb://peerconnection",
"contents":"abcdefghijklmnopqrstuvwyz" "contents":"abcdefghijklmnopqrstuvwyz"
} }
} }
Figure 5: Example verification request Figure 7: Example verification request
5.6.5.2.3.1. Identity Formats 5.6.5.2.3.1. Identity Formats
Identities passed from the IdP proxy to the PeerConnection are Identities passed from the IdP proxy to the PeerConnection are
structured as JSON dictionaries with one mandatory field: "name". structured as JSON dictionaries with one mandatory field: "name".
This field MUST consist of an RFC822-formatted string representing This field MUST consist of an RFC822-formatted string representing
the user's identity. [[ OPEN ISSUE: Would it be better to have a the user's identity. [[ OPEN ISSUE: Would it be better to have a
typed field? ]] The PeerConnection API MUST check this string as typed field? ]] The PeerConnection API MUST check this string as
follows: follows:
skipping to change at page 28, line 28 skipping to change at page 31, line 28
suitable for general use. Note, however, that a malicious signaling suitable for general use. Note, however, that a malicious signaling
service can strip off any such identity assertions, though it cannot service can strip off any such identity assertions, though it cannot
forge new ones. Note that all of the third-party security mechanisms forge new ones. Note that all of the third-party security mechanisms
available (whether X.509 certificates or a third-party IdP) rely on available (whether X.509 certificates or a third-party IdP) rely on
the security of the third party--this is of course also true of your the security of the third party--this is of course also true of your
connection to the Web site itself. Users who wish to assure connection to the Web site itself. Users who wish to assure
themselves of security against a malicious identity provider can only themselves of security against a malicious identity provider can only
do so by verifying peer credentials directly, e.g., by checking the do so by verifying peer credentials directly, e.g., by checking the
peer's fingerprint against a value delivered out of band. peer's fingerprint against a value delivered out of band.
In order to protect against malicious content JavaScript, that
JavaScript MUST NOT be allowed to have direct access to---or perform
computations with---DTLS keys. For instance, if content JS were able
to compute digital signatures, then it would be possible for content
JS to get an identity assertion for a browser's generated key and
then use that assertion plus a signature by the key to authenticate a
call protected under an ephemeral DH key controlled by the content
JS, thus violating the security guarantees otherwise provided by the
IdP mechanism. Note that it is not sufficient merely to deny the
content JS direct access to the keys, as some have suggested doing
with the WebCrypto API. The JS must also not be allowed to perform
operations that would be valid for a DTLS endpoint. By far the
safest approach is simply to deny the ability to perform any
operations that depend on secret information associated with the key.
Operations that depend on public information, such as exporting the
public key are of course safe.
5.7.2. Privacy 5.7.2. Privacy
The requirements in this document are intended to allow: The requirements in this document are intended to allow:
o Users to participate in calls without revealing their location. o Users to participate in calls without revealing their location.
o Potential callees to avoid revealing their location and even o Potential callees to avoid revealing their location and even
presence status prior to agreeing to answer a call. presence status prior to agreeing to answer a call.
However, these privacy protections come at a performance cost in However, these privacy protections come at a performance cost in
terms of using TURN relays and, in the latter case, delaying ICE. terms of using TURN relays and, in the latter case, delaying ICE.
Sites SHOULD make users aware of these tradeoffs. Sites SHOULD make users aware of these tradeoffs.
Note that the protections provided here assume a non-malicious Note that the protections provided here assume a non-malicious
calling service. As the calling service always knows the users calling service. As the calling service always knows the users
status and (absent the use of a technology like Tor) their IP status and (absent the use of a technology like Tor) their IP
skipping to change at page 30, line 25 skipping to change at page 33, line 42
to get assertions tied to a user or to produce assertions that RPs to get assertions tied to a user or to produce assertions that RPs
will accept. will accept.
5.7.4.1. PeerConnection Origin Check 5.7.4.1. PeerConnection Origin Check
Fundamentally, the IdP proxy is just a piece of HTML and JS loaded by Fundamentally, the IdP proxy is just a piece of HTML and JS loaded by
the browser, so nothing stops a Web attacker o from creating their the browser, so nothing stops a Web attacker o from creating their
own IFRAME, loading the IdP proxy HTML/JS, and requesting a own IFRAME, loading the IdP proxy HTML/JS, and requesting a
signature. In order to prevent this attack, we require that all signature. In order to prevent this attack, we require that all
signatures be tied to a specific origin ("rtcweb://...") which cannot signatures be tied to a specific origin ("rtcweb://...") which cannot
be produced by a page tied to a Web attacker. Thus, while an be produced by content JavaScript. Thus, while an attacker can
attacker can instantiate the IdP proxy, they cannot send messages instantiate the IdP proxy, they cannot send messages from an
from an appropriate origin and so cannot create acceptable appropriate origin and so cannot create acceptable assertions. I.e.,
assertions. This origin check is enforced on the relying party side, the assertion request must have come from the browser. This origin
not on the authenticating party side. The reason for this is to take check is enforced on the relying party side, not on the
the burden of knowing which origins are valid off of the IdP, thus authenticating party side. The reason for this is to take the burden
making this mechanism extensible to other applications besides of knowing which origins are valid off of the IdP, thus making this
RTCWEB. The IdP simply needs to gather the origin information (from mechanism extensible to other applications besides RTCWEB. The IdP
the posted message) and attach it to the assertion. simply needs to gather the origin information (from the posted
message) and attach it to the assertion.
Note that although this origin check is enforced on the RP side and
not at the IdP, it is absolutely imperative that it be done. The
mechanisms in this document rely on the browser enforcing access
restrictions on the DTLS keys and assertion requests which do not
come with the right origin may be from content JS rather than from
browsers, and therefore those access restrcitions cannot be assumed.
Note that this check only asserts that the browser (or some other
entity with access to the user's authentication data) attests to the
request and hence to the fingerprint. It does not demonstrate that
the browser has access to the associated private key. However,
attaching one's identity to a key that the user does not control does
not appear to provide substantial leverage to an attacker, so a proof
of possession is omitted for simplicity.
5.7.4.2. IdP Well-known URI 5.7.4.2. IdP Well-known URI
As described in Section 5.6.5.2.1 the IdP proxy HTML/JS landing page As described in Section 5.6.5.2.1 the IdP proxy HTML/JS landing page
is located at a well-known URI based on the IdP's domain name. This is located at a well-known URI based on the IdP's domain name. This
requirement prevents an attacker who can write some resources at the requirement prevents an attacker who can write some resources at the
IdP (e.g., on one's Facebook wall) from being able to impersonate the IdP (e.g., on one's Facebook wall) from being able to impersonate the
IdP. IdP.
5.7.4.3. Privacy of IdP-generated identities and the hosting site 5.7.4.3. Privacy of IdP-generated identities and the hosting site
skipping to change at page 32, line 10 skipping to change at page 35, line 42
Some browsers allow users to block third party cookies (cookies Some browsers allow users to block third party cookies (cookies
associated with origins other than the top level page) for privacy associated with origins other than the top level page) for privacy
reasons. Any IdP which uses cookies to persist logins will be broken reasons. Any IdP which uses cookies to persist logins will be broken
by third-party cookie blocking. One option is to accept this as a by third-party cookie blocking. One option is to accept this as a
limitation; another is to have the PeerConnection object disable limitation; another is to have the PeerConnection object disable
third-party cookie blocking for the IdP proxy. third-party cookie blocking for the IdP proxy.
6. Acknowledgements 6. Acknowledgements
Bernard Aboba, Harald Alvestrand, Dan Druta, Cullen Jennings, Hadriel Bernard Aboba, Harald Alvestrand, Richard Barnes, Dan Druta, Cullen
Kaplan, Matthew Kaufman, Jim McEachern, Martin Thomson, Magnus Jennings, Hadriel Kaplan, Matthew Kaufman, Jim McEachern, Martin
Westerland. Thomson, Magnus Westerland.
7. Changes since -03 7. Changes
7.1. Changes since -05
The following changes have been made since the -05 draft.
o Response to comments from Richard Barnes
o More explanation of the IdP security properties and the federation
use case.
o Editorial cleanup.
7.2. Changes since -03
Version -04 was a version control mistake. Please ignore. Version -04 was a version control mistake. Please ignore.
The following changes have been made since the -04 draft. The following changes have been made since the -04 draft.
o Move origin check from IdP to RP per discussion in YVR. o Move origin check from IdP to RP per discussion in YVR.
o Clarified treatment of X.509-level identities. o Clarified treatment of X.509-level identities.
o Editorial cleanup. o Editorial cleanup.
8. Changes since -03 7.3. Changes since -03
9. Changes since -02 7.4. Changes since -02
The following changes have been made since the -02 draft. The following changes have been made since the -02 draft.
o Forbid persistent HTTP permissions. o Forbid persistent HTTP permissions.
o Clarified the text in S 5.4 to clearly refer to requirements on o Clarified the text in S 5.4 to clearly refer to requirements on
the API to provide functionality to the site. the API to provide functionality to the site.
o Fold in the IETF portion of draft-rescorla-rtcweb-generic-idp o Fold in the IETF portion of draft-rescorla-rtcweb-generic-idp
o Retarget the continuing consent section to assume Binding Requests o Retarget the continuing consent section to assume Binding Requests
o Editorial improvements o Editorial improvements
10. References 8. References
10.1. Normative References 8.1. Normative References
[I-D.ietf-rtcweb-security] [I-D.ietf-rtcweb-security]
Rescorla, E., "Security Considerations for RTC-Web", Rescorla, E., "Security Considerations for RTC-Web",
draft-ietf-rtcweb-security-03 (work in progress), draft-ietf-rtcweb-security-03 (work in progress),
June 2012. June 2012.
[I-D.muthu-behave-consent-freshness] [I-D.muthu-behave-consent-freshness]
Perumal, M., Wing, D., and H. Kaplan, "STUN Usage for Perumal, M., Wing, D., R, R., and H. Kaplan, "STUN Usage
Consent Freshness and Session Liveness", for Consent Freshness",
draft-muthu-behave-consent-freshness-01 (work in draft-muthu-behave-consent-freshness-02 (work in
progress), July 2012. progress), January 2013.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security", RFC 4347, April 2006. Security", RFC 4347, April 2006.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
skipping to change at page 33, line 37 skipping to change at page 37, line 33
(SRTP) Security Context Using Datagram Transport Layer (SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, May 2010. Security (DTLS)", RFC 5763, May 2010.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. Real-time Transport Protocol (SRTP)", RFC 5764, May 2010.
[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
December 2011. December 2011.
10.2. Informative References 8.2. Informative References
[I-D.ietf-rtcweb-jsep] [I-D.ietf-rtcweb-jsep]
Uberti, J. and C. Jennings, "Javascript Session Uberti, J. and C. Jennings, "Javascript Session
Establishment Protocol", draft-ietf-rtcweb-jsep-01 (work Establishment Protocol", draft-ietf-rtcweb-jsep-02 (work
in progress), June 2012. in progress), October 2012.
[I-D.jennings-rtcweb-signaling] [I-D.jennings-rtcweb-signaling]
Jennings, C., Rosenberg, J., and R. Jesup, "RTCWeb Offer/ Jennings, C., Rosenberg, J., and R. Jesup, "RTCWeb Offer/
Answer Protocol (ROAP)", Answer Protocol (ROAP)",
draft-jennings-rtcweb-signaling-01 (work in progress), draft-jennings-rtcweb-signaling-01 (work in progress),
October 2011. October 2011.
[I-D.kaufman-rtcweb-security-ui] [I-D.kaufman-rtcweb-security-ui]
Kaufman, M., "Client Security User Interface Requirements Kaufman, M., "Client Security User Interface Requirements
for RTCWEB", draft-kaufman-rtcweb-security-ui-00 (work in for RTCWEB", draft-kaufman-rtcweb-security-ui-00 (work in
 End of changes. 50 change blocks. 
177 lines changed or deleted 350 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/