Re: [stir] Third WGLC: draft-ietf-stir-passport-rcd-12

[Chris Wendt <chris-ietf@chriswendt.net>]

And of course, right after i give that example :)  Apologize, i confused myself, it is URI values more generally that are allowed to exist in the card, it’s just the content that they reference should not have any URI references as part of that content.  But of course, there is an exception, which is ‘url’ property in jcard, which is intended to be used by end user to point specifically to a webpage and the sipcore-callinfo document has the necessary caveats about that.  But the main reason we don’t want to deal with recursive URIs is for security, complexity as stated before, in particular with the integrity/‘rcdi’.

I will review the language again to make sure that’s clearer, but of course other comments are welcome.


> On Sep 10, 2021, at 2:04 PM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
> 
> We allow one level of URI, like your example, but we don’t want recursive levels of URI indirection which delves into security issues and complexity we don’t want to address in the specification now, and don’t believe there is really a use case for currently.  For example, we don’t want people to point to an HTML page that includes links to javascript and CSS and other content, or other similar use-cases.
> 
> -Chris
> 
>> On Sep 10, 2021, at 1:16 PM, Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>> wrote:
>> 
>> Hi Pierce,
>> 
>> This is referring only to the URI property value in jCard, not the other properties.  So i think we are good, although maybe i could update it to say “referenced in the “uri” property value” to make it a little clearer, since there is multiple URI references :)
>> 
>> -Chris
>> 
>>> On Sep 10, 2021, at 11:03 AM, Gorman, Pierce <Pierce.Gorman@t-mobile.com <mailto:Pierce.Gorman@t-mobile.com>> wrote:
>>> 
>>> §5.1.3: “The jCard object value referenced in the URI value for "jcl" MUST only have referenced content for URI values that do not further reference URIs. “ <>
>>>  
>>> That’s a little hard to parse—maybe it would be better constructed as a “MUST NOT”?
>>>  
>>> :) yeah that was a tough sentence, changed to "The jCard object referenced by the URI value for "jcl" MUST NOT contain any further referenced content (i.e. URIs as values in the referenced jCard object)”
>>>  
>>>  
>>> A jCard is a JSON encoded vCard.  Several parameters and properties of vCard are explicitly URI data type, and for example, in the case of TEL it SHOULD be a URI.
>>>  
>>> Are you creating a restriction that none of the allowed (and in some cases required) URI data type parameters or properties of a jCard (vCard) referenced from an RCD PASSporT are permitted?
>>>  
>>> I’m probably ignorant of, or misunderstanding something, so please be kind.  J
>>>  
>>> Pierce
>>>  
>>> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> On Behalf Of Chris Wendt
>>> Sent: Thursday, September 9, 2021 7:27 PM
>>> To: Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
>>> Cc: Jon Peterson <jon.peterson@team.neustar <mailto:jon.peterson@team.neustar>>; IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>
>>> Subject: Re: [stir] Third WGLC: draft-ietf-stir-passport-rcd-12
>>>  
>>> [External]
>>>  
>>> HI Ben, 
>>>  
>>> Thanks for the review!  Comments inline:
>>> 
>>> 
>>> On Aug 13, 2021, at 6:01 PM, Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>> wrote:
>>>  
>>> (No Hats)
>>>  
>>> I have a few comments. The biggest one is I think we need more explanation of verifier behavior for JWTClaimConstraints and RCDi. The rest are pretty minor and hopefully easy to address.
>>>  
>>> Thanks!
>>>  
>>> Ben.
>>>  
>>> Substantive:
>>>  
>>> General:
>>>  
>>> I still have some questions about expected verifier behavior after multiple passes. I think that the verification service discussion should be expanded to address the following:
>>> Is a verifier _required_ to verify that all claims are valid according to any JWTClaimConstraints? What does it mean if a given claim violates the constraints? Is the whole ppt considered invalid and discarded? Can relying parties still use parts of the passport that were either not constrained or did not violate the constraints?
>>> Same questions for RCDi digest verification.
>>> If RCDi digest verification is optional, does that change if there is a claim constraint on it? 
>>> The simple answer is that we think the entire PASSporT validation should fail if any part of it fails validation either because of signature, JWTConstraint, or rcdi integrity failure.  I will add text to make this clear.
>>> 
>>> 
>>> For an example use case related to these questions. Imagine a SHAKEN environment, where the caller UA signs an RCD passport with a delegate-certificate. The cert has JWTClaimConstraints for the “rcd” and “rcdi” claims. The UA also includes an rcdi claim, because the “rcd” claim points to an external icon.
>>>  
>>> The UA forwards the INVITE to an originating service provider (OSP). The OSP doesn’t care what’s in the “rcd” claims. All it wants to do is see that the call is signed with the private key associated with the caller’s certificate and verify that the cert has a TNAuthList extension that encompasses the number in the From header field. If that is true, the OSP adds it’s own SHAKEN passport with full attestation and forwards the INVITE to a Terminating Service Provider (TSP) with both passports.   As far as the OSP is concerned, it’s the TSP’s problem to verify the RCD bits.
>>>  
>>> Would the OSP be required to verify the JWTClaimConstraints and RCDi digest in this case? Consider that verifying the RCDI digest probably requires downloading an icon from a potentially arbitrary source, which the OSP might not be willing to do.
>>>  
>>> I agree that in case of SHAKEN, OSP at a minimum only cares about telephone number for STI-VS and uses the delegate certificate TNAuthList telephone number and ‘orig’/From/Paid to determine attestation level.  That said, i think the mechanics of what OSP or TSP do with a delegate cert is a SHAKEN concept and doesn’t need to be addressed in the ‘rcd’ draft, so i’d prefer to leave that to IPNNI documents.
>>> 
>>> 
>>>  
>>> §2: So we’re sticking with that RFC 6919 reference? :-)   (But seriously, we should probably us RFC 8174 boilerplate.)
>>>  
>>> Updated 
>>> 
>>> 
>>>  
>>> §5.1.1: “This key MUST be included once and MUST be included as part of the "rcd"  claim value JSON object.“
>>>  
>>> That second MUST seems non-constraining. I’m not sure where else one might put it.
>>>  
>>> Removed second MUST
>>> 
>>> 
>>>  
>>> §6: “implementations MUST support the following hash algorithms, "SHA256", "SHA384", or "SHA512”.”
>>> Should “or” be “and”?
>>>  
>>> changed to and
>>> 
>>> 
>>>  
>>> §6.1, last paragraph (list item 3):
>>>  
>>> The previous paragraph requires JSOn serialization for by-value JSON strings. List item 3 does not appear to require serialization of referenced JSON objects. Is that intentional?
>>>  
>>> Added this: "If the URI referenced content is JSON formatted, follow the procedures defined in list item 2 above."
>>> 
>>>  
>>> Should the “should” in “If the content is binary format it should be Base64 encoded“ be normative?
>>>  
>>> I actually made it a MUST but also other text was modified/clarified based on comments from Jack R.
>>> 
>>> 
>>>  
>>> §8.1: Does you envision a use case where one might want to constrain a claim value if it is present, but it’s okay for it to not be present at all?
>>>  
>>> Yes, i believe that is handled by not having a “mustInclude” for the claim, but having “permittedValues” for the constrained claim value.
>>> 
>>> 
>>>  
>>> §10.2: “… so if "rcdi" is required compact form should not be used.”
>>>  
>>> Should that be a normative SHOULD? Or maybe MUST?
>>>  
>>> Yes MUST NOT, fixed
>>> 
>>> 
>>>  
>>> §14.2: “ Optionally, if there exists a Call-Info header field…”
>>>  
>>> Is this really “optional”? Is the verifier expected to know whether the AS included information from the Call-Info field in the signature?
>>>  
>>> Yes, correct, removed word Optionally and replaced with "Additionally"
>>> 
>>> 
>>>  
>>> §18, last paragraph:
>>>  
>>> This recommends that the creator of an rcdi claim “detect evil” on any referenced content, to avoid sending things might be harmful to the verifier. Shouldn’t the verifier also check that? It seems dangerous for the verifier to trust that the sender got this right.
>>>  
>>> Along those lines, I wonder if there is something we can reference for server-side request forgery attack mitigation? (I don’t know of anything offhand.)
>>>  
>>> I put a note at the end to reference that verification services should use precautions to avoid attacks based on accessing URI linked content.
>>> 
>>> 
>>>  
>>> Editorial:
>>>  
>>> §4, first paragraph: “… there should be the desire to pre-certify or "vet" the specific use of rich call data. “
>>>  
>>> Is “should” the right word here? Do we mean to suggest that this pre-certification is really something one should do vs something one _might_ do?  (I recognize its not normative, but even a non-normative should carries a moral judgement.)
>>>  
>>> Changed to might, i think you are right we can’t exactly be normative, even though most applications hopefully would desire vetting of RCD content.
>>> 
>>> 
>>>  
>>> §5.1.3: “The jCard object value referenced in the URI value for "jcl" MUST only have referenced content for URI values that do not further reference URIs. “
>>>  
>>> That’s a little hard to parse—maybe it would be better constructed as a “MUST NOT”?
>>>  
>>> :) yeah that was a tough sentence, changed to "The jCard object referenced by the URI value for "jcl" MUST NOT contain any further referenced content (i.e. URIs as values in the referenced jCard object)”
>>> 
>>> 
>>>  
>>> §6.1: “avoid any possibility of substitution or insertion attacks that may be possible to avoid integrity detection, even though unlikely. “
>>>  
>>> I suggest avoiding predictions of likelihood here, since we already specify a countermeasure.
>>>  
>>> Removed 
>>> 
>>> 
>>>  
>>> 
>>> 
>>> On Jul 29, 2021, at 2:19 PM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>>>  
>>> As we discussed on the IETF 111 session today, significant changes were made to address concerns that were raised during the second WGLC.
>>> 
>>> This note begins a third WGLC for draft-ietf-stir-passport-rcd-12 (PASSporT Extension for Rich Call Data).  Seehttps://datatracker.ietf.org/doc/draft-ietf-stir-passport-rcd/ <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-stir-passport-rcd%2F&data=04%7C01%7Cpierce.gorman%40t-mobile.com%7Ce4ae20a10484490bbdb108d973f1d02e%7Cbe0f980bdd994b19bd7bbc71a09b026c%7C0%7C0%7C637668304682004296%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6HRJAR7xEH4FU5asHwnBoDspzkqXfRQMstbYtGblWTE%3D&reserved=0>.
>>> 
>>> Please send reviews to the STIR mail list by the end of day 19 August 2021.
>>> 
>>> Russ and Robert
>>> _______________________________________________
>>> stir mailing list
>>> stir@ietf.org <mailto:stir@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/stir <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fstir&data=04%7C01%7Cpierce.gorman%40t-mobile.com%7Ce4ae20a10484490bbdb108d973f1d02e%7Cbe0f980bdd994b19bd7bbc71a09b026c%7C0%7C0%7C637668304682014288%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=TkcfnUee3iuPwUjP9ZA9xySqE6Aif%2BC74OLL2kOZjVg%3D&reserved=0>
>