How do peers in WebRTC authenticate each other?
How do peers involved in a p2p communication authenticate each other?
Asked by Mukesh Kumar
There are 2 answers
As the comment from Patrick Mevzek already mentioned:
It doesn't depend on DTLS or TLS whether a self-signed certificate is trusted/accepted.
This depends only on the peer's trusted certificates. If the client's or server's certificate path/chain contains a certificate whose signature can be verified by a trusted certificate, then it's assumed to be trusted. There may be some additional checks, such as validity time, key usage or the hostname. The trusted certificates are usually stored in a "trust store". So, if your server should use such a self-signed certificate, add that self-signed certificate to your client's trust store. If the client then receives just that self-signed certificate as the path, it checks whether the signer (in that case the certificate itself) is in the trust store.
What doesn't work with such self-signed certificates is getting other clients, which haven't added that certificate to their trust store, to trust that server.
How do peers in p2p systems like WebRTC authenticate each other?
If these peers add the certificate of the other into their trust store ahead, then they will trust each other.
Do they require a certificate from a CA?
If you can't add the other's certificate ahead, then you need certificates which are signed by a CA (certificate) which is already in the trust store of the peers.
DTLS in WebRTC uses self-signed certificates. RFC 5763 has the details, in a nutshell the certificate fingerprint is matched against the one provided in the a=fingerprint line of the SDP.
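The matching step the second answer describes, written out as an added Python example (not code from either answer): the fingerprint signalled in the SDP a=fingerprint line takes the place of the pre-shared trust-store entry from the first answer, and the certificate the peer presents in the DTLS handshake is accepted only if its hash matches. The DER bytes and the SDP fragment below are constructed stand-ins.

```python
import hashlib
import hmac
import re

# SDP syntax: a=fingerprint:<hash-func> <hex>:<hex>:... (may appear at session or media level)
_FP_LINE = re.compile(
    r"^a=fingerprint:(?P<alg>[A-Za-z0-9-]+)\s+(?P<hex>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$"
)

# Hash functions this endpoint is willing to verify; SDP name -> hashlib name.
SUPPORTED_HASHES = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512", "sha-1": "sha1"}


def certificate_fingerprint(cert_der, alg="sha-256"):
    """SDP-style fingerprint (uppercase hex, colon separated) of a DER-encoded certificate."""
    digest = hashlib.new(SUPPORTED_HASHES[alg], cert_der).digest()
    return ":".join("%02X" % b for b in digest)


def parse_fingerprints(sdp):
    """Collect every (hash-func, fingerprint) pair announced in the SDP, normalised for comparison."""
    found = []
    for line in sdp.splitlines():
        m = _FP_LINE.match(line.strip())
        if m:
            found.append((m.group("alg").lower(), m.group("hex").upper()))
    return found


def peer_certificate_matches_sdp(cert_der, sdp):
    """True only if the certificate seen in the DTLS handshake matches a signalled fingerprint."""
    for alg, expected in parse_fingerprints(sdp):
        if alg not in SUPPORTED_HASHES:
            continue  # a hash we cannot compute cannot vouch for the peer
        actual = certificate_fingerprint(cert_der, alg)
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            return True
    return False  # no fingerprint line, unknown hash, or mismatch: reject the DTLS peer


# Constructed stand-in for the DER bytes of the remote peer's self-signed certificate
# (a real endpoint takes these from the Certificate message of the DTLS handshake).
PEER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-placeholder-certificate-bytes"

# Constructed SDP fragment as delivered over the signalling channel for that peer.
SIGNALLED_SDP = (
    "v=0\r\nm=audio 9 UDP/TLS/RTP/SAVPF 111\r\na=setup:actpass\r\n"
    "a=fingerprint:sha-256 " + certificate_fingerprint(PEER_CERT_DER) + "\r\n"
)
```

A certificate that was swapped on the media path, or an SDP whose fingerprint line uses a hash the endpoint does not support, both fail the check, so the signalling channel's integrity is what the whole scheme rests on.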