IETF Logo Mail Archive

Re: [stir] STIR/SHAKEN Privacy Concerns

"Peterson, Jon" <Jon.Peterson@transunion.com> Fri, 01 December 2023 19:05 UTC

Return-Path: <Jon.Peterson@transunion.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24C79C14F5EA for <stir@ietfa.amsl.com>; Fri, 1 Dec 2023 11:05:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transunion.com header.b="DxqeB4ZI"; dkim=pass (1024-bit key) header.d=transunion.onmicrosoft.com header.b="ovrmJmX5"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qSc8QHkSCNpa for <stir@ietfa.amsl.com>; Fri, 1 Dec 2023 11:05:21 -0800 (PST)
Received: from mx0a-00030c01.pphosted.com (mx0a-00030c01.pphosted.com [148.163.156.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EF24C14F5E3 for <stir@ietf.org>; Fri, 1 Dec 2023 11:05:21 -0800 (PST)
Received: from pps.filterd (m0216092.ppops.net [127.0.0.1]) by mx0a-00030c01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3B1IiWcx014417 for <stir@ietf.org>; Fri, 1 Dec 2023 13:05:20 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transunion.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=tuppdkim; bh=EpvkhbVPsKGUSfX1LrI7ZfOUGoEuQNtkn6guzXHtmK4=; b=DxqeB4ZI6sr9q/yKvMktuTNCorJ1I49zBBiuPt+M7dCqHsbn4U9A7X+/U3BNZoEcPqIZ aiADv9EsSinhSQFcSJpiozkgv1h3fB711HM0BjFXfDB7FCoUKgKeZIjm03KXTGvLI9gD bwcOBJ4oif+bG8dwN2z1oVOe4ts8LnjnxCy1mAhhv5RhCyfe2KMat/HmRy0/Tpg75hE2 FkZHrfme1qOnp547wkNHMEB9gW0MKYKfw1266TgSckW5IqvMBFTR664KliiFWEQ8UunG B/Ox+LOYubKkhZ/VQOINuufQxJybvB3eeFaVPpxE/ir0tHN9Xv5gjPPibhZSHY26yVZs AQ==
Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-00030c01.pphosted.com (PPS) with ESMTPS id 3uqh1dse68-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <stir@ietf.org>; Fri, 01 Dec 2023 13:05:19 -0600
Received: from m0216092.ppops.net (m0216092.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 3B1J5JYR017603 for <stir@ietf.org>; Fri, 1 Dec 2023 13:05:19 -0600
Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2101.outbound.protection.outlook.com [104.47.58.101]) by mx0a-00030c01.pphosted.com (PPS) with ESMTPS id 3uqh1dse64-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 01 Dec 2023 13:05:19 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fYFoDJahTaQgzZjUZblUc5LZFx2yXY91q4tPSwhe4Ugzu0yylBs1FEbLC8RP6Dj5q7Pg3l0tUEfT1t4wyy4T2l60SMYVKH+C1jlp7pLgWx1s0ptHrpjDAJ9xXvl3lPxvBXB/Y3jtELP9sggcCEPcSWKbMSKPAKuSoVEeyCgyrG/w4XtsTAfh33Ss4EXlyMP8TemHiGmETijXDD/f7FhV0zMos55wjXw9TqvzZyOAOJJ6xQm7mPB1+6R+3AE3SPlCNNHPyi+6kpo13ash72QPY2dbeUdRcrr8H8MxACJJ88eij4jrg7dW/e5N/xuEeW2rbNmehwVewUH9Bqi7MYb16g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EpvkhbVPsKGUSfX1LrI7ZfOUGoEuQNtkn6guzXHtmK4=; b=H7MXBIYmVM63IWYzcZTndEnOTi3bvctTRDzVIQic2sZ0a4ZdfEz3GAIb0c0vmSXf1PdHxbqbr1Z/sCn5KG4U9vAACqqWbJ3sxSXqC/gBNh8gYmhizUo1eATV1k4McOLmZapf3S5EdJ2mhEVxjplG49nPw/YmVru+0H/Tglrw9YoHdaz5vWxlQgrxVyyLL2RV7n8AKb+BM2VFGUXfzg0d1AtoIWoUNCja4GUdt6CkxnweXgLmhRnGpsmKECzpDs4Ne6iXqAz2/lk0m6u1ONqW9j6XS/iemcTDHU3ZYRLhGomkVi7OusbmOcwqlDnEM89kYVD5bCbzF/Fzn+DZmay7gA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=transunion.com; dmarc=pass action=none header.from=transunion.com; dkim=pass header.d=transunion.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transunion.onmicrosoft.com; s=selector2-transunion-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EpvkhbVPsKGUSfX1LrI7ZfOUGoEuQNtkn6guzXHtmK4=; b=ovrmJmX5Dp6a8B/W+ytvhmU55Voi69JwQWaLE+GS2KN/sMCeK9tjRPujNkPKj1RaqaKjekuxxSBjKaykIx614peYdg9KRlWlwxhuCtEXPJ3IBqzKAlWnD+mqDrsib+pROGtfieni80Cn83OgO/G+huGcgF+gygJXp2yPwSr7Ax0=
Received: from CO6PR17MB4978.namprd17.prod.outlook.com (2603:10b6:303:139::23) by IA0PR17MB6324.namprd17.prod.outlook.com (2603:10b6:208:436::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7046.21; Fri, 1 Dec 2023 19:05:16 +0000
Received: from CO6PR17MB4978.namprd17.prod.outlook.com ([fe80::f7bb:1f3d:d14c:9b0c]) by CO6PR17MB4978.namprd17.prod.outlook.com ([fe80::f7bb:1f3d:d14c:9b0c%3]) with mapi id 15.20.7068.016; Fri, 1 Dec 2023 19:05:13 +0000
From: "Peterson, Jon" <Jon.Peterson@transunion.com>
To: Josh Brown <josh9051@gmail.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] STIR/SHAKEN Privacy Concerns
Thread-Index: AQHaI8cQiYcH8rNRokCHgQMl8lkVdbCUR+7s
Date: Fri, 01 Dec 2023 19:05:13 +0000
Message-ID: <CO6PR17MB497839B38D93D5F21378110EFD81A@CO6PR17MB4978.namprd17.prod.outlook.com>
References: <57C3B58B-8ACD-4709-8D35-B48FF9462BD1@gmail.com>
In-Reply-To: <57C3B58B-8ACD-4709-8D35-B48FF9462BD1@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO6PR17MB4978:EE_|IA0PR17MB6324:EE_
x-ms-office365-filtering-correlation-id: 3ee21af9-3ea7-41be-0cd6-08dbf2a0725e
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mJzZ6LkQxtmEjz/4reAJfwK/Amlr0vkv7/gXteAfxY+UYDmRUXxgeLZ6Pb8QJqKTgWyW/5NdIQt2kh679h5Ww6Bp6wPwhy8A9TYjq97LxHPg2UjELPyU8oQ4iEdedlHMT9+FfRi59eY3OXf/nR6AFNL/KE1qu6Pru8FACqfnxM/WeJ0Yel9dEhePRHF+mKLEcBVflrp6zyMm5J9q9OrmFvoXwW/O92OlbJkNLwD2TO91igIyv5X5DYyOE4+hxsa1L/R3CHyJVuvpXQbqtld5KDD4bIkIPLTd+DzyJ9hb6Dup9BHWljOKyscy8IbxZ8CnRcT7BdjH7wU4h7ZWh5DNqyhoLAbqHkeSZGTjf50Yk6D2BmKch/Y7J/FGaq+oqMHeLoS96U8uGywKBGYA5rc6ZKHFjkI2qTMJeqyQ/AMg/jyL9yqLDY2Hwi3tVqMqSwgJvn45lVg3gBI0uuR4siiJ5gdWpdJVclnmlRlZOET2RntZcTOYy5ac8vWZF3K5q3AKwnEzJmqkFgkLeQo/gp+jzOJ1c7HN2sNsPKyrarDAnhGpFUV+O1prtGKmoWYuWI7pJCGmlLfH5yQq2aj0r3k5njWvmgQ0KZ9K3R06q3k4W7PGTrlbqT2C43tnK2Td6ks5UeVQAayiHmoFpHzatHrcMMfaAIQBq3IUErqxRD9NOFM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO6PR17MB4978.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(346002)(39860400002)(396003)(376002)(366004)(230922051799003)(230273577357003)(230173577357003)(186009)(1800799012)(451199024)(64100799003)(7696005)(71200400001)(38070700009)(55016003)(5660300002)(2906002)(26005)(86362001)(83380400001)(38100700002)(41300700001)(6506007)(9686003)(478600001)(66899024)(66556008)(66946007)(122000001)(110136005)(316002)(9326002)(76116006)(33656002)(66446008)(52536014)(66476007)(8936002)(8676002)(64756008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: u++KjzkTZeFkYj1p074Wcd12UoudV5yh/1M4rsv51AuJo9NqzxbG3TTiexeCcvm/XLnpIwYwpEh8zVA/0hjkDzw5WKjNt9F69YAny3h9LZkOUCEFTr7Wn93eytaRHac/P3uP6B/muWW0NuQz/+2a1TDLi3/kocfMwxlh9Q/oQBiQFKoUjsyA5d4EDVfENFywr3oqBnUxMTqvDD3UWJWbRWbiourFWXOiKtWIC9dhTfTg9lrHsIm8JSl05R6QZvSTWBWsN6cGhhyhMn2NrFl1mNWvrTtQNJQHcFa5H4vp1SU+klsjoPqiwV2FxEJFDOCv93NKWvPFkJFkb27nhbii6Mg0jx3B7xIGBq8y7+S+PxPVEaDMUOcM7662zWIQ0/e2W8HK0Bh1mtyAhZqb762jMiHzvB2BCrv0iSYE1ak0V5qlzkynrkVlCf1UjynbIqtgfZQCKG+9OodoHo1ziiYYwgGvUn9xzMc+Zwh80SteFo7J6HX2YGQrvjxQ+tC0HzMgColceY4LoFKfjkrwaHQq9vEb5xmt2L0yMiN83ioZL03XH/fc2yIfk6ZWMXxEBZxgT/rtQZebM1yv/zlV0Jg2hBfDnEqQhUHGNhhFHctGYZ4LhDSUnwgsa2qZUUfxv4Mny++nTQY/TUvJr0izvNO+7fphTyJdFu1zTq+Vp4upqvi8FyDq4WB56YePeDvszLcbXgBBpqgWn2KHz2wWliXd0a5NwayIpz3+P+a1/T99vBvMwipaWn2/3HOBEDG50p1IRU9cH9xVbXIE2O12MWQKQ2I1jmQCniTNkqsWfZ49chjAaJOUrItIpgYrxXIgK68jANONczziZU5muGGSr95QaB+1no0aTj/Ufla7ak51Dg7TDqR50++RFLxdevpFhTg9XgqyLfXHJozH2g0pIeztDEeC5JvPr3WPEQFVqUm4jiQycSV7XKm8AANSoVL3PT4pqWOLHT2BErMRuwxhxuPgQvIf7aprDMw/EA7Uyc6+2eoLBgYC7O+1eGOkiDkS5V+9MnGIVP+IVts51XBbIA9VkRROC7giFwc4+C8q+LxBzSbwiFQPchxspRc84X/6YZvt7JQjqQ+iroZruTSwaT6D8FSDQkleC2HSe9lVAXz3efYpSo4UuZ1NQEVeHXGMkifGAgrD/tdvLymerjTnGQ5Efeb5+4ICczFKJsC/pvunQsZJ9H6u68nk2kqZk2JdSfLf4kN/gybay2w8Rf5AkWweFyxk7DL2US9rX0NQeHSQ9GfaG8VkExlQonDfPw0kRylBJ7XgwmLfGi1mLs6NmP/pvOLsNriogzTNyy3rgrXYULOxSTZ+bq0yVUizIUjSm199fh8k5rpr+z3TS0thyOsPVqyg1olBzNGHbTer3Se8yt6/MNRjmxkzf9Bfm3rh5XZzOXAZFk8ddo9zVj53IA2Q8QDPqm1AmcMllJafrWRr/l03bz/YK/Goxgx2UOdciH9arNZkc0TevDDgHyr0P80D+sutpSlB1gT6HWEAf5NZ1WMi8xGGQ+Jm+j1LJAuRlegDMc4c8ptkh1pqBACmufohZ54hf3O6AyRLSoNjzQex52WcfCXSQZ/G23DFRwxN5unHKZgKquaS3uSdilTNFnYy4MHp7qtbEE4oDYacjlE4tBk=
Content-Type: multipart/alternative; boundary="_000_CO6PR17MB497839B38D93D5F21378110EFD81ACO6PR17MB4978namp_"
MIME-Version: 1.0
X-OriginatorOrg: transunion.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO6PR17MB4978.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3ee21af9-3ea7-41be-0cd6-08dbf2a0725e
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2023 19:05:13.0231 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0685d760-4332-4f24-b2ea-ffbbc2383f15
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ih2KXFy7hrwZow3kJ2k6C9mNuzUPyjeylKD8VcIgjPxvFIHpvcmXg4+DT3YU17x7em7P5N55tDXI9pdd15344rh9bWZk19cUDvKI92HmIxg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA0PR17MB6324
X-Proofpoint-GUID: Hv0WYZ-Q8rfeeuFxjOQm6YFuGDsruMaH
X-Proofpoint-ORIG-GUID: a-6DX6-O6HVGzDoiCXk6kZnDrHpJhbPg
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-01_17,2023-11-30_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 suspectscore=0 adultscore=0 phishscore=0 lowpriorityscore=0 mlxlogscore=999 clxscore=1011 impostorscore=0 bulkscore=0 priorityscore=1501 spamscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2311060000 definitions=main-2312010123
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/F_nyRhtucGJgmT3UdZuCmr8qJuQ>
Subject: Re: [stir] STIR/SHAKEN Privacy Concerns
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2023 19:05:25 -0000

Hi Josh,

Best wishes for your work, this could all use more eyes on it than it has had, I’m sure.

“Our first concern lies with non-repudiability in the STIR/SHAKEN protocol. In the absence of STIR/SHAKEN, there exists no cryptographic mechanism to definitively prove the occurrence of a call - only someone observing the call as it happens knows it took place. However, with the implementation of STIR/SHAKEN, originating providers sign call metadata during the creation of the PASSporT. This means that a party possessing the signature can now convince anyone a call took place - or, more precisely, convince anyone that the originating provider said the call took place. (For context, a similar non-repudiability property of DKIM signatures for emails is now regarded by many researchers as a serious design flaw.)”

At a high level, I’d say there’s a disconnect between STIR as specified in the IETF and the historical use of logged PASSporTs you seem to be envisioning.

The baseline metadata captured by STIR (calling number, called number, and timestamp) has long been retained by a variety of parties for a variety of purposes across the global telephone network. The difference between saving PASSporTs and simply logging the metadata of calls sent or received is indeed the signature, as you say. But a PASSporT is an object that is supposed to rapidly expire after call processing, and I would not consider it a reliable historical artifact in isolation; the use case of presenting a PASSporT to “convince” someone that a call occurred at some time in the past is not in our scope, and would in fact require external corroboration for it to be reliable, for reasons I can go into if it would be helpful. If something needs to be fixed here, it is perhaps letting people know that STIR doesn’t support that use case.

(As an aside, email has a store-and-forward requirement that telephone calls and similar real-time communications do not. Also, because the metadata of telephone calls is decoupled from the contents of the call, I’m not sure the situation is entirely analogous to email, but that would be a longer conversation.)

Overall, I don’t believe just signing this metadata erodes the privacy properties of the overall telephone system (which were far from ideal to begin with). For the most part, the entities with access to PASSporTs are “observing the call” in the signaling path, and can (and probably do) log the same metadata in the absence of PASSporTs. I gather the main concern here arises from the possibility that PASSporTs might leak to entities extraneous to the call path – and so we go to…

“Our second concern is with the wide popularity of third-party authentication and verification services. Numerous companies offer these products as a service. Originating providers use the third party authentication service to generate signatures for their call metadata. Terminating providers use the third party verification service to verify said signatures and other information pertaining to the call metadata. Put simply, when using STIR/SHAKEN these third parties have complete access to all call metadata. This is concerning because call metadata is often very sensitive and the working group even has proposals to expand the amount of metadata included.”

Metadata associated with calls has long been shared by carriers with a variety of analytics providers, service bureaus, agencies, and other third parties – including for everyday functions like number portability, mobile roaming, freephone translation, caller name applications, and billing. This is not an appropriate venue to discuss laws or business agreements, but speaking broadly, regulatory environments and carrier infosec policies shape the data governance constraints under which such services operate. I don’t think it would be news to anyone in this working group that “call metadata is often very sensitive”; expressing “concern” about that does not reveal a protocol defect that needs to be rectified.

I would also say “complete access to all call metadata” is not required for baseline STIR, nor any or all of the proposed extensions to it, even. Third party authentication and verification services can integrate with carrier equipment in a variety of ways, but common HTTPS APIs used for this purpose share only the subset of signaling that is necessarily for the STIR authentication and verification services to do their work. Casting this as if these third-party vendors have unfettered access, let alone utilization rights, to “all call metadata” would not reflect the deployment reality.

I might add that in our era of cloud-based microservices, the boundaries between vendors, third-party service providers, and indeed carriers have gotten a lot less crisp. The distinction between something running on “carrier equipment” and a cloud service is not so stark as it was a decade or so ago. Ultimately, carriers decide to license or author AS/VS code to run themselves, or to rely on hosted solutions, based on a variety of business and operational factors unrelated to the protocol design work we do here at the IETF.

“Our third concern is in the Out-of-Band SHAKEN protocol, which is used for legacy providers that use pre-digital telephony infrastructure. Out-of-Band SHAKEN requires the use of a third party that stores metadata about calls in pre-digital telephone networks. This third party has access, again, to all call metadata.”

OOB SHAKEN is an ATIS specification, which is not under IETF change control. RFC 8816, the IETF OOB specification, does not require revealing PASSporTs to third party services operating a Call Placement Service, provided that encryption keys can be exchanged between parties (which admittedly is not trivial). But more recent work here on OOB has focused on making its data collection risks equal your second concern above – effectively by coupling the CPS with the verification service function.

Hope that helps, happy to follow up,

Jon Peterson
TransUnion (Neustar)

v2.23.0 | Report a Bug | By Email