idnits 2.17.1
draft-rescorla-rtcweb-generic-idp-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
-- The document has examples using IPv4 documentation addresses according
to RFC6890, but does not use any IPv6 documentation addresses. Maybe
there should be IPv6 examples, too?
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== The document seems to contain a disclaimer for pre-RFC5378 work, but was
first submitted on or after 10 November 2008. The disclaimer is usually
necessary only for documents that revise or obsolete older RFCs, and that
take significant amounts of text from those RFCs. If you can contact all
authors of the source material and they are willing to grant the BCP78
rights to the IETF Trust, you can and should remove the disclaimer.
Otherwise, the disclaimer is needed and you can ignore this comment.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (March 12, 2012) is 4422 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'TBD' is mentioned on line 383, but not defined
== Unused Reference: 'I-D.ietf-rtcweb-security-arch' is defined on line
911, but no explicit reference was found in the text
== Unused Reference: 'RFC6454' is defined on line 926, but no explicit
reference was found in the text
== Outdated reference: A later version (-12) exists of
draft-ietf-rtcweb-security-01
== Outdated reference: A later version (-20) exists of
draft-ietf-rtcweb-security-arch-00
** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159)
Summary: 3 errors (**), 0 flaws (~~), 7 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 RTCWEB E. Rescorla
3 Internet-Draft RTFM, Inc.
4 Intended status: Standards Track March 12, 2012
5 Expires: September 13, 2012
7 RTCWEB Generic Identity Provider Interface
8 draft-rescorla-rtcweb-generic-idp-01
10 Abstract
12 Security for RTCWEB communications requires that the communicating
13 endpoints be able to authenticate each other. While authentication
14 may be mediated by the calling service, there are settings in which
15 this is undesirable. This document describes a generic mechanism for
16 leveraging existing identity providers (IdPs) such as BrowserID or
17 OAuth to provide this authentication service.
19 Legal
21 THIS DOCUMENT AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON
22 AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
23 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
24 IETF TRUST, AND THE INTERNET ENGINEERING TASK FORCE, DISCLAIM ALL
25 WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
26 WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE
27 ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
28 FOR A PARTICULAR PURPOSE.
30 Status of this Memo
32 This Internet-Draft is submitted in full conformance with the
33 provisions of BCP 78 and BCP 79.
35 Internet-Drafts are working documents of the Internet Engineering
36 Task Force (IETF). Note that other groups may also distribute
37 working documents as Internet-Drafts. The list of current Internet-
38 Drafts is at http://datatracker.ietf.org/drafts/current/.
40 Internet-Drafts are draft documents valid for a maximum of six months
41 and may be updated, replaced, or obsoleted by other documents at any
42 time. It is inappropriate to use Internet-Drafts as reference
43 material or to cite them other than as "work in progress."
45 This Internet-Draft will expire on September 13, 2012.
47 Copyright Notice
48 Copyright (c) 2012 IETF Trust and the persons identified as the
49 document authors. All rights reserved.
51 This document is subject to BCP 78 and the IETF Trust's Legal
52 Provisions Relating to IETF Documents
53 (http://trustee.ietf.org/license-info) in effect on the date of
54 publication of this document. Please review these documents
55 carefully, as they describe your rights and restrictions with respect
56 to this document. Code Components extracted from this document must
57 include Simplified BSD License text as described in Section 4.e of
58 the Trust Legal Provisions and are provided without warranty as
59 described in the Simplified BSD License.
61 This document may contain material from IETF Documents or IETF
62 Contributions published or made publicly available before November
63 10, 2008. The person(s) controlling the copyright in some of this
64 material may not have granted the IETF Trust the right to allow
65 modifications of such material outside the IETF Standards Process.
66 Without obtaining an adequate license from the person(s) controlling
67 the copyright in such materials, this document may not be modified
68 outside the IETF Standards Process, and derivative works of it may
69 not be created outside the IETF Standards Process, except to format
70 it for publication as an RFC or to translate it into languages other
71 than English.
73 Table of Contents
75 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
76 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
77 3. Trust Relationships: IdPs, APs, and RPs . . . . . . . . . . . 6
78 4. Overview of Operation . . . . . . . . . . . . . . . . . . . . 7
79 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . . 9
80 5.1. General Message Structure . . . . . . . . . . . . . . . . 9
81 5.1.1. Errors . . . . . . . . . . . . . . . . . . . . . . . . 9
82 5.2. IdP Proxy Setup . . . . . . . . . . . . . . . . . . . . . 10
83 5.2.1. Determining the IdP URI . . . . . . . . . . . . . . . 10
84 5.2.1.1. Authenticating Party . . . . . . . . . . . . . . . 11
85 5.2.1.2. Relying Party . . . . . . . . . . . . . . . . . . 11
86 5.3. Requesting Assertions . . . . . . . . . . . . . . . . . . 11
87 5.4. Verifying Assertions . . . . . . . . . . . . . . . . . . . 12
88 5.4.1. Identity Formats . . . . . . . . . . . . . . . . . . . 13
89 5.4.2. PostMessage Checks . . . . . . . . . . . . . . . . . . 14
90 5.4.3. PeerConnection API Extensions . . . . . . . . . . . . 14
91 5.4.3.1. Authenticating Party . . . . . . . . . . . . . . . 14
92 5.4.3.2. Relying Party . . . . . . . . . . . . . . . . . . 15
93 5.5. Example Bindings to Specific Protocols . . . . . . . . . . 16
94 5.5.1. BrowserID . . . . . . . . . . . . . . . . . . . . . . 16
95 5.5.2. OAuth . . . . . . . . . . . . . . . . . . . . . . . . 19
96 5.6. Security Considerations . . . . . . . . . . . . . . . . . 20
97 5.6.1. PeerConnection Origin Check . . . . . . . . . . . . . 20
98 5.6.2. IdP Well-known URI . . . . . . . . . . . . . . . . . . 20
99 5.6.3. Security of Third-Party IdPs . . . . . . . . . . . . . 21
100 5.7. Web Security Feature Interactions . . . . . . . . . . . . 21
101 5.7.1. Popup Blocking . . . . . . . . . . . . . . . . . . . . 21
102 5.7.2. Third Party Cookies . . . . . . . . . . . . . . . . . 21
103 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
104 6.1. Normative References . . . . . . . . . . . . . . . . . . . 22
105 6.2. Informative References . . . . . . . . . . . . . . . . . . 22
106 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
108 1. Introduction
110 Security for RTCWEB communications requires that the communicating
111 endpoints be able to authenticate each other. While authentication
112 may be mediated by the calling service, there are settings in which
113 this is undesirable. This document describes a mechanism for
114 leveraging existing identity providers (IdPs) such as BrowserID or
115 OAuth to provide this authentication service.
117 Specifically, Alice and Bob have relationships with some Identity
118 Provider (IdP) that supports a protocol such OpenID or BrowserID)
119 that can be used to attest to their identity. While they are making
120 calls through the signaling service, their identities (and the
121 cryptographic keying material used to make the call) is authenticated
122 via the IdP. This separation isn't particularly important in "closed
123 world" cases where Alice and Bob are users on the same social
124 network, have identities based on that network, and are calling using
125 that network's signaling service. However, there are important
126 settings where that is not the case, such as federation (calls from
127 one network to another) and calling on untrusted sites, such as where
128 two users who have a relationship via a given social network want to
129 call each other on another, untrusted, site, such as a poker site.
131 +----------------+
132 | |
133 | Signaling |
134 | Server |
135 | |
136 +----------------+
137 ^ ^
138 / \
139 HTTPS / \ HTTPS
140 / \
141 / \
142 v v
143 JS API JS API
144 +-----------+ +-----------+
145 | | Media | |
146 Alice | Browser |<---------->| Browser | Bob
147 | | (DTLS-SRTP)| |
148 +-----------+ +-----------+
149 ^ ^--+ +--^ ^
150 | | | |
151 v | | v
152 +-----------+ | | +-----------+
153 | |<--------+ | |
154 | IdP A | | | IdP B |
155 | | +------->| |
156 +-----------+ +-----------+
158 Figure 1: A call with IdP-based identity
160 Figure 1 shows the basic topology. Alice and Bob are on the same
161 signaling server, but they additionally have relationships with their
162 own IdPs. Alice has registered with IdP A and Bob has registered
163 with IdP B. Note that nothing stops these IdPs from being the same,
164 or indeed from being the same as the signaling server, but they can
165 also be totally distinct. In particular, Alice and Bob need not have
166 identities from the same IdP.
168 Starting from this point, the mechanisms described in this document
169 allow Alice and Bob to establish a mutually authenticated phone call.
170 In the interest of clarity the remainder of this section provides a
171 brief overview of how these mechanisms fit into the bigger RTCWEB
172 calling picture. For a detailed description of the relevant protocol
173 elements and their interaction with the larger signaling protocol see
174 [I-D.ietf-rtcweb-security]. When Alice goes to call Bob, her browser
175 (specifically her PeerConnection object) contacts her IdP on her
176 behalf and obtains an assertion of her identity bound to her
177 certificate fingerprint. This assertion is carried with her
178 signaling messages to the signaling server and then down to Bob.
180 Bob's browser verifies the assertion, possibly with the cooperation
181 of the IdP, and can then display Alice's identity to Bob in a trusted
182 user interface element. If Alice is in Bob's address book, then this
183 interface might also include her real name, a picture, etc.
185 When/If Bob agrees to answer the call, his browser contacts his IdP
186 and gets a similar assertion. This assertion is sent to the
187 signaling server as part of Bob's answer which is then forwarded to
188 Alice. Alice's browser verifies Bob's identity and can display the
189 result in a trusted UI element. At this point Alice and Bob know
190 each other's fingerprints and so they can transitively verify the
191 keys used to authenticate the DTLS-SRTP handshake and hence the
192 security of the media.
194 The mechanisms in this document do not require the browser to
195 implement any particular identity protocol or to support any
196 particular IdP. Instead, this document provides a generic interface
197 which any IdP can implement. Thus, new IdPs and protocols can be
198 introduced without change to either the browser or the calling
199 service. This avoids the need to make a commitment to any particular
200 identity protocol, although browsers may opt to directly implement
201 some identity protocols in order to provide superior performance or
202 UI properties.
204 2. Terminology
206 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
207 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
208 document are to be interpreted as described in RFC 2119 [RFC2119].
210 3. Trust Relationships: IdPs, APs, and RPs
212 Any authentication protocol has three major participants:
214 Authenticating Party (AP): The entity which is trying to establish
215 its identity.
217 Identity Provider (IdP): The entity which is vouching for the AP's
218 identity.
220 Relying Party (RP): The entity which is trying to verify the AP's
221 identity.
223 The AP and the IdP have an account relationship of some kind: the AP
224 registers with the IdP and is able to subsequently authenticate
225 directly to the IdP (e.g., with a password). This means that the
226 browser must somehow know which IdP(s) the user has an account
227 relationship with. This can either be something that the user
228 configures into the browser or that is configured at the calling site
229 and then provided to the PeerConnection by the calling site.
231 At a high level there are two kinds of IdPs:
233 Authoritative: IdPs which have verifiable control of some section
234 of the identity space. For instance, in the realm of e-mail, the
235 operator of "example.com" has complete control of the namespace
236 ending in "@example.com". Thus, "alice@example.com" is whoever
237 the operator says it is. Examples of systems with authoritative
238 identity providers include DNSSEC, RFC 4474, and Facebook Connect
239 (Facebook identities only make sense within the context of the
240 Facebook system).
242 Third-Party: IdPs which don't have control of their section of the
243 identity space but instead verify user's identities via some
244 unspecified mechanism and then attest to it. Because the IdP
245 doesn't actually control the namespace, RPs need to trust that the
246 IdP is correctly verifying AP identities, and there can
247 potentially be multiple IdPs attesting to the same section of the
248 identity space. Probably the best-known example of a third-party
249 identity provider is SSL certificates, where there are a large
250 number of CAs all of whom can attest to any domain name.
252 If an AP is authenticating via an authoritative IdP, then the RP does
253 not need to explicitly trust the IdP at all: as long as the RP knows
254 how to verify that the IdP indeed made the relevant identity
255 assertion (a function provided by the mechanisms in this document),
256 then any assertion it makes about an identity for which it is
257 authoritative is directly verifiable.
259 By contrast, if an AP is authenticating via a third-party IdP, the RP
260 needs to explicitly trust that IdP (hence the need for an explicit
261 trust anchor list in PKI-based SSL/TLS clients). The list of
262 trustable IdPs needs to be configured directly into the browser,
263 either by the user or potentially by the browser manufacturer. This
264 is a significant advantage of authoritative IdPs and implies that if
265 third-party IdPs are to be supported, the potential number needs to
266 be fairly small.
268 4. Overview of Operation
270 In order to provide security without trusting the calling site, the
271 PeerConnection component of the browser must interact directly with
272 the IdP. In this section, we describe a standalone mechanism based
273 on IFRAMEs and postMessage(), however, most likely this will
274 eventually be superceded by WebIntents .
275 [[ OPEN ISSUE: I've been looking at WebIntents and I believe that it
276 can be made to work but may require some modifications. I am
277 currently studying the problem. More analysis to come.]] ]].
279 +------------------------------------+
280 | https://calling-site.example.com |
281 | |
282 | |
283 | |
284 | Calling JS Code |
285 | ^ |
286 | | API Calls |
287 | v |
288 | PeerConnection |
289 | ^ |
290 | | postMessage() |
291 | v |
292 | +-------------------------+ | +---------------+
293 | | https://idp.example.org | | | |
294 | | |<--------->| Identity |
295 | | IdP JS | | | Provider |
296 | | | | | |
297 | +-------------------------+ | +---------------+
298 | |
299 +------------------------------------+
301 When the PeerConnection object wants to interact with the IdP, the
302 sequence of events is as follows:
304 1. The browser (the PeerConnection component) instantiates an IdP
305 proxy (typically a hidden IFRAME) with its source at the IdP.
306 This allows the IdP to load whatever JS is necessary into the
307 proxy, which runs in the IdP's security context.
308 2. If the user is not already logged in, the IdP does whatever is
309 required to log them in, such as soliciting a username and
310 password.
311 3. Once the user is logged in, the IdP proxy notifies the browser
312 (via postMessage()) that it is ready.
313 4. The browser and the IdP proxy communicate via a standardized
314 series of messages delivered via postMessage. For instance, the
315 browser might request the IdP proxy to sign or verify a given
316 identity assertion.
318 This approach allows us to decouple the browser from any particular
319 identity provider; the browser need only know how to load the IdP's
320 JavaScript--which is deterministic from the IdP's identity--and the
321 generic protocol for requesting and verifying assertions. The IdP
322 provides whatever logic is necessary to bridge the generic protocol
323 to the IdP's specific requirements. Thus, a single browser can
324 support any number of identity protocols, including being forward
325 compatible with IdPs which did not exist at the time the browser was
326 written.
328 5. Protocol Details
330 5.1. General Message Structure
332 Messages between the PeerConnection object and the IdP proxy are
333 formatted using JSON [RFC4627]. For instance, the PeerConnection
334 would request a signature with the following "SIGN" message:
336 {
337 "type":"SIGN",
338 "id": "1",
339 "message":"012345678abcdefghijkl"
340 }
342 All messages MUST contain a "type" field which indicates the general
343 meaning of the message.
345 All requests from the PeerConnection object MUST contain an "id"
346 field which MUST be unique for that PeerConnection object. Any
347 responses from the IdP proxy MUST contain the same id in response,
348 which allows the PeerConnection to correlate requests and responses.
350 Any message-specific data is carried in a "message" field. Depending
351 on the message type, this may either be a string or a richer JSON
352 object.
354 5.1.1. Errors
356 If an error occurs, the IdP sends a message of type "ERROR". The
357 message MAY have an "error" field containing freeform text data which
358 containing additional information about what happened. For instance:
360 {
361 "type":"ERROR",
362 "error":"Signature verification failed"
363 }
365 Figure 2: Example error
367 5.2. IdP Proxy Setup
369 In order to perform an identity transaction, the PeerConnection must
370 first create the IdP proxy. While the specific technical mechanism
371 used is left up to the implementation, the following requirements
372 MUST be met for security and interoperability.
374 o Any JS MUST run in the IdP's security context.
375 o The usual browser sandbox isolation mechanisms MUST be enforced
376 with respect to the IdP proxy.
377 o JS running in the IdP proxy MUST be able to send and receive
378 messages to the PeerConnection object using postMessage.
379 o Either window.parent or window.opener MUST be set such that
380 messages sent with postMessage() arrive at the PeerConnection
381 object. If both variables are set, they MUST be the same.
382 o Messages sent by the PeerConnection object MUST have their .origin
383 value set to "rtcweb:://idp-interface". [TBD]
385 One mechanism for implementing the IdP proxy is as a hidden (CSS
386 "display=none") IFRAME with a URI as determined in Section 5.2.1.
387 The PeerConnection component will of course need to specially arrange
388 for the origin value to be set correctly; as dicussed in Section 5.6,
389 the fact that ordinary Web pages cannot set their origins to
390 "rtcweb://..." is an essential security feature.
392 Initially the IdP proxy is in an unready state; the IdP JS must be
393 loaded and there may be several round trips to the IdP server, for
394 instance to log the user in. Thus, the IFRAME's "onready" property
395 is not a reliable indicator of when the IdP IFRAME is ready to
396 receive commands. Instead, when the IdP proxy is ready to receive
397 commands, it delivers a "ready" message via postMessage(). As this
398 message is unsolicited, it simply contains:
400 { "type":"READY" }
402 Once the PeerConnection object receives the ready message, it can
403 send commands to the IdP proxy.
405 5.2.1. Determining the IdP URI
407 Each IdP proxy instance is associated with two values:
409 domain name: The IdP's domain name
410 protocol: The specific IdP protocol which the IdP is using. This is
411 a completely IdP-specific string, but allows an IdP to implement
412 two protocols in parallel. This value may be the empty string.
414 Each IdP MUST serve its initial entry page (i.e., the one loaded by
415 the IdP proxy) from the well-known URI specified in "/.well-known/
416 idp-proxy/" on the IdP's web site. This URI MUST be loaded
417 via HTTPS [RFC2818]. For example, for the IdP "identity.example.com"
418 and the protocol "example", the URL would be:
420 https://example.com/.well-known/idp-proxy/example
422 5.2.1.1. Authenticating Party
424 How an AP determines the appropriate IdP domain is out of scope of
425 this specification. In general, however, the AP has some actual
426 account relationship with the IdP, as this identity is what the IdP
427 is attesting to. Thus, the AP somehow supplies the IdP information
428 to the browser. Some potential mechanisms include:
430 o Provided by the user directly.
431 o Selected from some set of IdPs known to the calling site. E.g., a
432 button that shows "Authenticate via Facebook Connect"
434 5.2.1.2. Relying Party
436 Unlike the AP, the RP need not have any particular relationship with
437 the IdP. Rather, it needs to be able to process whatever assertion
438 is provided by the AP. As the assertion contains the IdP's identity,
439 the URI can be constructed directly from the assertion, and thus the
440 RP can directly verify the technical validity of the assertion with
441 no user interaction. Authoritative assertions need only be
442 verifiable. Third-party assertions also MUST be verified against
443 local policy, as described in Section 5.4.1.
445 5.3. Requesting Assertions
447 In order to request an assertion, the PeerConnection sends a "SIGN"
448 message. Aside from the mandatory fields, this message has a
449 "message" field containing a string. The contents of this string are
450 defined in [I-D.ietf-rtcweb-security], but are opaque from the
451 perspective of this protocol.
453 A successful response to a "SIGN" message contains a message field
454 which is a JS dictionary dictionary consisting of two fields:
456 idp: A dictionary containing the domain name of the provider and the
457 protocol string
458 assertion: An opaque field containing the assertion itself. This is
459 only interpretable by the idp or its proxy.
461 Figure 3 shows an example transaction, with the message "abcde..."
462 being signed and bound to identity "ekr@example.org". In this case,
463 the message has presumably been digitally signed/MACed in some way
464 that the IdP can later verify it, but this is an implementation
465 detail and out of scope of this document. Line breaks are inserted
466 solely for readability.
468 PeerConnection -> IdP proxy:
469 {
470 "type":"SIGN",
471 "id":1,
472 "message":"abcdefghijklmnopqrstuvwyz"
473 }
475 IdPProxy -> PeerConnection:
476 {
477 "type":"SUCCESS",
478 "id":1,
479 "message": {
480 "idp":{
481 "domain": "example.org"
482 "protocol": "bogus"
483 },
484 "assertion":\"{\"identity\":\"bob@example.org\",
485 \"contents\":\"abcdefghijklmnopqrstuvwyz\",
486 \"signature\":\"010203040506\"}"
487 }
488 }
490 Figure 3: Example assertion request
492 5.4. Verifying Assertions
494 In order to verify an assertion, an RP sends a "VERIFY" message to
495 the IdP proxy containing the assertion supplied by the AP in the
496 "message" field.
498 The IdP proxy verifies the assertion. Depending on the identity
499 protocol, this may require one or more round trips to the IdP. For
500 instance, an OAuth-based protocol will likely require using the IdP
501 as an oracle, whereas with BrowserID the IdP proxy can likely verify
502 the signature on the assertion without contacting the IdP, provided
503 that it has cached the IdP's public key.
505 Regardless of the mechanism, if verification succeeds, a successful
506 response from the IdP proxy MUST contain a message field consisting
507 of a dictionary/hash with the following fields:
509 identity The identity of the AP from the IdP's perspective. Details
510 of this are provided in Section 5.4.1
511 contents The original unmodified string provided by the AP in the
512 original SIGN request.
514 Figure 4 shows an example transaction. Line breaks are inserted
515 solely for readability.
517 PeerConnection -> IdP Proxy:
518 {
519 "type":"VERIFY",
520 "id":2,
521 "message":\"{\"identity\":\"bob@example.org\",
522 \"contents\":\"abcdefghijklmnopqrstuvwyz\",
523 \"signature\":\"010203040506\"}"
524 }
526 IdP Proxy -> PeerConnection:
527 {
528 "type":"SUCCESS",
529 "id":2,
530 "message": {
531 "identity" : {
532 "name" : "bob@example.org",
533 "displayname" : "Bob"
534 },
535 "contents":"abcdefghijklmnopqrstuvwyz"
536 }
537 }
539 Figure 4: Example assertion request
541 5.4.1. Identity Formats
543 Identities passed from the IdP proxy to the PeerConnection are
544 structured as JSON dictionaries with one mandatory field: "name".
545 This field MUST consist of an RFC822-formatted string representing
546 the user's identity. [[ OPEN ISSUE: Would it be better to have a
547 typed field? ]] The PeerConnection API MUST check this string as
548 follows:
550 1. If the RHS of the string is equal to the domain name of the IdP
551 proxy, then the assertion is valid, as the IdP is authoritative
552 for this domain.
553 2. If the RHS of the string is not equal to the domain name of the
554 IdP proxy, then the PeerConnection object MUST reject the
555 assertion unless (a) the IdP domain is listed as an acceptable
556 third-party IdP and (b) local policy is configured to trust this
557 IdP domain for the RHS of the identity string.
559 Sites which have identities that do not fit into the RFC822 style
560 (for instance, Facebook ids are simple numeric values) SHOULD convert
561 them to this form by appending their IdP domain (e.g.,
562 12345@identity.facebook.com), thus ensuring that they are
563 authoritative for the identity.
565 The IdP proxy MAY also include a "displayname" field which contains a
566 more user-friendly identity assertion. Browsers SHOULD take care in
567 the UI to distinguish the "name" assertion which is verifiable
568 directly from the "displayname" which cannot be verified and thus
569 relies on trust in the IdP. In future, we may define other fields to
570 allow the IdP to provide more information to the browser.
572 5.4.2. PostMessage Checks
574 Because the PeerConnect object and the IdP proxy communicate via
575 postMessage(), it is essential to verify that the origin of any
576 message (contained in the event.origin property) and source
577 (contained in the event.source) property are as expected:
579 o For messages from the PeerConnection object, the IdP proxy MUST
580 verify that the origin is "rtcweb://idp-interface" and that the
581 source matches either window.opener or window.parent. If both are
582 non-falsey, they MUST be equal. If any of these checks fail, the
583 message MUST be rejected. [[ OPEN ISSUE: An alternate (more
584 generic) design would be to not check the origin here but rather
585 to include the origin in the assertion and have it checked at the
586 RP. Comments? ]]
587 o For messages from the IdP proxy, the PeerConnection object MUST
588 verify that the origin matches the IdP's origin and that the
589 source matches the window/IFRAME opened for the IdP proxy.
591 If any of these checks fail, the message MUST be rejected. In
592 general, mismatches SHOULD NOT cause transaction failure, since
593 malicious JS might use bogus messages as a form of DoS attack.
595 5.4.3. PeerConnection API Extensions
597 5.4.3.1. Authenticating Party
599 As discussed in Section 3, the AP's IdP can either be configured
600 directly into the browser or selected from a list known to the
601 calling site. We anticipate that some browsers will allow
602 configuration of IdPs in the browser UI but allow the calling
603 application to provide new candidate IdPs or to direct the selection
604 of a known one. Thus, one model would be:
606 o If a IdP is provided by the calling application use that.
607 o If no IdP is provided, and one is configured, use that.
608 o If no IdP is provided or configured, do nothing.
610 Implementations MAY also wish to have configuration settings override
611 the calling application's preferences.
613 APIs for PeerConnection configuration are as-yet unsettled, but it
614 MUST be possible to specify the following parameters to the
615 PeerConnection.
617 o The IdP domain.
618 o The users expected identity (if known) [this allows selection
619 between multiple candidate identities with the same IdP.]
621 5.4.3.2. Relying Party
623 Because the browser UI must be responsible for displaying the user's
624 identity, it isn't strictly necessary to have new JS interfaces on
625 the relying party side. However, two new interfaces are RECOMMENDED.
627 When a message is provided to the PeerConnection API with
628 processSignalingMessage() with an assertion that cannot be verified,
629 there is a need for some sort of error indicating verification
630 failure. [Note: I don't see an interface for any other kind of
631 parse error, so I'm not sure what to imitate here.]
633 A new attribute should be added to indicate the verification status.
634 For instance:
636 readonly attribute DOMString verifiedIdentity;
638 The attribute value should be a JS dictionary indicating the identity
639 and the domain name of the IdP, such as:
641 {
642 "identity" : "ekr@example.org",
643 "idp": "example.org"
644 }
646 5.5. Example Bindings to Specific Protocols
648 This section provides some examples of how the mechanisms described
649 in this document could be used with existing authentication protocols
650 such as BrowserID or OAuth. Note that this does not require browser-
651 level support for either protocol. Rather, the protocols can be fit
652 into the generic framework. (Though BrowserID in particular works
653 better with some client side support).
655 5.5.1. BrowserID
657 BrowserID [https://browserid.org/] is a technology which allows a
658 user with a verified email address to generate an assertion
659 (authenticated by their identity provider) attesting to their
660 identity (phrased as an email address). The way that this is used in
661 practice is that the relying party embeds JS in their site which
662 talks to the BrowserID code (either hosted on a trusted intermediary
663 or embedded in the browser). That code generates the assertion which
664 is passed back to the relying party for verification. The assertion
665 can be verified directly or with a Web service provided by the
666 identity provider. It's relatively easy to extend this functionality
667 to authenticate RTCWEB calls, as shown below.
669 +----------------------+ +----------------------+
670 | | | |
671 | Alice's Browser | | Bob's Browser |
672 | | OFFER ------------> | |
673 | Calling JS Code | | Calling JS Code |
674 | ^ | | ^ |
675 | | | | | |
676 | v | | v |
677 | PeerConnection | | PeerConnection |
678 | | ^ | | | ^ |
679 | Finger| |Signed | |Signed | | |
680 | print | |Finger | |Finger | |"Alice"|
681 | | |print | |print | | |
682 | v | | | v | |
683 | +--------------+ | | +---------------+ |
684 | | IdP Proxy | | | | IdP Proxy | |
685 | | to | | | | to | |
686 | | BrowserID | | | | BrowserID | |
687 | | Signer | | | | Verifier | |
688 | +--------------+ | | +---------------+ |
689 | ^ | | ^ |
690 +-----------|----------+ +----------|-----------+
691 | |
692 | Get certificate |
693 v | Check
694 +----------------------+ | certificate
695 | | |
696 | Identity |/-------------------------------+
697 | Provider |
698 | |
699 +----------------------+
701 The way this mechanism works is as follows. On Alice's side, Alice
702 goes to initiate a call.
704 1. The calling JS instantiates a PeerConnection and tells it that it
705 is interested in having it authenticated via BrowserID (i.e., it
706 provides "browserid.org" as the IdP name.)
707 2. The PeerConnection instantiates the BrowserID signer in the IdP
708 proxy
709 3. The BrowserID signer contacts Alice's identity provider,
710 authenticating as Alice (likely via a cookie).
711 4. The identity provider returns a short-term certificate attesting
712 to Alice's identity and her short-term public key.
713 5. The Browser-ID code signs the fingerprint and returns the signed
714 assertion + certificate to the PeerConnection.
716 6. The PeerConnection returns the signed information to the calling
717 JS code.
718 7. The signed assertion gets sent over the wire to Bob's browser
719 (via the signaling service) as part of the call setup.
721 Obviously, the format of the signed assertion varies depending on
722 what signaling style the WG ultimately adopts. However, for
723 concreteness, if something like ROAP were adopted, then the entire
724 message might look like:
726 {
727 "messageType":"OFFER",
728 "callerSessionId":"13456789ABCDEF",
729 "seq": 1
730 "sdp":"
731 v=0\n
732 o=- 2890844526 2890842807 IN IP4 192.0.2.1\n
733 s= \n
734 c=IN IP4 192.0.2.1\n
735 t=2873397496 2873404696\n
736 m=audio 49170 RTP/AVP 0\n
737 a=fingerprint: SHA-1 \
738 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB\n",
739 "identity":{
740 "idp":{ // Standardized
741 "domain":"browserid.org",
742 "method":"default"
743 },
744 "assertion": // Contents are browserid-specific
745 "\"assertion\": {
746 \"digest\":\"\",
747 \"audience\": \"[TBD]\"
748 \"valid-until\": 1308859352261,
749 },
750 \"certificate\": {
751 \"email\": \"rescorla@example.org\",
752 \"public-key\": \"\",
753 \"valid-until\": 1308860561861,
754 }" // certificate is signed by example.org
755 }
756 }
758 Note that while the IdP here is specified as "browserid.org", the
759 actual certificate is signed by example.org. This is because
760 BrowserID is a combined authoritative/third-party system in which
761 browserid.org delegates the right to be authoritative (what BrowserID
762 calls primary) to individual domains.
764 On Bob's side, he receives the signed assertion as part of the call
765 setup message and a similar procedure happens to verify it.
767 1. The calling JS instantiates a PeerConnection and provides it the
768 relevant signaling information, including the signed assertion.
769 2. The PeerConnection instantiates the IdP proxy which examines the
770 IdP name and brings up the BrowserID verification code.
771 3. The BrowserID verifier contacts the identity provider to verify
772 the certificate and then uses the key to verify the signed
773 fingerprint.
774 4. Alice's verified identity is returned to the PeerConnection (it
775 already has the fingerprint).
776 5. At this point, Bob's browser can display a trusted UI indication
777 that Alice is on the other end of the call.
779 When Bob returns his answer, he follows the converse procedure, which
780 provides Alice with a signed assertion of Bob's identity and keying
781 material.
783 5.5.2. OAuth
785 While OAuth is not directly designed for user-to-user authentication,
786 with a little lateral thinking it can be made to serve. We use the
787 following mapping of OAuth concepts to RTCWEB concepts:
789 +----------------------+----------------------+
790 | OAuth | RTCWEB |
791 +----------------------+----------------------+
792 | Client | Relying party |
793 | Resource owner | Authenticating party |
794 | Authorization server | Identity service |
795 | Resource server | Identity service |
796 +----------------------+----------------------+
798 Table 1
800 The idea here is that when Alice wants to authenticate to Bob (i.e.,
801 for Bob to be aware that she is calling). In order to do this, she
802 allows Bob to see a resource on the identity provider that is bound
803 to the call, her identity, and her public key. Then Bob retrieves
804 the resource from the identity provider, thus verifying the binding
805 between Alice and the call.
807 Alice IdP Bob
808 ---------------------------------------------------------
809 Call-Id, Fingerprint ------->
810 <------------------- Auth Code
811 Auth Code ---------------------------------------------->
812 <----- Get Token + Auth Code
813 Token --------------------->
814 <------------- Get call-info
815 Call-Id, Fingerprint ------>
817 This is a modified version of a common OAuth flow, but omits the
818 redirects required to have the client point the resource owner to the
819 IdP, which is acting as both the resource server and the
820 authorization server, since Alice already has a handle to the IdP.
822 Above, we have referred to "Alice", but really what we mean is the
823 PeerConnection. Specifically, the PeerConnection will instantiate an
824 IFRAME with JS from the IdP and will use that IFRAME to communicate
825 with the IdP, authenticating with Alice's identity (e.g., cookie).
826 Similarly, Bob's PeerConnection instantiates an IFRAME to talk to the
827 IdP.
829 5.6. Security Considerations
831 This mechanism relies for its security on the IdP and on the
832 PeerConnection correctly enforcing the security invariants described
833 above. At a high level, the IdP is attesting that the user
834 identified in the assertion wishes to be associated with the
835 assertion. Thus, it must not be possible for arbitrary third parties
836 to get assertions tied to a user or to produce assertions that RPs
837 will accept.
839 5.6.1. PeerConnection Origin Check
841 Fundamentally, the IdP proxy is just a piece of HTML and JS loaded by
842 the browser, so nothing stops a Web attacker o from creating their
843 own IFRAME, loading the IdP proxy HTML/JS, and requesting a
844 signature. In order to prevent this attack, we require that all
845 signatures be tied to a specific origin ("rtcweb://...") which cannot
846 be produced by a page tied to a Web attacker. Thus, while an
847 attacker can instantiate the IdP proxy, they cannot send messages
848 from an appropriate origin and so cannot create acceptable
849 assertions. [[OPEN ISSUE: Where is this enforced? ]]
851 5.6.2. IdP Well-known URI
853 As described in Section 5.2.1 the IdP proxy HTML/JS landing page is
854 located at a well-known URI based on the IdP's domain name. This
855 requirement prevents an attacker who can write some resources at the
856 IdP (e.g., on one's Facebook wall) from being able to impersonate the
857 IdP.
859 5.6.3. Security of Third-Party IdPs
861 As discussed above, each third-party IdP represents a new universal
862 trust point and therefore the number of these IdPs needs to be quite
863 limited. Most IdPs, even those which issue unqualified identities
864 such as Facebook, can be recast as authoritative IdPs (e.g.,
865 123456@facebook.com). However, in such cases, the user interface
866 implications are not entirely desirable. One intermediate approach
867 is to have special (potentially user configurable) UI for large
868 authoritative IdPs, thus allowing the user to instantly grasp that
869 the call is being authenticated by Facebook, Google, etc.
871 5.7. Web Security Feature Interactions
873 A number of optional Web security features have the potential to
874 cause issues for this mechanism, as discussed below.
876 5.7.1. Popup Blocking
878 If the user is not already logged into the IdP, the IdP proxy may
879 need to pop up a top level window in order to prompt the user for
880 their authentication information (it is bad practice to do this in an
881 IFRAME inside the window because then users have no way to determine
882 the destination for their password). If the user's browser is
883 configured to prevent popups, this may fail (depending on the exact
884 algorithm that the popup blocker uses to suppress popups). It may be
885 necessary to provide a standardized mechanism to allow the IdP proxy
886 to request popping of a login window. Note that care must be taken
887 here to avoid PeerConnection becoming a general escape hatch from
888 popup blocking. One possibility would be to only allow popups when
889 the user has explicitly registered a given IdP as one of theirs (this
890 is only relevant at the AP side in any case). This is what
891 WebIntents does, and the problem would go away if WebIntents is used.
893 5.7.2. Third Party Cookies
895 Some browsers allow users to block third party cookies (cookies
896 associated with origins other than the top level page) for privacy
897 reasons. Any IdP which uses cookies to persist logins will be broken
898 by third-party cookie blocking. One option is to accept this as a
899 limitation; another is to have the PeerConnection object disable
900 third-party cookie blocking for the IdP proxy.
902 6. References
904 6.1. Normative References
906 [I-D.ietf-rtcweb-security]
907 Rescorla, E., "Security Considerations for RTC-Web",
908 draft-ietf-rtcweb-security-01 (work in progress),
909 October 2011.
911 [I-D.ietf-rtcweb-security-arch]
912 Rescorla, E., "RTCWEB Security Architecture",
913 draft-ietf-rtcweb-security-arch-00 (work in progress),
914 January 2012.
916 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
917 Requirement Levels", BCP 14, RFC 2119, March 1997.
919 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
921 [RFC4627] Crockford, D., "The application/json Media Type for
922 JavaScript Object Notation (JSON)", RFC 4627, July 2006.
924 6.2. Informative References
926 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
927 December 2011.
929 Author's Address
931 Eric Rescorla
932 RTFM, Inc.
933 2064 Edgewood Drive
934 Palo Alto, CA 94303
935 USA
937 Phone: +1 650 678 2350
938 Email: ekr@rtfm.com