IETF Logo Mail Archive

Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

Alec Fenichel <alec.fenichel@transnexus.com> Mon, 25 October 2021 20:49 UTC

Return-Path: <alec.fenichel@transnexus.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AA113A073E for <stir@ietfa.amsl.com>; Mon, 25 Oct 2021 13:49:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_HTML_ONLY=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=transnexus.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dd4gwHHZ-7bh for <stir@ietfa.amsl.com>; Mon, 25 Oct 2021 13:48:58 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1anam02on2046.outbound.protection.outlook.com [40.107.96.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A23C3A0045 for <stir@ietf.org>; Mon, 25 Oct 2021 13:48:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HAuMiA6lhBguJLIjsKYaMbLf1eH98H6mnsyhaODqWZQUk2/wKs+Iwaoyvb7MstzXwVkcFdb0QjJpReoWDp+Q12YqVC9Tjx8ZHy1cJFf2u0b57TXu+1xIOlDWHkDoyY5aJrbC1+1q6D7QaefiVuDXJ9G+1CcSTOqOYAfdTQpwlllXAzyVbMKZB02PmFDzLZoKO9/Bm9YmwWyGW/YkOe56aQ8b+4Z1O1KEC6LX4WNitFqKJNDmeAT979y/p0BI732L3Y45i6HY6QpsCHehnQBiF8wgwkkj259GfBcDCAuNOE2+0w9yo30BOThYQgerZ319Mxfl1AtYfNBa62MnFI935A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TtUEptSRwc2HVoXIPnuaCBSD0L+VcKL8ocjQRUXob3s=; b=SnL8J7v5ynrH8tpmQOl2sFgH1XL0luAPsgJU5ASW5IVdvLBujnWeuAyH5HJtUCdW+3ZF9UyGIk3NGlF0jl8E5FcsemRXX4KBIFYN5lnM7+39xh8xV8RCrj2TKtwJq7zGhtu005ekrGrkUkkvQZ8EbBROdaYf5d+fc3962grpbualQiTYHaOdEX0/psDZcGcBsr1LM4NaNwhIl2w/ShLu6B6X2K1Aak8Ff+IYnY3NCq2E2I0vubUfNEfrbIEazZgRLiVo1KDvjux6fzO4d218Ylk9p094HwPdFp+WwyRRjqRGLw28q7zJEAVysBJgOswLOXEpwgGIGlpjgqg5v67svA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=transnexus.com; dmarc=pass action=none header.from=transnexus.com; dkim=pass header.d=transnexus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transnexus.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TtUEptSRwc2HVoXIPnuaCBSD0L+VcKL8ocjQRUXob3s=; b=WmYv4wJwd3+auKR9R4gJ/Y2/AKZ7kKm8qcVMqyYbbJUC6Ni5fp4GEBrSZ5YaFz8/sM9+ilF5fwjxzYjik6xEWzdWSj+gLvAHe3jGdcUjnt3GrDPhWO+/wvlwgIxvLpnf4XcMyws3UXIhSNuoZ6Y/1yLiP+EN6EKeoYqcRZY3bs8=
Received: from BN6PR11MB3921.namprd11.prod.outlook.com (2603:10b6:405:81::20) by BN9PR11MB5516.namprd11.prod.outlook.com (2603:10b6:408:105::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4628.18; Mon, 25 Oct 2021 20:48:50 +0000
Received: from BN6PR11MB3921.namprd11.prod.outlook.com ([fe80::91e7:43e2:7c72:a2e4]) by BN6PR11MB3921.namprd11.prod.outlook.com ([fe80::91e7:43e2:7c72:a2e4%5]) with mapi id 15.20.4628.020; Mon, 25 Oct 2021 20:48:50 +0000
From: Alec Fenichel <alec.fenichel@transnexus.com>
To: Chris Wendt <chris-ietf@chriswendt.net>, Jack Rickard <jack.rickard@microsoft.com>
CC: Ben Campbell <ben@nostrum.com>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Thread-Topic: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
Thread-Index: AdfFnr87c2vxVfrsRiOmBanuACp+5QEEwNAAAAAf/AAAALWMgAAACVBJAAFnDIAAAAk8ugADBdIAAAF8kwAABQyjvQ==
Date: Mon, 25 Oct 2021 20:48:50 +0000
Message-ID: <BN6PR11MB39210A006DEB2342643C555199839@BN6PR11MB3921.namprd11.prod.outlook.com>
References: <AM5PR83MB035516622330F5CD32DF0B5588BE9@AM5PR83MB0355.EURPRD83.prod.outlook.com> <BB62785D-A43F-43FA-A61A-ABFF6FBF6043@nostrum.com> <BN6PR11MB3921F8D627E293A0F80D088C99839@BN6PR11MB3921.namprd11.prod.outlook.com> <08113F61-C401-4D0B-9DA7-261284221FFE@nostrum.com> <BN6PR11MB392164563BF5D7E389AC7BD699839@BN6PR11MB3921.namprd11.prod.outlook.com> <D5A360AF-685C-496D-B9DC-B2DBBDD5E1DA@nostrum.com> <BN6PR11MB39217E246AC4168581E182E699839@BN6PR11MB3921.namprd11.prod.outlook.com> <AM5PR83MB0355DC26C1C4C8F1011DA1FB88839@AM5PR83MB0355.EURPRD83.prod.outlook.com> <8DDD70F9-587C-4A77-A1DA-9F781E387076@chriswendt.net>
In-Reply-To: <8DDD70F9-587C-4A77-A1DA-9F781E387076@chriswendt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: chriswendt.net; dkim=none (message not signed) header.d=none;chriswendt.net; dmarc=none action=none header.from=transnexus.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 00a99a48-b953-43e9-77c8-08d997f8d969
x-ms-traffictypediagnostic: BN9PR11MB5516:
x-microsoft-antispam-prvs: <BN9PR11MB55169902A18FF3157D546E4D99839@BN9PR11MB5516.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: N0DWUT3rpX5ij/JMX/TqMpnNu6X10zZReeeEtNtQ/+HUdwGb81mZZ1OGbjfWamfFfDyJ6DOqP4dDR4dNp+aR6SuOPPYOoZYBxNMBQ0tOj3OOrNvAw7gLecWf65yTWfsOdLCiBgXboNLSfzLq/0LH8JMeUseURRERZ3xLiwsvzjPzT3cTEyyqY27HdDpiNUERq1Xv+1DDL3dwUHbskk4bOeXOMBPxMqHOYDY3L8TSqybrbik7DWhUCwt38YoLpSiyx/olcG0lfu7eEGs2FTtAW5oaYW0cnvOnWNTyy0ELWxHP0Q0rPbA4xD8hpsfo7qkcc2mE1ve1rW+cIbdQEqECxtUy/TWibfrVpFQ6VnlSIKVy4yMI2DishyBLfiMHWro4jNJbJsXEggDy5rW7W0sTnj/AlfcWG24/sZpFQ3N7sqmLh3KafEnpM01nhsiM/QssJDzyj+ei5Gwcrl6GvqQRPNANoHyuNHdVpuvhxCgcikfQ8qBsYCBiyCLZzGi8+sGfGJpL+icnNRon5Qmyx9T6znrm09vyEB4RauJjG12LOLHJuJDQlmSTJVRN0SgggcoPrF8GlPhQw9bdvRGAW3aMZpYcEsYWRqmNU5R07EE0he4kLa8/cXV36Uo7bUIiY0PgbC5U0XuhPf8+FQkuD61JpDh7uupEBtqHXz1e0MZJA6vxtGTbQDFc2PMknEByoF/ELTBiGrZCcXEU0SdTU2t8u/YXpc8KakxvOZ7XwsvdVYE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN6PR11MB3921.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(136003)(396003)(39830400003)(366004)(83380400001)(71200400001)(110136005)(316002)(54906003)(2906002)(52536014)(33656002)(99936003)(122000001)(86362001)(55016002)(26005)(5660300002)(6506007)(8676002)(8936002)(53546011)(30864003)(7696005)(166002)(966005)(66556008)(64756008)(508600001)(66946007)(45080400002)(66446008)(38070700005)(66476007)(40140700001)(66574015)(44832011)(76116006)(9686003)(4326008)(38100700002)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 9T/azsTEQP711BRaFiv7JIboEOm2SVV6ioVQ3z/Fp3E7J2DttlcQa276LYb9mGUEI9Se+UPUNupyoq/5du2KcJp681XXtVxlLUsgHu/A/W+avHzX+lsQK8sU/sHpEOUSR0pwZSIiS0kk/Rk6heY1ohOwkyDz4hp8tQNRrzdnh6SMc38zZrZFMlvajTxRPpRsCylDG9WbVZs+4Lb5ILoIP7suV+qekJygQzSBpOoiMmrMN/gYmxkGfSU84CDAA1WHJpoOC5Doi0GcDxQujB3qSFdV/us8mBSdyQmSMPdvfd+011EzmpjaVy2/rCoSuRJaTbdmgeM9j+jjozvwg25AJTvoINZyOB85C205DOctaTEcDKJ2QTWfR9VrC1MBCQYT4T6hIZXgJtJKfig71+m5eAvxlMtKWwgnGFwz9aS3JhHbUc0aX47C9PJWtYwOMMp/HF6X9oNmVw2Mg4frLVzQVLtfLxggyQGHvmrSY8zLtR4Al7kmU4j7FkBSh98ijYiWon7l3KcTO1DDvcSgOvyUGqepG+HdB8rRnAmkFsFy8z8NhJWBlgJCwZ7kuq72RRWBotKXmP75N2zUMV5DYW+EJW1UV0Bm00i2nVZoWNsoWZHjdHbmmhJdElkdKbdHm9uB26T3QKKraPzJTe7SQ0XIygDzPX2plx2M+AuoVQjCcYH6qrY9Srou3yYsy2A4JRKFaHwZk8cPoCssxWBahImw2n91S/ddkZ5IMsCl1A8GuIbig5ceng2NeC7ooDiNPyn8Vw80nRE1V8TT4O8aCnyO5kZN5k6QcTP7oRESWvxjiuU6jleN56GNybA9wh9/qN0874zQHkNDd4Pk4Sli7T4qhxAijMkda5PvGYfrfcp+JzEgh+VaPKFARoJUXGvYS06uB9Z7y6WddYtUEJH8bTjW9Z1Lttua6rM1S/sIn3Kyu6rjr4sFKA3diU/TZTQpqgwI167gyv9PoIEqLnDJpnRTsD56q4dUl0Rgf2/Pld68pdsmeOb9BGlzyd4iBkAacP785uUEiBlvMirGgUPPKuu1xGHoOXb38zQ25QAXCF0jIbkQGmZ7i+upqwbH6KT+eMTcJIlR/GhUKeAjiVxPBsRwQnlR89rCtgv3on1sl6M45V6IZEM3Bi++R37zeCyE9UEnuQejO3yopcLmvQmRlmqYh5/XIWFoVaqYTibL8LuwyvS1B7GXBfFmb9isOk4LFgI+KGvoOV8ASBtRnV7/d/U3Ge0yFEoHNwR9w0yw5m3h8j8d+HzEIezAq5rtyyUsUjHTOzMyiCSBqz8M/EBwvjWrZZHQjC9WitIwuqom48E2ao9E3mEM4qyFEiz9wVsw9LL+FriNUPT7c4lijIBgzAXnkm9agj7Pp56Tjaoz+hRIpGWs9ih9RuZrjo8cAmG/RgQyAQD2uiAQs9CLjsDEtQVnmA5vxXzvlggfy3cI6S7pTxROyGvRLeuwGJYDCce0u77iFSCW8PL08YvrrRBXTENLt6XuzS8bTguciqSeiI2NenK6OVR54T5ECRG/VE4xcvdrB2/Vwdts2fFNj72tzs02w8qB33yMS0axSEJI+XxYDLPdWUa3EGJheBaz/wW5K5oqZs53rI4DhtApdXXY8Fa8bAKT84geoxrUoRoqKZ36Fa0xX6aJf35xIexAlWSzOnMkVnY0TrXkK9Y1DPHfOnPysqs2H2EF499AvExwByPyE6Q=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_AB6F2C5E-2E82-EB42-BE5A-6C891C1EC290_"
MIME-Version: 1.0
X-OriginatorOrg: transnexus.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN6PR11MB3921.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 00a99a48-b953-43e9-77c8-08d997f8d969
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Oct 2021 20:48:50.3617 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8e2972a2-d21d-49ac-b005-18e8ceaadee3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bE/jfO8kV7SRV/zasm7/Bp1/X8kkV9JzrPahVS9bMhmYe7ZJZ1SspEr2dlLsL0jjbXlO/qWNLbMO4xqrF4cel8PoPLnIeXHZzEuX9haw+h0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN9PR11MB5516
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/62vmz97D86TWWuslbB_cAJswnfg>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 20:49:03 -0000

Hey Chris,

 

I don’t feel that after reading the proposed text an originating service provider would properly implement verification. Maybe further details should be added in IP-NNI not here, but I think they need to be somewhere.

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: Chris Wendt <chris-ietf@chriswendt.net>
Date: Monday, October 25, 2021 at 14:27
To: Jack Rickard <jack.rickard@microsoft.com>
Cc: Alec Fenichel <alec.fenichel@transnexus.com>, Ben Campbell <ben@nostrum.com>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

I will be submitting a new draft very soon, but here is the paragraph i added to the verification section (without modifying the existing text)  Hopefully this is a good compromise, I sort of think it is and captures what everyone has been discussing, but let me know.  

 

-Chris

 

"In some middle box scenarios, a relying party may not have the need to validate content that is referenced by URIs (e.g. only wanting to validate base PASSporT info like "orig" and "dest" or other "rcd" info like "nam" or "apn"). In these scenarios, this proceedure while not considered a full verification, can be performed without verifying the full integrity checks of URI referenced content."





On Oct 25, 2021, at 1:38 PM, Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org> wrote:

 

I’d also lean towards SHOULD NOT, for the same reasons. Anyone who wants to check the digests is only going to cause harm unless they are in a very odd situation.

 

Jack 

 

From: stir <stir-bounces@ietf.org> On Behalf Of Alec Fenichel
Sent: 25 October 2021 17:41
To: Ben Campbell <ben@nostrum.com>
Cc: IETF STIR Mail List <stir@ietf.org>; Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>; Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

 

Ben,

 

I am flexible on the strength of the language in the spec. I just think we need to be very clear in the spec that the OSP verifying the integrity is all but useless. Resources are going to be cached. I would expect that just like certificates, the cache hit ratio will be extremely high (we see 99.99%+). So it is likely that one or both parties are just checking their cached copy of the resources, not the actual resources. So the OSP checking that the integrity matches does not indicate that it will match when the dereferencing entity checks the integrity.

 

 

 

> I think some of the big OSPs might choose not to send RCD claims at all if they cannot fully verify them at the time of transmission.

 

This check provides a false sense of security not any actual security. I just think we need to make sure that is understood.

 

 

 

> Local policy? Again, I suspect some operators will have a local policy of “send nothing I can’t be sure of”, even if that means “don’t send the other parts that might be fine."

 

They can’t be sure of it even if they check. Again, I think it is important that we make sure everyone understands that the OSP checking does not mean, or even imply, it will match when the dereferencing entity checks.

 

 

 

> No expectation to dereference is different than an expectation not to dereference. I support the former, not the latter, at least in the IETF spec.

 

I’m good with either so long as we make it clear what checking the integrity accomplishes (or in the OSP case, does not accomplish).

 

 

 

> But in any case, I’m not going to die on this hill. I prefer ‘MAY, or even just not saying anything. But If others want “SHOULD NOT”, I can live with it.

 

If we just say that the OSP MAY check, then this may be interpreted as something that is optional but provides better security, which it does not. So if we say MAY, then I think it is important to explain how checking doesn’t accomplish anything.

 

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

+1 (407) 760-0036

TransNexus

 

From: Ben Campbell <ben@nostrum.com>
Date: Monday, October 25, 2021 at 12:10
To: Alec Fenichel <alec.fenichel@transnexus.com>
Cc: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

Hi, see inline:

 

On Oct 25, 2021, at 10:45 AM, Alec Fenichel <alec.fenichel@transnexus.com> wrote:

 

I think SHOULD NOT is what we want.

 

What happens if the integrity check fails? I would argue the OSP should still send it downstream including inserting it into their “shaken” PASSporT. So dereferencing the resources just adds post dial delay if the outcome of checking the integrity doesn’t change the expected behavior.

 

I think some of the big OSPs might choose not to send RCD claims at all if they cannot fully verify them at the time of transmission. I recognize that is not ideal from an end-to-end trust model for RCD and delegate certs, but the current status quo is OSPs don’t send RCDl, and I get the impression that some operators are nervous about the idea of doing it in the first place.

 

I do suspect that, when they fully understand the cost of verifying RCDi for every call, they will choose not to do so. But I think that is their choice to make,

 

 

 

Also, there could be a dozen resources (logos of various sizes). What if one of them failed to download (server 404) but the rest worked? How do you handle a partial failure? I think we want to avoid having to address this scenario.

 

Local policy? Again, I suspect some operators will have a local policy of “send nothing I can’t be sure of”, even if that means “don’t send the other parts that might be fine."

 

 

We should make it clear that there is absolutely no expectation that the OSP dereferences the resources. The OSPs simply passes what they receive (assuming all of the other validation checks pass).

 

No expectation to dereference is different than an expectation not to dereference. I support the former, not the latter, at least in the IETF spec. (I could imagine IP-NNI strengthening the requirement to the latter). 

 

But in any case, I’m not going to die on this hill. I prefer ‘MAY, or even just not saying anything. But If others want “SHOULD NOT”, I can live with it.

 

Ben.

 

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

+1 (407) 760-0036

TransNexus

 

From: Ben Campbell <ben@nostrum.com>
Date: Monday, October 25, 2021 at 11:29
To: Alec Fenichel <alec.fenichel@transnexus.com>
Cc: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

Do you mean the second sentence to have the strength of a SHOULD NOT? I can imagine an OSP that might prefer not to transmit any RCD content without confirming it is valid at the time of transmission. Perhaps for liability or contractual reasons. Would we want to strongly discourage that, or just leave it as local policy? 

 

One particular use case I can imagine is an OSP that copies RCD claims into it's SHAKEN certificate to be signed with its own credentials. While that might not really require them to verify integrity if they include the RCDi claim, they may well have an aversion to signing something that they haven’t completely verified.  (Assuming they don’t also rehost the external content as part of this, in which case they would need to verify integrity)

 

Thanks!

 

Ben.

 

 

On Oct 25, 2021, at 10:18 AM, Alec Fenichel <alec.fenichel@transnexus.com> wrote:

 

Another way of putting it: the entity dereferencing the resource must verify that the resource matches the supplied integrity. The resource should not be dereferenced for the sake of verifying the integrity.

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

+1 (407) 760-0036

TransNexus

 

From: stir <stir-bounces@ietf.org> on behalf of Ben Campbell <ben@nostrum.com>
Date: Monday, October 25, 2021 at 11:07
To: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>
Cc: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

(as individual)

 

I think I agree with you in general. To paraphrase the conclusions:

 

The VS MUST verify the passport signature and the claim constraints. That verifies that the claim values are correct has signed by the  AS, for example that the value in the rcdi is the correct value. Any party that uses RCD claims that are covered by an rcdi hash MUST verify that hash before trusting that content. Other parties MAY verify it according to local policy.

 

Does that match your thoughts?

 

On Oct 20, 2021, at 6:37 AM, Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org> wrote:

 

Hi all,

 

To clarify things, and hopefully reduce the number of rounds of review, this is a write-up of my position (and hopefully some alternative positions) on rcdi validation.

 

rcdi is a mechanism to ensure the integrity of the rcd information, and so any entity that retrieves/uses the rcd information clearly must validate that information against the rcdi digests, otherwise it could not trust what it had downloaded.

 

However, any verification service that does not need to retrieve the RCD information, cannot and possibly should not always retrieve and validate it, for a few reasons:

  1. There isn’t enough time – downloading and validating all the data (or in fact any data) takes a prohibitively long time, especially as an intermediate verification service does not know which bits of data are going to be used.
  2. The data could change – even if an intermediate does perform the validation, the end entity must repeat this as the information it retrieves could very well be different to what the intermediate validated.
  1. There was discussion in the meeting of a TSP that rehosted the RCD information, in that case it is the end entity in this discussion and realistically needs its own integrity mechanism on what it has rehosted.
  1. An intermediate could reject something that the end entity would accept – downloading information from the internet is not perfectly reliable, there could be firewall issues, or just temporary server issues that cause an intermediate validator to not be able to get the RCD information, in which case it would fail to validate the passport and throw out all the rcd information (and potentially all the STIR information). An end entity does not have to do this, it might be able to retrieve items the intermediate cannot, it might not want all the information in the first place, and in the worst case it can gracefully degrade the rcd information it cannot access.

 

Taking all of that, I believe that the rcd and rcdi information should be treated as “valid” in the context of PASSporT verification if the data in the PASSporT is correct (this would include checking JWTClaimConstraints), but not depend on any of the referenced information’s integrity.

 

There is a question there about “/rcd”,”/nam”, and “/apn” digests, for the sake of simplicity I’d suggest they also aren’t required to be checked by the verifier, but I don’t believe it matters.

 

There are some issues with this approach though:

  1. Security is more complicated – this split validation model introduces extra complexity to the security of RCD information in PASSporTs. As far as I can tell, this wouldn’t introduce any new attack vectors, but does place a greater burden on the end entity doing things correctly.
  2. This introduces a new entity – I don’t believe any previous documents have made a distinction between the end entity and verification services, just focusing on authentication services and verification services. This introduces actions that this end entity must perform for the system to conform to the standard.

 

 

Those issues are not enough to change my mind; however, I welcome different opinions and there are almost certainly more I haven’t thought of or weren’t discussed.

 

Thanks,

Jack Rickard 
he/him 
Software Engineer 
jack.rickard@microsoft.com 

Image removed by sender.<Picture (Device Independent Bitmap) 1.jpg>

 

 

 

 

 

_______________________________________________
stir mailing list
stir@ietf.org
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fstir&data=04%7C01%7Calec.fenichel%40transnexus.com%7C29d6fc72c9434eb3744908d997e50673%7C8e2972a2d21d49acb00518e8ceaadee3%7C0%7C0%7C637707832646364107%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=22%2F38PtcLawBT%2FKqEqw3ZxLH5kKJKYCuHjbCVU9DLSQ%3D&reserved=0" rel="nofollow">https://www.ietf.org/mailman/listinfo/stir

 

v2.23.0 | Report a Bug | By Email