Re: [stir] 8224: "end users"
"Holmes, David W [CTO]" <David.Holmes@sprint.com> Tue, 28 April 2020 22:30 UTC
Return-Path: <David.Holmes@sprint.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC3C73A0407 for <stir@ietfa.amsl.com>; Tue, 28 Apr 2020 15:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 524-BYwrlVDv for <stir@ietfa.amsl.com>; Tue, 28 Apr 2020 15:30:02 -0700 (PDT)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2104.outbound.protection.outlook.com [40.107.93.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0D583A0402 for <stir@ietf.org>; Tue, 28 Apr 2020 15:30:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DGBNqMwvv/zQYGdLEn3Xxo+AjM/IZw9l6gNQ7XusJodgGkxxJ3mo2gUE5RKl1dZamj6AOZpw0w0z6rcBJPVdC+gSJy5O2GwCX2Tv7YwTKoLGDqvJP/1YXK9pXGfakhNZdp5wQgLiebqgG/E91P0hKwBzXJPgNqJofEqirp6eTQIphEevLi24V/GVWE3+r/j5+tITxFEV1NGYgOrCoxMwoSGRe4uy6xCbW7ph5VFQGX7DoYrI/yK3KU8RJCGQaoJn61jDjfoMWqEIT7TWVS64P0kbkE+NtweL9EUGkWsU5ClaigSh03GeKCWqnMy4qVLVrNri/6+xzfQkMxiuyDA46w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wMj7oIlbS28nLGCGn30m1QNrufkWNVtJlFFsMSrldo4=; b=Az2Ts3tP6nU/IxR0Zl1awAhh8hIAUeS+IQsc9tWka00vQijgiOZbRdZqMWBuYCm2s1jdF48VuqgJpAoGlWBXTGYyaNw5/LR1szf6yBAatX1pwr8hakhzjAIeaDiRu1MmKEIBEpspkOyVxiHprEI+7RkrbCFEd5sMVC054EHeZ/VxHdm6mZ9rYXJWUyBk8oEbXcKqg89EV417o5EHXjbhlanY3PAVRW96AcFZuQyFxmOsvgjbeHZc/h+NqmCb4ikK+oA/C05hx46S3vcZXeE705ni4hmgNp+oWZzhiJF3rGBseHcBpYagnBxqL5EHx1c+Pk5z/iEtjzkYwlzn8a5w9w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sprint.com; dmarc=pass action=none header.from=sprint.com; dkim=pass header.d=sprint.com; arc=none
Received: from MWHPR05MB3487.namprd05.prod.outlook.com (2603:10b6:301:3d::10) by MWHPR05MB2798.namprd05.prod.outlook.com (2603:10b6:300:5b::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.8; Tue, 28 Apr 2020 22:29:54 +0000
Received: from MWHPR05MB3487.namprd05.prod.outlook.com ([fe80::c90b:25e2:3ce8:1613]) by MWHPR05MB3487.namprd05.prod.outlook.com ([fe80::c90b:25e2:3ce8:1613%4]) with mapi id 15.20.2958.015; Tue, 28 Apr 2020 22:29:54 +0000
From: "Holmes, David W [CTO]" <David.Holmes@sprint.com>
To: Michael Thomas <mike@mtcc.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] 8224: "end users"
Thread-Index: AQHWHZZENPq427/kikexgi1dz5goyqiPGvVQ
Date: Tue, 28 Apr 2020 22:29:54 +0000
Message-ID: <MWHPR05MB3487ADAFF745A1D57E622C07F7AC0@MWHPR05MB3487.namprd05.prod.outlook.com>
References: <350f7a78-52b6-4c45-5ecf-0d30db8b8f4b@mtcc.com>
In-Reply-To: <350f7a78-52b6-4c45-5ecf-0d30db8b8f4b@mtcc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: mtcc.com; dkim=none (message not signed) header.d=none;mtcc.com; dmarc=none action=none header.from=sprint.com;
x-originating-ip: [24.17.217.200]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: fe84a4d4-8541-4f6e-09b6-08d7ebc3accb
x-ms-traffictypediagnostic: MWHPR05MB2798:
x-microsoft-antispam-prvs: <MWHPR05MB27989073D254CA172DD821F0F7AC0@MWHPR05MB2798.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0387D64A71
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 000xD/Z3Xn6lp6ah/dbh8gozhAx1D9/1t2fNrHCBzVjuRBBEBnrt2ps5RZ/OiFL4B0xKTmDL5AZByx08+ftRGGm/Exr+M5lw+A1eTnbFlZTZLWCW5LZp1NYQPcQcgGYtHTXZSzG6oTqJivQsZrmgXMHjqSqtQT/eAeePkLXxI6kE/TIdyDw9pVu5zJyshvL0QBIpAXVGXsuiSNKD9jYBYBjGAet2zw2gwN9f2lvGyu1qnPRW7uCaZnBjxKBY+nMVgr+XZRENi/cf+8AqvIQOvI0qcwUNU0r1j1fOTJtn3ZYHTLW8EGMYoy/ad7htQulW390ldxUjkotKeWu6dsE8YGlmsLHF8LmgUxYQeXYWgULV/p7R1bYL4BdZfVRr3okoLsQVYGKy/C+jvv7muon81RoBVQX5wetUAh5FDNNljdfSgaZX5aNqA5Ddz7zsnHzQDwhIm4+wFINg4+/gv/h5dGn+rk1GG5AKxHsG0aUXOmAjwh8D95ZvYSRur9BCBzPYfMQbQNz87zuLo4+crtcAxA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR05MB3487.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(136003)(346002)(366004)(396003)(376002)(110136005)(5660300002)(55016002)(86362001)(9686003)(478600001)(99936003)(2906002)(186003)(71200400001)(66446008)(8936002)(33656002)(66616009)(64756008)(66476007)(316002)(7696005)(66946007)(53546011)(66556008)(26005)(8676002)(52536014)(6506007)(76116006); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: iCVvBjBkjen/iLR3E2xbk8C8VImppFYIiqFoOdypIY+y5GhwQZlMx3EO8VHgp+HW27XacKbR1OgJCOdvKw1QjWQJhr4PRx30as4EvcvC6RIJq25Q2LrQ5F2HKL1XEpU1JFRrMkzAWuJ3w0oHWKEdckcwd777hjKmonmTAbOaE/YoChL74nkpG0MNNilbx0HJGRcDL101WhLunFvCOYt+AOVO+yudHQykhxvs5DIx3/8BmI3La/ugpZrwkJTgUCZUcNdKCEs0I4L1BpEymtUcxoXOmtGD3ZqXrMXA70C0WxMw48vV2gL53aOdibTxihFoWD16ZvgYbRLAIG1ZPOkqNTZ4ovY8hkC/v3S3JYxn4mfRVfOJoGNfA+HFmocM/wMCBAiULpvu1QfYuNu2Q2+LFMnnHlciwAkyYG9JbQB4PxsveEK5BYEWKHk1X+YhTezTMhPY2IfBcNI4frpOZrH0tBZRpJUVyBg959XEfoI9iKz4m8mvHwqyjxiwtLTE7eQtDF5ci9w0ZSo75a6Gc77QcjRsM6yMj98pagpnZyCpPvfhCgJX8lxTm8tO8d01fvcMkvCe4qeVn3idbfxkAzn+ieUx5ht7DhLmAnbP+nYTY1n+zJsfs7pB5VlQKl+cIvh7PkqMEaT7VRLMtmtuT8ZwYs3qjre79iSHspIyfqsyVR4S/tlUCrLkOsysWIp/NCONAsc1aWISFOeSUxP4/pSA2sshQb3xJ+f/3zJbUJBeFR5NNM3ESJH+QAtNJgE4ZuF+wIKWvp3yIc9SPNt8B9XvbCiHwCnpOAopRFxV63QVsnc=
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_004_MWHPR05MB3487ADAFF745A1D57E622C07F7AC0MWHPR05MB3487namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: sprint.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fe84a4d4-8541-4f6e-09b6-08d7ebc3accb
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Apr 2020 22:29:54.4453 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4f8bc0ac-bd78-4bf5-b55f-1b31301d9adf
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1CG7vtn07IVFQilG0JCneVrXiaLpWBfRmmcEYfoeOJddHHeuUVqzEudeoY7dXNo5X41xmq60c6sOPViTD0oHaA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR05MB2798
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/u9gG3tdg4Z5FxkVUFboLbqMl9Ag>
Subject: Re: [stir] 8224: "end users"
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 22:30:05 -0000
Michael, I believe you are referring to the issue of “reputation”; which is a commercial/legal concept & way beyond the purview of any technical standards group to verify. Validation of the ID of the originating party as described is only one factor that may be used, along with other factors with others as you note, to evaluate the reputation of the originator & allow trust of the originator & potentially of the content of the communication. BR/David David Holmes Standards Direct 425.256.7082 | Mobile 425.260.1868 | david.holmes@sprint.com<mailto:david.holmes@sprint.com> Sprint.com<http://www.sprint.com/> | Follow us on Twitter<https://twitter.com/sprint?lang=en>, Facebook<https://www.facebook.com/sprint/> and Instagram<https://www.instagram.com/sprint/> [A close up of a logo Description automatically generated] From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Michael Thomas Sent: Tuesday, April 28, 2020 12:50 PM To: stir@ietf.org Subject: [stir] 8224: "end users" CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. The Abstract says: The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer. Given the rest of the document, "end user" and "originators" is highly misleading. The document acknowledges that although UA's can potentially create Identity headers, it is not a very normal use case, and that its deployment would be relatively rare. What the abstract, etc seems to be asserting is that the verifier should, in fact, be able to trust that the user-part of a sip: URI as being authenticated. Putting aside the telephone numbers scraped out of sip: uri's, that implication is wrong. The receiving party cannot know what the sending party's practices are unless it either whitelisted them, or more likely was informed by some third party service which audits their practices. A sender making such a claim is no better than rfc3514's security protections. This seems to be sprinkled all over the document, and I haven't taken exact notes as to where all of this is implied or more, but this is an error and a pretty serious one. If the receiver makes decisions with that supposed guarantee in mind, that is exploitable. Even if that is not the intent (which is not at all clear), it distinctly leaves the reader with that implication. The document should make it completely clear that the receiver cannot trust the rfc 8224 sender's word about the user-part, and that that is not in scope. This is should be corrected. Mike
- [stir] 8224: "end users" Michael Thomas
- Re: [stir] 8224: "end users" Holmes, David W [CTO]
- Re: [stir] 8224: "end users" Michael Thomas