Voluntary Application Server Identification (VAPID) for Web Push
RFC 8292

Document Type RFC - Proposed Standard (November 2017; No errata)
Last updated 2017-11-29
Stream IETF
Formats plain text pdf html bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Phil Sorber
Shepherd write-up Show (last changed 2017-05-06)
IESG IESG state RFC 8292 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Adam Roach
Send notices to Phil Sorber <sorber@apache.org>
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                        M. Thomson
Request for Comments: 8292                                       Mozilla
Category: Standards Track                                    P. Beverloo
ISSN: 2070-1721                                                   Google
                                                           November 2017

    Voluntary Application Server Identification (VAPID) for Web Push

Abstract

   An application server can use the Voluntary Application Server
   Identification (VAPID) method described in this document to
   voluntarily identify itself to a push service.  The "vapid"
   authentication scheme allows a client to include its identity in a
   signed token with requests that it makes.  The signature can be used
   by the push service to attribute requests that are made by the same
   application server to a single entity.  The identification
   information can allow the operator of a push service to contact the
   operator of the application server.  The signature can be used to
   restrict the use of a push message subscription to a single
   application server.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8292.

Thomson & Beverloo           Standards Track                    [Page 1]
RFC 8292                   VAPID for Web Push              November 2017

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
      1.1. Voluntary Identification ...................................3
      1.2. Notational Conventions .....................................4
   2. Application Server Self-Identification ..........................4
      2.1. Application Server Contact Information .....................5
      2.2. Additional Claims ..........................................5
      2.3. Cryptographic Agility ......................................5
      2.4. Example ....................................................5
   3. VAPID Authentication Scheme .....................................6
      3.1. Token Parameter ("t") ......................................7
      3.2. Public Key Parameter ("k") .................................7
   4. Subscription Restriction ........................................7
      4.1. Creating a Restricted Push Message Subscription ............8
      4.2. Using Restricted Subscriptions .............................9
   5. Security Considerations .........................................9
   6. IANA Considerations ............................................10
      6.1. VAPID Authentication Scheme Registration ..................10
      6.2. VAPID Authentication Scheme Parameters ....................10
      6.3. application/webpush-options+json Media Type Registration ..11
   7. References .....................................................12
      7.1. Normative References ......................................12
      7.2. Informative References ....................................14
   Acknowledgements ..................................................14
   Authors' Addresses ................................................14

Thomson & Beverloo           Standards Track                    [Page 2]
RFC 8292                   VAPID for Web Push              November 2017

1.  Introduction

   The Web Push protocol [RFC8030] describes how an application server
   is able to request that a push service deliver a push message to a
   user agent.

   As a consequence of the expected deployment architecture, there is no
   basis for an application server to be known to a push service prior
   to requesting delivery of a push message.  Requiring that the push
   service be able to authenticate application servers places an
   unwanted constraint on the interactions between user agents and
Show full document text