Re: [stir] Third WGLC: draft-ietf-stir-passport-rcd-12

Ben Campbell <> Fri, 13 August 2021 22:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 53C9D3A27F5 for <>; Fri, 13 Aug 2021 15:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.279
X-Spam-Status: No, score=-0.279 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, MAY_BE_FORGED=1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pZ-7BOVJK8QJ for <>; Fri, 13 Aug 2021 15:02:02 -0700 (PDT)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 93E5E3A27F3 for <>; Fri, 13 Aug 2021 15:02:01 -0700 (PDT)
Received: from ( [] (may be forged)) (authenticated bits=0) by (8.16.1/8.16.1) with ESMTPSA id 17DM1sYc065035 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 13 Aug 2021 17:01:55 -0500 (CDT) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1628892116; bh=i54s8mID4/OP3F6JmEeEk3eUkMZE1jEtAhH9cwbV9BA=; h=From:Subject:Date:References:To:In-Reply-To; b=eHbjyg/BdmITcGfzSv/lrSz4eqb/nogTvghK43fbNlncMK9mlCxNtKBIW8eJCK1Ok Jr2ws1Vc1Hca5dRJL1sUnmqQhwDEv2rG9IYmWd4wSQNPx+QdCAWio5GS1oqkacolG9 ohN8TABKDnDJ2iGpLjOjg9E3V64o1u+O9MSsmngg=
X-Authentication-Warning: Host [] (may be forged) claimed to be
From: Ben Campbell <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_31E6C1EB-AA36-4233-9C8F-4FE5857DDB9E"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Fri, 13 Aug 2021 17:01:48 -0500
References: <>
To: Chris Wendt <>, Jon Peterson <>, IETF STIR Mail List <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [stir] Third WGLC: draft-ietf-stir-passport-rcd-12
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Aug 2021 22:02:08 -0000

(No Hats)

I have a few comments. The biggest one is I think we need more explanation of verifier behavior for JWTClaimConstraints and RCDi. The rest are pretty minor and hopefully easy to address.





I still have some questions about expected verifier behavior after multiple passes. I think that the verification service discussion should be expanded to address the following:
Is a verifier _required_ to verify that all claims are valid according to any JWTClaimConstraints? What does it mean if a given claim violates the constraints? Is the whole ppt considered invalid and discarded? Can relying parties still use parts of the passport that were either not constrained or did not violate the constraints?
Same questions for RCDi digest verification.
If RCDi digest verification is optional, does that change if there is a claim constraint on it? 
For an example use case related to these questions. Imagine a SHAKEN environment, where the caller UA signs an RCD passport with a delegate-certificate. The cert has JWTClaimConstraints for the “rcd” and “rcdi” claims. The UA also includes an rcdi claim, because the “rcd” claim points to an external icon.

The UA forwards the INVITE to an originating service provider (OSP). The OSP doesn’t care what’s in the “rcd” claims. All it wants to do is see that the call is signed with the private key associated with the caller’s certificate and verify that the cert has a TNAuthList extension that encompasses the number in the From header field. If that is true, the OSP adds it’s own SHAKEN passport with full attestation and forwards the INVITE to a Terminating Service Provider (TSP) with both passports.   As far as the OSP is concerned, it’s the TSP’s problem to verify the RCD bits.

Would the OSP be required to verify the JWTClaimConstraints and RCDi digest in this case? Consider that verifying the RCDI digest probably requires downloading an icon from a potentially arbitrary source, which the OSP might not be willing to do.

§2: So we’re sticking with that RFC 6919 reference? :-)   (But seriously, we should probably us RFC 8174 boilerplate.)

§5.1.1: “This key MUST be included once and MUST be included as part of the "rcd"  claim value JSON object.“

That second MUST seems non-constraining. I’m not sure where else one might put it.

§6: “implementations MUST support the following hash algorithms, "SHA256", "SHA384", or "SHA512”.”
Should “or” be “and”?

§6.1, last paragraph (list item 3):

The previous paragraph requires JSOn serialization for by-value JSON strings. List item 3 does not appear to require serialization of referenced JSON objects. Is that intentional?

Should the “should” in “If the content is binary format it should be Base64 encoded“ be normative?

§8.1: Does you envision a use case where one might want to constrain a claim value if it is present, but it’s okay for it to not be present at all?

§10.2: “… so if "rcdi" is required compact form should not be used.”

Should that be a normative SHOULD? Or maybe MUST?

§14.2: “ Optionally, if there exists a Call-Info header field…”

Is this really “optional”? Is the verifier expected to know whether the AS included information from the Call-Info field in the signature?

§18, last paragraph:

This recommends that the creator of an rcdi claim “detect evil” on any referenced content, to avoid sending things might be harmful to the verifier. Shouldn’t the verifier also check that? It seems dangerous for the verifier to trust that the sender got this right.

Along those lines, I wonder if there is something we can reference for server-side request forgery attack mitigation? (I don’t know of anything offhand.)


§4, first paragraph: “… there should be the desire to pre-certify or "vet" the specific use of rich call data. “

Is “should” the right word here? Do we mean to suggest that this pre-certification is really something one should do vs something one _might_ do?  (I recognize its not normative, but even a non-normative should carries a moral judgement.)

§5.1.3: “The jCard object value referenced in the URI value for "jcl" MUST only have referenced content for URI values that do not further reference URIs. “

That’s a little hard to parse—maybe it would be better constructed as a “MUST NOT”?

§6.1: “avoid any possibility of substitution or insertion attacks that may be possible to avoid integrity detection, even though unlikely. “

I suggest avoiding predictions of likelihood here, since we already specify a countermeasure.

> On Jul 29, 2021, at 2:19 PM, Russ Housley <> wrote:
> As we discussed on the IETF 111 session today, significant changes were made to address concerns that were raised during the second WGLC.
> This note begins a third WGLC for draft-ietf-stir-passport-rcd-12 (PASSporT Extension for Rich Call Data).  See
> Please send reviews to the STIR mail list by the end of day 19 August 2021.
> Russ and Robert
> _______________________________________________
> stir mailing list