Skip to main content

3. Trust Model

3. Trust Model

The WebRTC security architecture assumes three main entities:

  1. The User Agent (UA): The browser or other client software that the user is running. The UA is considered trusted by the user to act on their behalf and protect their privacy.
  2. The Calling Service (CS): The web server (or set of servers) that serves the WebRTC application (JavaScript, HTML, etc.) to the UA. The CS facilitates the setup of the call (signaling). The UA trusts the CS within the context of the Same-Origin Policy (SOP).
  3. The Identity Provider (IdP): A service that vouches for the identity of a user. The IdP is independent of the CS.

The WebRTC security architecture aims to provide security guarantees that do not solely depend on the CS. While the CS is trusted to set up the call, it might be malicious or compromised. Therefore, end-to-end security between UAs is established such that the CS cannot decrypt or modify the media traffic.

Furthermore, mechanisms are provided for UAs to verify the identity of the remote peer via an IdP, ensuring that the user is communicating with the intended person, not an imposter inserted by a compromised CS.

Last updated on