Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy-rtpsec-06

Ben Campbell <> Mon, 14 January 2019 23:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B98C313141E; Mon, 14 Jan 2019 15:40:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.679
X-Spam-Status: No, score=-1.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uUt__hlbsSM0; Mon, 14 Jan 2019 15:40:53 -0800 (PST)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A8D3313143A; Mon, 14 Jan 2019 15:40:53 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id x0ENep07061554 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 14 Jan 2019 17:40:52 -0600 (CST) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1547509253; bh=SLQrW+A1h/kFxLmxwb+eVbTcjnK95af8oiwi9zRdqKo=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=BzOwdKe+o5xTEePmEMomX1uoNfE3NYPa6w6GrUu6MIZnSyEMMpYWfLKRI6dLAmRXt KtltfWI9vKZfCtnmgYW1mRyAdpujlFgNx5hKWXcf8L1iBIysjCv0fVqQZ/n4ggzf8+ SwNZekzTtQkJBsN8cameeY1bnH7N8IdDnwT4BXh8=
X-Authentication-Warning: Host [] claimed to be []
From: Ben Campbell <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_0630F3A6-1E53-4A78-877E-499DD544217B"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 14 Jan 2019 17:40:51 -0600
In-Reply-To: <>
To: Russ Housley <>,
References: <> <> <>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <>
Subject: Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy-rtpsec-06
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIPBRANDY working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Jan 2019 23:40:56 -0000

Hi, any further thoughts?



> On Jan 2, 2019, at 4:49 PM, Ben Campbell <> wrote:
> Thanks for the response. Some additional comments inline:
>> On Dec 30, 2018, at 4:56 PM, Russ Housley <> wrote:
>> Ben:
>> Thanks for the thoughtful and careful review.
>> Responding only to your Substantive Comments for now...
>>> §4:
>>> - general: The section explains the requirement that the AS and VS to be colocated with the caller and recipient UAs as because putting them in an intermediary could allow that intermediary to act as a MitM. Isn’t this more a question of trust than physical location? Users already need to trust the AS and VS for STIR to work at all. In particular, I don’t think it’s safe to imply that a local AS _can’t_ act as a MiTM unless the code is inspected (and perhaps signed) by a trusted entity.
>>> For the record, I do not necessarily object to the colocation requirement; I’m just not entirely buying the explanation for it.
>> The SIPBRANDY profile is based on an end-to-end trust model.  The verification could take place at an intermediary, but to get the end-to-end assurance, the verification would need to be repeated at the end.
> Does the draft actually say that somewhere I missed? I see text saying that an intermediary could do verification, but must not block or redirect calls due to an untrusted signing credentials. I don’t see anything that states the verification needs to happen again at the endpoint.
> But in general, I think the section would benefit from more focus of what an e2e trust model really means. There’s mention of it in the second paragraph, but not really a definition. I also wonder how such a definition would apply to a decomposed endpoint. (e.g. a media server that separates SIP processing and (S)RTP processing)
>>> - 2nd paragraph: "While intermediaries MAY provide the verification service function of STIR for SIPBRANDY transactions,”: That seems to contradict the statement in the following paragraph that the user agent implementations MUST implement both the AS and VS.
>> Again, verification could take place at an intermediary for their own purposes, but the end-to-end assurance is only provided if the check is made at the end as well.
> See previous comments; does the draft actually say that somewhere?
>>> §4.1:
>>> - General: This section talks about self-signed certs and TOFU. Would you characterize those as comprehensive security? I suspect not, since they offer more exposure to active attacks. But I’m not sure they qualify as “opportunistic”, since they don’t (necessarily) allow a fallback to cleartext. In any case, some text discussing this question might be helpful. (This also includes §4.2)
>> No, I would not characterize the use of self-signed certificates as comprehensive security.  This section is suggesting them as an alternative when other certificates are not available for the caller identity.  The PKI for telephone numbers is not yet available, but it is coming.  The PKI for a SIP URI without a telephone number (e.g. "") is not being worked yet.  Sp, self-signed certificates give a way to start.  An active attacker could strip the signature altogether.
> Does that mean you would lump it into “opportunistic”? Or do we have a third, in-between category?
>>> - third paragraph: "This profile of STIR therefore relaxes the authority requirements of [RFC8224]”
>>> Does that require this draft to formally update 8224?
>> I do not think so.  RFC 8224 says:
>>  ...  Similar practices could be used to support opportunistic
>>  signing of SIP requests for UA-integrated authentication services
>>  with self-signed certificates, though that is outside the scope of
>>  this specification and is left as a matter for future investigation.
>>  Note, however, that even when using anonymous SIP URIs, an
>>  authentication service must possess a certificate corresponding to
>>  the host portion of the addr-spec of the From header field value of
>>  the request; accordingly, using domains like "anonymous.invalid"
>>  will not be usable by privacy services that simultaneously act as
>>  authentication services.  The assurance offered by the usage of
>>  anonymous URIs with a valid domain portion is "this is a known user
>>  in my domain that I have authenticated, but I am keeping its identity
>>  private.”
> I was wondering if there were some other normative requirement in 8224 that was being relaxed. On a quick scan, I do not find any. Therefore perhaps this should be an “editorial” the language
> 	"This profile of STIR therefore relaxes the authority requirements of [RFC8224] to allow the use of
>         self-signed keys for authentication services that are composed with
>         user agent”
> ... suggests that this draft relaxes some specific requirement for this specific composition; that doesn’t seem to be true.
>>> §4.3: Does this draft need to formally update 4916? It’s not clear to me if this draft intends to update these, or is stating that these are some updates we should do in the future. The last paragraph suggests the latter, but the rest of the section seems to be more the former.
>> Yes, it probably should update RFC 4916.
> If that is the case, I think the section needs to split the list of updates to clarify which are actually made by this draft, vs reserved for future work. (For example, I assume this draft is not going to update the examples to match 8224)
>>> §4.4, last paragraph: Is there an expectation that the UA will alert the user if it allows the dialog to continue without media security?
>> Since the IETF does not normally get into user interface, the "if policy permits" language would allow the user to be involved in the decision, or it could be set by other means.
> Okay.
> I’m not going to insist, but I think one could offer (perhaps non-normative) guidance that there are security implications if a user thinks a session is secure when it is not.
> Thanks!
> Ben.