Message Encryption for Web Push
RFC 8291

Document Type RFC - Proposed Standard (November 2017; Errata)
Last updated 2018-01-08
Replaces draft-thomson-webpush-encryption
Stream IETF
Formats plain text pdf html bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Phil Sorber
Shepherd write-up Show (last changed 2017-06-15)
IESG IESG state RFC 8291 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Adam Roach
Send notices to Phil Sorber <sorber@apache.org>
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions
Internet Engineering Task Force (IETF)                        M. Thomson
Request for Comments: 8291                                       Mozilla
Category: Standards Track                                  November 2017
ISSN: 2070-1721

                    Message Encryption for Web Push

Abstract

   This document describes a message encryption scheme for the Web Push
   protocol.  This scheme provides confidentiality and integrity for
   messages sent from an application server to a user agent.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8291.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Thomson                      Standards Track                    [Page 1]
RFC 8291                   Web Push Encryption             November 2017

Table of Contents

   1. Introduction ....................................................2
      1.1. Notational Conventions .....................................3
   2. Push Message Encryption Overview ................................3
      2.1. Key and Secret Distribution ................................4
   3. Push Message Encryption .........................................4
      3.1. Diffie-Hellman Key Agreement ...............................5
      3.2. Push Message Authentication ................................5
      3.3. Combining Shared and Authentication Secrets ................5
      3.4. Encryption Summary .........................................6
   4. Restrictions on Use of "aes128gcm" Content Coding ...............7
   5. Push Message Encryption Example .................................8
   6. IANA Considerations .............................................8
   7. Security Considerations .........................................8
   8. References .....................................................10
      8.1. Normative References ......................................10
      8.2. Informative References ....................................11
   Appendix A.  Intermediate Values for Encryption ...................12
   Author's Address ..................................................13

1.  Introduction

   The Web Push protocol [RFC8030] is an intermediated protocol by
   necessity.  Messages from an application server are delivered to a
   user agent (UA) via a push service, as shown in Figure 1.

    +-------+           +--------------+       +-------------+
    |  UA   |           | Push Service |       | Application |
    +-------+           +--------------+       +-------------+
        |                      |                      |
        |        Setup         |                      |
        |<====================>|                      |
        |           Provide Subscription              |
        |-------------------------------------------->|
        |                      |                      |
        :                      :                      :
        |                      |     Push Message     |
        |    Push Message      |<---------------------|
        |<---------------------|                      |
        |                      |                      |

                                 Figure 1

   This document describes how messages sent using this protocol can be
   secured against inspection, modification, and forgery by a push
   service.

Thomson                      Standards Track                    [Page 2]
RFC 8291                   Web Push Encryption             November 2017

   Web Push messages are the payload of an HTTP message [RFC7230].
   These messages are encrypted using an encrypted content encoding
   [RFC8188].  This document describes how this content encoding is
   applied and describes a recommended key management scheme.

   Multiple users of Web Push at the same user agent often share a
   central agent that aggregates push functionality.  This agent can
Show full document text