IETF Logo Mail Archive

Re: [stir] STIR/SHAKEN Privacy Concerns

Richard Shockey <richard@shockey.us> Sat, 02 December 2023 02:31 UTC

Return-Path: <richard@shockey.us>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B9A5C14F5F1 for <stir@ietfa.amsl.com>; Fri, 1 Dec 2023 18:31:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=shockey.us
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xs7sXvfHzhsx for <stir@ietfa.amsl.com>; Fri, 1 Dec 2023 18:30:58 -0800 (PST)
Received: from omta38.uswest2.a.cloudfilter.net (omta38.uswest2.a.cloudfilter.net [35.89.44.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A775C14F5E4 for <stir@ietf.org>; Fri, 1 Dec 2023 18:30:58 -0800 (PST)
Received: from eig-obgw-6009a.ext.cloudfilter.net ([10.0.30.184]) by cmsmtp with ESMTPS id 9BQ0r7B50KOkL9FmTrBvSi; Sat, 02 Dec 2023 02:30:57 +0000
Received: from box5527.bluehost.com ([162.241.218.19]) by cmsmtp with ESMTPS id 9FmSrR15IBOcc9FmSr4oNH; Sat, 02 Dec 2023 02:30:57 +0000
X-Authority-Analysis: v=2.4 cv=J+25USrS c=1 sm=1 tr=0 ts=656a96e1 a=KXpOjjFwo8kCkgxs2x2AJQ==:117 a=KXpOjjFwo8kCkgxs2x2AJQ==:17 a=OWjo9vPv0XrRhIrVQ50Ab3nP57M=:19 a=dLZJa+xiwSxG16/P+YVxDGlgEgI=:19 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=e2cXIFwxEfEA:10 a=qMgonR0qfJAA:10 a=jqBRFv0mrdUA:10 a=PeFO9FbFhS32YxYntvkA:9 a=ll-iCDY8AAAA:8 a=M0OflfRGAAAA:8 a=48vgC7mUAAAA:8 a=pGLkceISAAAA:8 a=wt_rIzwp-UM1F-4Gv8kA:9 a=QEXdDO2ut3YA:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=eDT1TYV6cMIupswU:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10 a=VpyrLIdO_Ztbr3SWPBuH:22 a=6yl0mh0s51TKORVA8GqK:22 a=w1C3t2QeGrPiZgrLijVG:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-type:Mime-version:In-Reply-To:References:Message-ID:To: From:Subject:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=W0vJLrf6/ziUdE1mkv77t2bCKhmukah6wcJ11xxbjSE=; b=fKSSaKQSXwrTSpzirH9p7BNC4V uTUUa5Vmz4fhx5nFA3yegg8psOAg2QOI4adriCVlH8rp6SL0AVHCZ4fBj4h8n7tSF6akXHbtlB4jY BKnvf/zdj6VKhYf7hG/GAzccB;
Received: from pool-100-36-48-45.washdc.fios.verizon.net ([100.36.48.45]:57558 helo=[192.168.1.214]) by box5527.bluehost.com with esmtpa (Exim 4.96.2) (envelope-from <richard@shockey.us>) id 1r9FmS-001tVt-0m; Fri, 01 Dec 2023 19:30:56 -0700
User-Agent: Microsoft-MacOutlook/16.79.23112723
Date: Fri, 01 Dec 2023 21:30:52 -0500
From: Richard Shockey <richard@shockey.us>
To: "Peterson, Jon" <Jon.Peterson=40transunion.com@dmarc.ietf.org>, Josh Brown <josh9051@gmail.com>, "stir@ietf.org" <stir@ietf.org>
Message-ID: <8CCAB324-B091-42D8-B37D-660BB6E1BC8E@shockey.us>
Thread-Topic: [stir] STIR/SHAKEN Privacy Concerns
References: <57C3B58B-8ACD-4709-8D35-B48FF9462BD1@gmail.com> <CO6PR17MB497839B38D93D5F21378110EFD81A@CO6PR17MB4978.namprd17.prod.outlook.com>
In-Reply-To: <CO6PR17MB497839B38D93D5F21378110EFD81A@CO6PR17MB4978.namprd17.prod.outlook.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3784311056_1052109286"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box5527.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - shockey.us
X-BWhitelist: no
X-Source-IP: 100.36.48.45
X-Source-L: No
X-Exim-ID: 1r9FmS-001tVt-0m
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-100-36-48-45.washdc.fios.verizon.net ([192.168.1.214]) [100.36.48.45]:57558
X-Source-Auth: richard@shockey.us
X-Email-Count: 5
X-Org: HG=bhshared;ORG=bluehost;
X-Source-Cap: c2hvY2tleXU7c2hvY2tleXU7Ym94NTUyNy5ibHVlaG9zdC5jb20=
X-Local-Domain: yes
X-CMAE-Envelope: MS4xfD4IoCps235aXZ9O9QnXE+41qbdeN3mYvHB17Zi00ucwZg4z9MNRnNfONxQX9HKL6choFkpYNtPeMa3ojlX3jPqouBfim9wCwjb4QVvjN3Qlguhe5Ivu uimYc+N0nIHoA7JpJ8lj72M3Er48bjvptTNmxPl+jacX/A45MZNqFWB5sRzec4105hGtUFm9CagIiA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/9yHg6NFdbJOawWGupBNIQAtIoBU>
Subject: Re: [stir] STIR/SHAKEN Privacy Concerns
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Dec 2023 02:31:02 -0000

 

Beyond my previous remarks let me generally agree with Brother Peterson here in part. As someone that deals with national regulators on a near daily basis the general regulatory posture is to require more, not less transparency in call/message origin.  This is an ongoing fight to combat robocalls and now robotexts and the regulators are adamant that they can and will use any power they have to compel compliance.  In the US that has typically been authority under section 251 (e) 1 involving NANP numbering and the mandates under the US TRACED act.  Canadian and UK Communications Acts are different but their plenary authority is actually even more extensive than the US. The Dockets in the US FCC are 17-59 17-97 if you are interested.

 

The other aspect is there is a substantial move to permit Rich Call Data to be moved across the SIP signaling to formally identify who the calling party actually is. This is being driven by the desire of large enterprises to get you to actually answer the phone. Its voluntary now… we really don’t know what Apple is going to do with that data since they have plenary control over the UE/UX on their handsets.  

 

Film at 11

 

 

Richard Shockey

Shockey Consulting LLC

Chairman of the Board SIP Forum

www.shockey.us

www.sipforum.org

richard<at>shockey.us

Skype-Linkedin-Facebook –Twitter  rshockey101

PSTN +1 703-593-2683

 

 

From: stir <stir-bounces@ietf.org> on behalf of "Peterson, Jon" <Jon.Peterson=40transunion.com@dmarc.ietf.org>
Date: Friday, December 1, 2023 at 2:05 PM
To: Josh Brown <josh9051@gmail.com>, "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] STIR/SHAKEN Privacy Concerns

 

Hi Josh,

 

Best wishes for your work, this could all use more eyes on it than it has had, I’m sure.


“Our first concern lies with non-repudiability in the STIR/SHAKEN protocol. In the absence of STIR/SHAKEN, there exists no cryptographic mechanism to definitively prove the occurrence of a call - only someone observing the call as it happens knows it took place. However, with the implementation of STIR/SHAKEN, originating providers sign call metadata during the creation of the PASSporT. This means that a party possessing the signature can now convince anyone a call took place - or, more precisely, convince anyone that the originating provider said the call took place. (For context, a similar non-repudiability property of DKIM signatures for emails is now regarded by many researchers as a serious design flaw.)”

 

At a high level, I’d say there’s a disconnect between STIR as specified in the IETF and the historical use of logged PASSporTs you seem to be envisioning.

 

The baseline metadata captured by STIR (calling number, called number, and timestamp) has long been retained by a variety of parties for a variety of purposes across the global telephone network. The difference between saving PASSporTs and simply logging the metadata of calls sent or received is indeed the signature, as you say. But a PASSporT is an object that is supposed to rapidly expire after call processing, and I would not consider it a reliable historical artifact in isolation; the use case of presenting a PASSporT to “convince” someone that a call occurred at some time in the past is not in our scope, and would in fact require external corroboration for it to be reliable, for reasons I can go into if it would be helpful. If something needs to be fixed here, it is perhaps letting people know that STIR doesn’t support that use case.

 

(As an aside, email has a store-and-forward requirement that telephone calls and similar real-time communications do not. Also, because the metadata of telephone calls is decoupled from the contents of the call, I’m not sure the situation is entirely analogous to email, but that would be a longer conversation.)

 

Overall, I don’t believe just signing this metadata erodes the privacy properties of the overall telephone system (which were far from ideal to begin with). For the most part, the entities with access to PASSporTs are “observing the call” in the signaling path, and can (and probably do) log the same metadata in the absence of PASSporTs. I gather the main concern here arises from the possibility that PASSporTs might leak to entities extraneous to the call path – and so we go to…

 

“Our second concern is with the wide popularity of third-party authentication and verification services. Numerous companies offer these products as a service. Originating providers use the third party authentication service to generate signatures for their call metadata. Terminating providers use the third party verification service to verify said signatures and other information pertaining to the call metadata. Put simply, when using STIR/SHAKEN these third parties have complete access to all call metadata. This is concerning because call metadata is often very sensitive and the working group even has proposals to expand the amount of metadata included.”

 

Metadata associated with calls has long been shared by carriers with a variety of analytics providers, service bureaus, agencies, and other third parties – including for everyday functions like number portability, mobile roaming, freephone translation, caller name applications, and billing. This is not an appropriate venue to discuss laws or business agreements, but speaking broadly, regulatory environments and carrier infosec policies shape the data governance constraints under which such services operate. I don’t think it would be news to anyone in this working group that “call metadata is often very sensitive”; expressing “concern” about that does not reveal a protocol defect that needs to be rectified.

 

I would also say “complete access to all call metadata” is not required for baseline STIR, nor any or all of the proposed extensions to it, even. Third party authentication and verification services can integrate with carrier equipment in a variety of ways, but common HTTPS APIs used for this purpose share only the subset of signaling that is necessarily for the STIR authentication and verification services to do their work. Casting this as if these third-party vendors have unfettered access, let alone utilization rights, to “all call metadata” would not reflect the deployment reality.

 

I might add that in our era of cloud-based microservices, the boundaries between vendors, third-party service providers, and indeed carriers have gotten a lot less crisp. The distinction between something running on “carrier equipment” and a cloud service is not so stark as it was a decade or so ago. Ultimately, carriers decide to license or author AS/VS code to run themselves, or to rely on hosted solutions, based on a variety of business and operational factors unrelated to the protocol design work we do here at the IETF.

 

“Our third concern is in the Out-of-Band SHAKEN protocol, which is used for legacy providers that use pre-digital telephony infrastructure. Out-of-Band SHAKEN requires the use of a third party that stores metadata about calls in pre-digital telephone networks. This third party has access, again, to all call metadata.” 

 

OOB SHAKEN is an ATIS specification, which is not under IETF change control. RFC 8816, the IETF OOB specification, does not require revealing PASSporTs to third party services operating a Call Placement Service, provided that encryption keys can be exchanged between parties (which admittedly is not trivial). But more recent work here on OOB has focused on making its data collection risks equal your second concern above – effectively by coupling the CPS with the verification service function. 

 

Hope that helps, happy to follow up,

 

Jon Peterson

TransUnion (Neustar)

_______________________________________________ stir mailing list stir@ietf.org https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email