identity.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <link href="webrtc.css" rel="stylesheet">
  <title>Identity for WebRTC 1.0</title>
  <script class="remove" src="respec-w3c-common.js" type="text/javascript">
  // // keep this comment //
  </script>
  <script class="remove" src="identity.js" type="text/javascript">
  // // keep
    this comment //
  </script>
</head>
<body>
  <section id="abstract">
    <p>This document defines a set of ECMAScript APIs in WebIDL to allow
      and application using WebRTC to assert an identity, and to mark
      media streams as only viewable by another identity.
      This specification is being
    developed in conjunction with a protocol specification developed by the
    IETF RTCWEB group.</p>
  </section>
  <section id="sotd">

    <p>While the specification is feature complete and is expected to be stable, there are also a number of <a href="https://github.com/w3c/webrtc-pc/issues?utf8=%E2%9C%93&amp;q=is%3Aopen%20is%3Aissue%20-label%3AEditorial%20">known substantive issues</a> on the specification that will be addressed during the Candidate Recommendation period based on implementation experience feedback.</p>

    <p>It might also evolve based on feedback gathered as its <a href="https://github.com/web-platform-tests/wpt/tree/master/webrtc">associated test suite</a> evolves. This test suite will be used to build an <a href="https://wpt.fyi/webrtc">implementation report</a> of the API.</p>

    <p>To go into Proposed Recommendation status, the group expects to demonstrate implementation of each feature in at least two deployed browsers, and at least one implementation of each optional feature. Mandatory feature with only one implementation may be marked as optional in a revised Candidate Recommendation where applicable.</p>


  </section>
  <section class="informative" id="intro">
    <h2>Introduction</h2>
    <p>This document specifies APIs used for identity in WebRTC.</p>
    <p>This
    specification is being developed in conjunction with a protocol
    specification developed by the <a href=
    "https://datatracker.ietf.org/wg/rtcweb/">IETF RTCWEB group</a> and an API
    specification to get access to local media devices [[!GETUSERMEDIA]]
    developed by the <a href="https://www.w3.org/wiki/Media_Capture">Media
    Capture Task Force</a>. An overview of the system can be found in
    [[RTCWEB-OVERVIEW]] and [[RTCWEB-SECURITY]].</p>
  </section>
  <section id="conformance">
    <p>This specification defines conformance criteria that apply to a single
    product: the <dfn>user agent</dfn> that implements the interfaces that it
    contains.</p>
    <p>Conformance requirements phrased as algorithms or specific steps may be
    implemented in any manner, so long as the end result is equivalent. (In
    particular, the algorithms defined in this specification are intended to be
    easy to follow, and not intended to be performant.)</p>
    <p>Implementations that use ECMAScript to implement the APIs defined in
    this specification MUST implement them in a manner consistent with the
    ECMAScript Bindings defined in the Web IDL specification [[!WEBIDL-1]], as
    this specification uses that specification and terminology.</p>
  </section>
  <section>
    <h2>Terminology</h2>
    <p>The <code><a data-cite=
    "!HTML51/webappapis.html#event-handler">EventHandler</a></code>
    interface, representing a callback used for event handlers, and the
    <code><dfn data-cite="!HTML51/webappapis.html#errorevent-errorevent">
    ErrorEvent</dfn></code> interface are defined in [[!HTML51]].</p>
    <p>The concepts <dfn data-cite="!HTML51/webappapis.html#queuing">queue a
    task</dfn>, <dfn data-cite="!HTML51/infrastructure.html#fire">fire a
    simple event</dfn> and <dfn data-cite="!HTML51/webappapis.html#networking-task-source">networking
    task source</dfn> are defined in [[!HTML51]].</p>
    <p>The terms <dfn>event</dfn>, <dfn data-cite="!HTML51/webappapis.html#events-event-handlers">event
    handlers</dfn> and <dfn data-cite="!HTML51/webappapis.html#event-handler-event-type">event
    handler event types</dfn> are defined in [[!HTML51]].</p>
    <p><code><dfn data-cite="!HIGHRES-TIME#dom-performance-timeorigin">performance.timeOrigin</dfn></code>
    and <code><dfn data-cite="!HIGHRES-TIME#dom-performance-now">performance.now()</dfn></code>
    are defined in [[!HIGHRES-TIME]].</p>
    <p>The terms <dfn>MediaStream</dfn>, <dfn>MediaStreamTrack</dfn>, and
    <dfn>MediaStreamConstraints</dfn> are defined in [[!GETUSERMEDIA]].
    Note that <code><a>MediaStreamTrack</a></code>
    is extended in <code><a href="#isolated-track">
    the MediaStreamTrack section</a></code> in this document.</p>
    <p>The term <dfn>Blob</dfn> is defined in [[!FILEAPI]].</p>
    <p>The term <dfn>media description</dfn> is defined in [[!RFC4566]].</p>
    <p>The term <dfn>media transport</dfn> is defined in [[!RFC7656]].</p>
    <p>The term <dfn>generation</dfn> is defined in [[!TRICKLE-ICE]] Section 2.</p>
    <p>The terms <dfn data-cite="!WEBRTC-STATS#dom-rtcstatstype">RTCStatsType</dfn>, <dfn data-cite="!WEBRTC-STATS#dfn-stats-object">stats object</dfn> and <dfn data-cite="!WEBRTC-STATS#dfn-monitored-object">monitored object</dfn> are defined in [[!WEBRTC-STATS]].
    <p>When referring to exceptions, the terms <dfn
    data-cite="!WEBIDL-1#dfn-throw">throw</dfn> and
    <dfn data-dfn-for="exception" data-cite=
    "!WEBIDL-1#dfn-create-exception">create</dfn> are
    defined in [[!WEBIDL-1]].</p>
    <p>The term "throw" is used as specified in [[!INFRA]]: it terminates
      the current processing steps.
    </p>
    <p>The terms <dfn data-lt="fulfill|fulfillment">fulfilled</dfn>, <dfn
    data-lt="reject|rejection|rejecting">rejected</dfn>, <dfn data-lt=
    "resolve|resolves">resolved</dfn>, <dfn>pending</dfn> and
    <dfn>settled</dfn> used in the context of Promises are defined in
    [[!ECMASCRIPT-6.0]].</p>
    <p>The terms <dfn>bundle</dfn>, <dfn>bundle-only</dfn> and <dfn>bundle-policy</dfn>
    are defined in [[!JSEP]].</p>
    <p>The <dfn>OAuth Client</dfn> and <dfn>Authorization Server</dfn> roles
      are defined in [[!RFC6749]] Section 1.1.</p>
    <p>
      The terms <dfn data-lt="rtcpeerconnection">RTCPeerConnection</dfn>,
      <dfn>target peer identity</dfn>,
      <dfn data-dfn-for="rtcpeerconnection">setRemoteDescription</dfn>,
      <dfn data-dfn-for="rtcpeerconnection">createOffer</dfn>,
      <dfn data-dfn-for="rtcpeerconnection">createAnswer</dfn>,
      <dfn data-dfn-for="rtcpeerconnection">addTrack</dfn> and
      <dfn data-lt="rtcerror">RTCError</dfn> are defined in [[!WEBRTC]].
    </p>
  </section>
    <h2 id="sec.identity-proxy">Identity</h2>
    <section>
      <h3>Identity Provider Interaction</h3>
      <p>WebRTC offers and answers (and hence the channels established by
      <code><a>RTCPeerConnection</a></code> objects) can be authenticated by
      using a web-based Identity Provider (IdP). The idea is that the entity
      sending an offer or answer acts as the Authenticating Party (AP) and
      obtains an identity assertion from the IdP which it attaches to the
      session description. The consumer of the session description (i.e., the
      <code><a>RTCPeerConnection</a></code> on which
      <code>setRemoteDescription</code> is called) acts as the Relying Party
      (RP) and verifies the assertion.</p>
      <p>The interaction with the IdP is designed to decouple the browser from
      any particular identity provider; the browser need only know how to load
      the IdP's JavaScript, the location of which is determined by the IdP's
      identity, and the generic interface to generating and validating
      assertions. The IdP provides whatever logic is necessary to bridge the
      generic protocol to the IdP's specific requirements. Thus, a single
      browser can support any number of identity protocols, including being
      forward compatible with IdPs which did not exist at the time the browser
      was written.</p>
      <section>
        <h4 id="sec.identity-proxy-communications">Identity Provider
        Selection</h4>
        <p>An IdP is used to generate an identity assertion as follows:</p>
        <ol>
          <li>If the <code>setIdentityProvider()</code> method has been called,
          the IdP provided shall be used.</li>
          <li>If the <code>setIdentityProvider()</code> method has not been
          called, then the user agent MAY use an IdP configured into the
          browser.</li>
        </ol>
        <p>In order to verify assertions, the IdP domain name and protocol are
        taken from the <code>domain</code> and <code>protocol</code> fields of
        the identity assertion.</p>
      </section>
      <section>
        <h4 id="sec.create-identity-proxy">Instantiating an IdP Proxy</h4>
        <p>In order to communicate with the IdP, the user agent loads the IdP
        JavaScript from the IdP. The URI for the IdP script is a well-known URI
        formed from the <q>domain</q> and <q>protocol</q> fields, as specified
        in [[!RTCWEB-SECURITY-ARCH]].</p>
        <p>The IdP MAY generate an HTTP redirect to another "https" origin, the
        browser MUST treat a redirect to any other scheme as a fatal error.</p>
        <p>The user agent instantiates an isolated interpreted context, a
        JavaScript <dfn data-cite="!ECMASCRIPT-6.0#sec-code-realms">
        realm</dfn> that operates in the origin of the loaded JavaScript.
        Note that a redirect will change the origin of the loaded script.</p>
        <p>The <a>realm</a> is populated with a global that implements both the
        <dfn>RTCIdentityProviderGlobalScope</dfn> and
        <code>WorkerGlobalScope</code> [[!WEBWORKERS]] interfaces.</p>
        <p>The user agent provides an instance of
        <code><a>RTCIdentityProviderRegistrar</a></code> named
        <var>rtcIdentityProvider</var> in the global scope of the <a>realm</a>.
        This object is used by the IdP to interact with the user agent.</p>
        <div>
          <pre class="idl">[Global, Exposed=RTCIdentityProviderGlobalScope]
interface RTCIdentityProviderGlobalScope : WorkerGlobalScope {
    readonly        attribute RTCIdentityProviderRegistrar rtcIdentityProvider;
};</pre>
          <section>
            <h2>Attributes</h2>
            <dl data-link-for="RTCIdentityProviderGlobalScope" data-dfn-for=
            "RTCIdentityProviderGlobalScope" class="attributes">
              <dt><dfn data-idl><code>rtcIdentityProvider</code></dfn> of type
              <span class=
              "idlAttrType"><a>RTCIdentityProviderRegistrar</a></span>,
              readonly</dt>
              <dd>This object is used by the IdP to register an
              <code><a>RTCIdentityProvider</a></code> instance with the
              browser.</dd>
            </dl>
          </section>
        </div>
        <section>
          <h2 id="sec.implement-idp">Implementing an IdP Securely</h2>
          <p>An environment that mimics the identity provider realm can be
          provided by any script. However, only scripts running in the origin
          of the IdP are able to generate an identical environment. Other
          origins can load and run the IdP proxy code, but they will be unable
          to replicate data that is unique to the origin of the IdP.</p>
          <p>This means that it is critical that an IdP use data that is
          restricted to its own origin when generating identity assertions.
          Otherwise, another origin could load the IdP script and use it to
          impersonate users.</p>
          <p>The data that the IdP script uses could be stored on the client
          (for example, in [[INDEXEDDB]]) or loaded from
          servers. Data that is acquired from a server SHOULD require
          credentials and be protected from cross-origin access.</p>
          <p>There is no risk to the integrity of identity assertions if an IdP
          validates an identity assertion without using origin-private
          data.</p>
        </section>
      </section>
    </section>
    <section>
      <h2 id="sec.register-idp">Registering an IdP Proxy</h2>
      <p>An IdP proxy implements the <code><a>RTCIdentityProvider</a></code>
      methods, which are the means by which the user agent is able to request
      that an identity assertion be generated or validated.</p>
      <p>Once instantiated, the IdP script is executed. The IdP MUST call the
      <code>register()</code> function on the
      <dfn>RTCIdentityProviderRegistrar</dfn> instance during script
      execution. If an IdP is not registered during this script execution, the
      user agent cannot use the IdP proxy and MUST fail any future attempt to
      interact with the IdP.</p>
      <div>
        <pre class="idl">[Exposed=RTCIdentityProviderGlobalScope]
interface RTCIdentityProviderRegistrar {
    void register (RTCIdentityProvider idp);
};</pre>
        <section>
          <h2>Methods</h2>
          <dl data-link-for="RTCIdentityProviderRegistrar" data-dfn-for=
          "RTCIdentityProviderRegistrar" class="methods">
            <dt><dfn data-idl><code>register</code></dfn></dt>
            <dd>
              <p>This method is invoked by the IdP when its script is first
              executed. This registers <code><a>RTCIdentityProvider</a></code>
              methods with the user agent.</p>
            </dd>
          </dl>
        </section>
      </div>
      <section>
        <h2>Interface Exposed by Identity Providers</h2>
        <p>The callback functions in <code>RTCIdentityProvider</code> are
        exposed by identity providers and is called by
        <code>RTCPeerConnection</code> to acquire or validate identity
        assertions.</p>
        <div>
          <pre class="idl">dictionary RTCIdentityProvider {
    required GenerateAssertionCallback generateAssertion;
    required ValidateAssertionCallback validateAssertion;
};</pre>
          <section>
            <h2>Dictionary <dfn data-dfn-for="">RTCIdentityProvider</dfn>
            Members</h2>
            <dl data-link-for="RTCIdentityProvider" data-dfn-for="RTCIdentityProvider">
              <dt><dfn data-idl><code>generateAssertion</code></dfn> of type
              <span class="idlMemberType"><a>GenerateAssertionCallback</a></span>,
              required</dt>
              <dd>
                <p>A user agent invokes this method on the IdP to request the
                generation of an identity assertion.</p>
                <p>The IdP provides a promise that <a>resolves</a> to an
                <code><a>RTCIdentityAssertionResult</a></code> to successfully
                generate an identity assertion. Any other value, or a <a>rejected</a>
                promise, is treated as an error.</p>
              </dd>
              <dt><dfn data-idl><code>validateAssertion</code></dfn> of type
              <span class="idlMemberType"><a>ValidateAssertionCallback</a></span>,
              required</dt>
              <dd>
                <p>A user agent invokes this method on the IdP to request the
                validation of an identity assertion.</p>
                <p>The IdP returns a Promise that <a>resolves</a> to an
                <code><a>RTCIdentityValidationResult</a></code> to successfully
                validate an identity assertion and to provide the actual
                identity. Any other value, or a <a>rejected</a> promise, is treated as
                an error.</p>
              </dd>
            </dl>
          </section>
        </div>
        <div>
          <pre class="idl">
          callback GenerateAssertionCallback = Promise&lt;RTCIdentityAssertionResult&gt;
          (DOMString contents, DOMString origin, RTCIdentityProviderOptions options);
          </pre>
          <section>
            <h2>Callback <dfn>GenerateAssertionCallback</dfn>
            Parameters</h2>
            <dl data-link-for="GenerateAssertionCallback" data-dfn-for=
            "GenerateAssertionCallback" class="callback-members">
              <dt><code>contents</code> of type <span class=
              "idlMemberType"><a>DOMString</a></span></dt>
              <dd>The <var>contents</var> parameter includes the information
              that the user agent wants covered by the identity assertion. The
              IdP MUST treat <code>contents</code> as opaque string. A
              successful validation of the provided assertion MUST produce the
              same string.</dd>
              <dt><code>origin</code> of type <span class=
              "idlMemberType"><a>DOMString</a></span></dt>
              <dd>
                The <var>origin</var> parameter identifies the origin of the
                <code><a>RTCPeerConnection</a></code> that triggered this
                request. An IdP can use this information as input to policy
                decisions about use. This value is generated by the <a>user
                agent</a> based on the origin of the document that created the
                <code>RTCPeerConnection</code> and therefore can be trusted to
                be correct.
              </dd>
              <dt><code>options</code> of type <span class=
              "idlMemberType"><a>RTCIdentityProviderOptions</a></span></dt>
              <dd>This includes the options provided by the application when
              calling <code>setIdentityProvider</code>. Though the
              dictionary is an optional argument to
              <code>setIdentityProvider</code>, default values are used
              as necessary when passing the value to the identity provider; see
              the definition of <code><a>RTCIdentityProviderOptions</a></code>
              for details.</dd>
            </dl>
          </section>
        </div>
        <div>
          <pre class="idl">
          callback ValidateAssertionCallback = Promise&lt;RTCIdentityValidationResult&gt;
          (DOMString assertion, DOMString origin);
          </pre>
          <section>
            <h2>Callback <dfn>ValidateAssertionCallback</dfn>
            Parameters</h2>
            <dl data-link-for="ValidateAssertionCallback" data-dfn-for=
            "ValidateAssertionCallback" class="callback-members">
              <dt><code>assertion</code> of type <span class=
              "idlMemberType"><a>DOMString</a></span></dt>
              <dd>The <var>assertion</var> parameter includes the assertion
              that was recovered from an <code>a=identity</code> in the session
              description; that is, the value that was part of the
              <code><a>RTCIdentityAssertionResult</a></code> provided by the
              IdP that generated the assertion.</dd>
              <dt><code>origin</code> of type <span class=
              "idlMemberType"><a>DOMString</a></span></dt>
              <dd>The <var>origin</var> parameter identifies the origin of the
              <code><a>RTCPeerConnection</a></code> that triggered this
              request. An IdP can use this information as input to policy
              decisions about use.</dd>
            </dl>
          </section>
        </div>
      </section>
      <section>
        <h2>Identity Assertion and Validation Results</h2>
        <div>
          <pre class="idl">dictionary RTCIdentityAssertionResult {
    required RTCIdentityProviderDetails idp;
    required DOMString                  assertion;
};</pre>
          <section>
            <h2>Dictionary <dfn>RTCIdentityAssertionResult</dfn>
            Members</h2>
            <dl data-link-for="RTCIdentityAssertionResult" data-dfn-for=
            "RTCIdentityAssertionResult" class="dictionary-members">
              <dt><dfn data-idl><code>idp</code></dfn> of type <span class=
              "idlMemberType"><a>RTCIdentityProviderDetails</a></span>,
              required</dt>
              <dd>
                <p>An IdP provides these details to identify the IdP that
                validates the identity assertion. This struct contains the same
                information that is provided to
                <code><a>setIdentityProvider</a></code>.</p>
              </dd>
              <dt><dfn data-idl><code>assertion</code></dfn> of type <span class=
              "idlMemberType"><a>DOMString</a></span>, required</dt>
              <dd>
                <p>An identity assertion. This is an opaque string that MUST
                contain all information necessary to assert identity. This
                value is consumed by the validating IdP.</p>
              </dd>
            </dl>
          </section>
        </div>
        <div>
          <pre class="idl">dictionary RTCIdentityProviderDetails {
    required DOMString domain;
             DOMString protocol = "default";
};</pre>
          <section>
            <h2>Dictionary <dfn>RTCIdentityProviderDetails</dfn>
            Members</h2>
            <dl data-link-for="RTCIdentityProviderDetails" data-dfn-for=
            "RTCIdentityProviderDetails" class="dictionary-members">
              <dt><dfn data-idl><code>domain</code></dfn> of type <span class=
              "idlMemberType"><a>DOMString</a></span>, required</dt>
              <dd>
                <p>The domain name of the IdP that validated the associated
                identity assertion.</p>
              </dd>
              <dt><dfn data-idl><code>protocol</code></dfn> of type <span class=
              "idlMemberType"><a>DOMString</a></span>, defaulting to
              <code>"default"</code></dt>
              <dd>
                <p>The protocol parameter used for the IdP. The string
                MUST NOT include the character <code>'/'</code> or
                <code>'\'</code>.</p>
              </dd>
            </dl>
          </section>
        </div>
        <div>
          <pre class="idl">dictionary RTCIdentityValidationResult {
    required DOMString identity;
    required DOMString contents;
};</pre>
          <section>
            <h2>Dictionary <dfn>RTCIdentityValidationResult</dfn>
            Members</h2>
            <dl data-link-for="RTCIdentityValidationResult" data-dfn-for=
            "RTCIdentityValidationResult" class="dictionary-members">
              <dt><dfn data-idl><code>identity</code></dfn> of type <span class=
              "idlMemberType"><a>DOMString</a></span>, required</dt>
              <dd>
                <p>The validated identity of the peer.</p>
              </dd>
              <dt><dfn data-idl><code>contents</code></dfn> of type <span class=
              "idlMemberType"><a>DOMString</a></span>, required</dt>
              <dd>
                <p>The payload of the identity assertion. An IdP that validates
                an identity assertion MUST return the same string that was
                provided to the original IdP that generated the assertion.</p>
                <p>The user agent uses the <var>contents</var> string to
                determine if the identity assertion matches the session
                description.</p>
              </dd>
            </dl>
          </section>
        </div>
      </section>
    </section>
    <section>
      <h3 id="sec.identity-proxy-assertion-request">Requesting Identity
      Assertions</h3>
      <p>The identity assertion request process is triggered by a call to
      <code>createOffer</code>, <code>createAnswer</code>, or
      <code>getIdentityAssertion</code>. When these calls are invoked and an
      identity provider has been set, the following steps are executed:</p>
      <ol>
        <li>
          <p>The <code>RTCPeerConnection</code> instantiates an IdP as
          described in <a href="#sec.identity-proxy-communications">Identity
          Provider Selection</a> and <a href="#sec.register-idp">Registering an
          IdP Proxy</a>. If the IdP cannot be loaded, instantiated, or the IdP
          proxy is not registered, this process fails.</p>
        </li>
        <li>
          <p>If the <code>RTCPeerConnection</code> was not constructed with a set
          of certificates, and one has not yet been generated, wait
          for it to be generated.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> invokes the <code><a data-link-for=
          "RTCIdentityProvider">generateAssertion</a></code> method on the
          <code><a>RTCIdentityProvider</a></code> methods registered by the
          IdP.</p>
          <p>The <code>RTCPeerConnection</code> generates the
          <var>contents</var> parameter to this method as described in
          [[!RTCWEB-SECURITY-ARCH]]. The value of <var>contents</var> includes
          the fingerprint of the certificate that was selected or generated
          during the construction of the <code>RTCPeerConnection</code>. The
          <var>origin</var> parameter contains the origin of the script that
          calls the <code>RTCPeerConnection</code> method that triggers this
          behavior. The <var>usernameHint</var> value is the same value that is
          provided to <code>setIdentityProvider</code>, if any such value
          was provided.</p>
        </li>
        <li>
          <p>The IdP proxy returns a Promise to the
          <code>RTCPeerConnection</code>. The IdP proxy is expected to generate
          the identity assertion asynchronously.</p>
          <p>If the user has been authenticated by the IdP, and the IdP is able
          to generate an identity assertion, the IdP <a>resolves</a> the promise with
          an identity assertion in the form of an
          <code><a>RTCIdentityAssertionResult</a></code>.</p>
          <p>This step depends entirely on the IdP. The methods by which an IdP
          authenticates users or generates assertions is not specified, though
          they could involve interacting with the IdP server or other
          servers.</p>
        </li>
        <li>
          <p>If the IdP proxy produces an error or returns a promise that does
          not <a>resolve</a> to a valid
          <code><a>RTCIdentityAssertionResult</a></code> (see <a href=
          "#sec.idp-error-handling"></a>), then assertion generation fails.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> MAY store the identity
          assertion for use with future offers or answers. If a fresh identity
          assertion is needed for any reason, applications can create a new
          <code>RTCPeerConnection</code>.</p>
        </li>
        <li>
          <p>If the identity request was triggered by a
          <code>createOffer()</code> or <code>createAnswer()</code>, then the
          assertion is converted to a JSON string, base64-encoded and inserted
          into an <code>a=identity</code> attribute in the session
          description.</p>
        </li>
      </ol>
      <p>If assertion generation fails, then the promise for the corresponding
      function call is <a>rejected</a> with a newly <a data-link-for="exception"
      data-lt="create">created</a> <code>OperationError</code>.</p>
      <section>
        <h4 id="sec.idp-loginneeded">User Login Procedure</h4>
        <p>An IdP MAY reject an attempt to generate an identity assertion if it
        is unable to verify that a user is authenticated. This might be due to
        the IdP not having the necessary authentication information available
        to it (such as cookies).</p>
        <p>Rejecting the promise returned by <code><a data-link-for=
        "RTCIdentityProvider">generateAssertion</a></code> will cause the error
        to propagate to the application. Login errors are indicated by <a>rejecting</a>
        the promise with an <code><a>RTCError</a></code> with <code>errorDetail</code>
        set to "idp-need-login".</p>
        <p>The URL to login at will be passed to the application in the
        <code>idpLoginUrl</code> attribute of the
        <code>RTCPeerConnection</code>.</p>
        <p>An application can load the login URL in an IFRAME or popup window;
        the resulting page then SHOULD provide the user with an opportunity to
        enter any information necessary to complete the authorization
        process.</p>
        <p>Once the authorization process is complete, the page loaded in the
        IFRAME or popup sends a message using <var>postMessage</var>
        [[!webmessaging]] to the page that loaded it (through the <var><a data-cite=
        "!HTML51/browsers.html#opener">
        window.opener</a></var> attribute for popups, or through <var><a data-cite=
        "!HTML51/browsers.html#dom-window-parent">
        window.parent</a></var> for pages loaded in an IFRAME). The message
        MUST consist of the <var>DOMString</var> "WEBRTC-LOGINDONE". This message
        informs the application that another attempt at generating an identity
        assertion is likely to be successful.</p>
      </section>
    </section>
    <section>
      <h3 id="sec.identity-verify-assertion">Verifying Identity Assertions</h3>
      <p>Identity assertion validation happens when <code><a data-link-for=
      "RTCPeerConnection">setRemoteDescription</a></code> is invoked on
      <code><a>RTCPeerConnection</a></code>. The process runs asynchronously,
      meaning that validation of an identity assertion might not block the
      completion of <code>setRemoteDescription</code>.</p>
      <p>The identity assertion request process involves the following
      asynchronous steps:</p>
      <ol>
        <li>
          <p>The <code>RTCPeerConnection</code> awaits any prior identity
          validation. Only one identity validation can run at a time for an
          <code>RTCPeerConnection</code>. This can happen because the
          resolution of <code>setRemoteDescription</code> is not blocked by
          identity validation unless there is a <a>target peer
          identity</a>.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> loads the identity assertion
          from the session description and decodes the base64 value, then
          parses the resulting JSON. The <var>idp</var> parameter of the
          resulting dictionary contains a <var>domain</var> and an optional
          <var>protocol</var> value that identifies the IdP, as described in
          [[!RTCWEB-SECURITY-ARCH]].</p>
        </li>
        <li>
          <p>If the identity assertion is malformed, or if <var>protocol</var>
          includes the character <code>'/'</code> or <code>'\'</code>,
          this process fails.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> instantiates the identified IdP
          as described in <a href="#sec.identity-proxy-communications"></a> and
          <a href="#sec.register-idp"></a>. If the IdP cannot be loaded,
          instantiated or the IdP proxy is not registered, this process
          fails.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> invokes the <code><a data-link-for=
          "RTCIdentityProvider">validateAssertion</a></code> method registered
          by the IdP.</p>
          <p>The <var>assertion</var> parameter is taken from the decoded
          identity assertion. The <var>origin</var> parameter contains the
          origin of the script that calls the <code>RTCPeerConnection</code>
          method that triggers this behavior.</p>
        </li>
        <li>
          <p>The IdP proxy returns a promise and performs the validation
          process asynchronously.</p>
          <p>The IdP proxy verifies the identity assertion using whatever means
          necessary. Depending on the authentication protocol this could
          involve interacting with the IdP server.</p>
        </li>
        <li>
          <p>If the IdP proxy produces an error or returns a promise that does
          not <a>resolve</a> to a valid
          <code><a>RTCIdentityValidationResult</a></code> (see <a href=
          "#sec.idp-error-handling"></a>), then identity validation fails.</p>
        </li>
        <li>
          <p>Once the assertion is successfully verified, the IdP proxy
          <a>resolves</a> the promise with an
          <code><a>RTCIdentityValidationResult</a></code> containing the
          validated identity and the original contents that are the payload of
          the assertion.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> decodes the <code><a data-link-for=
          "RTCIdentityValidationResult">contents</a></code> and validates that
          it contains a fingerprint value for every <code>a=fingerprint</code>
          attribute in the session description. This ensures that the
          certificate used by the remote peer for communications is covered by
          the identity assertion.</p>
          <p class="note">A <a>user agent</a> is required to fail to
          communicate with peers that offer a certificate that doesn't match an
          <code>a=fingerprint</code> line in the negotiated session
          description.</p>
          <p class="note">The user agent decodes <a data-link-for=
          "RTCIdentityValidationResult"><code>contents</code></a> using
          the format described in [[!RTCWEB-SECURITY-ARCH]]. However the IdP
          MUST treat <code>contents</code> as opaque and return the same string
          to allow for future extensions.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> validates that the domain
          portion of the identity matches the domain of the IdP as described in
          [[!RTCWEB-SECURITY-ARCH]]. If this check fails then the identity
          validation fails.</p>
        </li>
        <li>
          <p>The <code>RTCPeerConnection</code> resolves the <code><a data-link-for=
          "RTCPeerConnection">peerIdentity</a></code> attribute with a new
          instance of <code>RTCIdentityAssertion</code> that includes the IdP
          domain and peer identity.</p>
        </li>
        <li>
          <p>The <a>user agent</a> MAY display identity information to a user
          in its UI. Any user identity information that is displayed in this
          fashion MUST use a mechanism that cannot be spoofed by content.</p>
        </li>
      </ol>
      <p>If identity validation fails, the <code><a data-link-for=
      "RTCPeerConnection">peerIdentity</a></code> promise is <a>rejected</a> with a
      newly <a data-link-for="exception" data-lt="create">created</a>
      <code>OperationError</code> if it is not <a>settled</a>.  Then, if there is no <a>target peer identity</a>, set <code><a data-link-for=
      "RTCPeerConnection">peerIdentity</a></code> to a new unresolved promise. This permits the use of renegotiation (or a
      subsequent answer, if the session description was a provisional answer)
      to resolve or reject the identity.</p>
      <p>If identity validation fails and there is a <a>target peer
      identity</a> for the <code>RTCPeerConnection</code>, the promise returned
      by <code>setRemoteDescription</code> is <a>rejected</a> with the same
      <code>DOMException</code>.</p>
    </section>
    <section>
      <h2 id="sec.idp-error-handling">IdP Error Handling</h2>
      <p>Errors in IdP processing will - in most cases - result in the failure
      of the procedure that invoked the IdP proxy. This will result in the
      <a>rejection</a> of the promise returned by <code><a data-link-for=
      "RTCPeerConnection">getIdentityAssertion</a></code>, <code><a data-link-for=
      "RTCPeerConnection">createOffer</a></code>, or <code><a data-link-for=
      "RTCPeerConnection">createAnswer</a></code>. An IdP proxy error causes a
      <code><a data-link-for="RTCPeerConnection">setRemoteDescription</a></code>
      promise to be <a>rejected</a> if there is a <a>target peer identity</a>; IdP
      errors in calls to <code><a data-link-for=
      "RTCPeerConnection">setRemoteDescription</a></code> where there is no
      <a>target peer identity</a> cause the <code><a data-link-for=
      "RTCPeerConnection">peerIdentity</a></code> promise to be <a>rejected</a>
      instead.</p>
      <p>If an error occurs these promises are <a>rejected</a> with an
      <code><a>RTCError</a></code> if an error occurs in interacting with the IdP
      proxy. The following scenarios result in errors:</p>
      <ul>
        <li><p>An <code>RTCPeerConnection</code> might be configured with an
        identity provider, but loading of the IdP URI fails. Any procedure that
        attempts to invoke such an identity provider and cannot load the
        URI fails with an <code><a>RTCError</a></code> with <code>errorDetail</code>
        set to "idp-load-failure" and the httpRequestStatusCode attribute of
        the error set to the HTTP status code of the response.</p></li>
        <li><p>If the IdP loads fails due to the TLS certificate used for the
        HTTPS connection not being trusted, it fails with an
        <code><a>RTCError</a></code> with <code>errorDetail</code> set to
       "idp-tls-failure". This typically happens when the IdP uses
        certificate pinning and an intermediary such as an enterprise
        firewall has intercepted the TLS connection.</p></li>
        <li><p>If the script loaded from the identity provider is
        not valid JavaScript or does not implement the correct interfaces,
        it causes an IdP failure with an <code><a>RTCError</a></code> with
        <code>errorDetail</code> set to "idp-bad-script-failure".</p></li>
        <li><p>An apparently valid identity provider might fail in several
        ways.
        <!-- 1 remove this comment later. ONE -->
        If the IdP token has expired, then the IdP MUST fail with an
        <code><a>RTCError</a></code> with <code>errorDetail</code> set to
        "idp-token-expired".
        <!-- 2 remove this comment later. TWO -->
        If the IdP token is not valid, then the IdP MUST fail with an
        <code><a>RTCError</a></code> with <code>errorDetail</code> set to
        "idp-token-invalid".
        <!-- 3 remove this comment later. THREE -->
        If an identity provider throws an exception or returns a promise
        that is ultimately <a>rejected</a>, then the procedure that depends on the IdP
        MUST also fail. These types of errors will cause an IdP failure with an
        <code><a>RTCError</a></code> with <code>errorDetail</code> set to
        "idp-execution-failure".</p></li>
        <li><p>The <a>user agent</a> SHOULD limit the time that it allows for
        an IdP to 15 seconds. This includes both the loading of the <a href=
        "#sec.identity-proxy-communications">IdP proxy</a> and the identity
        assertion generation or validation. Failure to do so potentially causes
        the corresponding operation to take an indefinite amount of time. This
        timer can be cancelled when the IdP proxy produces a
        response. Expiration of this timer cases an IdP failure with an
        <code><a>RTCError</a></code> with <code>errorDetail</code> set to
        "idp-timeout".</p></li>
        <li><p>If the identity provider requires the user to login, the
        operation will fail <code><a>RTCError</a></code> with <code>errorDetail</code>
        set to "idp-need-login" and the <code>idpLoginUrl</code> attribute of
        the error set to the URL that can be used to login.</p></li>
        <li><p>Even when the IdP proxy produces a positive result, the
        procedure that uses this information might still fail. Additional
        validation of an <a>RTCIdentityValidationResult</a> value is still
        necessary. The procedure for <a
        href="#sec.identity-verify-assertion">validation of identity
        assertions</a> describes additional steps that are required to
        successfully validate the output of the IdP proxy.</p></li>
      </ul>
      <p>Any error generated by the IdP MAY provide additional
      information in the <code>idpErrorInfo</code> attribute. The
      information in this string is defined by the IdP in use.</p>
    </section>
    <section>
      <h3>RTCPeerConnection Interface Extensions</h3>
      <p>The Identity API extends the <code><a>RTCPeerConnection</a></code>
      interface as described below.</p>
      <div>
        <pre class="idl">partial interface RTCPeerConnection {
    void               setIdentityProvider (DOMString provider, optional RTCIdentityProviderOptions options);
    Promise&lt;DOMString&gt; getIdentityAssertion ();
    readonly        attribute Promise&lt;RTCIdentityAssertion&gt; peerIdentity;
    readonly        attribute DOMString?                    idpLoginUrl;
    readonly        attribute DOMString?                    idpErrorInfo;
};</pre>
        <section>
          <h2>Attributes</h2>
          <dl data-link-for="RTCPeerConnection" data-dfn-for=
          "RTCPeerConnection" class="attributes">
            <dt><dfn data-idl><code>peerIdentity</code></dfn> of type <span class=
            "idlAttrType">Promise&lt;<a>RTCIdentityAssertion</a>&gt;</span>,
            readonly</dt>
            <dd>
              <p>A promise that <a>resolves</a> with the identity of the peer if the
              identity is successfully validated.</p>
              <p>This promise is <a>rejected</a> if an identity assertion is present
              in a remote session description and validation of that assertion
              fails for any reason. If the promise is <a>rejected</a>, a new
              unresolved value is created, unless a <a>target peer identity</a>
              has been established. If this promise successfully <a>resolves</a>, the
              value will not change.</p>
            </dd>
            <dt><dfn data-idl><code>idpLoginUrl</code></dfn> of type <span class=
            "idlAttrType"><a>DOMString</a></span>, readonly, nullable</dt>
            <dd>
              <p>The URL that an application can navigate to so that the user
              can login to the IdP, as described in <a href=
              "#sec.idp-loginneeded"></a>.</p>
            </dd>
            <dt><dfn data-idl><code>idpErrorInfo</code></dfn> of type <span class=
            "idlAttrType"><a>DOMString</a></span>, readonly, nullable</dt>
            <dd>
              <p>An attribute that the IdP can use to pass additional
              information back to the applications about the
              error. The format of this string is defined by the IdP
              and may be JSON.</p>
            </dd>
          </dl>
        </section>
        <section>
          <h2>Methods</h2>
          <dl data-link-for="RTCPeerConnection" data-dfn-for=
          "RTCPeerConnection" class="methods">
            <dt><code>setIdentityProvider</code></dt>
            <dd>
              <p>Sets the identity provider to be used for a given
              <code>RTCPeerConnection</code> object.</p>
              <p>When the <dfn data-idl><code>setIdentityProvider</code></dfn> method is
              invoked, the user agent MUST run the following steps:</p>
              <ol>
                <li>
                  <p>If the <code><a>RTCPeerConnection</a></code> object's
                  <a>[[\IsClosed]]</a> slot is <code>true</code>, <a>throw</a> an
                  <code>InvalidStateError</code>.</p>
                </li>
                <li>
                  <p>If <var>options.protocol</var> includes the the character
                  <code>'/'</code> or <code>'\'</code>, throw a
                  <code>SyntaxError</code>.</p>
                </li>
                <li>
                  <p>Set the current identity provider values to the tuple
                  (<code>provider</code>, <code>options</code>).</p>
                </li>
                <li>
                  <p>If any identity provider value has changed, discard any
                  stored identity assertion.</p>
                </li>
              </ol>
              <p>Identity provider information is not used until an identity
              assertion is required, either in response to a call to
              <code>getIdentityAssertion</code>, or a session description is
              requested with a call to either <code>createOffer</code> or
              <code>createAnswer</code>.</p>
            </dd>
            <dt><dfn data-idl><code>getIdentityAssertion</code></dfn></dt>
            <dd>
              <p>Initiates the process of obtaining an identity assertion.
              Applications need not make this call. It is merely intended to
              allow them to start the process of obtaining identity assertions
              before a call is initiated. If an identity is needed and an identity
              provider has been set using the <code><a>setIdentityProvider</a></code>
              method, then an identity will be automatically requested when
              an offer or answer is created.</p>
              <p>When <code>getIdentityAssertion</code> is invoked, queue a
              task to run the following steps:</p>
              <ol>
                <li>
                  <p>If the <code><a>RTCPeerConnection</a></code> object's
                  <a>[[\IsClosed]]</a> slot is <code>true</code>, <a>throw</a> an
                  <code>InvalidStateError</code>.</p>
                </li>
                <li>
                  <p><a href="#sec.identity-proxy-assertion-request">Request an
                  identity assertion</a> from the IdP.</p>
                </li>
                <li>
                  <p><a>Resolve</a> the promise with the base64 and JSON encoded
                  assertion.</p>
                </li>
              </ol>
            </dd>
          </dl>
        </section>
      </div>
      <div>
        <pre class="idl">dictionary RTCIdentityProviderOptions {
    DOMString protocol = "default";
    DOMString usernameHint;
    DOMString peerIdentity;
};
        </pre>
        <section>
          <h2><dfn>RTCIdentityProviderOptions</dfn> Members</h2>
          <dl data-link-for="RTCIdentityProviderOptions" data-dfn-for=
          "RTCIdentityProviderOptions" class="attributes">
            <dt><dfn data-idl><code>protocol</code></dfn> of type <span class=
            "idlAttrType"><a>DOMString</a></span></dt>
            <dd>
              <p>The name of the protocol that is used by the identity
              provider. This MUST NOT include '/' (U+002F) or '\' (U+005C)
              characters. This value defaults to "default" if not provided.</p>
            </dd>
            <dt><dfn data-idl><code>usernameHint</code></dfn> of type <span class=
            "idlAttrType"><a>DOMString</a></span></dt>
            <dd>
              <p>A hint to the identity provider about the identity of the
              principal for which it should generate an identity assertion. If
              absent, the value <code>undefined</code> is used.</p>
            </dd>
            <dt><dfn data-idl><code>peerIdentity</code></dfn> of type <span class=
            "idlAttrType"><a>DOMString</a></span></dt>
            <dd>
              <p>The identity of the peer. For identity providers that bind
              their assertions to a particular pair of communication peers,
              this allows them to generate an assertion that includes both
              local and remote identities. If this value is omitted, but a
              value is provided for the <code><a href=
              "https://www.w3.org/TR/webrtc/#dom-rtcconfiguration-peeridentity">peerIdentity</a></code>
              member of <code><a>RTCConfiguration</a></code> [[!WEBRTC]], the value from
              <code><a>RTCConfiguration</a></code> is used.</p>
            </dd>
          </dl>
        </section>
      </div>
      <div>
        <pre class="idl">[Constructor(DOMString idp, DOMString name), Exposed=Window]
interface RTCIdentityAssertion {
    attribute DOMString idp;
    attribute DOMString name;
};</pre>
        <section>
          <h2><dfn>RTCIdentityAssertion</dfn> Attributes</h2>
          <dl data-link-for="RTCIdentityAssertion" data-dfn-for=
          "RTCIdentityAssertion" class="attributes">
            <dt><dfn data-idl><code>idp</code></dfn> of type <span class=
            "idlAttrType"><a>DOMString</a></span></dt>
            <dd>
              <p>The domain name of the identity provider that validated this
              identity.</p>
            </dd>
            <dt><dfn data-idl><code>name</code></dfn> of type <span class=
            "idlAttrType"><a>DOMString</a></span></dt>
            <dd>
              <p>An RFC5322-conformant [[RFC5322]] representation of the
              verified peer identity. This identity will have been verified via
              the procedures described in [[!RTCWEB-SECURITY-ARCH]].</p>
            </dd>
          </dl>
        </section>
      </div>
    </section>
    <section>
    <h2>Media Stream API Extensions for Network Use</h2>

    <section>
      <h3>Isolated Media Streams</h3>
      <p>A MediaStream acquired using <code>getUserMedia()</code> is, by
      default, accessible to an application. This means that the application is
      able to access the contents of tracks, modify their content, and send
      that media to any peer it chooses.</p>
      <p>WebRTC supports calling scenarios where media is sent to a
      specifically identified peer, without the contents of media streams being
      accessible to applications. This is enabled by use of the
      <code>peerIdentity</code> parameter to <code>getUserMedia()</code>.</p>
      <p>An application willingly relinquishes access to media by including a
      <code>peerIdentity</code> parameter in the
      <code>MediaStreamConstraints</code>. This attribute is set to a
      <code>DOMString</code> containing the identity of a specific peer.</p>
      <p>The <code>MediaStreamConstraints</code> dictionary is expanded to
      include the <code>peerIdentity</code> parameter.</p>
      <div>
        <pre class="idl">partial dictionary MediaStreamConstraints {
             DOMString peerIdentity;
};</pre>
        <section>
          <h2>Dictionary MediaStreamConstraints
          Members</h2>
          <dl data-link-for="MediaStreamConstraints" data-dfn-for=
          "MediaStreamConstraints" class="dictionary-members">
            <dt><dfn data-idl><code>peerIdentity</code></dfn> of type <span class=
            "idlMemberType"><a>DOMString</a></span></dt>
            <dd>
              <p>If set, <code>peerIdentity</code> isolates media from the
              application. Media can only be sent to the identified peer.</p>
            </dd>
          </dl>
        </section>
      </div>
      <p>A user that is prompted to provide consent for access to a camera or
      microphone can be shown the value of the <code>peerIdentity</code>
      parameter, so that they can be informed that the consent is more narrowly
      restricted.</p>
      <p>When the <code><dfn>peerIdentity</dfn></code> option is supplied to
      <code>getUserMedia()</code>, all of the <code>MediaStreamTrack</code>s in
      the resulting <code>MediaStream</code> are isolated so that content is
      not accessible to any application. Isolated
      <code>MediaStreamTrack</code>s can be used for two purposes:</p>
      <ul>
        <li>
          <p>Displayed in an appropriate media tag (e.g., a video or audio
          element). The browser MUST ensure that content is inaccessible to the
          application by ensuring that the resulting content is given the same
          protections as content that is <a data-cite=
          "!fetch#concept-cors-check">
          CORS cross-origin</a>, as described in the relevant <a data-cite=
          "!HTML51/semantics-embedded-content.html#security-and-privacy-considerations">
          Security and privacy considerations section</a> of [[HTML51]].</p>
        </li>
        <li>
          <p>Used as the argument to <a data-link-for=
          "RTCPeerConnection">addTrack</a> on an
          <code><a>RTCPeerConnection</a></code> instance, subject to the
          restrictions in <a href="#isolated-pc">isolated streams and
          RTCPeerConnection</a>.</p>
        </li>
      </ul>
      <p>A <code>MediaStreamTrack</code> that is added to another
      <code>MediaStream</code> remains isolated. When an isolated
      <code>MediaStreamTrack</code> is added to a <code>MediaStream</code> with
      a different peerIdentity, the <code>MediaStream</code> gets a combination
      of isolation restrictions. A <code>MediaStream</code> containing
      <code>MediaStreamTrack</code> instances with mixed isolation properties
      can be displayed, but cannot be sent using
      <code><a>RTCPeerConnection</a></code>.</p>
      <p>Any <code>peerIdentity</code> property MUST be retained on cloned
      copies of <code>MediaStreamTrack</code>s.</p>
      <!-- Any stream or track that might be derived from an isolated stream,
           such as
           through <a href="https://www.w3.org/TR/streamproc/#media-element-extensions">captureStreamUntilEnded
           or captureStream</a>, MUST also retain any isolation protections.
        -->
      <section id="isolated-track">
        <h4>Extended MediaStreamTrack Properties</h4>
        <p><code>MediaStreamTrack</code> is expanded to include an
        <var>isolated</var> attribute and a corresponding event. This allows an
        application to quickly and easily determine whether a track is
        accessible.</p>
        <div>
          <pre class="idl">partial interface MediaStreamTrack {
    readonly        attribute boolean      isolated;
                    attribute EventHandler onisolationchange;
};</pre>
          <section>
            <h2>Attributes</h2>
            <dl data-link-for="MediaStreamTrack" data-dfn-for=
            "MediaStreamTrack" class="attributes">
              <dt><dfn data-idl><code>isolated</code></dfn> of type <span class=
              "idlAttrType"><a>boolean</a></span>, readonly</dt>
              <dd>
                <p>A <code>MediaStreamTrack</code> is isolated (and the
                corresponding <var>isolated</var> attribute set to
                <var>true</var>) when content is inaccessible to the owning
                document. This occurs as a result of setting the
                <var>peerIdentity</var> option. A track is also isolated if it
                comes from a cross origin source.</p>
              </dd>
              <dt><dfn data-idl><code>onisolationchange</code></dfn> of type
              <span class="idlAttrType"><a>EventHandler</a></span></dt>
              <dd>
                <p>This event handler, of type <a>isolationchange</a>, is fired
                when the value of the <var>isolated</var> attribute
                changes.</p>
              </dd>
            </dl>
          </section>
        </div>
      </section>
      <section id="isolated-pc">
        <h4>Isolated Streams and RTCPeerConnection</h4>
        <p>A <code>MediaStreamTrack</code> with a <var>peerIdentity</var>
        option set can be added to any <code><a>RTCPeerConnection</a></code>.
        However, the content of an isolated track MUST NOT be transmitted
        unless all of the following constraints are met:</p>
        <ul>
          <li>
            <p>A <code>MediaStreamTrack</code> from a stream acquired using the
            <var>peerIdentity</var> option can be transmitted if the
            <code><a>RTCPeerConnection</a></code> has successfully <a href="#sec.identity-verify-assertion">validated the identity</a> of the
            peer AND that identity is the same identity that was used in the
            <var>peerIdentity</var> option associated with the track. That is,
            the <code>name</code> attribute of the <code>peerIdentity</code>
            attribute of the <code><a>RTCPeerConnection</a></code> instance
            MUST match the value of the <code>peerIdentity</code> option passed
            to <code>getUserMedia()</code>.</p>
            <p>Rules for matching identity are described in
            [[!RTCWEB-SECURITY-ARCH]].</p>
          </li>
          <li>
            <p>The peer has indicated that it will respect the isolation
            properties of streams. That is, a DTLS connection with a promise to
            respect stream confidentiality, as defined in [[!RTCWEB-ALPN]] has
            been established.</p>
          </li>
        </ul>
        <p>Failing to meet these conditions means that no media can be sent for
        the affected <code>MediaStreamTrack</code>. Video MUST be replaced by
        black frames, audio MUST be replaced by silence, and equivalently
        information-free content MUST be provided for other media types.</p>
        <p>Remotely sourced <code>MediaStreamTrack</code>s MUST be isolated if
        they are received over a DTLS connection that has been negotiated with
        track isolation. This protects isolated media from the application in
        the receiving browser. These tracks MUST only be displayed to a user
        using the appropriate media element (e.g., &lt;video&gt; or
        &lt;audio&gt;).</p>
        <p>Any <code>MediaStreamTrack</code> that has the
        <var>peerIdentity</var> option set causes all tracks sent using the
        same <code><a>RTCPeerConnection</a></code> to be isolated at the
        receiving peer. All DTLS connections created for an
        <code><a>RTCPeerConnection</a></code> with isolated local streams MUST
        be negotiated so that media remains isolated at the remote peer. This
        causes non-isolated media to become isolated at the receiving peer if
        any isolated tracks are added to the same
        <code><a>RTCPeerConnection</a></code>.</p>
        <p class="note">Tracks that are not bound to a particular
        <var>peerIdentity</var> do not cause other streams to be isolated,
        these tracks simply do not have their content transmitted.</p>
        <p>If a stream becomes isolated after initially being accessible, or an
        isolated stream is added to an active session, then media for that
        stream is replaced by information-free content (e.g., black frames or
        silence).</p>
      </section>
      <section id="isolation-protection">
        <h4>Protection Afforded by Media Isolation</h4>
        <p>Media isolation ensures that the content of a
        <code>MediaStreamTrack</code> is not accessible to web applications.
        However, to ensure that media with a <var>peerIdentity</var> option set
        can be sent to peers, some meta-information about the media will be
        exposed to applications.</p>
        <p>Applications will be able to observe the parameters of the media
        that affect session negotiation and conversion into RTP. This includes
        the codecs that might be supported by the track, the bitrate, the
        number of packets, and the current settings that are set on the
        <code>MediaStreamTrack</code>.</p>
        <p>In particular, the <a href="https://www.w3.org/TR/webrtc/#sec.stats-model">statistics</a> [[!WEBRTC]] that
        <code><a>RTCPeerConnection</a></code> records are not reduced in
        capability. New statistics that might compromise isolation MUST be
        avoided, or explicitly suppressed for isolated streams.</p>
        <p>Most of these data are exposed to the network when the media is
        transmitted. Only the settings for the <code>MediaStreamTrack</code>
        present a new source of information. This can includes the frame rate
        and resolution of video tracks, the bandwidth of audio tracks, and
        other information about the source, which would not otherwise be
        revealed to a network observer. Since settings don't change at a high
        frequency or in response to changes in media content, settings only
        reveal limited reveal information about the content of a track.
        However, any setting that might change dynamically in response to the
        content of an isolated <code>MediaStreamTrack</code> MUST have changes
        suppressed.</p>
      </section>
    </section>
    </section>
    <section>
      <h2>Identity Examples</h2>
      <p>The identity system is designed so that applications need not take any
      special action in order for users to generate and verify identity
      assertions; if a user has configured an IdP into their browser, then the
      browser will automatically request/generate assertions and the other side
      will automatically verify them and display the results. However,
      applications may wish to exercise tighter control over the identity
      system as shown by the following examples.</p>
      <div>
        <p>This example shows how to configure the identity provider.</p>
        <pre class="example highlight">
pc.setIdentityProvider('example.com');
        </pre>
      </div>
      <div>
        <p>This example shows how to configure the identity provider with all
        the options.</p>
        <pre class="example highlight">
pc.setIdentityProvider('example.com', {
  usernameHint: 'alice@example.com',
  peerIdentity: 'bob@example.net'
});
        </pre>
      </div>
      <div>
        <p>This example shows how to consume identity assertions inside a Web
        application.</p>
        <pre class="example highlight">
async function consumeIdentityAssertion() {
  const identity = await pc.peerIdentity;
  console.log('IdP = ', identity.idp, 'identity =', identity.name);
}
        </pre>
      </div>
    </section>
  <section>
    <h2>Change Log</h2>
    <p>This section will be removed before publication.</p>
    <!-- Why do the first two headings automatically convert to <h2>? -->
    <!-- Because you haven't added a <section> element around them
         and respec rewrites h? elements based on the section depth -->
    <h3>Changes since June 21, 2018</h3>
    <ol>
      <li>This document was split from the [[WEBRTC]] specification.</li>
      <li>Editors were changed to Cullen Jennings and Martin Thomson.</li>
    </ol>
  </section>
  <section class="appendix">
    <h2>Acknowledgements</h2>
    <p>The editors wish to thank the Working Group chairs and Team Contact,
    Harald Alvestrand, Stefan H&aring;kansson, Erik Lagerway and Dominique
    Haza&euml;l-Massieux, for their support. Substantial text in this
    specification was provided by many people including Martin Thomson, Harald
    Alvestrand, Justin Uberti, Eric Rescorla, Peter Thatcher, Jan-Ivar Bruaroey
    and Peter Saint-Andre. Dan Burnett would like to acknowledge the
    significant support received from Voxeo and Aspect during the development
    of this specification.</p>
  </section>
</body>