[stir] draft-ietf-stir-passport-rcd-13 rcdi validation

Jack Rickard <jack.rickard@microsoft.com> Wed, 20 October 2021 11:37 UTC

From: Jack Rickard <jack.rickard@microsoft.com>
To: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Thread-Topic: draft-ietf-stir-passport-rcd-13 rcdi validation
Thread-Index: AdfFnr87c2vxVfrsRiOmBanuACp+5Q==
Date: Wed, 20 Oct 2021 11:37:04 +0000
Deferred-Delivery: Wed, 20 Oct 2021 11:36:59 +0000
Message-ID: <AM5PR83MB035516622330F5CD32DF0B5588BE9@AM5PR83MB0355.EURPRD83.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/-KyCQ8_OIMkTN6BAXLv4gjuRjF4>
Subject: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

Hi all,

To clarify things, and hopefully reduce the number of rounds of review, this is a write-up of my position (and hopefully some alternative positions) on rcdi validation.

rcdi is a mechanism to ensure the integrity of the rcd information, and so any entity that retrieves/uses the rcd information clearly must validate that information against the rcdi digests, otherwise it could not trust what it had downloaded.

However, any verification service that does not need to retrieve the RCD information cannot, and possibly should not, always retrieve and validate it, for a few reasons:
1. There isn't enough time - downloading and validating all the data (or in fact any data) takes a prohibitively long time, especially as an intermediate verification service does not know which bits of data are going to be used.
2. The data could change - even if an intermediate does perform the validation, the end entity must repeat this, as the information it retrieves could very well be different to what the intermediate validated.
a. There was discussion in the meeting of a TSP that rehosted the RCD information; in that case it is the end entity in this discussion and realistically needs its own integrity mechanism on what it has rehosted.
3. An intermediate could reject something that the end entity would accept - downloading information from the internet is not perfectly reliable; there could be firewall issues, or just temporary server issues, that cause an intermediate validator to not be able to get the RCD information, in which case it would fail to validate the PASSporT and throw out all the rcd information (and potentially all the STIR information). An end entity does not have to do this; it might be able to retrieve items the intermediate cannot, it might not want all the information in the first place, and in the worst case it can gracefully degrade the rcd information it cannot access.

Taking all of that, I believe that the rcd and rcdi information should be treated as "valid" in the context of PASSporT verification if the data in the PASSporT is correct (this would include checking JWTClaimConstraints), but should not depend on any of the referenced information's integrity.

There is a question there about the "/rcd", "/nam", and "/apn" digests; for the sake of simplicity I'd suggest they also aren't required to be checked by the verifier, but I don't believe it matters.

There are some issues with this approach though:
1. Security is more complicated - this split validation model introduces extra complexity to the security of RCD information in PASSporTs. As far as I can tell, this wouldn't introduce any new attack vectors, but does place a greater burden on the end entity doing things correctly.
2. This introduces a new entity - I don't believe any previous documents have made a distinction between the end entity and verification services, just focusing on authentication services and verification services. This introduces actions that this end entity must perform for the system to conform to the standard.


Those issues are not enough to change my mind; however, I welcome different opinions and there are almost certainly more I haven't thought of or weren't discussed.

Thanks,
Jack Rickard
he/him
Software Engineer
jack.rickard@microsoft.com
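The following is an added example, not part of Jack's message and not code from the draft or from any STIR implementation. It sketches the two roles the message separates: a PASSporT-level check of the rcdi claim that needs no network (every key resolves inside the rcd claim and every value is syntactically a digest), and an end-entity check that fetches only the items it will actually use and records one verdict per item, so an unreachable URL degrades that item instead of discarding the whole PASSporT. Assumptions made here and not taken from the draft: rcdi pointers are resolved relative to the rcd claim; only sha256 is handled; the digest string is "sha256-" followed by unpadded base64url of the SHA-256 over the fetched bytes (or, for inline values, over a canonical JSON serialization); the rcd contents, URLs and hosted bytes are constructed, and make_fetcher stands in for a real HTTPS fetch.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample "rcd" claim: one inline value ("nam") and two
# URL-referenced items ("apn", "jcl"). Not one of the draft's examples.
RCD = {
    "nam": "Example Co",
    "apn": "https://rcd.example.com/logo.png",
    "jcl": "https://rcd.example.com/card.json",
}

# Constructed stand-in for the bytes those URLs would serve over HTTPS.
HOSTED = {
    "https://rcd.example.com/logo.png": b"\x89PNG\r\n\x1a\n<constructed logo bytes>",
    "https://rcd.example.com/card.json": b'{"fn":"Example Co","org":"Example Co"}',
}

# Assumed digest-string syntax: "sha256-" + 43 chars of unpadded base64url.
DIGEST_RE = re.compile(r"^sha256-[A-Za-z0-9_-]{43}$")


def make_fetcher(hosted):
    """Offline stand-in for an HTTPS fetch; raises like a failed download."""
    def fetch(url: str) -> bytes:
        if url not in hosted:
            raise ConnectionError(f"cannot retrieve {url}")
        return hosted[url]
    return fetch


def is_url(value) -> bool:
    return isinstance(value, str) and value.startswith("https://")


def resolve_pointer(doc, pointer: str):
    """Minimal RFC 6901 JSON pointer resolver; '' means the whole document."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise KeyError(pointer)
    node = doc
    for token in pointer[1:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node


def inline_bytes(value) -> bytes:
    """Assumed serialization of inline (non-URL) values before hashing."""
    return json.dumps(value, sort_keys=True, separators=(",", ":")).encode()


def digest_string(data: bytes) -> str:
    """Assumed digest-string form: 'sha256-' + unpadded base64url(SHA-256)."""
    raw = hashlib.sha256(data).digest()
    return "sha256-" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


def content_for(rcd, pointer: str, fetch) -> bytes:
    """Bytes that a pointer's digest covers: fetched for URLs, inline otherwise."""
    value = resolve_pointer(rcd, pointer)
    return fetch(value) if is_url(value) else inline_bytes(value)


def build_rcdi(rcd, pointers, fetch) -> dict:
    """Authentication-service side: digest the items it wants protected."""
    return {p: digest_string(content_for(rcd, p, fetch)) for p in pointers}


def rcdi_well_formed(rcd, rcdi) -> bool:
    """PASSporT-level check needing no network: every key resolves inside the
    rcd claim and every value is a syntactically valid digest string."""
    for pointer, digest in rcdi.items():
        if not isinstance(digest, str) or not DIGEST_RE.match(digest):
            return False
        try:
            resolve_pointer(rcd, pointer)
        except (KeyError, IndexError, ValueError, TypeError):
            return False
    return True


def verify_items(rcd, rcdi, wanted, fetch) -> dict:
    """End-entity side: check only the items it will use, one verdict each,
    so one unreachable URL does not throw away the rest.
    Verdicts: 'ok', 'mismatch', 'unavailable', 'undigested'."""
    verdicts = {}
    for pointer in wanted:
        if pointer not in rcdi:
            verdicts[pointer] = "undigested"  # no integrity claim to check
            continue
        try:
            actual = digest_string(content_for(rcd, pointer, fetch))
        except (ConnectionError, KeyError, IndexError, ValueError, TypeError):
            verdicts[pointer] = "unavailable"
            continue
        same = hmac.compare_digest(actual.encode(), rcdi[pointer].encode())
        verdicts[pointer] = "ok" if same else "mismatch"
    return verdicts


if __name__ == "__main__":
    rcdi = build_rcdi(RCD, ["/nam", "/apn", "/jcl"], make_fetcher(HOSTED))
    print("rcdi:", rcdi)
    print("well-formed:", rcdi_well_formed(RCD, rcdi))
    # Card unreachable (firewall or server issue), logo replaced in transit.
    degraded = dict(HOSTED)
    del degraded["https://rcd.example.com/card.json"]
    degraded["https://rcd.example.com/logo.png"] = b"<different bytes>"
    print(verify_items(RCD, rcdi, ["/nam", "/apn", "/jcl"], make_fetcher(degraded)))
```

In the degraded run the name still verifies, the logo is reported as a mismatch and the card as unavailable, which is the per-item outcome the message argues an end entity should be allowed to reach, while rcdi_well_formed is the only part an intermediate verification service would run. The constant-time comparison is cheap insurance; the digest strings are not secret, but comparing digests with compare_digest is the habit worth keeping.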