[stir] 8224: "end users"
Michael Thomas <mike@mtcc.com> Tue, 28 April 2020 19:50 UTC
To: stir@ietf.org
From: Michael Thomas <mike@mtcc.com>
Message-ID: <350f7a78-52b6-4c45-5ecf-0d30db8b8f4b@mtcc.com>
Date: Tue, 28 Apr 2020 12:50:17 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/M2-gVZsCLbb73qaViggfJeS46jU>
The Abstract says:
The baseline security mechanisms in the Session Initiation Protocol
(SIP) are inadequate for cryptographically assuring the identity of
the end users that originate SIP requests, especially in an
interdomain context. This document defines a mechanism for securely
identifying originators of SIP requests. It does so by defining a
SIP header field for conveying a signature used for validating the
identity and for conveying a reference to the credentials of the
signer.
Given the rest of the document, "end user" and "originators" are highly
misleading. The document acknowledges that although UAs can potentially
create Identity headers, it is not a very normal use case, and that its
deployment would be relatively rare. What the abstract, etc. seems to be
asserting is that the verifier should, in fact, be able to trust the
user-part of a sip: URI as being authenticated. Putting aside the
telephone numbers scraped out of sip: URIs, that implication is wrong.
The receiving party cannot know what the sending party's practices are
unless it either whitelisted them, or more likely was informed by some
third party service which audits their practices. A sender making such a
claim is no better than RFC 3514's security protections.
This seems to be sprinkled all over the document, and I haven't taken
exact notes as to where all of this is implied or more, but this is an
error and a pretty serious one. If the receiver makes decisions with
that supposed guarantee in mind, that is exploitable. Even if that is
not the intent (which is not at all clear), it distinctly leaves the
reader with that implication. The document should make it completely
clear that the receiver cannot trust the RFC 8224 sender's word about
the user-part, and that that is not in scope.
This should be corrected.
Mike