[stir] "iat" value to use during PASSPorT construction

"Asveren, Tolga" <tasveren@rbbn.com> Mon, 14 May 2018 09:17 UTC

From: "Asveren, Tolga" <tasveren@rbbn.com>
To: "stir@ietf.org" <stir@ietf.org>
Date: Mon, 14 May 2018 09:17:43 +0000
Message-ID: <CY4PR03MB3160EE4F4502CCF974B070CFA59C0@CY4PR03MB3160.namprd03.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/6-cUKDIn3vqRiXG-bX80bzQ6WZM>

RFC 8224 has the following in Section "4.1 PASSPorT Construction":

      Third, the JSON key "iat" MUST appear.  The authentication service
      SHOULD set the value of "iat" to an encoding of the value of the
      SIP Date header field as a JSON NumericDate (as UNIX time, per
      [RFC7519], Section 2), though an authentication service MAY set
      the value of "iat" to its own current clock time.  If the
      authentication service uses its own clock time, then the use of
      the full form of PASSporT is REQUIRED.  In either case, the
      authentication service MUST NOT generate a PASSporT for a SIP
      request if the Date header is outside of its local policy for
      freshness (sixty seconds is RECOMMENDED).

RFC 8225 has the following in Section "5.1.1 "iat" (Issued At) Claim":

   The JSON claim MUST include the "iat" (Issued At) claim ([RFC7519],
   Section 4.1.6).  As defined, the "iat" claim should be set to the
   date and time of issuance of the JWT and MUST indicate the date and
   time of the origination of the personal communications.  The time
   value should be of the NumericDate format as defined in [RFC7519],
   Section 2.  This is included for securing the token against replay
   and cut-and-paste attacks, as explained further in Section 10
   ("Security Considerations").

i- I see some conflict in RFC8225 text. It is mentioned that "iat" should be set based on issuance of JWT (which would be when PASSPorT is constructed). OTOH, it is also stated that it MUST indicate the date and time of the origination of the personal communication. The former seems to be the right approach as what we would like to protect against cut-and-paste attacks is the PASSPorT in the context of a particular communication session. Coupling of PASSPorT with the communication session is provided through "orig"/"dest". "iat" should be set to the time of generation of PASSPorT IMHO. RFC8244 text seems to be O.K. if one accepts this interpretation as it has the notion of "local policy for freshness". The recommended value is on the very high end (anything more than a few seconds is too much in practice IMHO) but it is at least not mandating use of 60s.

ii- Aren't there legitimate cases where a communication session continues for some period of time and then, due to a change in its nature, requires the addition of a PASSPorT? E.g. first there is an announcement/interaction with an automated system (which may last several minutes) and then the called party is contacted, during which the PASSPorT is added (because, for example, organizational boundaries are crossed and there is a need to validate calling-party identity). For such cases there could be a legitimate and major discrepancy between Date and "current time". This is another argument in favor of considering "iat" as corresponding to PASSPorT generation rather than start of communication session IMHO. There could be many other scenarios where similar discrepancy legitimately happens, especially if one considers non-base claim types, e.g. "div".

So, the bottom line is I would like to get people's opinion about whether "iat" should pertain to the start of communication session or to the creation of PASSPorT.


Thanks,
Tolga
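The authentication-service rules quoted above from RFC 8224 (derive "iat" from the SIP Date header or from the local clock, and refuse to generate a PASSporT when Date is outside the freshness window) together with a verifier-side "iat" check, written out as an added Python example; this is not code from the message or from any STIR implementation. The "orig"/"dest" claim layout, the function names, the sample Date header and the telephone numbers are assumptions and constructed values, and the verifier's window is a hypothetical local policy.

```python
from email.utils import parsedate_to_datetime

# Constructed sample: the SIP Date header of the INVITE being signed.
SIP_DATE = "Mon, 14 May 2018 09:17:43 GMT"
RECOMMENDED_FRESHNESS = 60  # seconds; RFC 8224 Section 4.1 recommends sixty


def sip_date_to_numericdate(date_header: str) -> int:
    """Encode a SIP Date header (RFC 1123 date) as a JSON NumericDate,
    i.e. UNIX seconds, which is how RFC 8224 says "iat" SHOULD be set."""
    return int(parsedate_to_datetime(date_header).timestamp())


def date_is_fresh(date_header: str, now: int, max_skew: int = RECOMMENDED_FRESHNESS) -> bool:
    """Local freshness policy of the authentication service: the Date header
    must lie within max_skew seconds of the service's own clock."""
    return abs(now - sip_date_to_numericdate(date_header)) <= max_skew


def build_passport_claims(orig_tn, dest_tn, date_header, now,
                          use_own_clock=False, max_skew=RECOMMENDED_FRESHNESS):
    """Return the PASSporT claim set, or None when the freshness policy forbids
    generating one (RFC 8224: this holds whichever clock "iat" is taken from).
    Assumed claim layout: "orig"/"dest" carry telephone numbers under "tn"."""
    if not date_is_fresh(date_header, now, max_skew):
        return None  # MUST NOT generate a PASSporT for a stale Date header
    iat = now if use_own_clock else sip_date_to_numericdate(date_header)
    return {"orig": {"tn": orig_tn}, "dest": {"tn": [dest_tn]}, "iat": iat}


def iat_within_policy(claims: dict, now: int, max_skew: int = RECOMMENDED_FRESHNESS) -> bool:
    """Verifier-side replay/cut-and-paste check (hypothetical local policy):
    reject a PASSporT whose "iat" is outside the verifier's freshness window."""
    return abs(now - int(claims["iat"])) <= max_skew


if __name__ == "__main__":
    t0 = sip_date_to_numericdate(SIP_DATE)
    # Normal call: PASSporT built 5 s after the INVITE's Date, accepted.
    print(build_passport_claims("12155551212", "12125551212", SIP_DATE, t0 + 5))
    # Scenario (ii) from the message: the PASSporT is only added minutes later
    # (e.g. after an automated-system stage); under RFC 8224 none may be generated.
    print(build_passport_claims("12155551212", "12125551212", SIP_DATE, t0 + 300))
```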