Use of VAPID in JMAP WebPush

Introduction JMAP specifies how clients can subscribe to events using a protocol that is compatible with WebPush . Some push services require that the application server authenticates all push messages using the Voluntary Application Server Identification protocol . To facilitate that, the client (or user agent in WebPush terminology) needs the VAPID public key of the application server to pass it along to the push service when retrieving a new endpoint.

Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings.

Discovering Support for VAPID The JMAP capabilities object is returned as part of the standard JMAP session object (see Section 2 of ). Servers supporting this specification MUST add a property called "urn:ietf:params:jmap:webpush-vapid" to the capabilities object. The value of this property is an object that MUST contain the following information: applicationServerKey: "String" The ECDSA public key (current systems use the P-256 curve) , in its uncompressed form as described in Annex A and encoded using base64url encoding , that the push service will use to authenticate the application server. Informative Note: The format of the application server key was chosen to ensure compatibility with the browser API (, Section 7.2), allowing the key to be directly copied and used without additional transformation. Additionally, as noted in , Section 3.2, the X9.62 encoding simplifies key comparisons and is more compact than alternative formats.

Issuing Push Notifications Every time the server sends a push message to a PushSubscription URL it MUST authenticate the POST request using the protocol outlined in . This includes both StateChange events and PushVerification notifications. To authenticate the request, the server MUST use a JWT signed by the private key corresponding to the application server key. This application server key MUST be the one that was advertised in the capabilities object at the time the PushSubscription was created.

Key Rotation When a server needs to replace its VAPID key, it MUST update the sessionState per . The client MUST monitor the JMAP session object for changes to the VAPID key and MUST recreate its push subscription after detecting such a change. After key rotation, the server MAY continue to send push notifications for existing push subscriptions using the old application server key for a transitional period. This allows clients time to recreate their respective push subscriptions. After the transitional period (or immediately for implementations that do not have one), the server MUST destroy push subscriptions that use the old key. When destroying push subscriptions that include the data type PushSubscription, the server MAY issue one final StateChange push notification using the old URL and application server key to notify the client of changes to the PushSubscription data type. This prompts the client to make a PushSubscription/changes method call. The response to this call will contain an updated sessionState, which refers to a session object that contains the new VAPID key. A race condition can occur when the server updates its VAPID key after the client has refreshed the session object but before calling the PushSubscription/set method. This situation causes the server to send a PushVerification object to a push resource URL that is now associated with an outdated VAPID key. Consequently, the push service will reject the PushVerification with a 403 (Forbidden) status code, as specified in . To alleviate this problem, the client MUST check if the sessionState in the response from the PushSubscription/set method points to a session object with an applicationServerKey that matches their expectations. If there is a mismatch, the client MAY retry creating the PushSubscription. Additionally, the client MAY destroy the PushSubscription from the earlier, failed attempt.

Security Considerations During the key rotation process, synchronization issues between the client and server may arise. Specifically, a client might restrict a push subscription with the push service to an outdated key, while the server sends the PushVerification object authenticated with the newly rotated key. This mismatch leads to the push service rejecting the PushVerification request with HTTP status code 403, as specified in , Section 4.2. Per the requirements of , Section 7.2, the server MUST NOT retry the rejected PushVerification request. Consequently, the PushVerification object will not be delivered to the client. To mitigate such issues, the client is responsible for detecting and resolving any synchronization discrepancies, as outlined in the 'Key Rotation' section of this document. The inclusion of the urn:ietf:params:jmap:webpush-vapid property in the JMAP capabilities object is limited to providing information about the server's support for Voluntary Application Server Identification (VAPID). This property does not reveal sensitive information, nor does it introduce new security or privacy risks beyond those inherent to JMAP and WebPush. The security considerations for JMAP (, especially Section 8.6 and Section 8.7 of that document), WebPush () and VAPID () apply to this document.

IANA Considerations

Registration of the JMAP Capability for VAPID This specification requests IANA to register a new capability in the JMAP Capabilities registry with the following data: Capability Name: urn:ietf:params:jmap:webpush-vapid Specification document: this document Intended use: common Change Controller: IETF Security and privacy considerations: this document, Section 6