Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt

Jack Rickard <jack.rickard@microsoft.com> Wed, 20 April 2022 12:57 UTC

From: Jack Rickard <jack.rickard@microsoft.com>
To: "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>, Chris Wendt <chris-ietf@chriswendt.net>
CC: IETF STIR Mail List <stir@ietf.org>
Date: Wed, 20 Apr 2022 12:56:43 +0000
Message-ID: <HE1PR83MB0378A95955EEFA7D7D9CECAF88F59@HE1PR83MB0378.EURPRD83.prod.outlook.com>
In-Reply-To: <69A84698-6A53-4471-B7AF-8B2A0ACB8F8A@team.neustar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Pjv9yIios2qcIJoYMjwoXYiKfaY>

Woops, I'd completely forgotten about the "iss" part of this standard; re-reading it, I do think that solves all of this. I'd like the "Verification Service behaviour" section to mention that if "iss" exists then it can't treat this passport as asserting the identity, but that's a readability concern more than anything else.

From: Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>
Sent: 20 April 2022 13:37
To: Jack Rickard <jack.rickard@microsoft.com>; Chris Wendt <chris-ietf@chriswendt.net>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt

Currently intermediaries are not able to add RCD passports: RFC 8224 Section 6.1 states "The authentication service MUST then determine whether or not the originator of the request is authorized to claim the identity given in the identity field. In order to do so, the authentication service MUST authenticate the originator of the message." As that clause applies to all passports, is not overridden by anything in the RCD spec, and intermediaries will not be able to authenticate the caller, they are not allowed to authenticate the caller. (I believe this issue affects RPH too.) For intermediaries to be able to put RCD passports on a call, that section must be overridden in the RCD standard.

It was overridden by the "div" spec (and as you say probably the "rph" spec), let alone the "rcd" spec. "div" PASSporTs are still PASSporTs, and they don't have this requirement. The entire "third-party usage" section of the "rcd" spec is quite clear that the intention of "rcd" PASSporTs in the third-party case is not to authenticate the original user. I'm not sure any further text is needed to "overwrite" RFC8224 here.

For a more concrete scenario as to why this is a problem:
Imagine an ecosystem where SHAKEN passports are not required to authenticate a call; base passports are considered enough to say "I, <credential>, have authenticated the caller and they are allowed to use this identity" (I'm pretty sure this is compliant with RFC 8224). If you are an intermediary who has a credential that everyone trusts for everything, then you cannot put an RCD passport on the call; if you did, then the callee would think that you are asserting that the caller is allowed to use the identity even though you have no idea if that's the case!

If I recall the basic idea for intermediary "rcd" usage was that the "iss" field, if present in the JWT header, differentiated PASSporTs that were not intended to assert the identity of the caller from those that were (combined of course with the "rcd" PPT). I guess I view "iss" PASSporTs as sort of like "div" PASSporTs, which again would not be naively mistaken for PASSporTs generated by the RFC8224 6.1 rules to assert who someone is - just like with "div", you need a separate PASSporT asserting the calling number for an "iss" PASSporT to be usable by relying parties. The further backstop against mistakenly treating this as an RFC8224 PASSporT is the signing certificate itself.

That said, I agree that the language in the second paragraph of 15 is too strong regarding JWT Claim Constraints - though it doesn't seem to be normative.

Jon Peterson
Neustar, Inc. (a TransUnion company)
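The verification-service rule the thread converges on (a "div" PASSporT, or an "rcd" PASSporT carrying "iss" in its JWT header, must not be taken as an RFC 8224 assertion of the calling identity; a separate identity-asserting PASSporT is needed for that) is sketched below as an added example. It is not code from either participant, from the rcd draft, or from any STIR implementation. It assumes, following Jon's description, that "iss" appears in the JWT header; it builds unsigned PASSporTs with constructed sample claims, and it leaves signature and certificate validation (the "further backstop" Jon mentions) to a separate step that is assumed to have already run.

```python
import base64
import json

# --- minimal compact-JWT helpers (no signature handling; assumed done elsewhere) ---

def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_passport(header, payload):
    """Build an UNSIGNED compact PASSporT for demonstration only (constructed;
    a real PASSporT carries an ES256 signature in the third segment)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "SIGNATURE-PLACEHOLDER",
    ])


def parse_passport(token):
    """Split a compact PASSporT into (header, payload) dicts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have exactly three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


# --- the verification-service check discussed in the thread ---

def asserts_caller_identity(header):
    """Return True only if this PASSporT should be read as an RFC 8224 6.1
    assertion that the signer authenticated the caller's right to the identity.

    Assumed classification (from the thread, not from normative text):
      * ppt "div"  -> never asserts identity (retargeting only)
      * "iss" in header -> third-party PASSporT, never asserts identity
      * anything else (base, shaken, originating-party rcd) -> asserts identity
    """
    if header.get("ppt") == "div":
        return False
    if "iss" in header:
        return False
    return True


def classify_call(tokens):
    """Look at every PASSporT on a call and decide whether any of them actually
    vouches for the calling identity; third-party rcd issuers are listed but
    never counted as identity assertions."""
    identity_asserted = False
    third_party_rcd_issuers = []
    for token in tokens:
        header, _payload = parse_passport(token)
        if asserts_caller_identity(header):
            identity_asserted = True
        elif header.get("ppt") == "rcd":
            third_party_rcd_issuers.append(header["iss"])
    return {
        "identity_asserted": identity_asserted,
        "third_party_rcd_issuers": third_party_rcd_issuers,
    }


# Constructed sample PASSporTs (hypothetical numbers, URLs and issuer names).
_COMMON = {"typ": "passport", "alg": "ES256"}
_CLAIMS = {"orig": {"tn": "12155550100"}, "dest": {"tn": ["12155550101"]}, "iat": 1650459000}

SAMPLE_PASSPORTS = {
    "shaken": make_passport(
        dict(_COMMON, ppt="shaken", x5u="https://cert.example.invalid/as.pem"),
        dict(_CLAIMS, attest="A", origid="constructed-origid")),
    "rcd_originating": make_passport(
        dict(_COMMON, ppt="rcd", x5u="https://cert.example.invalid/as.pem"),
        dict(_CLAIMS, rcd={"nam": "Example Clinic"})),
    "rcd_third_party": make_passport(
        dict(_COMMON, ppt="rcd", iss="https://rcd-provider.example.invalid",
             x5u="https://cert.example.invalid/rcd.pem"),
        dict(_CLAIMS, rcd={"nam": "Example Clinic"})),
    "div": make_passport(
        dict(_COMMON, ppt="div", x5u="https://cert.example.invalid/retarget.pem"),
        dict(_CLAIMS, div={"tn": "12155550199"})),
}

if __name__ == "__main__":
    for name, token in SAMPLE_PASSPORTS.items():
        print(name, "asserts identity:", asserts_caller_identity(parse_passport(token)[0]))
    print(classify_call([SAMPLE_PASSPORTS["rcd_third_party"]]))
    print(classify_call([SAMPLE_PASSPORTS["shaken"], SAMPLE_PASSPORTS["rcd_third_party"]]))
```

Run on the constructed samples, a call carrying only the third-party "rcd" PASSporT reports no identity assertion, which is exactly Jack's scenario of a widely trusted intermediary whose rcd signature must not be mistaken for a vouch; adding the "shaken" PASSporT flips the result, mirroring Jon's point that a separate identity-asserting PASSporT is what relying parties should look for.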