idnits 2.17.1
draft-rescorla-rtcweb-generic-idp-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
-- The document has examples using IPv4 documentation addresses according
to RFC6890, but does not use any IPv6 documentation addresses. Maybe
there should be IPv6 examples, too?
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== The document seems to contain a disclaimer for pre-RFC5378 work, but was
first submitted on or after 10 November 2008. The disclaimer is usually
necessary only for documents that revise or obsolete older RFCs, and that
take significant amounts of text from those RFCs. If you can contact all
authors of the source material and they are willing to grant the BCP78
rights to the IETF Trust, you can and should remove the disclaimer.
Otherwise, the disclaimer is needed and you can ignore this comment.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (January 22, 2012) is 4477 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'TBD' is mentioned on line 382, but not defined
== Unused Reference: 'I-D.ietf-rtcweb-security-arch' is defined on line
901, but no explicit reference was found in the text
== Unused Reference: 'I-D.abarth-origin' is defined on line 916, but no
explicit reference was found in the text
== Outdated reference: A later version (-12) exists of
draft-ietf-rtcweb-security-01
** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159)
Summary: 3 errors (**), 0 flaws (~~), 6 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 RTCWEB E. Rescorla
3 Internet-Draft RTFM, Inc.
4 Intended status: Standards Track January 22, 2012
5 Expires: July 25, 2012
7 RTCWEB Generic Identity Provider Interface
8 draft-rescorla-rtcweb-generic-idp-00
10 Abstract
12 Security for RTCWEB communications requires that the communicating
13 endpoints be able to authenticate each other. While authentication
14 may be mediated by the calling service, there are settings in which
15 this is undesirable. This document describes a generic mechanism for
16 leveraging existing identity providers (IdPs) such as BrowserID or
17 OAuth to provide this authentication service.
19 Legal
21 THIS DOCUMENT AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON
22 AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
23 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
24 IETF TRUST, AND THE INTERNET ENGINEERING TASK FORCE, DISCLAIM ALL
25 WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
26 WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE
27 ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
28 FOR A PARTICULAR PURPOSE.
30 Status of this Memo
32 This Internet-Draft is submitted in full conformance with the
33 provisions of BCP 78 and BCP 79.
35 Internet-Drafts are working documents of the Internet Engineering
36 Task Force (IETF). Note that other groups may also distribute
37 working documents as Internet-Drafts. The list of current Internet-
38 Drafts is at http://datatracker.ietf.org/drafts/current/.
40 Internet-Drafts are draft documents valid for a maximum of six months
41 and may be updated, replaced, or obsoleted by other documents at any
42 time. It is inappropriate to use Internet-Drafts as reference
43 material or to cite them other than as "work in progress."
45 This Internet-Draft will expire on July 25, 2012.
47 Copyright Notice
48 Copyright (c) 2012 IETF Trust and the persons identified as the
49 document authors. All rights reserved.
51 This document is subject to BCP 78 and the IETF Trust's Legal
52 Provisions Relating to IETF Documents
53 (http://trustee.ietf.org/license-info) in effect on the date of
54 publication of this document. Please review these documents
55 carefully, as they describe your rights and restrictions with respect
56 to this document. Code Components extracted from this document must
57 include Simplified BSD License text as described in Section 4.e of
58 the Trust Legal Provisions and are provided without warranty as
59 described in the Simplified BSD License.
61 This document may contain material from IETF Documents or IETF
62 Contributions published or made publicly available before November
63 10, 2008. The person(s) controlling the copyright in some of this
64 material may not have granted the IETF Trust the right to allow
65 modifications of such material outside the IETF Standards Process.
66 Without obtaining an adequate license from the person(s) controlling
67 the copyright in such materials, this document may not be modified
68 outside the IETF Standards Process, and derivative works of it may
69 not be created outside the IETF Standards Process, except to format
70 it for publication as an RFC or to translate it into languages other
71 than English.
73 Table of Contents
75 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
76 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
77 3. Trust Relationships: IdPs, APs, and RPs . . . . . . . . . . . 6
78 4. Overview of Operation . . . . . . . . . . . . . . . . . . . . 7
79 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . . 9
80 5.1. General Message Structure . . . . . . . . . . . . . . . . 9
81 5.1.1. Errors . . . . . . . . . . . . . . . . . . . . . . . . 9
82 5.2. IdP Proxy Setup . . . . . . . . . . . . . . . . . . . . . 10
83 5.2.1. Determining the IdP URI . . . . . . . . . . . . . . . 10
84 5.2.1.1. Authenticating Party . . . . . . . . . . . . . . . 11
85 5.2.1.2. Relying Party . . . . . . . . . . . . . . . . . . 11
86 5.3. Requesting Assertions . . . . . . . . . . . . . . . . . . 11
87 5.4. Verifying Assertions . . . . . . . . . . . . . . . . . . . 12
88 5.4.1. Identity Formats . . . . . . . . . . . . . . . . . . . 13
89 5.4.2. PostMessage Checks . . . . . . . . . . . . . . . . . . 14
90 5.4.3. PeerConnection API Extensions . . . . . . . . . . . . 14
91 5.4.3.1. Authenticating Party . . . . . . . . . . . . . . . 14
92 5.4.3.2. Relying Party . . . . . . . . . . . . . . . . . . 15
93 5.5. Example Bindings to Specific Protocols . . . . . . . . . . 16
94 5.5.1. BrowserID . . . . . . . . . . . . . . . . . . . . . . 16
95 5.5.2. OAuth . . . . . . . . . . . . . . . . . . . . . . . . 19
96 5.6. Security Considerations . . . . . . . . . . . . . . . . . 20
97 5.6.1. PeerConnection Origin Check . . . . . . . . . . . . . 20
98 5.6.2. IdP Well-known URI . . . . . . . . . . . . . . . . . . 20
99 5.7. Web Security Feature Interactions . . . . . . . . . . . . 21
100 5.7.1. Popup Blocking . . . . . . . . . . . . . . . . . . . . 21
101 5.7.2. Third Party Cookies . . . . . . . . . . . . . . . . . 21
102 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
103 6.1. Normative References . . . . . . . . . . . . . . . . . . . 21
104 6.2. Informative References . . . . . . . . . . . . . . . . . . 22
105 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
107 1. Introduction
109 Security for RTCWEB communications requires that the communicating
110 endpoints be able to authenticate each other. While authentication
111 may be mediated by the calling service, there are settings in which
112 this is undesirable. This document describes a mechanism for
113 leveraging existing identity providers (IdPs) such as BrowserID or
114 OAuth to provide this authentication service.
116 Specifically, Alice and Bob have relationships with some Identity
117 Provider (IdP) that supports a protocol such OpenID or BrowserID)
118 that can be used to attest to their identity. While they are making
119 calls through the signaling service, their identities (and the
120 cryptographic keying material used to make the call) is authenticated
121 via the IdP. This separation isn't particularly important in "closed
122 world" cases where Alice and Bob are users on the same social
123 network, have identities based on that network, and are calling using
124 that network's signaling service. However, there are important
125 settings where that is not the case, such as federation (calls from
126 one network to another) and calling on untrusted sites, such as where
127 two users who have a relationship via a given social network want to
128 call each other on another, untrusted, site, such as a poker site.
130 +----------------+
131 | |
132 | Signaling |
133 | Server |
134 | |
135 +----------------+
136 ^ ^
137 / \
138 HTTPS / \ HTTPS
139 / \
140 / \
141 v v
142 JS API JS API
143 +-----------+ +-----------+
144 | | Media | |
145 Alice | Browser |<---------->| Browser | Bob
146 | | (DTLS-SRTP)| |
147 +-----------+ +-----------+
148 ^ ^--+ +--^ ^
149 | | | |
150 v | | v
151 +-----------+ | | +-----------+
152 | |<--------+ | |
153 | IdP A | | | IdP B |
154 | | +------->| |
155 +-----------+ +-----------+
157 Figure 1: A call with IdP-based identity
159 Figure 1 shows the basic topology. Alice and Bob are on the same
160 signaling server, but they additionally have relationships with their
161 own IdPs. Alice has registered with IdP A and Bob has registered
162 with IdP B. Note that nothing stops these IdPs from being the same,
163 or indeed from being the same as the signaling server, but they can
164 also be totally distinct. In particular, Alice and Bob need not have
165 identities from the same IdP.
167 Starting from this point, the mechanisms described in this document
168 allow Alice and Bob to establish a mutually authenticated phone call.
169 In the interest of clarity the remainder of this section provides a
170 brief overview of how these mechanisms fit into the bigger RTCWEB
171 calling picture. For a detailed description of the relevant protocol
172 elements and their interaction with the larger signaling protocol see
173 [I-D.ietf-rtcweb-security]. When Alice goes to call Bob, her browser
174 (specifically her PeerConnection object) contacts her IdP on her
175 behalf and obtains an assertion of her identity bound to her
176 certificate fingerprint. This assertion is carried with her
177 signaling messages to the signaling server and then down to Bob.
179 Bob's browser verifies the assertion, possibly with the cooperation
180 of the IdP, and can then display Alice's identity to Bob in a trusted
181 user interface element. If Alice is in Bob's address book, then this
182 interface might also include her real name, a picture, etc.
184 When/If Bob agrees to answer the call, his browser contacts his IdP
185 and gets a similar assertion. This assertion is sent to the
186 signaling server as part of Bob's answer which is then forwarded to
187 Alice. Alice's browser verifies Bob's identity and can display the
188 result in a trusted UI element. At this point Alice and Bob know
189 each other's fingerprints and so they can transitively verify the
190 keys used to authenticate the DTLS-SRTP handshake and hence the
191 security of the media.
193 The mechanisms in this document do not require the browser to
194 implement any particular identity protocol or to support any
195 particular IdP. Instead, this document provides a generic interface
196 which any IdP can implement. Thus, new IdPs and protocols can be
197 introduced without change to either the browser or the calling
198 service. This avoids the need to make a commitment to any particular
199 identity protocol, although browsers may opt to directly implement
200 some identity protocols in order to provide superior performance or
201 UI properties.
203 2. Terminology
205 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
206 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
207 document are to be interpreted as described in RFC 2119 [RFC2119].
209 3. Trust Relationships: IdPs, APs, and RPs
211 Any authentication protocol has three major participants:
213 Authenticating Party (AP): The entity which is trying to establish
214 its identity.
216 Identity Provider (IdP): The entity which is vouching for the AP's
217 identity.
219 Relying Party (RP): The entity which is trying to verify the AP's
220 identity.
222 The AP and the IdP have an account relationship of some kind: the AP
223 registers with the IdP and is able to subsequently authenticate
224 directly to the IdP (e.g., with a password). This means that the
225 browser must somehow know which IdP(s) the user has an account
226 relationship with. This can either be something that the user
227 configures into the browser or that is configured at the calling site
228 and then provided to the PeerConnection by the calling site.
230 At a high level there are two kinds of IdPs:
232 Authoritative: IdPs which have verifiable control of some section
233 of the identity space. For instance, in the realm of e-mail, the
234 operator of "example.com" has complete control of the namespace
235 ending in "@example.com". Thus, "alice@example.com" is whoever
236 the operator says it is. Examples of systems with authoritative
237 identity providers include DNSSEC, RFC 4474, and Facebook Connect
238 (Facebook identities only make sense within the context of the
239 Facebook system).
241 Third-Party: IdPs which don't have control of their section of the
242 identity space but instead verify user's identities via some
243 unspecified mechanism and then attest to it. Because the IdP
244 doesn't actually control the namespace, RPs need to trust that the
245 IdP is correctly verifying AP identities, and there can
246 potentially be multiple IdPs attesting to the same section of the
247 identity space. Probably the best-known example of a third-party
248 identity provider is SSL certificates, where there are a large
249 number of CAs all of whom can attest to any domain name.
251 If an AP is authenticating via an authoritative IdP, then the RP does
252 not need to explicitly trust the IdP at all: as long as the RP knows
253 how to verify that the IdP indeed made the relevant identity
254 assertion (a function provided by the mechanisms in this document),
255 then any assertion it makes about an identity for which it is
256 authoritative is directly verifiable.
258 By contrast, if an AP is authenticating via a third-party IdP, the RP
259 needs to explicitly trust that IdP (hence the need for an explicit
260 trust anchor list in PKI-based SSL/TLS clients). The list of
261 trustable IdPs needs to be configured directly into the browser,
262 either by the user or potentially by the browser manufacturer. This
263 is a significant advantage of authoritative IdPs and implies that if
264 third-party IdPs are to be supported, the potential number needs to
265 be fairly small.
267 4. Overview of Operation
269 In order to provide security without trusting the calling site, the
270 PeerConnection component of the browser must interact directly with
271 the IdP. In this section, we describe a standalone mechanism based
272 on IFRAMEs and postMessage(), however, most likely this will
273 eventually be superceded by WebIntents .
274 [[ OPEN ISSUE: I've been looking at WebIntents and I believe that it
275 can be made to work but may require some modifications. I am
276 currently studying the problem. More analysis to come.]] ]].
278 +------------------------------------+
279 | https://calling-site.example.com |
280 | |
281 | |
282 | |
283 | Calling JS Code |
284 | ^ |
285 | | API Calls |
286 | v |
287 | PeerConnection |
288 | ^ |
289 | | postMessage() |
290 | v |
291 | +-------------------------+ | +---------------+
292 | | https://idp.example.org | | | |
293 | | |<--------->| Identity |
294 | | IdP JS | | | Provider |
295 | | | | | |
296 | +-------------------------+ | +---------------+
297 | |
298 +------------------------------------+
300 When the PeerConnection object wants to interact with the IdP, the
301 sequence of events is as follows:
303 1. The browser (the PeerConnection component) instantiates an IdP
304 proxy (typically a hidden IFRAME) with its source at the IdP.
305 This allows the IdP to load whatever JS is necessary into the
306 proxy, which runs in the IdP's security context.
307 2. If the user is not already logged in, the IdP does whatever is
308 required to log them in, such as soliciting a username and
309 password.
310 3. Once the user is logged in, the IdP proxy notifies the browser
311 (via postMessage()) that it is ready.
312 4. The browser and the IdP proxy communicate via a standardized
313 series of messages delivered via postMessage. For instance, the
314 browser might request the IdP proxy to sign or verify a given
315 identity assertion.
317 This approach allows us to decouple the browser from any particular
318 identity provider; the browser need only know how to load the IdP's
319 JavaScript--which is deterministic from the IdP's identity--and the
320 generic protocol for requesting and verifying assertions. The IdP
321 provides whatever logic is necessary to bridge the generic protocol
322 to the IdP's specific requirements. Thus, a single browser can
323 support any number of identity protocols, including being forward
324 compatible with IdPs which did not exist at the time the browser was
325 written.
327 5. Protocol Details
329 5.1. General Message Structure
331 Messages between the PeerConnection object and the IdP proxy are
332 formatted using JSON [RFC4627]. For instance, the PeerConnection
333 would request a signature with the following "SIGN" message:
335 {
336 "type":"SIGN",
337 "id": "1",
338 "message":"012345678abcdefghijkl"
339 }
341 All messages MUST contain a "type" field which indicates the general
342 meaning of the message.
344 All requests from the PeerConnection object MUST contain an "id"
345 field which MUST be unique for that PeerConnection object. Any
346 responses from the IdP proxy MUST contain the same id in response,
347 which allows the PeerConnection to correlate requests and responses.
349 Any message-specific data is carried in a "message" field. Depending
350 on the message type, this may either be a string or a deeper JSON
351 object.
353 5.1.1. Errors
355 If an error occurs, the IdP sends a message of type "ERROR". The
356 message MAY have an "error" field containing freeform text data which
357 containing additional information about what happened. For instance:
359 {
360 "type":"ERROR",
361 "error":"Signature verification failed"
362 }
364 Figure 2: Example error
366 5.2. IdP Proxy Setup
368 In order to perform an identity transaction, the PeerConnection must
369 first create the IdP proxy. While the specific technical mechanism
370 used is left up to the implementation, the following requirements
371 MUST be met for security and interoperability.
373 o Any JS MUST run in the IdP's security context.
374 o The usual browser sandbox isolation mechanisms MUST be enforced
375 with respect to the IdP proxy.
376 o JS running in the IdP proxy MUST be able to send and receive
377 messages to the PeerConnection object using postMessage.
378 o Either window.parent or window.opener MUST be set such that
379 messages sent with postMessage() arrive at the PeerConnection
380 object. If both variables are set, they MUST be the same.
381 o Messages sent by the PeerConnection object MUST have their .origin
382 value set to "rtcweb:://idp-interface". [TBD]
384 One mechanism for implementing the IdP proxy is as a hidden (CSS
385 "display=none") IFRAME with a URI as determined in Section 5.2.1.
386 The PeerConnection component will of course need to specially arrange
387 for the origin value to be set correctly; as dicussed in Section 5.6,
388 the fact that ordinary Web pages cannot set their origins to
389 "rtcweb://..." is an essential security feature.
391 Initially the IdP proxy is in an unready state; the IdP JS must be
392 loaded and there may be several round trips to the IdP server, for
393 instance to log the user in. Thus, the IFRAME's "onready" property
394 is not a reliable indicator of when the IdP IFRAME is ready to
395 receive commands. Instead, when the IdP proxy is ready to receive
396 commands, it delivers a "ready" message via postMessage(). As this
397 message is unsolicited, it simply contains:
399 { "type":"READY" }
401 Once the PeerConnection object receives the ready message, it can
402 send commands to the IdP proxy.
404 5.2.1. Determining the IdP URI
406 Each IdP proxy instance is associated with two values:
408 domain name: The IdP's domain name
409 protocol: The specific IdP protocol which the IdP is using. This is
410 a completely IdP-specific string, but allows an IdP to implement
411 two protocols in parallel. This value may be the empty string.
413 Each IdP MUST serve its initial entry page (i.e., the one loaded by
414 the IdP proxy) from the well-known URI specified in "/.well-known/
415 idp-proxy/" on the IdP's web site. This URI MUST be loaded
416 via HTTPS [RFC2818]. For example, for the IdP "identity.example.com"
417 and the protocol "example", the URL would be:
419 https://example.com/.well-known/idp-proxy/example
421 5.2.1.1. Authenticating Party
423 How an AP determines the appropriate IdP domain is out of scope of
424 this specification. In general, however, the AP has some actual
425 account relationship with the IdP, as this identity is what the IdP
426 is attesting to. Thus, the AP somehow supplies the IdP information
427 to the browser. Some potential mechanisms include:
429 o Provided by the user directly.
430 o Selected from some set of IdPs known to the calling site. E.g., a
431 button that shows "Authenticate via Facebook Connect"
433 5.2.1.2. Relying Party
435 Unlike the AP, the RP need not have any particular relationship with
436 the IdP. Rather, it needs to be able to process whatever assertion
437 is provided by the AP. As the assertion contains the IdP's identity,
438 the URI can be constructed directly from the assertion, and thus the
439 RP can directly verify the technical validity of the assertion with
440 no user interaction. Authoritative assertions need only be
441 verifiable. Third-party assertions also MUST be verified against
442 local policy, as described in Section 5.4.1.
444 5.3. Requesting Assertions
446 In order to request an assertion, the PeerConnection sends a "SIGN"
447 message. Aside from the mandatory fields, this message has a
448 "message" field containing a string. The contents of this string are
449 defined in [I-D.ietf-rtcweb-security], but are opaque from the
450 perspective of this protocol.
452 A successful response to a "SIGN" message contains a message field
453 which is a JS dictionary dictionary consisting of two fields:
455 idp: A dictionary containing the domain name of the provider and the
456 protocol string
457 assertion: An opaque field containing the assertion itself. This is
458 only interpretable by the idp or its proxy.
460 Figure 3 shows an example transaction, with the message "abcde..."
461 being signed and bound to identity "ekr@example.org". In this case,
462 the message has presumably been digitally signed/MACed in some way
463 that the IdP can later verify it, but this is an implementation
464 detail and out of scope of this document. Line breaks are inserted
465 solely for readability.
467 PeerConnection -> IdP proxy:
468 {
469 "type":"SIGN",
470 "id":1,
471 "message":"abcdefghijklmnopqrstuvwyz"
472 }
474 IdPProxy -> PeerConnection:
475 {
476 "type":"SUCCESS",
477 "id":1,
478 "message": {
479 "idp":{
480 "domain": "example.org"
481 "protocol": "bogus"
482 },
483 "assertion":\"{\"identity\":\"bob@example.org\",
484 \"contents\":\"abcdefghijklmnopqrstuvwyz\",
485 \"signature\":\"010203040506\"}"
486 }
487 }
489 Figure 3: Example assertion request
491 5.4. Verifying Assertions
493 In order to verify an assertion, an RP sends a "VERIFY" message to
494 the IdP proxy containing the assertion supplied by the AP in the
495 "message" field.
497 The IdP proxy verifies the assertion. Depending on the identity
498 protocol, this may require one or more round trips to the IdP. For
499 instance, an OAuth-based protocol will likely require using the IdP
500 as an oracle, whereas with BrowserID the IdP proxy can likely verify
501 the signature on the assertion without contacting the IdP, provided
502 that it has cached the IdP's public key.
504 Regardless of the mechanism, if verification succeeds, a successful
505 response from the IdP proxy MUST contain a message field consisting
506 of a dictionary/hash with the following fields:
508 identity The identity of the AP from the IdP's perspective. Details
509 of this are provided in Section 5.4.1
510 contents The original unmodified string provided by the AP in the
511 original SIGN request.
513 Figure 4 shows an example transaction. Line breaks are inserted
514 solely for readability.
516 PeerConnection -> IdP Proxy:
517 {
518 "type":"VERIFY",
519 "id":2,
520 "message":\"{\"identity\":\"bob@example.org\",
521 \"contents\":\"abcdefghijklmnopqrstuvwyz\",
522 \"signature\":\"010203040506\"}"
523 }
525 IdP Proxy -> PeerConnection:
526 {
527 "type":"SUCCESS",
528 "id":2,
529 "message": {
530 "identity" : {
531 "name" : "bob@example.org",
532 "displayname" : "Bob"
533 },
534 "contents":"abcdefghijklmnopqrstuvwyz"
535 }
536 }
538 Figure 4: Example assertion request
540 5.4.1. Identity Formats
542 Identities passed from the IdP proxy to the PeerConnection are
543 structured as JSON dictionaries with one mandatory field: "name".
544 This field MUST consist of an RFC822-formatted string representing
545 the user's identity. [[ OPEN ISSUE: Would it be better to have a
546 typed field? ]] The PeerConnection API MUST check this string as
547 follows:
549 1. If the RHS of the string is equal to the domain name of the IdP
550 proxy, then the assertion is valid, as the IdP is authoritative
551 for this domain.
552 2. If the RHS of the string is not equal to the domain name of the
553 IdP proxy, then the PeerConnection object MUST reject the
554 assertion unless (a) the IdP domain is listed as an acceptable
555 third-party IdP and (b) local policy is configured to trust this
556 IdP domain for the RHS of the identity string.
558 Sites which have identities that do not fit into the RFC822 style
559 (for instance, Facebook ids are simple numeric values) SHOULD convert
560 them to this form by appending their IdP domain (e.g.,
561 12345@identity.facebook.com), thus ensuring that they are
562 authoritative for the identity.
564 The IdP proxy MAY also include a "displayname" field which contains a
565 more user-friendly identity assertion. Browsers SHOULD take care in
566 the UI to distinguish the "name" assertion which is verifiable
567 directly from the "displayname" which cannot be verified and thus
568 relies on trust in the IdP. In future, we may define other fields to
569 allow the IdP to provide more information to the browser.
571 5.4.2. PostMessage Checks
573 Because the PeerConnect object and the IdP proxy communicate via
574 postMessage(), it is essential to verify that the origin of any
575 message (contained in the event.origin property) and source
576 (contained in the event.source) property are as expected:
578 o For messages from the PeerConnection object, the IdP proxy MUST
579 verify that the origin is "rtcweb://idp-interface" and that the
580 source matches either window.opener or window.parent. If both are
581 non-falsey, they MUST be equal. If any of these checks fail, the
582 message MUST be rejected. [[ OPEN ISSUE: An alternate (more
583 generic) design would be to not check the origin here but rather
584 to include the origin in the assertion and have it checked at the
585 RP. Comments? ]]
586 o For messages from the IdP proxy, the PeerConnection object MUST
587 verify that the origin matches the IdP's origin and that the
588 source matches the window/IFRAME opened for the IdP proxy. [[ OPEN
589 ISSUE: do we need to check the origin? What if the IdP wants to
590 redirect a bit? ]]
592 If any of these checks fail, the message MUST be rejected. In
593 general, mismatches SHOULD NOT cause transaction failure, since
594 malicious JS might use bogus messages as a form of DoS attack.
596 5.4.3. PeerConnection API Extensions
598 5.4.3.1. Authenticating Party
600 As discussed in Section 3, the AP's IdP can either be configured
601 directly into the browser or selected from a list known to the
602 calling site. We anticipate that some browsers will allow
603 configuration of IdPs in the browser UI but allow the calling
604 application to provide new candidate IdPs or to direct the selection
605 of a known one. Thus, one model would be:
607 o If a IdP is provided by the calling application use that.
608 o If no IdP is provided, and one is configured, use that.
609 o If no IdP is provided or configured, do nothing.
611 Implementations MAY also wish to have configuration settings override
612 the calling application's preferences.
614 APIs for PeerConnection configuration are as-yet unsettled, but it
615 MUST be possible to specify the following parameters to the
616 PeerConnection.
618 o The IdP domain.
619 o The users expected identity (if known) [this allows selection
620 between multiple candidate identities with the same IdP.]
622 5.4.3.2. Relying Party
624 Because the browser UI must be responsible for displaying the user's
625 identity, it isn't strictly necessary to have new JS interfaces on
626 the relying party side. However, two new interfaces are RECOMMENDED.
628 When a message is provided to the PeerConnection API with
629 processSignalingMessage() with an assertion that cannot be verified,
630 there is a need for some sort of error indicating verification
631 failure. [Note: I don't see an interface for any other kind of
632 parse error, so I'm not sure what to imitate here.]
634 A new attribute should be added to indicate the verification status.
635 For instance:
637 readonly attribute DOMString verifiedIdentity;
639 The attribute value should be a JS dictionary indicating the identity
640 and the domain name of the IdP, such as:
642 {
643 "identity" : "ekr@example.org",
644 "idp": "example.org"
645 }
647 5.5. Example Bindings to Specific Protocols
649 This section provides some examples of how the mechanisms described
650 in this document could be used with existing authentication protocols
651 such as BrowserID or OAuth. Note that this does not require browser-
652 level support for either protocol. Rather, the protocols can be fit
653 into the generic framework. (Though BrowserID in particular works
654 better with some client side support).
656 5.5.1. BrowserID
658 BrowserID [https://browserid.org/] is a technology which allows a
659 user with a verified email address to generate an assertion
660 (authenticated by their identity provider) attesting to their
661 identity (phrased as an email address). The way that this is used in
662 practice is that the relying party embeds JS in their site which
663 talks to the BrowserID code (either hosted on a trusted intermediary
664 or embedded in the browser). That code generates the assertion which
665 is passed back to the relying party for verification. The assertion
666 can be verified directly or with a Web service provided by the
667 identity provider. It's relatively easy to extend this functionality
668 to authenticate RTCWEB calls, as shown below.
670 +----------------------+ +----------------------+
671 | | | |
672 | Alice's Browser | | Bob's Browser |
673 | | OFFER ------------> | |
674 | Calling JS Code | | Calling JS Code |
675 | ^ | | ^ |
676 | | | | | |
677 | v | | v |
678 | PeerConnection | | PeerConnection |
679 | | ^ | | | ^ |
680 | Finger| |Signed | |Signed | | |
681 | print | |Finger | |Finger | |"Alice"|
682 | | |print | |print | | |
683 | v | | | v | |
684 | +--------------+ | | +---------------+ |
685 | | IdP Proxy | | | | IdP Proxy | |
686 | | to | | | | to | |
687 | | BrowserID | | | | BrowserID | |
688 | | Signer | | | | Verifier | |
689 | +--------------+ | | +---------------+ |
690 | ^ | | ^ |
691 +-----------|----------+ +----------|-----------+
692 | |
693 | Get certificate |
694 v | Check
695 +----------------------+ | certificate
696 | | |
697 | Identity |/-------------------------------+
698 | Provider |
699 | |
700 +----------------------+
702 The way this mechanism works is as follows. On Alice's side, Alice
703 goes to initiate a call.
705 1. The calling JS instantiates a PeerConnection and tells it that it
706 is interested in having it authenticated via BrowserID (i.e., it
707 provides "browserid.org" as the IdP name.)
708 2. The PeerConnection instantiates the BrowserID signer in the IdP
709 proxy
710 3. The BrowserID signer contacts Alice's identity provider,
711 authenticating as Alice (likely via a cookie).
712 4. The identity provider returns a short-term certificate attesting
713 to Alice's identity and her short-term public key.
714 5. The Browser-ID code signs the fingerprint and returns the signed
715 assertion + certificate to the PeerConnection.
717 6. The PeerConnection returns the signed information to the calling
718 JS code.
719 7. The signed assertion gets sent over the wire to Bob's browser
720 (via the signaling service) as part of the call setup.
722 Obviously, the format of the signed assertion varies depending on
723 what signaling style the WG ultimately adopts. However, for
724 concreteness, if something like ROAP were adopted, then the entire
725 message might look like:
727 {
728 "messageType":"OFFER",
729 "callerSessionId":"13456789ABCDEF",
730 "seq": 1
731 "sdp":"
732 v=0\n
733 o=- 2890844526 2890842807 IN IP4 192.0.2.1\n
734 s= \n
735 c=IN IP4 192.0.2.1\n
736 t=2873397496 2873404696\n
737 m=audio 49170 RTP/AVP 0\n
738 a=fingerprint: SHA-1 \
739 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB\n",
740 "identity":{
741 "idp":{ // Standardized
742 "domain":"browserid.org",
743 "method":"default"
744 },
745 "assertion": // Contents are browserid-specific
746 "\"assertion\": {
747 \"digest\":\"\",
748 \"audience\": \"[TBD]\"
749 \"valid-until\": 1308859352261,
750 },
751 \"certificate\": {
752 \"email\": \"rescorla@example.org\",
753 \"public-key\": \"\",
754 \"valid-until\": 1308860561861,
755 }" // certificate is signed by example.org
756 }
757 }
759 [TODO: Need to talk about Audience a bit.] Note that while the IdP
760 here is specified as "browserid.org", the actual certificate is
761 signed by example.org. This is because BrowserID is a combined
762 authoritative/third-party system in which browserid.org delegates the
763 right to be authoritative (what BrowserID calls primary) to
764 individual domains.
766 On Bob's side, he receives the signed assertion as part of the call
767 setup message and a similar procedure happens to verify it.
769 1. The calling JS instantiates a PeerConnection and provides it the
770 relevant signaling information, including the signed assertion.
771 2. The PeerConnection instantiates the IdP proxy which examines the
772 IdP name and brings up the BrowserID verification code.
773 3. The BrowserID verifier contacts the identity provider to verify
774 the certificate and then uses the key to verify the signed
775 fingerprint.
776 4. Alice's verified identity is returned to the PeerConnection (it
777 already has the fingerprint).
778 5. At this point, Bob's browser can display a trusted UI indication
779 that Alice is on the other end of the call.
781 When Bob returns his answer, he follows the converse procedure, which
782 provides Alice with a signed assertion of Bob's identity and keying
783 material.
785 5.5.2. OAuth
787 While OAuth is not directly designed for user-to-user authentication,
788 with a little lateral thinking it can be made to serve. We use the
789 following mapping of OAuth concepts to RTCWEB concepts:
791 +----------------------+----------------------+
792 | OAuth | RTCWEB |
793 +----------------------+----------------------+
794 | Client | Relying party |
795 | Resource owner | Authenticating party |
796 | Authorization server | Identity service |
797 | Resource server | Identity service |
798 +----------------------+----------------------+
800 Table 1
802 The idea here is that when Alice wants to authenticate to Bob (i.e.,
803 for Bob to be aware that she is calling). In order to do this, she
804 allows Bob to see a resource on the identity provider that is bound
805 to the call, her identity, and her public key. Then Bob retrieves
806 the resource from the identity provider, thus verifying the binding
807 between Alice and the call.
809 Alice IdP Bob
810 ---------------------------------------------------------
811 Call-Id, Fingerprint ------->
812 <------------------- Auth Code
813 Auth Code ---------------------------------------------->
814 <----- Get Token + Auth Code
815 Token --------------------->
816 <------------- Get call-info
817 Call-Id, Fingerprint ------>
819 This is a modified version of a common OAuth flow, but omits the
820 redirects required to have the client point the resource owner to the
821 IdP, which is acting as both the resource server and the
822 authorization server, since Alice already has a handle to the IdP.
824 Above, we have referred to "Alice", but really what we mean is the
825 PeerConnection. Specifically, the PeerConnection will instantiate an
826 IFRAME with JS from the IdP and will use that IFRAME to communicate
827 with the IdP, authenticating with Alice's identity (e.g., cookie).
828 Similarly, Bob's PeerConnection instantiates an IFRAME to talk to the
829 IdP.
831 5.6. Security Considerations
833 This mechanism relies for its security on the IdP and on the
834 PeerConnection correctly enforcing the security invariants described
835 above. At a high level, the IdP is attesting that the user
836 identified in the assertion wishes to be associated with the
837 assertion. Thus, it must not be possible for arbitrary third parties
838 to get assertions tied to a user or to produce assertions that RPs
839 will accept.
841 5.6.1. PeerConnection Origin Check
843 Fundamentally, the IdP proxy is just a piece of HTML and JS loaded by
844 the browser, so nothing stops a Web attacker o from creating their
845 own IFRAME, loading the IdP proxy HTML/JS, and requesting a
846 signature. In order to prevent this attack, we require that all
847 signatures be tied to a specific origin ("rtcweb://...") which cannot
848 be produced by a page tied to a Web attacker. Thus, while an
849 attacker can instantiate the IdP proxy, they cannot send messages
850 from an appropriate origin and so cannot create acceptable
851 assertions. [[OPEN ISSUE: Where is this enforced? ]]
853 5.6.2. IdP Well-known URI
855 As described in Section 5.2.1 the IdP proxy HTML/JS landing page is
856 located at a well-known URI based on the IdP's domain name. This
857 requirement prevents an attacker who can write some resources at the
858 IdP (e.g., on one's Facebook wall) from being able to impersonate the
859 IdP.
861 5.7. Web Security Feature Interactions
863 A number of optional Web security features have the potential to
864 cause issues for this mechanism, as discussed below.
866 5.7.1. Popup Blocking
868 If the user is not already logged into the IdP, the IdP proxy may
869 need to pop up a top level window in order to prompt the user for
870 their authentication information (it is bad practice to do this in an
871 IFRAME inside the window because then users have no way to determine
872 the destination for their password). If the user's browser is
873 configured to prevent popups, this may fail (depending on the exact
874 algorithm that the popup blocker uses to suppress popups). It may be
875 necessary to provide a standardized mechanism to allow the IdP proxy
876 to request popping of a login window. Note that care must be taken
877 here to avoid PeerConnection becoming a general escape hatch from
878 popup blocking. One possibility would be to only allow popups when
879 the user has explicitly registered a given IdP as one of theirs (this
880 is only relevant at the AP side in any case). This is what
881 WebIntents does, and the problem would go away if WebIntents is used.
883 5.7.2. Third Party Cookies
885 Some browsers allow users to block third party cookies (cookies
886 associated with origins other than the top level page) for privacy
887 reasons. Any IdP which uses cookies to persist logins will be broken
888 by third-party cookie blocking. One option is to accept this as a
889 limitation; another is to have the PeerConnection object disable
890 third-party cookie blocking for the IdP proxy.
892 6. References
894 6.1. Normative References
896 [I-D.ietf-rtcweb-security]
897 Rescorla, E., "Security Considerations for RTC-Web",
898 draft-ietf-rtcweb-security-01 (work in progress),
899 October 2011.
901 [I-D.ietf-rtcweb-security-arch]
902 Rescorla, E., "RTCWeb Security Architecture",
903 draft-ietf-rtcweb-security-arch (work in progress),
904 January 2012.
906 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
907 Requirement Levels", BCP 14, RFC 2119, March 1997.
909 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
911 [RFC4627] Crockford, D., "The application/json Media Type for
912 JavaScript Object Notation (JSON)", RFC 4627, July 2006.
914 6.2. Informative References
916 [I-D.abarth-origin]
917 Barth, A., "The Web Origin Concept",
918 draft-abarth-origin-09 (work in progress), November 2010.
920 Author's Address
922 Eric Rescorla
923 RTFM, Inc.
924 2064 Edgewood Drive
925 Palo Alto, CA 94303
926 USA
928 Phone: +1 650 678 2350
929 Email: ekr@rtfm.com