IETF Logo Mail Archive

Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism

Chris Wendt <chris-ietf@chriswendt.net> Fri, 20 September 2019 14:33 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC92D1200B8 for <stir@ietfa.amsl.com>; Fri, 20 Sep 2019 07:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRIXUR-hcasZ for <stir@ietfa.amsl.com>; Fri, 20 Sep 2019 07:33:12 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E115A120089 for <stir@ietf.org>; Fri, 20 Sep 2019 07:33:11 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id u22so4003634qkk.11 for <stir@ietf.org>; Fri, 20 Sep 2019 07:33:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=6S5Ha3NHwKe19TnwBw40P0+x35EjsCBcO45skVxwJvQ=; b=LjVTojwTgyED48GPjBoHcPgIHYcwWxnDwFW9dbJb+zrVF1smEDLISSN+39JTcctm4Z Y8Cxbf9zQjjuWUNft5xNDewkDVI2SIyDJvTx17+ApD096gMJg0vWkNkzKJDZMIQ7XuRn 0y2d9sS1hTXEPPOJIir1OeU0oT23KrGWqNMB8gr41Eate57sZ3c+UpzJ6u5MT3hXocDU lCWCnLRd5CoUYjYCRu2FZAKnbXYLx8rGIW1XsxORe3VLeL2fw5oHQ0SAKmNbT/I70/mo Hlzb7LyTs48EpRKW1mrs0SvBQVotXYZycJTScQmcazoc/wdhvppDiZpFBqPK8rflEUDe /RLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=6S5Ha3NHwKe19TnwBw40P0+x35EjsCBcO45skVxwJvQ=; b=EidUe5mAiRvbtqBAsUxC1W10yG3QGNCzd8HrSnExY5GZYyURaJHzt/8ORTqY4BaOeT ouBNjDvydqAlQVWt6siHHLATG74iHyeKvUeBt19kxHWoqczq2AklGdA1xMdg5Qm8mynl 36Q0wQBGxQqkfWYIMvnLYqRpVosDWvOy0TrHWReCxr99ZXS5hldovccH7AM5uIjdPFCN DJZtEKZuxmczbhvvNWsSuqxs56Gg7xCzifK1RN3hVhvzyIvVxMa8oY1Vju4dZbk0FNhf 424S9Ej6PYM5ZnsHG6UnQMu/WiAcuCsoDEMt3OwVmobd7UHglNq5F/U22Vt9623F5tC5 YxWA==
X-Gm-Message-State: APjAAAXW1WAQM//p9bEpiJq56IurHvD+wKWH6ZC1nl59feluBA3N45dv fRmKmGd3Sll21dBpr99hDk8dFg==
X-Google-Smtp-Source: APXvYqwDc9iYJ4D1Q7PpE5UvMD+MMvYWkFvoiOJjZ5xv6zXXDHnD0v8pOd+MtVr3rkC8+2w4f+uUuA==
X-Received: by 2002:a37:9944:: with SMTP id b65mr3943507qke.175.1568989990846; Fri, 20 Sep 2019 07:33:10 -0700 (PDT)
Received: from ?IPv6:2601:41:c402:39e0:c037:ad72:e7e2:edde? ([2601:41:c402:39e0:c037:ad72:e7e2:edde]) by smtp.gmail.com with ESMTPSA id l23sm1628136qta.53.2019.09.20.07.33.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 20 Sep 2019 07:33:10 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <5394EB92-8148-420F-96E4-DBA979D5F3FC@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D36028C2-FC2F-4320-833C-12B3E4A0647C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 20 Sep 2019 10:33:09 -0400
In-Reply-To: <B66C4ABF-5E37-4796-BF45-B2074C95EC56@nostrum.com>
Cc: "Peterson, Jon" <jon.peterson@team.neustar>, "stir@ietf.org" <stir@ietf.org>
To: Ben Campbell <ben@nostrum.com>
References: <D0D57997-56AC-4E68-BC12-2CE07C52B711@nostrum.com> <0CCCD3F6-B0A5-4B0C-B563-2E85AC3E3B3A@nostrum.com> <9DA8A5FC-866B-4DF3-BA76-68AF733EAF4D@chriswendt.net> <5A3DFEE8-60E0-4870-9689-FEAAFA0D7BE8@nostrum.com> <FE1ED9C6-2BDA-4A97-BCFC-CA6BDCAA9680@team.neustar> <B66C4ABF-5E37-4796-BF45-B2074C95EC56@nostrum.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/-iCpE1iffXHkpxv_5BdOcC5sB9w>
Subject: Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2019 14:33:16 -0000

We can talk on the call, but i think MAY seems a little too open ended to me.  I think high level there is three main levels of use-cases/security between use of “rcdi” and using JWT constraints.  I think i’d prefer to explicitly describe those scenarios, first not using “rcdi” at all, second using “rcdi” without constraints and then “rcdi” with constraints.  Does that make sense?

-Chris

> On Sep 16, 2019, at 5:41 PM, Ben Campbell <ben@nostrum.com> wrote:
> 
> 
> 
>> On Sep 13, 2019, at 12:17 PM, Peterson, Jon <jon.peterson@team.neustar <mailto:jon.peterson@team.neustar>> wrote:
>> 
>>  
>> At a high level, what we want out of certs here is a capability that empowers the issuer of a certificate to constrain the contents of RCD when the signer signs a PASSporT. I don’t think we want to say that RCD can only be used when the JWT Constraint is present, and I don’t think we want to say that the integrity check provided by “rcdi” can only be present in a PASSporT when the signing certificate has a JWT Constraint in it. Including “rcdi” in the JWT Constraints should be just a hook, that the issuer of a certificate can use to make sure that RCD isn’t being abused in cases where there are concerns about that.
> 
> There’s nothing there I disagree with, but I don’t think that is quite what is captured in rcd-04.
> 
> Would it make sense to state the use of “rcdi” as MAY include and MUST verify if present.
> 
> 
>>  
>> Outside of the JWT Constraint, I was originally not immensely worried about link substitution attacks on the RCD system: that is, ones where the signer of an RCD PASSporT believes a URL in RCD points to an image of the Ford Motor Company, say, but while a SIP call is in transit, someone switches the resource that the URL indicates to an image of Chevrolet, so that when it is rendered on the terminating side the callee sees something different than the signer intended. The creator of the PASSporT, after all, picked that URL, and it just doesn’t make sense for them to pick a URL that they don’t have meaningful change control over. The only edge case where I see real concerns is one where the creator of the PASSporT and its signer are different administrative entities, and the creator tricks the signer into vouching for a URL that will be pointed to a different resource after it is signed. That edge case convinced me that there was at least some value to “rcdi” independent of the JWT Constraint; the “rcdi” lets the signer capture the resource as it was seen at signing time, which should help mitigate cases where naughty entities try to push malware or something through that URL. Is that enough motivation for a SHOULD for “rcdi”, at least for the referenced content case? We want that use case to work whether there are JWT Constraints present or not.
> 
> My personal preference would be to make it a MAY, and add non-normative guidance about when it would be a good idea to use it. I wouldn’t really object to making the JWT Constraint MAY if rcdi is present, and SHOULD in the specific use case you describe, but I wonder if we would not have problems thinking up an exhaustive list of all SHOULD cases in advance.
> 
> Thanks!
> 
> Ben.
> 
>>  
>> Jon Peterson
>> Neustar, Inc.
>>  
>> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> on behalf of Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
>> Date: Monday, September 9, 2019 at 3:07 PM
>> To: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>>
>> Cc: "stir@ietf.org <mailto:stir@ietf.org>" <stir@ietf.org <mailto:stir@ietf.org>>
>> Subject: Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
>>  
>> Hi Chris, 
>>  
>>  
>> Please see inline. 
>>  
>> Also, I forgot one comment unrelated to the integrity mechanism: in section 5.1, the wikimedia folks would probably appreciate it we do not include a link to content hosted there in an example in an RFC :-)
>>  
>> Thanks!
>>  
>> Ben.
>> 
>> 
>>> On Sep 9, 2019, at 2:02 PM, Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>> wrote:
>>>  
>>> Hi Ben, 
>>>  
>>> For 1, simple answer is yes the intention was to make the content tied to the cert.  My experience is that calling name and other info is not changed often, however, assuming your premise, why would that be a problem?  If you want to be changing your RCD info once a year, once a month, or once a day then why is it a problem to push everything through the integrity mechanism and generate a new cert each time?  I think this is pretty logical.  If you don’t do that, what is the alternative to keep the properties of integrity of the information protected by a signature?
>>  
>> I agree that tying the content to the cert makes sense for some use cases where there is a content policy “authority” either as part of the CA, or that easily fits in the workflow for issuing the cert (perhaps via some ACME-ish token) But I think there will also be use cases where it does not. In particular, cases where either there is no such authority, or the signer of the RCD PASSporT _is_ the authority.
>>  
>> For example, the policy authority could be a third-party signer as described in section 7. Why would such an authority need to tie content to the signing certificate? It would just make life more complicated for them. (I started to ask why a 3rd party signer would need the integrity mechanism at all, but perhaps they need to protect referenced content.). 
>>  
>> I don’t object to having the _ability_ to tie content to the cert. But I think making that a MUST when using the integrity mechanism is too strong. I’d argue for a MAY, along with motivating text on why/when you might want to use it.
>>  
>> For similar reasons, I lean towards thinking the SHOULD for using the rcdi claim in the first place might be a bit strong. For example, it would serve little purpose in the third-party example above if the policy authority simply did not allow referenced content.
>> 
>> 
>>>  
>>> For 2, yes the intent was to iterate at each level of the URLs.  I suspect the number of nested URLs for most of the “common” cases, like name, logo and address, would be limited, but would need a framework that supports multiple levels of nesting or limit the number of levels or something if we are concerned.  I don’t think there is a lot of reason to be concerned but maybe i’m missing a case that would actually use a ton of nesting in any practical way.
>>  
>> If that is the intent, it needs to be clarified. I read 4.1.1 as iterating across all the URLs in the RCD input. I assume from your response that step 7 was intended to apply to retrieved content, but I initially assumed you mean to iterate over additionally identified URLs in the RCD claim itself.
>>  
>> Given the intent to recurse over multiple layers of indirect content, I think some operational guidance is even more important. My concerns were not so much around legitimate use cases for long URI chains so much as for more nefarious use cases (e.g. trying to sneak in uncontrolled web content, DOS attacks, etc.)  (Basically the concerns that Eric stated separately.)
>> 
>> 
>>>  
>>> -Chris
>>> 
>>> 
>>>> On Sep 7, 2019, at 12:50 PM, Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>> wrote:
>>>>  
>>>> Minor correction below:
>>>> 
>>>> 
>>>>> On Sep 6, 2019, at 4:31 PM, Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>> wrote:
>>>>> 
>>>>> Signed PGP part
>>>>> Hi,
>>>>> 
>>>>> I have a couple of high level questions about the new integrity mechanism in draft-ietf-stir-passport-04. Apologies if these have already been discussed.
>>>>> 
>>>>> 1) Do I understand correctly that the certificate used to sign a PASSporT with an rcdi claim MUST include a constraint for the _value_ of the digest? That is, if someone makes any change to any of the information they would normally include in an rcd claim, the signing party must get a new cert?
>>>>> 
>>>>> My concern is that, for good or bad, commercial callers really like to control the customer experience. Many like to change things up all the time. I can imagine things like special date-specific logos (e.g. Google doodles), “sale” badges on logos, distinctive branding for different “campaigns”, etc.  I realize things like ACME make the process of getting a new cert lighter weight than it used to be, but is it reasonable to require a new cert for any change?
>>>>> 
>>>>> This might be worse for third-party signers who may sign on behalf of many callers, each of which keeps changing things.
>>>>> 
>>>>> 2) If I understand correctly, if anything in the rcd claim includes a URL, the rcdi claim incorporates the associated content. What about URLs?
>>>> 
>>>> Uhm, I meant to say additional URLs
>>>> 
>>>> 
>>>>> For example, lets say a jcl key links to a jCard, and that jCard has a LOGO element with a URI? Is the alleged logo content at that URI protected?
>>>>> 
>>>>> I assume the answer is that the answer is no; otherwise it could be URLs all the way down and we have to stop somewhere. This is probably a matter of signer or issuer) policy. If so, it might be worth having some operational guidance that they need to think about such things.
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> stir mailing list
>>>> stir@ietf.org <mailto:stir@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/stir <https://www.ietf.org/mailman/listinfo/stir>

v2.23.0 | Report a Bug | By Email