4. Overview

The WebRTC security architecture consists of several layers:

4.1 Protocols

WebRTC uses existing secure protocols:

DTLS-SRTP [RFC5764] for media encryption and key establishment.
SCTP over DTLS [RFC8261] for data channels.
ICE [RFC8445] for NAT traversal and consent verification.

4.2 Application Interface

The WebRTC API allows the web application to set up secure connections. However, the browser (UA) enforces security invariants that the application cannot override, such as:

Mandatory encryption for all media and data.
Explicit user consent for device access (camera, microphone).
Same-Origin Policy enforcement.

4.3 Identity

To bind the secure channel (DTLS) to a human identity, WebRTC uses an identity assertion mechanism. An Identity Provider (IdP) generates an assertion (e.g., a digitally signed token) linking the user's identity to the DTLS fingerprint of their UA. This assertion is passed to the remote peer, who verifies it with the IdP. This ensures that the person at the other end of the secure channel controls the identity asserted by the IdP.

4. Overview​

4.1 Protocols​

4.2 Application Interface​

4.3 Identity​

4. Overview

4.1 Protocols

4.2 Application Interface

4.3 Identity