Re: [stir] Malformed PASSporTs
Chris Wendt <chris-ietf@chriswendt.net> Tue, 18 January 2022 22:04 UTC
Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA4733A0EA0 for <stir@ietfa.amsl.com>; Tue, 18 Jan 2022 14:04:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uekw4Iz4xul4 for <stir@ietfa.amsl.com>; Tue, 18 Jan 2022 14:04:54 -0800 (PST)
Received: from mail-ua1-x932.google.com (mail-ua1-x932.google.com [IPv6:2607:f8b0:4864:20::932]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FF493A0E9C for <stir@ietf.org>; Tue, 18 Jan 2022 14:04:54 -0800 (PST)
Received: by mail-ua1-x932.google.com with SMTP id r15so858042uao.3 for <stir@ietf.org>; Tue, 18 Jan 2022 14:04:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=IaDRzIkhqpeBj++v3tWx1rbIq6p+cmYdyG1GtlwbGXU=; b=2jN3Gv6lTHQ5vaR1S/vq/JbOIe1JzPMYHLMCpqEsuTrpAwJCntXef/tBhlQAcjDemN I+8GBx9ZjSq/mZMaVCbV+nJ+mDWkaqZGEYkxIl7SBnZhqJoG8vDx2MS1EXZFzOI4eW8q ANQd9FxLnqH7jUoXDf4lExtL6dRkozoE/a8MKGDLhu0+ozTrxcLM/F+M4QKUuAIdn2y4 QB5TB3RjBDCAtuTBedmFx/R6g0hQCqzgWua6GYps46r9CeGfm4wt+ejOJRpw4pwcX6U0 Nogo0fDcSBM1MlDrKvHTAU+exjehJosVJIrDtdLKlQsw99bbbEPv5vll7XAXE0UphxsJ 9w6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=IaDRzIkhqpeBj++v3tWx1rbIq6p+cmYdyG1GtlwbGXU=; b=mTcNUYvi5/pCFYZbH12LK6Qhvn8hZ4/yM+6tYmZ/KUgDGs7ejDEEut4MbLyuwj92zP SQ7j9dHitRU7LumtocjD3j5j4YAHb/OHtKdH/iOEtOI16lmne9q4TyRsw5od69kRhhBZ 7nt2HNrOrhPv3zMVoEm6zIAWTOKsHfc9kZHzmJ5Tg2iA9dJ3btZImd6xul4YAVHnNDVz xkLOuItJItnNRROjivfICBvl1tapblEAIuPt89OCMgiymEG/ceR7fPA2+lwrr4PkI1R2 Mv4hrGICecd/lXYMvnaS21ESjoLoibD/veqE3O5uJP1ZazXn3jsffMmgLMlugXg1JAQ3 ZJHA==
X-Gm-Message-State: AOAM530mauVn+lIOhLst6ZFAiAiYmo076W4wj5EqaZ7p0nOZqTumyAjR UFx91k7pgvC7xnVB/rehXBT9fSEC1ThZSUPF
X-Google-Smtp-Source: ABdhPJy93uBed48CDQ35BUrzyVKOZOmxqNnu2E+jOoK+50QrTX4xll76jmdjVuBEuO+Ew7YmnokuFQ==
X-Received: by 2002:a67:ea4a:: with SMTP id r10mr10987563vso.87.1642543492632; Tue, 18 Jan 2022 14:04:52 -0800 (PST)
Received: from smtpclient.apple (c-69-242-46-71.hsd1.pa.comcast.net. [69.242.46.71]) by smtp.gmail.com with ESMTPSA id h25sm3978449vkf.31.2022.01.18.14.04.52 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Jan 2022 14:04:52 -0800 (PST)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <37287F53-270A-4849-82BA-B50775A9B02A@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9E41E51E-1821-4B8C-8280-42A77FFCF98B"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
Date: Tue, 18 Jan 2022 17:04:50 -0500
In-Reply-To: <AM5PR83MB0355609D1C09E94888C034E088549@AM5PR83MB0355.EURPRD83.prod.outlook.com>
Cc: IETF STIR Mail List <stir@ietf.org>
To: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>
References: <AM5PR83MB0355609D1C09E94888C034E088549@AM5PR83MB0355.EURPRD83.prod.outlook.com>
X-Mailer: Apple Mail (2.3693.40.0.1.81)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/EnmCRMc6zgEUmYb6kRd23JAVLu8>
Subject: Re: [stir] Malformed PASSporTs
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2022 22:04:57 -0000
Hi Jack, Generally, we do have MUST level requirements for the defined claims in RFC8225, for example, MUST be canonicalized according to RFC8224 for “orig". And as you point out, if there is claim keys that aren’t defined or are not understood by the implementation they should be ignored. Let me look specifically at all of your cases and see if there is anything missing, but above is the general intent. Note that SHAKEN specs to provide additional guidance, but this is above and beyond the basics of JSON rules and the specific claim guidance. -Chris > On Jan 14, 2022, at 11:28 AM, Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org> wrote: > > Hi all, > > What’s the intended behaviour of a verification service when it encounters a PASSporT with badly formed claims, but is otherwise valid? > > There’s a progression of possibilities here which range from being able to do nothing to being entirely ignorable. I’m worried there are interop or security issues I haven’t thought of with being maximally permissive. > > Fundamental field totally invalid > “orig”: [2] > It’s impossible to validate this passport no matter how lenient you are as there’s no way to verify this against the From header. > Fundamental field partially invalid > “dest”: { “tn”: [“12345556789”], “uri”: 6 } > Theoretically you could validate this passport if the INVITE was to 12345556789, however processing this would be awkward, and for the sake of the ecosystem it may be better to reject it. > Extra field invalid > “ppt”: ”rph”, “rph”: “invalid” > This is not a useable RPH passport but could degrade to a base passport and provide some authority. RPH may be a bad example because I’m not sure it’s meant to attest to the caller, however if the ppt field was malformed you wouldn’t know that… > Optional field invalid > “ppt”: “shaken”, “rcd”: {} > The field isn’t mandatory, nor is it the primary focus of this passport. Ignoring the “rcd” field would do very little harm, bar allowing dodgy implementations to proliferate. > Unnecessary non-STIR field invalid > “aud”: 6 > I doubt many STIR implementations even check if non-STIR fields exist, let alone whether they have the right type. Completely ignoring this feels like the right thing to do, however rejecting it would also be reasonable, if everyone agreed. > Although, not checking this specific field is in violation of the JWT standard, so maybe this should be rejected? > Completely unexpected field > “foo”: “bar” > AS this is JSON I’m pretty sure this should be accepted and ignored. > > I haven’t been able to find much in the standards addressing this, so I’m interested to know your opinions. I’ve been unable to come to much of an opinion myself, being permissive feels sensible, but could have negative effects on the ecosystem and generally raises more questions than answers. Being draconian is probably simplest, but could cause interop problems, especially as things change. > > Thanks, > Jack Rickard > he/him > Software Engineer > jack.rickard@microsoft.com <mailto:jack.rickard@microsoft.com> > > <image001.png> > > > _______________________________________________ > stir mailing list > stir@ietf.org <mailto:stir@ietf.org> > https://www.ietf.org/mailman/listinfo/stir <https://www.ietf.org/mailman/listinfo/stir>
- [stir] Malformed PASSporTs Jack Rickard
- Re: [stir] Malformed PASSporTs Alec Fenichel
- Re: [stir] Malformed PASSporTs Chris Wendt
- Re: [stir] Malformed PASSporTs Chris Wendt
- Re: [stir] Malformed PASSporTs Jack Rickard