IETF Logo Mail Archive

Re: [stir] STIR/SHAKEN Privacy Concerns

Alec Fenichel <alec.fenichel@transnexus.com> Fri, 01 December 2023 19:19 UTC

Return-Path: <alec.fenichel@transnexus.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D16C5C2395F7 for <stir@ietfa.amsl.com>; Fri, 1 Dec 2023 11:19:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=transnexus.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vXBG0wvWt4wl for <stir@ietfa.amsl.com>; Fri, 1 Dec 2023 11:19:35 -0800 (PST)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2064.outbound.protection.outlook.com [40.107.94.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 326DBC15199C for <stir@ietf.org>; Fri, 1 Dec 2023 11:19:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KhLXSFKGPgygmmsXytYaO5ZfOiHE4KQb7v6TfQ/MWVwrvKg4pMvXv1O26ZJcfIqouEtEsZ6CtPo6/x+fCP1XsEBA5vRSdPfASc0svymafu2OowAzJTHkW5WA4K5AeSBG8LKN6BRprEks9t8ApyADnFawz4ubYiZKUD9TOPUpr1Y2dCSHK1xSXqfAk5X22mtBlu2JxboJi49pAYr5j9RzHMwrhCAHc7Pd0iEC24l2cQE8LHAavfK9zZ+1Hs4hZ5o31/DZl2WoOskBgVKFiauZnKX6+LlV8HqEmM81uIklQCeFEL+e09rULtDrgjH24E82nvE2EAd6YyCnLlOI3XnjxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Cf/Nn99wtfDrvQ0odKAftMbWq/lBTdM5Pjrlt07b8jY=; b=QPgFgKA//6zi9TWXHsnSPn26hvcC+WHlKtjMmJkIrm9DP4CUOMYDn34W1vZt1sf4PT0KM/viXRnf15bm8YW2L5nF28/A6seJ6SvdvVKDInEL+cwPzqCGEVC5OQ7Yi02+Kg/SnxOD3Pgr23+PNphrB2yyFyAqgmNaAW7X785kH1LPXNhz78aFdKMUUzY0zOTy3Wx/jpHFAeyLmkP1aWXPChejFI+KV7VytdLJFfcI8cWsjVxu3bqjWoO0RIFiDrMDLOTNjF+cwFB7bP/EAPZUBVd/lVpaiJT4fSIefw1Z2MFDq3y/PM1K9oMzJ25C05M3e3MTc3LoWV+dqetFEGupUg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=transnexus.com; dmarc=pass action=none header.from=transnexus.com; dkim=pass header.d=transnexus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transnexus.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Cf/Nn99wtfDrvQ0odKAftMbWq/lBTdM5Pjrlt07b8jY=; b=rOgKQsZMy8twIVQuyJu0gJ8IVu5VLduO5IrJehVGqwdFJe+kmlOkYFN7aCpSbd/YZNAC6r7rTOFgVzhtIHpMzxD8Kaq3TjmSeA8mHYK44j21uo/IaI3OANlS7aC+quh+Z2Y/6Z6ph6TgnJY1PRU7kgPdZ2FQ4K/Ovcorcm02fVc=
Received: from SJ2PR11MB8402.namprd11.prod.outlook.com (2603:10b6:a03:545::18) by CH0PR11MB5268.namprd11.prod.outlook.com (2603:10b6:610:e3::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7046.27; Fri, 1 Dec 2023 19:19:26 +0000
Received: from SJ2PR11MB8402.namprd11.prod.outlook.com ([fe80::c13c:9c9a:90e1:c521]) by SJ2PR11MB8402.namprd11.prod.outlook.com ([fe80::c13c:9c9a:90e1:c521%4]) with mapi id 15.20.7046.024; Fri, 1 Dec 2023 19:19:26 +0000
From: Alec Fenichel <alec.fenichel@transnexus.com>
To: "Peterson, Jon" <Jon.Peterson=40transunion.com@dmarc.ietf.org>, Josh Brown <josh9051@gmail.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] STIR/SHAKEN Privacy Concerns
Thread-Index: AQHaI8aJTJeRZPw7DUqXOMw1pDM+xrCUyxKAgAADrb4=
Date: Fri, 01 Dec 2023 19:19:26 +0000
Message-ID: <SJ2PR11MB840269FD78F810242B850B549981A@SJ2PR11MB8402.namprd11.prod.outlook.com>
References: <57C3B58B-8ACD-4709-8D35-B48FF9462BD1@gmail.com> <CO6PR17MB497839B38D93D5F21378110EFD81A@CO6PR17MB4978.namprd17.prod.outlook.com>
In-Reply-To: <CO6PR17MB497839B38D93D5F21378110EFD81A@CO6PR17MB4978.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=transnexus.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ2PR11MB8402:EE_|CH0PR11MB5268:EE_
x-ms-office365-filtering-correlation-id: 2de311e9-fa24-49fa-d7bb-08dbf2a26edf
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: HODCQ55YOae0Gx25lnbl3sb8hx0C3uGSqGJw/JgzgSAhw2uSPRYD2QdtB1zdPqJKJ3Tt6NUuOSxL8xRoSZV+VDjX/olmDCPT7hzBrcSgO9lGH6fHttHJid5J7gDBL0PWwsAJJ6hINos/gAaHrqo6xdSZqX+M74ZhLTFTJFN2sBLefYc8cmhl0YkePuHKU6ikUOSIFmWAvkT9kturVic8nFQGuE26AHOcIN3OmdA83VfmZAe+oNksRDGjVCh58kQnqrCyGREx0GmJ2SnkyfEkLHWxcjxRPKew5Z/AyUdaFjz2wAXtkvsoGtTMN54VUzXWa36/WBWEYHLCjXe03yXuRZLkqAlz0kuolqtXtFn8B5XtU59BsVDWOlCZgfRtIBuJGvUGF6cF9BoKmgMq/GmzegPGInv3kdAmkM17mpZFvL9RhXgDuP3hXcen0Tp/JJiC9gYoxvIjZSh3ah+c6k/DoQ3ABMxwmIUOyGAqHJCt92+w4FDBTS4N5V+JeyANxWXWGH3SZ61ZE4prBVH1KJuEynqeFQYLGkoy9PS8HQL/HzcYwXQzMRY7OfswqNM5eSG4bEYLZ/dcTynYi71uGGrenUY8GXlsowIo9AoFXSg6suP8faGvL+6edJYcbmuwa8Uxo1S0Ca3mjms8ETNKMAcfLkgnnlEGpMBVQHQ/xwH3O4g=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ2PR11MB8402.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(376002)(136003)(346002)(366004)(39840400004)(230273577357003)(230173577357003)(230922051799003)(1800799012)(451199024)(64100799003)(186009)(66899024)(83380400001)(38100700002)(122000001)(38070700009)(33656002)(166002)(86362001)(66946007)(110136005)(76116006)(55016003)(91956017)(8676002)(8936002)(66476007)(66446008)(52536014)(66556008)(316002)(64756008)(19627235002)(5660300002)(2906002)(19627405001)(53546011)(44832011)(9686003)(478600001)(71200400001)(7696005)(6506007)(41300700001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 2TkOHtBwSxjuTWS/3H/KpVj+Sq7TlIeRLTx62wIrS6LcvjGiugqLaDo9UPqG+BjOEBNlbBUH6Cvf/PrGE2ZWKjCQ/7zCWTriFaE9M948Ikj5K7bsBIQzukXvZjtdQln6fB0VRe9fryJSuaJTFFoboAeelgMjua5ToCBqdXsO3652HdLYnbYYa8vaxi91JxULCOAyzb5pJbSdXnQdk1vZEFSGIQFw+Sr4Zmq+IQtkSR7FEoFVaivdpvLcYyl39TV+pLj90cLzsaVII00xy1HpaJZe9sF07A9mGI0ZB/VcfijfvDGunTsip8ByjCVLd0N7wz7N6NnHwRpfJeDfPGnN+cZECpHS+KoCvVFaCeNN79ZnQsqsogTS8V7N5ubMHqZQhEGXmqhBDT5riX7DlZYz6ggbxqHVwSFGJKLwYjB3Zvw07wEsgbal3dsN/pQuj/FqBqLqfBNXbPVQhMEE+24ptBC4lD5V0o3i17EGB3Hs3vVYhowI3eHeqrgI8WOjohROfBm467cM4AdrVMShENrTXeMImnoLPgZzf5X2Jy/+lVdoKRTsUrqPkZuYxjVRJJP8ONSrteylZrYWZgEu1ITkdAw+Gq5r++bT8kUq6EeUarftofjDsX1CqTx9Ieryo3njUdU/ZxyjBlwWHRx6qadLodenm0VNh5vyk8hVH4xWe9LIC8IwQoqPtOUlIWGuFl9eT+JYNGx/bdqsTsPW1/qoLygj694SRnShDeF0rj6m3HGnxE9puf3mqC8D5sETkKNw8wA8bV12dWlcHc1kSJFzIK1NZih3VOs4bXo3nRY/u7GSafUNuBa9FT+KEwGIWRq72lx8DCu3aNhNEyBjj/wzfsRz7Sb/G2GtiRy31uBtR7aZMM6skXCspD4hAyORrLAd1h1UT6oMt47i9ssgFsK1+kKpEfkIGVTMHz0eoU/ngxqQtrpIJdgZqPnQt8p54cADxQkca63HvB9r0eD77E/tbaLDQiGqFOLEyTjcf48zO/4KGVy1WdpKk/yQOCSdXfS/u44H8JoHrzBkz+fer5Mj2z8fwMvXBcH2eiBVvOlGV4PNz/KdXEU+N6qvpZjLRRsZazBG9D4a3benX57PGC0xUhu9iTJlGJAI+9QKBk0Vdxe4xP1wZbvNhW4ASEn1YsWnIEI0KanJSNr+PTe8EGHARkwz++S2bXyrEK7347h7At9RHZdIcOZmBYVOSI25LvAKjXn92Evf6LjAneQ2gnQP4PqRJJtMPuEYTedTaJsQMMdTOhzpvd8K4rwpbzHaiXiQP1B13pkQ03EuvPSXfeILiTUcZRSX0xgVp1IX0jbjRCG0I2g1acX9e7Q10JeAhfYK5CJXps9JXRKMxpZ44IllSd0BA7XT6zNW1Amr7ZWIANRn2/dXrIFZnrLFa7jThY2nRaUqMMENaAry/TDDMFaT3mUf7lDoH7QZF8OwyB6lzU5MuK5r4rnPWu6U2blXwvzjzEy3lIv25ZJAF5NbWeUKSbFge7wxoqmkIaBSKT868zYwNUqo4xqnsX3FKIoik9gVv8dm2LZjOkciXp3cFBK+cV8z0pMdS6Tv6vPvpogIYSiQCNLh2W7EiG/Fds2oEHCZ75fr8IW0Uu0IT69Zhtte2YyemelEa3BsRm3ChCWs+Kc=
Content-Type: multipart/alternative; boundary="_000_SJ2PR11MB840269FD78F810242B850B549981ASJ2PR11MB8402namp_"
MIME-Version: 1.0
X-OriginatorOrg: transnexus.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ2PR11MB8402.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2de311e9-fa24-49fa-d7bb-08dbf2a26edf
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2023 19:19:26.1265 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8e2972a2-d21d-49ac-b005-18e8ceaadee3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: puux9Hp/qSDCsChmGDnoITKX5r0+MkRwLyAWz6TseSJuzSYhebHeFsAagPSdMg6tnh0WEHDesA0woilmr0jwNX+EvdCFo2YvZxw4y+MyfjA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR11MB5268
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/L4rjN__KFO2RV_bO6y0e7qdHlTg>
Subject: Re: [stir] STIR/SHAKEN Privacy Concerns
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2023 19:19:39 -0000

FYI, the new version of ATIS OOB SHAKEN (not yet published) does not require a third-party STI-CPS or any STI-CPS to STI-CPS communication. I anticipate it will be published early next year.


Sincerely,


Alec Fenichel


________________________________
From: stir <stir-bounces@ietf.org> on behalf of Peterson, Jon <Jon.Peterson=40transunion.com@dmarc.ietf.org>
Sent: Friday, December 1, 2023 14:05
To: Josh Brown <josh9051@gmail.com>; stir@ietf.org <stir@ietf.org>
Subject: Re: [stir] STIR/SHAKEN Privacy Concerns

Some people who received this message don't often get email from jon.peterson=40transunion.com@dmarc.ietf.org. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>

Hi Josh,



Best wishes for your work, this could all use more eyes on it than it has had, I’m sure.

“Our first concern lies with non-repudiability in the STIR/SHAKEN protocol. In the absence of STIR/SHAKEN, there exists no cryptographic mechanism to definitively prove the occurrence of a call - only someone observing the call as it happens knows it took place. However, with the implementation of STIR/SHAKEN, originating providers sign call metadata during the creation of the PASSporT. This means that a party possessing the signature can now convince anyone a call took place - or, more precisely, convince anyone that the originating provider said the call took place. (For context, a similar non-repudiability property of DKIM signatures for emails is now regarded by many researchers as a serious design flaw.)”



At a high level, I’d say there’s a disconnect between STIR as specified in the IETF and the historical use of logged PASSporTs you seem to be envisioning.



The baseline metadata captured by STIR (calling number, called number, and timestamp) has long been retained by a variety of parties for a variety of purposes across the global telephone network. The difference between saving PASSporTs and simply logging the metadata of calls sent or received is indeed the signature, as you say. But a PASSporT is an object that is supposed to rapidly expire after call processing, and I would not consider it a reliable historical artifact in isolation; the use case of presenting a PASSporT to “convince” someone that a call occurred at some time in the past is not in our scope, and would in fact require external corroboration for it to be reliable, for reasons I can go into if it would be helpful. If something needs to be fixed here, it is perhaps letting people know that STIR doesn’t support that use case.



(As an aside, email has a store-and-forward requirement that telephone calls and similar real-time communications do not. Also, because the metadata of telephone calls is decoupled from the contents of the call, I’m not sure the situation is entirely analogous to email, but that would be a longer conversation.)



Overall, I don’t believe just signing this metadata erodes the privacy properties of the overall telephone system (which were far from ideal to begin with). For the most part, the entities with access to PASSporTs are “observing the call” in the signaling path, and can (and probably do) log the same metadata in the absence of PASSporTs. I gather the main concern here arises from the possibility that PASSporTs might leak to entities extraneous to the call path – and so we go to…



“Our second concern is with the wide popularity of third-party authentication and verification services. Numerous companies offer these products as a service. Originating providers use the third party authentication service to generate signatures for their call metadata. Terminating providers use the third party verification service to verify said signatures and other information pertaining to the call metadata. Put simply, when using STIR/SHAKEN these third parties have complete access to all call metadata. This is concerning because call metadata is often very sensitive and the working group even has proposals to expand the amount of metadata included.”



Metadata associated with calls has long been shared by carriers with a variety of analytics providers, service bureaus, agencies, and other third parties – including for everyday functions like number portability, mobile roaming, freephone translation, caller name applications, and billing. This is not an appropriate venue to discuss laws or business agreements, but speaking broadly, regulatory environments and carrier infosec policies shape the data governance constraints under which such services operate. I don’t think it would be news to anyone in this working group that “call metadata is often very sensitive”; expressing “concern” about that does not reveal a protocol defect that needs to be rectified.



I would also say “complete access to all call metadata” is not required for baseline STIR, nor any or all of the proposed extensions to it, even. Third party authentication and verification services can integrate with carrier equipment in a variety of ways, but common HTTPS APIs used for this purpose share only the subset of signaling that is necessarily for the STIR authentication and verification services to do their work. Casting this as if these third-party vendors have unfettered access, let alone utilization rights, to “all call metadata” would not reflect the deployment reality.



I might add that in our era of cloud-based microservices, the boundaries between vendors, third-party service providers, and indeed carriers have gotten a lot less crisp. The distinction between something running on “carrier equipment” and a cloud service is not so stark as it was a decade or so ago. Ultimately, carriers decide to license or author AS/VS code to run themselves, or to rely on hosted solutions, based on a variety of business and operational factors unrelated to the protocol design work we do here at the IETF.



“Our third concern is in the Out-of-Band SHAKEN protocol, which is used for legacy providers that use pre-digital telephony infrastructure. Out-of-Band SHAKEN requires the use of a third party that stores metadata about calls in pre-digital telephone networks. This third party has access, again, to all call metadata.”



OOB SHAKEN is an ATIS specification, which is not under IETF change control. RFC 8816, the IETF OOB specification, does not require revealing PASSporTs to third party services operating a Call Placement Service, provided that encryption keys can be exchanged between parties (which admittedly is not trivial). But more recent work here on OOB has focused on making its data collection risks equal your second concern above – effectively by coupling the CPS with the verification service function.



Hope that helps, happy to follow up,



Jon Peterson

TransUnion (Neustar)

v2.23.0 | Report a Bug | By Email