rfc9749.original   rfc9749.txt 
JMAP D. Gultsch Internet Engineering Task Force (IETF) D. Gultsch
Internet-Draft 10 January 2025 Request for Comments: 9749 March 2025
Intended status: Standards Track Category: Standards Track
Expires: 14 July 2025 ISSN: 2070-1721
Use of VAPID in JMAP WebPush Use of Voluntary Application Server Identification (VAPID) in JSON Meta
draft-ietf-jmap-webpush-vapid-10 Application Protocol (JMAP) WebPush
Abstract Abstract
This document defines a method for JMAP servers to advertise their This document defines a method for JSON Meta Application Protocol
capability to authenticate WebPush notifications using the Voluntary (JMAP) servers to advertise their capability to authenticate WebPush
Application Server Identification protocol. notifications using the Voluntary Application Server Identification
(VAPID) protocol.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 14 July 2025. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9749.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2. Conventions Used in This Document
3. Discovering Support for VAPID . . . . . . . . . . . . . . . . 2 3. Discovering Support for VAPID
4. Issuing Push Notifications . . . . . . . . . . . . . . . . . 3 4. Issuing Push Notifications
5. Key Rotation . . . . . . . . . . . . . . . . . . . . . . . . 3 5. Key Rotation
6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 6. Security Considerations
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 7. IANA Considerations
7.1. Registration of the JMAP Capability for VAPID . . . . . . 5 7.1. Registration of the JMAP Capability for VAPID
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 8. References
8.1. Normative References . . . . . . . . . . . . . . . . . . 5 8.1. Normative References
8.2. Informative References . . . . . . . . . . . . . . . . . 6 8.2. Informative References
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 Author's Address
1. Introduction 1. Introduction
JMAP [RFC8620] specifies how clients can subscribe to events using a JMAP [RFC8620] specifies how clients can subscribe to events using a
protocol that is compatible with WebPush [RFC8030]. Some push protocol that is compatible with WebPush [RFC8030]. Some push
services require that the application server authenticates all push services require that the application server authenticate all push
messages using the Voluntary Application Server Identification messages using the VAPID protocol [RFC8292]. To facilitate that, the
protocol [RFC8292]. To facilitate that, the client (or user agent in client (or user agent in WebPush terminology) needs the VAPID public
WebPush terminology) needs the VAPID public key of the application key of the application server to pass it along to the push service
server to pass it along to the push service when retrieving a new when retrieving a new endpoint.
endpoint.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. These words may also appear in this capitals, as shown here.
document in lower case as plain English words, absent their normative
meanings.
3. Discovering Support for VAPID 3. Discovering Support for VAPID
The JMAP capabilities object is returned as part of the standard JMAP The JMAP capabilities object is returned as part of the standard JMAP
session object (see Section 2 of [RFC8620]). Servers supporting this session object (see Section 2 of [RFC8620]). Servers supporting this
specification MUST add a property called specification MUST add a property called
"urn:ietf:params:jmap:webpush-vapid" to the capabilities object. The "urn:ietf:params:jmap:webpush-vapid" to the capabilities object. The
value of this property is an object that MUST contain the following value of this property is an object that MUST contain the following
information: information:
* applicationServerKey: "String" * applicationServerKey: "String"
The ECDSA public key that the push service will use to
authenticate the application server, in its uncompressed form (as The Elliptic Curve Digital Signature Algorithm (ECDSA) public key
described in [X9.62] Annex A) and encoded using base64url encoding that the push service will use to authenticate the application
[RFC7515]. Current systems use the P-256 curve [FIPS186]. server, in its uncompressed form (as described in Annex A of
[X9.62]) and encoded using base64url encoding [RFC7515]. Current
systems use the P-256 curve [FIPS186].
Informative Note: The format of the application server key was chosen Informative Note: The format of the application server key was chosen
to ensure compatibility with the browser API ([PUSH-API], to ensure compatibility with the browser API (Section 7.2 of
Section 7.2), allowing the key to be directly copied and used without [PUSH-API]), allowing the key to be directly copied and used without
additional transformation. Additionally, as noted in [RFC8292], additional transformation. Additionally, as noted in Section 3.2 of
Section 3.2, the X9.62 encoding simplifies key comparisons and is [RFC8292], the X9.62 encoding simplifies key comparisons and is more
more compact than alternative formats. compact than alternative formats.
4. Issuing Push Notifications 4. Issuing Push Notifications
Every time the server sends a push message to a PushSubscription URL Every time the server sends a push message to a PushSubscription URL,
it MUST authenticate the POST request using the protocol outlined in it MUST authenticate the POST request using the protocol outlined in
[RFC8292]. This includes both StateChange events and [RFC8292]. This includes both StateChange events and
PushVerification notifications. To authenticate the request, the PushVerification notifications. To authenticate the request, the
server MUST use a JWT signed by the private key corresponding to the server MUST use a JSON Web Token (JWT) signed by the private key
application server key. This application server key MUST be the one corresponding to the application server key. This application server
that was advertised in the capabilities object at the time the key MUST be the one that was advertised in the capabilities object at
PushSubscription was created. the time the PushSubscription was created.
5. Key Rotation 5. Key Rotation
When a server needs to replace its VAPID key, it MUST update the When a server needs to replace its VAPID key, it MUST update the
sessionState per [RFC8620]. The client MUST monitor the JMAP session sessionState per [RFC8620]. The client MUST monitor the JMAP session
object for changes to the VAPID key and MUST recreate its push object for changes to the VAPID key and MUST recreate its push
subscription when it detects such a change. subscription when it detects such a change.
After key rotation, the server MAY continue to send push After key rotation, the server MAY continue to send push
notifications for existing push subscriptions using the old notifications for existing push subscriptions using the old
skipping to change at page 4, line 11 skipping to change at line 143
prompts the client to make a PushSubscription/changes method call. prompts the client to make a PushSubscription/changes method call.
The response to this call will contain an updated sessionState, which The response to this call will contain an updated sessionState, which
refers to a session object that contains the new VAPID key. refers to a session object that contains the new VAPID key.
A race condition can occur when the server updates its VAPID key A race condition can occur when the server updates its VAPID key
after the client has refreshed the session object but before calling after the client has refreshed the session object but before calling
the PushSubscription/set method. This situation causes the server to the PushSubscription/set method. This situation causes the server to
send a PushVerification object to a push resource URL that is now send a PushVerification object to a push resource URL that is now
associated with an outdated VAPID key. Consequently, the push associated with an outdated VAPID key. Consequently, the push
service will reject the PushVerification with a 403 (Forbidden) service will reject the PushVerification with a 403 (Forbidden)
status code, as specified in [RFC8292]. status code, as specified in Section 4.2 of [RFC8292].
To alleviate this problem, the client MUST check if the sessionState To alleviate this problem, the client MUST check if the sessionState
in the response from the PushSubscription/set method points to a in the response from the PushSubscription/set method points to a
session object with an applicationServerKey that matches their session object with an applicationServerKey that matches their
expectations. If there is a mismatch, the client MAY retry creating expectations. If there is a mismatch, the client MAY retry creating
the PushSubscription. Additionally, the client MAY destroy the the PushSubscription. Additionally, the client MAY destroy the
PushSubscription from the earlier, failed attempt. PushSubscription from the earlier, failed attempt.
6. Security Considerations 6. Security Considerations
During the key rotation process, synchronization issues between the During the key rotation process, synchronization issues between the
client and server may arise. Specifically, a client might restrict a client and server may arise. Specifically, a client might restrict a
push subscription with the push service to an outdated key, while the push subscription with the push service to an outdated key, while the
server sends the PushVerification object authenticated with the newly server sends the PushVerification object authenticated with the newly
rotated key. This mismatch leads to the push service rejecting the rotated key. This mismatch leads to the push service rejecting the
PushVerification request with HTTP status code 403, as specified in PushVerification request with a 403 (Forbidden) status code, as
[RFC8292], Section 4.2. specified in Section 4.2 of [RFC8292].
Per the requirements of [RFC8620], Section 7.2, the server MUST NOT Per the requirements of Section 7.2 of [RFC8620], the server MUST NOT
retry the rejected PushVerification request. Consequently, the retry the rejected PushVerification request. Consequently, the
PushVerification object will not be delivered to the client. PushVerification object will not be delivered to the client.
To mitigate such issues, the client is responsible for detecting and To mitigate such issues, the client is responsible for detecting and
resolving any synchronization discrepancies, as outlined in the 'Key resolving any synchronization discrepancies, as outlined in Section 5
Rotation' section of this document. of this document.
The inclusion of the urn:ietf:params:jmap:webpush-vapid property in The inclusion of the urn:ietf:params:jmap:webpush-vapid property in
the JMAP capabilities object is limited to providing information the JMAP capabilities object is limited to providing information
about the server's support for Voluntary Application Server about the server's support for VAPID. This property does not reveal
Identification (VAPID). This property does not reveal sensitive sensitive information, nor does it introduce new security or privacy
information, nor does it introduce new security or privacy risks risks beyond those inherent to JMAP and WebPush. The security
beyond those inherent to JMAP and WebPush. The security considerations for JMAP [RFC8620] (especially Sections 8.6 and 8.7),
considerations for JMAP ([RFC8620], especially Section 8.6 and WebPush [RFC8030], and VAPID [RFC8292] apply to this document.
Section 8.7 of that document), WebPush ([RFC8030]) and VAPID
([RFC8292]) apply to this document.
7. IANA Considerations 7. IANA Considerations
7.1. Registration of the JMAP Capability for VAPID
This specification requests IANA to register a new capability in the
JMAP Capabilities registry with the following data:
Capability Name: urn:ietf:params:jmap:webpush-vapid
Specification document: this document 7.1. Registration of the JMAP Capability for VAPID
Intended use: common
Change Controller: IETF IANA has registered the following new capability in the "JMAP
Capabilities" registry:
Security and privacy considerations: this document, Section 6 Capability Name: urn:ietf:params:jmap:webpush-vapid
Intended Use: common
Change Controller: IETF
Security and Privacy Considerations: RFC 9749, Section 6
Reference: RFC 9749
8. References 8. References
8.1. Normative References 8.1. Normative References
[FIPS186] National Institute of Standards and Technology (NIST), [FIPS186] NIST, "Digital Signature Standard (DSS)", NIST FIPS 186-4,
"Digital Signature Standard (DSS)", FIPS 186-4, July 2013, DOI 10.6028/NIST.FIPS.186-4, July 2013,
<https://doi.org/10.6028/NIST.FIPS.186-4>. <https://doi.org/10.6028/NIST.FIPS.186-4>.
[X9.62] American National Standards Institute, "Public Key [X9.62] American National Standards Institute, "Public Key
Cryptography for the Financial Services Industry: The Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm (ECDSA)", Elliptic Curve Digital Signature Algorithm (ECDSA)",
ANSI X9.62-2005, November 2005. ANSI X9.62-2005, November 2005.
[RFC8620] Jenkins, N. and C. Newman, "The JSON Meta Application [RFC8620] Jenkins, N. and C. Newman, "The JSON Meta Application
Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620, July Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620, July
2019, <https://www.rfc-editor.org/info/rfc8620>. 2019, <https://www.rfc-editor.org/info/rfc8620>.
skipping to change at page 6, line 15 skipping to change at line 233
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, <https://www.rfc-editor.org/info/rfc7515>. 2015, <https://www.rfc-editor.org/info/rfc7515>.
8.2. Informative References 8.2. Informative References
[PUSH-API] Peter Beverloo, Martin Thomson, and Marcos Caceres, "Push [PUSH-API] Beverloo, P., Ed., Thomson, M., Ed., and M. Caceres, Ed.,
API", September 2024, <https://www.w3.org/TR/push-api/>. "Push API", W3C Working Draft, September 2024,
<https://www.w3.org/TR/push-api/>.
Author's Address Author's Address
Daniel Gultsch Daniel Gultsch
Email: daniel@gultsch.de Email: daniel@gultsch.de
 End of changes. 25 change blocks. 
91 lines changed or deleted 85 lines changed or added

This html diff was produced by rfcdiff 1.48.