The security architecture for Real-Time Communication in Web Browsers (RTCWEB) is based on federated identity systems in which browsers rely on third-party Identity Providers (IdPs) for several services. Examples of IdPs include OpenID, OAuth, and Mozilla Persona. One service is to cryptographically bind Datagram Transport Layer Security (DTLS) certificate fingerprints to user identities, so that users are assured that the encrypted media streams (i.e., Secure Real-time Transport Protocol (SRTP)) are coming from and going to endpoints owned by the authenticated users. Another service is to let users authenticate each other during call initiation through IdPs that are independent of the calling site. For example, two users can authenticate each other with their social media accounts while using a calling application from a poker site.
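As an added illustration of the fingerprint-binding service described above (not code from the original text), the following Python models both sides of the check: the IdP signs an assertion binding a user identity to DTLS certificate fingerprints, and the browser accepts the peer's identity only when every fingerprint in the received SDP is one the IdP signed. The DER bytes, SDP, identity and the HMAC stand-in for the IdP's signature are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a peer's DTLS certificate in DER form (not a real certificate).
PEER_CERT_DER = b"constructed-der-bytes-for-demo-only-0001"
# Simplification: the IdP signature is modelled as an HMAC with a constructed key;
# real IdPs use public-key signatures, but the binding check below is the same.
IDP_KEY = b"constructed-idp-signing-key"


def dtls_fingerprint(cert_der, alg="sha-256"):
    """Fingerprint in the form SDP carries it: 'sha-256 AB:CD:...' (hash of the DER bytes)."""
    digest = hashlib.new(alg.replace("-", ""), cert_der).hexdigest().upper()
    return alg + " " + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_sdp_fingerprints(sdp):
    """Collect every a=fingerprint attribute from an SDP offer/answer."""
    prefix = "a=fingerprint:"
    return {line[len(prefix):].strip() for line in sdp.splitlines() if line.startswith(prefix)}


def idp_issue_assertion(identity, fingerprints):
    """IdP side: bind an authenticated identity to the caller's DTLS fingerprints."""
    body = json.dumps({"identity": identity, "fingerprint": sorted(fingerprints)}, sort_keys=True)
    return {"body": body, "sig": hmac.new(IDP_KEY, body.encode(), "sha256").hexdigest()}


def idp_verify_assertion(assertion):
    """IdP side: return the signed claims, or None if the signature does not verify."""
    expected = hmac.new(IDP_KEY, assertion["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    return json.loads(assertion["body"])


def browser_check_peer(sdp, assertion):
    """Browser side: accept the peer's identity only if every fingerprint in the
    received SDP is covered by the IdP-signed assertion; otherwise the media
    endpoint is not provably owned by the claimed user, so no identity is shown."""
    claims = idp_verify_assertion(assertion)
    if claims is None:
        return None
    sdp_fps = parse_sdp_fingerprints(sdp)
    if not sdp_fps or not sdp_fps <= set(claims["fingerprint"]):
        return None
    return claims["identity"]


# Constructed SDP fragment carrying the peer's genuine fingerprint, plus its assertion.
GOOD_SDP = "v=0\r\na=fingerprint:" + dtls_fingerprint(PEER_CERT_DER) + "\r\n"
ASSERTION = idp_issue_assertion("alice@example.com", [dtls_fingerprint(PEER_CERT_DER)])
```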
Users may want an identity to be verifiable by a different IdP to avoid a single point of failure or a traffic bottleneck. In current identity protocols, each user identity is tied to one IdP, and there is only one verification path for each identity. In some cases, all the critical IdPs may become unavailable while the network still allows the browsers to communicate in a peer-to-peer (P2P) fashion; current identity protocols do not support such direct authentication between users. For various reasons, a user may want to replace an old identity with a new one without losing the connection between the two. However, current identity protocols do not allow one identity to be cryptographically bound to another, making such a connection difficult and expensive to verify.