[Sip] comments on sipping-certs
Jonathan Rosenberg <jdrosen@cisco.com> Fri, 12 November 2004 13:19 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA29539 for <sip-web-archive@ietf.org>; Fri, 12 Nov 2004 08:19:19 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CSbM6-00083A-8m for sip-web-archive@ietf.org; Fri, 12 Nov 2004 08:20:46 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CSbGQ-0000td-6H; Fri, 12 Nov 2004 08:14:54 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CSbBO-0000Gi-Dd for sip@megatron.ietf.org; Fri, 12 Nov 2004 08:09:42 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA28704 for <sip@ietf.org>; Fri, 12 Nov 2004 08:09:40 -0500 (EST)
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CSbCj-0007pS-TR for sip@ietf.org; Fri, 12 Nov 2004 08:11:08 -0500
Received: from sj-core-1.cisco.com (171.71.177.237) by sj-iport-2.cisco.com with ESMTP; 12 Nov 2004 05:21:20 -0800
Received: from mira-sjc5-d.cisco.com (IDENT:mirapoint@mira-sjc5-d.cisco.com [171.71.163.28]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id iACD95n0010403; Fri, 12 Nov 2004 05:09:05 -0800 (PST)
Received: from [130.129.135.140] (sjc-vpn1-252.cisco.com [10.21.96.252]) by mira-sjc5-d.cisco.com (MOS 3.4.6-GR) with ESMTP id AFR86543; Fri, 12 Nov 2004 05:08:59 -0800 (PST)
Message-ID: <4194B5EC.1050202@cisco.com>
Date: Fri, 12 Nov 2004 08:09:00 -0500
From: Jonathan Rosenberg <jdrosen@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Cullen Jennings <fluffy@cisco.com>, Jon Peterson <jon.peterson@neustar.biz>, sip@ietf.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1ba0ec39a747b7612d6a8ae66d1a873c
Content-Transfer-Encoding: 7bit
Subject: [Sip] comments on sipping-certs
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10dcc25e55b9b5f7d6ded516404bdc4c
Content-Transfer-Encoding: 7bit
Cullen, Jon Some comments on the sipping-certs draft. The document is in need of a picture that shows the overall architecture - something along the lines of a protocol model as described in: http://www.ietf.org/internet-drafts/draft-iab-model-02.txt I'd suggest that the picture show the credential server, identity service, and clients on both sides, along with a single section overviewing operation. One technical aspect of this bothered me. My understanding is that the NOTIFY from the credential server containing the cert has to be signed by an identity service in order to provide an indentity binding to the cert. However, in this case, the notification is *not* sent by the user in the From/identity field! It is sent by an entity which is authorized to send requests for that identity, and is going to have a tight trust relationship with the authentication service. The spec is quite loose with terminology; I point out some of these below, but it needs a careful scrub in this area. You need to formally define the various event packages you are using. I would suggest aligning the package names with the terminology you are using (i.e., a credential and certificate package). Generally, a lot of details are needed in various places. It reads much like a proposal and needs to move on to become a protocol specification. I think section 7 and 10.2 are out of scope. This is a fairly orthogonal piece of work that treats how offer/answers are done using s/mime. It does not appear to depend at all on the fact that the certificates were obtain through the mechanism in this draft. section 11.1 is out of place. It belongs in a section that defines client behavior for obtained a cert. also, thinking about this, it seems to me that the mechanism is susceptible to SBCs, which would be able to tap into the media stream. They would do this by handing out a different cert to subcsribers than the one you hand it. Then, any encrypted media for you comes to the SBC, which decrypts and re-encrypts with your key. Badness. Might want to mention this in the security considerations section, and recommend that a UA subscribe to its own cert using a different identity in order to verify that the proper cert is being handed out. detailed comments: > SIP provides a mechanism for end to end encryption and integrity > using S/MIME, s/end to end/end-to-end > S/MIME has not been widely implemented or deployed due to the > complexity of providing a reasonable certificate distribution > infrastructure. This is a bold statement; there are many reasons, of which this is one. > Combined with the Identity [2] work, this work allows users to have > certificates that are not signed by any well known certificate s/work/specification > This mechanism allows UAs such as IP phones to enroll > and get their credentials without any more configuration information > than they commonly have today, without any extra effort or key clicks > by the end user, and without any extra expense for the end user. this is one long run on sentence > This mechanism also lets the UA discover and retrieve the public > certificate for any other user and find out about certificate > revocations. worth noting that it actually provides more than this; its not just users, but any resource associated with an AOR. > The general approach is to provide a new SIP service referred to as a > Credential Server that allows UAs to subscribe to some other user's > certificate. a server provides a service, it isn't a service > The identity of the certificate can be vouched for > using Identity [2] work, which uses the domain's certificate to sign > that the NOTIFY really is from the Credential server for the request > user in that domain. This is not true. The signature does not verify this; the signature verifies that the request came from a server that has access to the domain keys. > The Credential Service can manage public > certificates as well as credentials that include the user's private you sometimes use credential service, sometimes credential server also, this text is confusing since credentials apparently contain certificates according to your definition. So, saying that they manage certifications *as well as* private keys is redundant > The Credential Server authenticates UAs that > are changing credentials or requesting private keys using a shared > secret that both the UA and the Server know. in this sentence, it is not obvious that "using a shared secret" applies to both changing credentials and requesting private keys. Also, my understanding is that you would request credentials as well, not just the private key (i.e., there is no way to get just one) > Typically this will be > the same shared secret that is used in Register with the Registrar > for the domain. s/Register/REGISTER > The mechanism described in this document works for both self signed > certificates and certificates signed by a well known certificate > authority; you just said that in the preceding paragraph > Previous versions of this work proposed using HTTP instead of SIP for > communicating with the Credential Server. this needs to be changed now generally, on its way to an rfc, it needs to become less conversational, statements like "this work" and "previous versions" need to go > The key difference with > using SIP is that a certificate can be revoked by sending a new > NOTIFY; in the HTTP based scheme, the certificates were cached for a > predefined period of time, typically one day, so that a revocation > could take effect only after the cache had expired. there are other differences too, i mentioned some of the benefits of presence integration. Its a good idea to compare the pros and cons now that http becomes optional. also the text is confusing because the certificate can also be revoked in sip by having it expire > 2. Conventions change to definitions > The certificates discussed in this draft are generally self signed > and use the mechanisms in the Identity work [2] to vouch for their > validity. the "work" thing again > 3. Goals > > This work allows S/MIME to be used to meet the following goals and > requirements: I think this section needs to become the introduction. Furthermore, much of the introduction is sort of a weak overview of operation. You should move that text into a stronger overview of operation section. > Not require any efforts (zero clicks) on behalf of an end user to > acquire and start using end to end security. s/efforts/effort s/end to end/end-to-end > Not require any extra cost on a per user basis in deploying > systems that support this. It does require that the domain have a > web server style certificate that is either self signed or signed > by a well known CA. this is clearly false; I'll require incremental CPU for each user to process subscriptions for their cert, and incremental storage. > Allow negotiation of E2E encrypted SRTP sessions. please use end-to-end consistently > Allow end to end encryption and integrity of SIP bodies that may > be delivered in SIP signaling, such as page mode MESSAGEs or > NOTIFY bodies in presence. integrity? i usually think of signature as the way we provide integrity, and the certs mechanism isn't used for that hmm. if you want to encrypt presence documents in NOTIFY, what uri do you use to get the certificate? is it the identity used in the subscription, or the gruu in the contact? should a credential server support subscriptiosn to gruu to get certificates? > Allow end to end encryption and integrity of SIP bodies that may > be delivered in SIP signaling, such as page mode MESSAGEs or > NOTIFY bodies in presence. i had to read this a few times to realize you were talking about the case where a user wants to discover someone elses certificate; since a certificate is included in the credential i initially found this confusing > If the identity asserted by the Authentication Service > does not match the identity requests, t what are "identitiy requests"? in this section, you need to say more. discuss when a ua might initiate the subscription, how long it will hold it. Need ot mention the keepalive issue. Also mention that these subscriptions won't generally be challenged. > which will result in a message containing both an > application/pkix-cert body and an application/pkcs8 body that has the > associated private key information for the certificate. I think you mean that the notifications will contain bodies of this type. > credential that contains both an > application/pkix-cert and an application/pkcs8 body. MUST contain > may be configured with a specific name for the Credential Server; > otherwise it defaults to the name of the domain in the User's AOR. is this a new dns usage? I think you mean that we do rfc3263 resolutionon a sip uri > The TLS connection MUST present a certificate that matches the > expected name for the credential server, so that the UA knows it is > talking to the correct server. this is not detailed enough. anyway i think it is covered in rfc3261, you should reference that section 6 blends together a discussion of handling of credentials and certs. For example, it is unclear from the last paragraph on page 5 whether or not the server digest challenges requests for certs (it should not) > Otherwise it sets up a subscription and forms a NOTIFY with the > certificate in the body and the From header field value set to the > request URI of the SUBSCRIBE. how does this work if the request is proxied or retargeted in any way? > It MUST send this NOTIFY through an > Authentication Service (as described in Identity [2]) or implement an > Authentication Service itself. it can't just do that; the notifies are sent within the dialog. The subscribe request has to be routed through the authentication service. > When a Credential Server receives a SUBSCRIBE for a credential, the > Server has to authenticate and authorize the UA and validate that > adequate transport security is being used. how is authorization done? > Once the UA has authenticated with the Server, the Server can set up > a subscription and send a Notify message that MUST contain the > credentials. This NOTIFY message is sent thought an Authorization > Service in the same way as the certificate subscriptions. s/thought/through authorization service? perhaps authentication > Next Alice sends a SIP MESSAGE message to Bob and can encrypt the > body using Bob's public key as shown below. Thought outside the > scope of this document, it is worth noting that IM messages often s/thought/though > Likewise, the authentication > of the user submitting the private key should be equivalent to or > higher than the key being transmitted. its going to be digest; i'm not sure what this means > If a UA receives a > certificate in a TLS connection that it cannot chain back to a well > known CA but is otherwise valid (i.e. a self signed certificate), it > MAY ask the user if it wishes to allow this certificate to be used, why should we allow this? seems like a recipe for trouble > If a particular credential needs to be revoked, the new credential is > simply published to the Credential Server. Every device keeping this > current in its cache will have a subscription to the credential and this current? i think you mean the credential that was just revoked > certificate for the identity in the Original URI. This means that > the certificate should only be indexed in the certificate cache by > the value of the original URI, not by the value of all the > identities found in the SubjectAltName list. that said, i think the cert should be a valid standalone cert. i think we should require, at should or possibly must, that the subjectaltname match the identity that the authentication service will assert for that user. You need a section on generating self-signed certs, i think. > The Authentication Service validates > that this message did come from the identity claimed in the From and it won't though; it will come from the credential service which cannot claim it is the identity in the from > Only the UA that can authenticate as this user can tamper with this > body, so the owner of the identity can provide a false public key but > other users cannot. or the authentication service itself, or anything with the private domain keys -- Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza Director, Service Provider VoIP Architecture Parsippany, NJ 07054-2711 Cisco Systems jdrosen@cisco.com FAX: (973) 952-5050 http://www.jdrosen.net PHONE: (973) 952-5000 http://www.cisco.com _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- [Sip] comments on sipping-certs Jonathan Rosenberg