Re: [stir] Proposal for update of erratum #6519

Alec Fenichel <alec.fenichel@transnexus.com> Tue, 20 April 2021 18:29 UTC

Return-Path: <alec.fenichel@transnexus.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F86D3A108E for <stir@ietfa.amsl.com>; Tue, 20 Apr 2021 11:29:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=transnexus.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YQTe6VlMGxex for <stir@ietfa.amsl.com>; Tue, 20 Apr 2021 11:29:40 -0700 (PDT)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2067.outbound.protection.outlook.com [40.107.243.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDBDA3A1094 for <stir@ietf.org>; Tue, 20 Apr 2021 11:29:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WduTqMwRHB+PJr4TL4/9YDcOqfr4d1xrqShFvJB588/wF5Cqiy5m5asifyAZ0L9tXikdRsWvF/wPa4wdVYohXXUivuDlHZSQWdjbr90RjnI8qXk45DgoHzMVxul2z1Zzj0xEMrfx2FrbfvINpdk2q+B0VSK/rARxXSTZk/q+fogasB6JmItuzHP/FkpyzvRTGCTYba2hcqtCWbvwYJxkkjRWUAtGnsQ61zaiTyCOlsZGPpIBE4ElE3JJdn1nqbER1gdF9ld99j9YHPLZ0XB6eJgYrr+bPvB0syQ3+o6VdTBHS1C+SRjfSUrwx5+UxoZqE01XuQ14quJ7kMRSvER0nA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NkawQZkMVXQRMnTnxMpShyh5uuau5a1Bo/ps1LcN6so=; b=ea/OEAig5FoIutXnLJb+7m9b16BCsu1hvp9RE7CZz4jvRpsoxMp4x1JN9Zf6zKdzjvCh1ZhQYxuXc/Opc8I/tQtrWdsCXRNxHPrRPi1DHzw1XYSjrmuthKOCiUClqCZRgVwPqeOZVGFjQfzFZ5NVcMlpb0qFnkUCbnRgFDRyoxeheNFEilo8xDc1zHKv3+Ah3Sv36nLOXVuvgp3gh/BeeQKPwi3+BBG8Ckv1OlDbuGBm/fKBPBL/9GpZkkg0gadkQFneTyu0bqsWPro23Oo7qe7BDfbp5NvX4gv5adc9W5OlWxOxQmx8+h6m09LtfBFFIYOYzimJucy3mi0cp73jSQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=transnexus.com; dmarc=pass action=none header.from=transnexus.com; dkim=pass header.d=transnexus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transnexus.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NkawQZkMVXQRMnTnxMpShyh5uuau5a1Bo/ps1LcN6so=; b=rE46116IV9euKQ3HeiWhlb8EYGqeDsnu6veLpsd6Dst4PoXVDGe14pnfYByfBD4v3vA4OynpcssN7L7i7Ztd26y2z7XdvV8BFus8J1/Sb51MABPvefYb/E53pSJZf6KcBMvDNeL55DtgzkNCxTL4SIECQPAvyY0yPqSnMD+t56w=
Received: from BN6PR11MB3921.namprd11.prod.outlook.com (2603:10b6:405:81::20) by BN8PR11MB3795.namprd11.prod.outlook.com (2603:10b6:408:82::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.19; Tue, 20 Apr 2021 18:29:33 +0000
Received: from BN6PR11MB3921.namprd11.prod.outlook.com ([fe80::848e:acea:1d08:c4a1]) by BN6PR11MB3921.namprd11.prod.outlook.com ([fe80::848e:acea:1d08:c4a1%3]) with mapi id 15.20.4042.024; Tue, 20 Apr 2021 18:29:32 +0000
From: Alec Fenichel <alec.fenichel@transnexus.com>
To: "Peterson, Jon" <jon.peterson@team.neustar>, Roman Shpount <roman@telurix.com>
CC: "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>, Marc Petit-Huguenin <marc@petit-huguenin.org>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Thread-Topic: [stir] Proposal for update of erratum #6519
Thread-Index: AQHXNGtEYP84hmYi3EufgV06U9MN4Kq8DuYAgAAaegCAAAOBgIAADd+AgAAs2wCAAB63AIAAIcUAgADW8oCAAACy7IAABJGAgAAEteeAAAtEgIAABjCdgAAVGACAAAA2t4AAAfCAgAAA3AqAAAftAIAAAJZb
Date: Tue, 20 Apr 2021 18:29:32 +0000
Message-ID: <BN6PR11MB392142F6DFF10FC05123C0D399489@BN6PR11MB3921.namprd11.prod.outlook.com>
References: <42e964d3-2a16-660b-f8b4-fd9daedad115@petit-huguenin.org> <AM0PR07MB38604255784FF9E621257B2D93499@AM0PR07MB3860.eurprd07.prod.outlook.com> <3d8e2fce-d124-99b9-e295-734a36ad564a@petit-huguenin.org> <7558AA11-A7F9-4091-BFD3-F42C742AABAE@vigilsec.com> <167dde10-f242-2b6f-a7ce-96991158589a@petit-huguenin.org> <CAD5OKxvkN+BSY0XuBmfApDDWOLhqCLLFuQgVQryE+yHUftWs4w@mail.gmail.com> <15fc4a20-b5c8-cd27-b30e-76e1f479b4ff@petit-huguenin.org> <CAD5OKxvmvmotpxB8BGJfqRrVTjEGKQkQRow37gmwRMFaBGjEoA@mail.gmail.com> <DF470A3C-6033-48F4-8A61-3442C5DD2239@team.neustar> <BN6PR11MB39216109781BE5DE5C35AB6399489@BN6PR11MB3921.namprd11.prod.outlook.com> <6F5317AE-44F5-4CAA-82B8-830FF5223179@team.neustar> <BN6PR11MB3921A7E9996332ED9E057E4C99489@BN6PR11MB3921.namprd11.prod.outlook.com> <CAD5OKxuwB=VxjcJ6LRboHTY5evQap9k-g=M+L8OQChPDdt3BFQ@mail.gmail.com> <BN6PR11MB392155D7F465C334B96DB92199489@BN6PR11MB3921.namprd11.prod.outlook.com> <CAD5OKxvdgOzvcgc6DMN6_kpL0bsdXu8EnGzCxSqhAhKGeqiiPw@mail.gmail.com> <BN6PR11MB3921FF3AE658E7FAEB8DCE1F99489@BN6PR11MB3921.namprd11.prod.outlook.com> <CAD5OKxsUDarfzV3-Bo9e9Zvt7pj=0fLmaE5n4a0X8Scu2kvpvg@mail.gmail.com> <BN6PR11MB3921FE4F071D4EA4CE1CE06099489@BN6PR11MB3921.namprd11.prod.outlook.com>, <64219E07-0F3B-4D6F-9DD4-1CCB7FCAA62C@team.neustar>
In-Reply-To: <64219E07-0F3B-4D6F-9DD4-1CCB7FCAA62C@team.neustar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: team.neustar; dkim=none (message not signed) header.d=none;team.neustar; dmarc=none action=none header.from=transnexus.com;
x-originating-ip: [71.199.144.180]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5d15586c-d330-465a-2fe0-08d9042a3e41
x-ms-traffictypediagnostic: BN8PR11MB3795:
x-microsoft-antispam-prvs: <BN8PR11MB379501C5128D79B3B4BA1BB499489@BN8PR11MB3795.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 6HgRSOuNJVIM2kkhauznUxTiPX6jo3MjLZlQ+TXHVM66Ed1Y/3a+kN4++b9TlYBn31c0T9TtNIHW/1DhAFFMHw31byF04qfQeVk6LaFbV1y96Vq1TcfqXfiZdRsNJOyFuhogUcmbuEBKhykbzNNiPSupxUcWVrvr22XZFjLcUUtZ3pQywbMq+A70cxDX9wAERRh6pJ8K8P7JgFqfRQC8qsdwIn5Y9BBWhAwlrsBFDECaPrbEtRV4lNm9OOYebk0+a7YmhF/0V+8vkf0b5nqc/5pL+uS8hpNNhXoPHLhgn4SnT1qjvDGSt+spp+LW6pRuK7UpCZNDm8PRlRdEoimhvjE+hNWrTjGOZJ/saL+2X71oh4I2HCo24IrhsSav+xEg9pfFvpQnvLz+hi60BXfHwqQDHcYYgihSpglIhTbhOuq4xOO3uZPs2fK7sGx/2ikrRHn5HSyLWBi6/+jbJZ3b+aeQwTk3i/VhI9zX9brVnznF3fu6sQ46BLOshHYxHQpriWjpQc7hwOij3rvmkkXyGf1Wirj1m24KI08oxccA53yRqbp7wKI0wBc3uJKN9U9XnuiY2WOQBU991dGi3p4GM4lQwJMPk2qmkUkS4JPmYk9Ft4J2Jch5BrsAQGaMal3qFoUlQYlPU/+wApi7ER2FgTJOfxqXwCtKTfIa070n6JNd5EYOV371twZpyzzo1TZL
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN6PR11MB3921.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(366004)(376002)(39830400003)(346002)(396003)(52536014)(66946007)(7696005)(5660300002)(30864003)(66556008)(66616009)(166002)(53546011)(8936002)(54906003)(66446008)(2906002)(186003)(83380400001)(110136005)(9686003)(66476007)(64756008)(316002)(66574015)(6506007)(26005)(4326008)(122000001)(44832011)(15650500001)(55016002)(966005)(478600001)(33656002)(71200400001)(99936003)(76116006)(38100700002)(8676002)(86362001)(579004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?Windows-1252?Q?q4xZmPT0OdYLkpKLcesYMsRgQBx4m5FmaxsB3aFojCtcHNpDx3syKgTW?= =?Windows-1252?Q?Ksg23pwKTbbSbAIf2/91Wy+P7aO6PFLnlGvsohVBXZvT5BaW8X5KY6zW?= =?Windows-1252?Q?8n6l0mktFUXyItog1xF15zNBDzlSR1lXNWeIYDjfVxXgbbtRqtXpfXID?= =?Windows-1252?Q?HRemiy3VqR6EXXCpzXAEG1ItnX9ZtFk0tdizwkybpxxumOdjuwBCeYYn?= =?Windows-1252?Q?2HBR3D5U9ZFKH1XbD/0hX5ZsBk01QoaLhV116BBDPcC5DyRl1d73IwyW?= =?Windows-1252?Q?nidMg6Gcn0kp/6ACkmhWSwuDFehW2CHB/S+1CN04Nf0zDZEfVytBUxb6?= =?Windows-1252?Q?tcgmID5WxauLT7/UCkxpNDO7ic4FQ3UmuH5jIUzgNS3qreCiuryqPsrC?= =?Windows-1252?Q?fiz9wJLy3l+as67YtRU/DZkIZ3LIDbdRm03UXZBLJ10bDVW9i9z55z29?= =?Windows-1252?Q?slTvLypbzua+ZLeUXwkVXS/PrE2v8Fkf0XrSr8XldfKpSR4V3+eTjLFd?= =?Windows-1252?Q?f0u37DvJ6Q6QrX3+SQ7w+WRC2l0Af/sgc6a+hTbDONWoPpAcgZ/9wMd2?= =?Windows-1252?Q?wPjgSyurM5GSQnpt3Q5Dx+X6lsAn541RfKMw1I0y7ZtZNUyAsrcAuxp5?= =?Windows-1252?Q?BfaKV15WZS0BQXDxDItJ8GPJc/8n4KhkgCplkugojuTltQ2bO+DKbBsx?= =?Windows-1252?Q?vn9vQDP/Tssfv6qFjG7i+XwZDAcI0zjH52RBFTJ0F6tHRHrizoQrYBsk?= =?Windows-1252?Q?6jKpaBWeBudcNIfrFpJyGYqPZQZ5u/AaJNWh57MoH1O0Tz5ZEBlZ8hBJ?= =?Windows-1252?Q?9taTi6xyxG8AqPaqkIoRhADYYB7V+n0Hm4I7CmhnqULmqab6V302eagU?= =?Windows-1252?Q?vRAxA+Dw5UMk6FHhyDtkDCksL1vJVi3Pj4nDwH74NENa8H2a5/O8Agsc?= =?Windows-1252?Q?TO/PHqs1j3tTw7wdHwslSv3NL6zgEYL85seKJ3DIiSpwaWja5awAD/Zh?= =?Windows-1252?Q?chJNbSqYlkiUyEIR+FeB4SyAjO7B2A9FHy4ngglHxyJmLt+FYrpzC13h?= =?Windows-1252?Q?wJklqyDzUscJfZ2fzf2C+JJmXkBDVsl4+9bmMGq/YOuwLMTVEfepGLnd?= =?Windows-1252?Q?7yqpp3PgToFDRAA6oNuCXVTNlPnn2amRq2d35j6VzaDSLpBEAh+y6V3l?= =?Windows-1252?Q?cdilqBMOsv5tsgU9gY5rstqlmBsOxsfgRZ+YrvSpyw1CXGVBNRaSxT1l?= =?Windows-1252?Q?+CUug1bSztT219Trh7Nh9KSxuGUCt+M/BGRbh6XIQ0gv58CUDaoDHw1P?= =?Windows-1252?Q?olVk86opGf19ZfQIgzwixW4eDQazJjWZQns7Fx9YtOIbxgFgqz8ag5X3?= =?Windows-1252?Q?luJGi7iiabXfl4zBtiBkXg3GD1G8p6+zLfG6mWMSI8SJP5yOqNS5P6Iq?= =?Windows-1252?Q?8A+jU9xD91WvWitQiLqeiw=3D=3D?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_510C5B45-04D7-124C-8109-664DEDCC2F57_"
MIME-Version: 1.0
X-OriginatorOrg: transnexus.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN6PR11MB3921.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5d15586c-d330-465a-2fe0-08d9042a3e41
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Apr 2021 18:29:32.6624 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8e2972a2-d21d-49ac-b005-18e8ceaadee3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 69F8dl7Rc3jyzrXck7THAB9ZJr2V2piLZhB/LM/cnT4BBwkBvEGjLHeFfhjZo4ZE+Y/tiX7qJoWqPPheLra3L122LkmA1NG7AaL/Yc6E/VE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3795
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/2RBYwH17ytLye6vuM2AZbuh1nOU>
Subject: Re: [stir] Proposal for update of erratum #6519
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 18:29:47 -0000

Jon,

 

I don’t think it is an issue for an STI-VS to decode a PASSporT that comes from an untrusted source. Web servers decode JWTs received over the open internet all the time.

 

On second thought, perhaps we should get rid of the info parameter all together and instead use x5u, x5c, jku, etc. parameters. Otherwise, how does the STI-VS know which one to construct if a given PASSporT extension supports more than one?

 

We could even get rid of info, alg, and ppt parameters and just have generic params. RFC 8224 would basically say that when using compact form PASSporTs any claims not included in the signaling should be included as SIP parameters of the Identity header where the SIP parameter name matches the claim name, and the value matches the encoded claim value. Values would need to be quoted as they would be case/whitespace sensitive.

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: Peterson, Jon <jon.peterson@team.neustar>
Date: Tuesday, April 20, 2021 at 14:19
To: Alec Fenichel <alec.fenichel@transnexus.com>om>, Roman Shpount <roman@telurix.com>
Cc: Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>rg>, Marc Petit-Huguenin <marc@petit-huguenin.org>rg>, IETF STIR Mail List <stir@ietf.org>rg>, Russ Housley <housley@vigilsec.com>om>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

 

I do agree that we should transition away from x5u being the sole way to identify the keying material that signs PASSporTs. We ran into this already looking at x5c, for example, and I’ve heard of a couple others. That would be a patch for both RFC8224 and RFC8225, but it’s really more additive than corrective. From an IETF process perspective, I’d suggest doing that as an Internet-Draft that targets an update to RFC8224 and RFC8225 (rather than a bis of both).

 

Personally, I need to think more about the SIP Identity header “info” parameter being optional, but the original motivation for requiring it, as far as I can remember, was related to both compact form and to having VS’s sift through Identity headers by the trust anchors they trusted. For non-compact form PASSporTs used in closed networks with mandated trust anchors, those motivations at least are less of a concern. This is the first time I can recall that I’ve heard the suggestion that Date headers should not be added by AS’s, but on first glance I’m not sure I consider that a crucial thing to fix, anyway.

 

Jon Peterson

Neustar, Inc.

 

From: Alec Fenichel <alec.fenichel@transnexus.com>
Date: Tuesday, April 20, 2021 at 10:54 AM
To: Roman Shpount <roman@telurix.com>
Cc: "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>rg>, "Peterson, Jon" <jon.peterson@team.neustar>ar>, Marc Petit-Huguenin <marc@petit-huguenin.org>rg>, IETF STIR Mail List <stir@ietf.org>rg>, Russ Housley <housley@vigilsec.com>om>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

 

Proposed changes:

 

1.       Be prescriptive about whether quotes are required around the ppt parameter value or not

2.       Make info param optional when using full form PASSporTs to make OOB easier for transit providers

3.       Allow info param to match claims other than x5u (e.g., jku, etc.) to support DLT and other future PASSporT extensions that don’t use x5u

4.       Make the Date header optional

 

I’m not following the SIPS recommendation for privacy due to the PASSporT. The destination number, origination number, etc. are already in the SIP signaling. How does the PASSporT add sensitive data?

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: Roman Shpount <roman@telurix.com>
Date: Tuesday, April 20, 2021 at 13:48
To: Alec Fenichel <alec.fenichel@transnexus.com>
Cc: Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>rg>, Peterson, Jon <jon.peterson@team.neustar>ar>, Marc Petit-Huguenin <marc@petit-huguenin.org>rg>, IETF STIR Mail List <stir@ietf.org>rg>, Russ Housley <housley@vigilsec.com>om>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

Hi Alec,

 

In https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fnam12.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Ftools.ietf.org*2Fhtml*2Frfc8224*23section-6.1%26data%3D04*7C01*7Calec.fenichel*40transnexus.com*7Cdbfa0be305214ff23a2b08d90424708f*7C8e2972a2d21d49acb00518e8ceaadee3*7C1*7C0*7C637545376833535180*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000%26sdata%3D*2FXjXtPkSDbBEwhecGcTO6EAJbikQr1cbR8PypfS1BdE*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSUlJSU!!N14HnBHF!qr5yahpFu8Vma0zE13SMyYyK-6IbruAryd4ZWOzBjk7bb33m8et-Apn-wT1CjfkKYghybw%24&data=04%7C01%7Calec.fenichel%40transnexus.com%7C43776cfc305548dfc9d808d90428d014%7C8e2972a2d21d49acb00518e8ceaadee3%7C1%7C0%7C637545395625386658%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YaLyOwZRtLPqElWNS3iTuU3y8DkLuGm8XgsSHwnlAAo%3D&reserved=0" rel="nofollow">https://tools.ietf.org/html/rfc8224#section-6.1 Step 3:

 

An authentication service MUST add a Date header field to SIP requests that do not have one.

 

Best Regards,

_____________
Roman Shpount

 

 

On Tue, Apr 20, 2021 at 1:44 PM Alec Fenichel <alec.fenichel@transnexus.com> wrote:

Roman,

 

Is there text that I missed that makes the Date header required?

 

Let me rephrase my first proposed change:

 

1.      The document should be prescriptive about whether quotes are required around the ppt parameter value or not

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: Roman Shpount <roman@telurix.com>
Date: Tuesday, April 20, 2021 at 13:40
To: Alec Fenichel <alec.fenichel@transnexus.com>
Cc: Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>, Peterson, Jon <jon.peterson@team.neustar>ar>, Marc Petit-Huguenin <marc@petit-huguenin.org>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

Alec,

 

I would also like to add:

 

1. The Date header should be optional when full PASSporT is used. The iat in PASSporT should provide enough protection for cut-and-paste attacks.

2. I think privacy considerations should be added that recommend using SIPS since the data carried in PASSporT is likely considered personally identifiable information and should not be transmitted in encrypted form.

 

Still, I wouldn't say I like quotes around the ppt param value since this parameter differs from every other token parameter in SIP headers.

_____________
Roman Shpount

 

 

On Tue, Apr 20, 2021 at 12:33 PM Alec Fenichel <alec.fenichel@transnexus.com> wrote:

Roman,

 

Makes sense. I think a new version would be great. Proposed changes:

 

1.       Require quotes around ppt param value

2.       Make info param optional when using full form PASSporTs to make OOB easier for transit providers

3.       Allow info param to match claims other than x5u (e.g., jku, etc.) to support DLT and other future PASSporT extensions that don’t use x5u

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: Roman Shpount <roman@telurix.com>
Date: Tuesday, April 20, 2021 at 12:02
To: Alec Fenichel <alec.fenichel@transnexus.com>
Cc: Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>, Peterson, Jon <jon.peterson@team.neustar>ar>, Marc Petit-Huguenin <marc@petit-huguenin.org>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

Alec,

 

My personal opinion is that we should try to organize an open SipIt interop event for both STIR and SHAKEN implementations. Based on the interop results, it might be good to do a new version of RFC 8224.

 

Meanwhile, we really need this errata so that we can deal with current interop issues.

 

Best Regards,

_____________
Roman Shpount

 

 

On Tue, Apr 20, 2021 at 11:31 AM Alec Fenichel <alec.fenichel@transnexus.com> wrote:

Jon,

 

Understood. Then maybe we could just leave it as is until RFC 8224 is updated? Is there any implementation out there that doesn’t support receiving with or without quotes?

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>
Date: Tuesday, April 20, 2021 at 11:05
To: Alec Fenichel <alec.fenichel@transnexus.com>, Peterson, Jon <jon.peterson@team.neustar>ar>, Roman Shpount <roman@telurix.com>, Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

 

I mean, no, it’s just pushy. It’s the same reason we don’t propose that you MUST only accept quoted. Given that it was the ambiguity in the original spec that caused this problem, I’m a little hesitant to be that pushy.

 

Maybe for the errata we could be less pushy, but when we (inevitably, someday) do an actual update or bis to RFC8224, we could be more pushy about it.

 

Jon Peterson

Neustar, Inc.

 

From: stir <stir-bounces@ietf.org> on behalf of Alec Fenichel <alec.fenichel=40transnexus.com@dmarc.ietf.org>
Date: Tuesday, April 20, 2021 at 7:59 AM
To: "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>, Roman Shpount <roman@telurix.com>, Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

 

Is it really a problem to just say that you must (or must not, either way) include quotes and be done? STI-AS and STI-VS implementations will need to be updated frequently over the next few years due to all of the new PASSporT extensions, so expecting implementations to add/remove quotes seems reasonable. Implementations could accept both values at their discretion, even if it violates the standard.

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: stir <stir-bounces@ietf.org> on behalf of Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>
Date: Tuesday, April 20, 2021 at 10:47
To: Roman Shpount <roman@telurix.com>, Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

 

Inline.

 

From: stir <stir-bounces@ietf.org> on behalf of Roman Shpount <roman@telurix.com>
Date: Monday, April 19, 2021 at 6:57 PM
To: Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [stir] Proposal for update of erratum #6519

 

On Mon, Apr 19, 2021 at 7:56 PM Marc Petit-Huguenin <marc@petit-huguenin.org> wrote:

A literalist.  Fantastic.



That was not my understanding.

 

We can go back to the recording to check on the decision.

 

More importantly, what is the normative strength of "be tolerant to the absence of quotes when receiving"? Is this MUST accept quotes? SHOULD accept quotes?

 

In the sentence "Implementations SHOULD use quotes around the token when sending", what would be the valid use cases when implementations are allowed not to use quotes?

 

My understanding is that SHOULD implies well know exceptions.

 

The exception we are aware of is that implementations exhibiting this behavior exist. It is, in other words, for backwards compatibility reasons.

 

Regardless of what the recording says (we were kinda all over the place, if I recall), I think I agree that the right semantics are that you MUST accept quoted and unquoted, and SHOUD send quotes (the exception to the SHOULD being backwards compatibility). If we said you MUST send quotes, well, then implementations that don’t are violating the spec. As you pointed out, it’s kind of a mixed bag at the moment out there in terms of where implementations are.

 

Jon Peterson

Neustar, Inc.