IETF Logo Mail Archive

Re: [stir] current draft charter

Dan York <york@isoc.org> Mon, 17 June 2013 19:55 UTC

Return-Path: <york@isoc.org>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B2EA21F940D for <stir@ietfa.amsl.com>; Mon, 17 Jun 2013 12:55:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WNIePbUs5PD7 for <stir@ietfa.amsl.com>; Mon, 17 Jun 2013 12:55:42 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id 8B30721F9E00 for <stir@ietf.org>; Mon, 17 Jun 2013 12:55:18 -0700 (PDT)
Received: from BN1PR06MB072.namprd06.prod.outlook.com (10.242.211.17) by BN1PR06MB071.namprd06.prod.outlook.com (10.242.211.15) with Microsoft SMTP Server (TLS) id 15.0.702.21; Mon, 17 Jun 2013 19:55:14 +0000
Received: from BN1PR06MB072.namprd06.prod.outlook.com ([169.254.5.133]) by BN1PR06MB072.namprd06.prod.outlook.com ([169.254.5.155]) with mapi id 15.00.0702.005; Mon, 17 Jun 2013 19:55:14 +0000
From: Dan York <york@isoc.org>
To: Michael Hammer <michael.hammer@yaanatech.com>, "hadriel.kaplan@oracle.com" <hadriel.kaplan@oracle.com>
Thread-Topic: [stir] current draft charter
Thread-Index: AQHOZwiVGT8OWD09JUqSfli80C7Gm5kxT0wAgAAL0QCAAIQHAIAAcu6AgAADDoCAABB/AP//41KAgABTd4CAAADrAIAABU0AgABkooCAAOCqgIAAU3yAgAA76gCABBp3gIAAEOyAgABhe4CAAHK1AIAAY2yAgABAOYCAAAt/gIAADPmAgAADXICAAAXuAP//27kA
Date: Mon, 17 Jun 2013 19:55:13 +0000
Message-ID: <CDE4C972.E47B%york@isoc.org>
In-Reply-To: <00C069FD01E0324C9FFCADF539701DB3A03DD801@ex2k10mb2.corp.yaanatech.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.255.101.4]
x-forefront-antispam-report: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BN1PR06MB071; H:BN1PR06MB072.namprd06.prod.outlook.com; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <AB31637A8DF08F4C91E408492BF11381@namprd06.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
Cc: "stir@ietf.org" <stir@ietf.org>, "richard@shockey.us" <richard@shockey.us>
Subject: Re: [stir] current draft charter
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2013 19:55:46 -0000

Mike,


On 6/17/13 2:05 PM, "Michael Hammer" <michael.hammer@yaanatech.com> wrote:

>But, clarify one thing for me.  Does DNSSEC ensure both:
>-  that the uploading of information is authentic,

DNSSEC ensures that the information the recipient is retrieving from DNS
is the same information that was put into DNS by the entity operating the
DNS servers for that domain (and signing the records).  It provides an
integrity check on the data received in a DNS query.

It can make no assertions about the quality or authenticity of the data
that was uploaded into the DNS servers.  All it can say is that the data
you are receiving matches the data that was served by the DNS servers
(based on the cryptographic signatures).  If an attacker compromised the
DNS servers, including the ability to generate DNSSEC signatures, he or
she would be able to upload bogus data - but if this happens there are
probably larger issues for the operator of the servers to worry about.

In the STIR example, if we were to use DNS we would need to assume a
certain level of trust in the entities putting the phone numbers and
corresponding identities into the DNS.  As you mentioned this is probably
the CC numbering authority in many/most cases.

>-  attempts to read the data actually get to that secure entry?

DNSSEC has a concept of a "global chain of trust" that links the
individual records and their signatures up to an ultimate trust anchor,
which, in the case of public DNSSEC would be the root of the DNS.
Essentially, you have a DNSKEY record with your public key.  There is then
a Delegation Signer (DS) record in the parent zone that is a hash of the
DNSKEY[1]. This continues on up to the TLDs and to the root.

If STIR were to use DNS/DNSSEC, the entity (server, IP-PBX, SBC, endpoint,
whatever) performing the DNSSEC validation for the call would know that it
was reaching the secure entry because:

1. the info for the telephone number identifier (cert, text record,
whatever) would be cryptographically signed by the zone's public key
(carried in the matching RRSIG record).

2. the entity would be able to use the DS records to walk back up the
global chain of trust to be sure that it was using the correct key for
validation.

If either of these cases failed (a bad (or nonexistent) signature or an
inability to verify the chain of trust), the entity performing validation
would know that it had probably NOT been able to get to that secure entry.

Note that this assumes that DNSSEC would *always* be used so that a
nonexistent signature would also cause a warning.

Dan


[1] And yes, I'm simplifying this a bit for the purpose of illustration.
Those who want more gory details can see RFC 6781 -
http://tools.ietf.org/html/rfc6781

--
Dan York
Senior Content Strategist, Internet Society
york@isoc.org  +1-802-735-1624
Jabber: york@jabber.isoc.org
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/deploy360/

v2.23.0 | Report a Bug | By Email