rfc9749v1.txt   rfc9749.txt 
Internet Engineering Task Force (IETF) D. Gultsch Internet Engineering Task Force (IETF) D. Gultsch
Request for Comments: 9749 March 2025 Request for Comments: 9749 March 2025
Category: Standards Track Category: Standards Track
ISSN: 2070-1721 ISSN: 2070-1721
Use of Voluntary Application Server Identification (VAPID) in JSON Meta Use of Voluntary Application Server Identification (VAPID) in JSON Meta
Application Protocol (JMAP) WebPush Application Protocol (JMAP) Web Push
Abstract Abstract
This document defines a method for JSON Meta Application Protocol This document defines a method for JSON Meta Application Protocol
(JMAP) servers to advertise their capability to authenticate WebPush (JMAP) servers to advertise their capability to authenticate Web Push
notifications using the Voluntary Application Server Identification notifications using the Voluntary Application Server Identification
(VAPID) protocol. (VAPID) protocol.
Status of This Memo Status of This Memo
This is an Internet Standards Track document. This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the received public review and has been approved for publication by the
skipping to change at line 64 skipping to change at line 64
7. IANA Considerations 7. IANA Considerations
7.1. Registration of the JMAP Capability for VAPID 7.1. Registration of the JMAP Capability for VAPID
8. References 8. References
8.1. Normative References 8.1. Normative References
8.2. Informative References 8.2. Informative References
Author's Address Author's Address
1. Introduction 1. Introduction
JMAP [RFC8620] specifies how clients can subscribe to events using a JMAP [RFC8620] specifies how clients can subscribe to events using a
protocol that is compatible with WebPush [RFC8030]. Some push protocol that is compatible with Web Push [RFC8030]. Some push
services require that the application server authenticate all push services require that the application server authenticate all push
messages using the VAPID protocol [RFC8292]. To facilitate that, the messages using the VAPID protocol [RFC8292]. To facilitate that, the
client (or user agent in WebPush terminology) needs the VAPID public client (or user agent in Web Push terminology) needs the VAPID public
key of the application server to pass it along to the push service key of the application server to pass along to the push service when
when retrieving a new endpoint. retrieving a new endpoint.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Discovering Support for VAPID 3. Discovering Support for VAPID
The JMAP capabilities object is returned as part of the standard JMAP The JMAP capabilities object is returned as part of the standard JMAP
session object (see Section 2 of [RFC8620]). Servers supporting this session object (see Section 2 of [RFC8620]). Servers supporting this
specification MUST add a property called specification MUST add a property called
"urn:ietf:params:jmap:webpush-vapid" to the capabilities object. The urn:ietf:params:jmap:webpush-vapid to the capabilities object. The
value of this property is an object that MUST contain the following value of this property is an object that MUST contain the following
information: information:
* applicationServerKey: "String" applicationServerKey: "String"
The Elliptic Curve Digital Signature Algorithm (ECDSA) public key The Elliptic Curve Digital Signature Algorithm (ECDSA) public key
that the push service will use to authenticate the application that the push service will use to authenticate the application
server, in its uncompressed form (as described in Annex A of server, in its uncompressed form (as described in Section 2.3.3 of
[X9.62]) and encoded using base64url encoding [RFC7515]. Current [SEC1]) and encoded using base64url encoding [RFC7515]. Current
systems use the P-256 curve [FIPS186]. systems use the P-256 curve [FIPS186].
Informative Note: The format of the application server key was chosen | Informative Note: The format of the application server key was
to ensure compatibility with the browser API (Section 7.2 of | chosen to ensure compatibility with the browser API
[PUSH-API]), allowing the key to be directly copied and used without | (Section 7.2 of [PUSH-API]), allowing the key to be directly
additional transformation. Additionally, as noted in Section 3.2 of | copied and used without additional transformation.
[RFC8292], the X9.62 encoding simplifies key comparisons and is more | Additionally, as noted in Section 3.2 of [RFC8292], the X9.62
compact than alternative formats. | encoding simplifies key comparisons and is more compact than
| alternative formats.
4. Issuing Push Notifications 4. Issuing Push Notifications
Every time the server sends a push message to a PushSubscription URL, Every time the server sends a push message to a PushSubscription URL,
it MUST authenticate the POST request using the protocol outlined in it MUST authenticate the POST request using the protocol outlined in
[RFC8292]. This includes both StateChange events and [RFC8292]. This includes both StateChange events and
PushVerification notifications. To authenticate the request, the PushVerification notifications. To authenticate the request, the
server MUST use a JSON Web Token (JWT) signed by the private key server MUST use a JSON Web Token (JWT) signed by the private key
corresponding to the application server key. This application server corresponding to the application server key. This application server
key MUST be the one that was advertised in the capabilities object at key MUST be the one that was advertised in the capabilities object at
skipping to change at line 174 skipping to change at line 174
PushVerification object will not be delivered to the client. PushVerification object will not be delivered to the client.
To mitigate such issues, the client is responsible for detecting and To mitigate such issues, the client is responsible for detecting and
resolving any synchronization discrepancies, as outlined in Section 5 resolving any synchronization discrepancies, as outlined in Section 5
of this document. of this document.
The inclusion of the urn:ietf:params:jmap:webpush-vapid property in The inclusion of the urn:ietf:params:jmap:webpush-vapid property in
the JMAP capabilities object is limited to providing information the JMAP capabilities object is limited to providing information
about the server's support for VAPID. This property does not reveal about the server's support for VAPID. This property does not reveal
sensitive information, nor does it introduce new security or privacy sensitive information, nor does it introduce new security or privacy
risks beyond those inherent to JMAP and WebPush. The security risks beyond those inherent to JMAP and Web Push. The security
considerations for JMAP [RFC8620] (especially Sections 8.6 and 8.7), considerations for JMAP [RFC8620] (especially Sections 8.6 and 8.7),
WebPush [RFC8030], and VAPID [RFC8292] apply to this document. Web Push [RFC8030], and VAPID [RFC8292] apply to this document.
7. IANA Considerations 7. IANA Considerations
7.1. Registration of the JMAP Capability for VAPID 7.1. Registration of the JMAP Capability for VAPID
IANA has registered the following new capability in the "JMAP IANA has registered the following new capability in the "JMAP
Capabilities" registry: Capabilities" registry:
Capability Name: urn:ietf:params:jmap:webpush-vapid Capability Name: urn:ietf:params:jmap:webpush-vapid
Intended Use: common Intended Use: common
Change Controller: IETF Change Controller: IETF
Security and Privacy Considerations: RFC 9749, Section 6 Security and Privacy Considerations: RFC 9749, Section 6
Reference: RFC 9749 Reference: RFC 9749
8. References 8. References
8.1. Normative References 8.1. Normative References
[FIPS186] NIST, "Digital Signature Standard (DSS)", NIST FIPS 186-4, [FIPS186] NIST, "Digital Signature Standard (DSS)", NIST FIPS 186-5,
DOI 10.6028/NIST.FIPS.186-4, July 2013, DOI 10.6028/NIST.FIPS.186-5, February 2023,
<https://doi.org/10.6028/NIST.FIPS.186-4>. <https://doi.org/10.6028/NIST.FIPS.186-5>.
[X9.62] American National Standards Institute, "Public Key [SEC1] Standards for Efficient Cryptography Group, "SEC 1:
Cryptography for the Financial Services Industry: The Elliptic Curve Cryptography", Version 2.0, May 2009,
Elliptic Curve Digital Signature Algorithm (ECDSA)", <http://www.secg.org/sec1-v2.pdf>.
ANSI X9.62-2005, November 2005.
[RFC8620] Jenkins, N. and C. Newman, "The JSON Meta Application [RFC8620] Jenkins, N. and C. Newman, "The JSON Meta Application
Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620, July Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620, July
2019, <https://www.rfc-editor.org/info/rfc8620>. 2019, <https://www.rfc-editor.org/info/rfc8620>.
[RFC8030] Thomson, M., Damaggio, E., and B. Raymor, Ed., "Generic [RFC8030] Thomson, M., Damaggio, E., and B. Raymor, Ed., "Generic
Event Delivery Using HTTP Push", RFC 8030, Event Delivery Using HTTP Push", RFC 8030,
DOI 10.17487/RFC8030, December 2016, DOI 10.17487/RFC8030, December 2016,
<https://www.rfc-editor.org/info/rfc8030>. <https://www.rfc-editor.org/info/rfc8030>.
 End of changes. 12 change blocks. 
26 lines changed or deleted 25 lines changed or added

This html diff was produced by rfcdiff 1.48.