IETF Logo Mail Archive

Re: [stir] [EXTERNAL] Re: PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?

"Peterson, Jon" <jon.peterson@team.neustar> Tue, 30 January 2018 22:19 UTC

Return-Path: <prvs=95687978ce=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B51212EB44 for <stir@ietfa.amsl.com>; Tue, 30 Jan 2018 14:19:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o6aVKy9c-Uz2 for <stir@ietfa.amsl.com>; Tue, 30 Jan 2018 14:18:58 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F210A12F4E2 for <stir@ietf.org>; Tue, 30 Jan 2018 14:18:57 -0800 (PST)
Received: from pps.filterd (m0078664.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0UMDjm1002159; Tue, 30 Jan 2018 17:18:53 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : content-type : content-id : content-transfer-encoding : mime-version; s=selector1; bh=foHJt7Bz1bnFux1ApQ1XaRQEOiXbiaf3I0gODyS6hUI=; b=HqSDtjaQGEVsewT/vbWLvTO0z/7iwqfM2T5cuugNx5gxlczFGA2srgFmnSahwAg9i2CC 5bGlom6NvFOS/zuWFGVFD/PkMqWRKkCkc8McJBtZ1uOFBAZisjclnPV2MhjexPx2ZqTs ydRn0EJXfHNM6EVsNgBrNLs7iAmpqb1L2eBJGZYQWXKEHxVDIHBruOl750ElOnsx67S9 RCTSDPqT5gPpXWEM2Mm/R+P3cub3YS5IkdXnN+YQ86P+FO/3N6jOidZ01BIqIK00kYfM 27WjEUTvOyyicwpb3CwxYd0RL8+jWIZ9MynWWdf8e4I318WLRHRUELexGnlQldclZuB/ Pw==
Received: from stntexhc12.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 2frmy0xydy-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 30 Jan 2018 17:18:52 -0500
Received: from STNTEXMB11.cis.neustar.com ([169.254.1.47]) by stntexhc12.cis.neustar.com ([::1]) with mapi id 14.03.0279.002; Tue, 30 Jan 2018 17:18:51 -0500
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Julio Martinez-Minguito <julio.martinez-minguito@ericsson.com>, Christer Holmberg <christer.holmberg@ericsson.com>, Chris Wendt <chris-ietf@chriswendt.net>
CC: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [EXTERNAL] Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
Thread-Index: AQHTmhhNxwncwLCIhkCTLcv50WoH5A==
Date: Tue, 30 Jan 2018 22:18:50 +0000
Message-ID: <D6962DB9.1F5701%jon.peterson@neustar.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
x-originating-ip: [10.96.13.206]
Content-Type: text/plain; charset="euc-kr"
Content-ID: <F3CD918C739E1E49876E7A9B4B3DDB1D@neustar.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-30_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801300271
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/RQD_pX7GgWiktg24iEJLQP-qq8c>
Subject: Re: [stir] [EXTERNAL] Re: PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2018 22:19:00 -0000

I certainly hope that the semantics are basically the same, yes, that the
only real difference is in how nested "div" is carried in the signaling.
The main reason for embedding right now is forward compatibility with OOB,
correct. If we ever decided we wanted to be able to encrypt PASSporTs
carried in-band, this would also be very handy. In general it seems like
kind of a nuisance to hand a verification service a pile of Identity
headers and say "you figure out what goes with what" - when I started
pondering cases with spirals in signaling, for example, I got a little
worried.

The next revision to the document is going to talk a bit about an issue
that has arisen in implementation (already) with the Diversion header and
3xx responses. There probably should be a means for a 3xx to carry a
nested PASSporT in the response that could be tucked into an Identity
header by any entity sending new INVITEs based on the Contacts in the 3xx
- but there are a few potential pitfalls there we need to avoid, or at
least carefully mark.

Jon Peterson
Neustar, Inc.

On 1/26/18, 9:27 AM, "stir on behalf of Julio Martinez-Minguito"
<stir-bounces@ietf.org on behalf of julio.martinez-minguito@ericsson.com>
wrote:

>Hi,
>
>I see in the nested divert that the new PASSporT has a claim "opt" which
>includes the PASSporT of the originating network, including the
>signature. 
>The PASSporT added by the diverting network includes a claim "orig",
>which is copied from the 'original' PASSporT.
>In this case , for a PASSporT ppt:div, the diverting network mays not
>have authority over the claim "orig", but only over the claim 'div'. A
>verifier will have to check the embedded PASSporT, verify the signature
>and check that the orig in the different PASSporT matches.
>
>Though in another cases, if the originating number and the diverting are
>served by the same operator, the operator has authority over both orig
>and div claims. A nested PASSporT would not be needed in this case.
>
>The end result is quite similar as if we have multiple Identity headers.
>In the end there are multiple PASSporT objects, the difference is how
>they are conveyed in the signaling.
>
>I assume the main reason for the embedding is because of the oob
>solution, or?
>
>Regards, Julio
>
>> -----Original Message-----
>> From: Christer Holmberg [mailto:christer.holmberg@ericsson.com]
>> Sent: den 24 januari 2018 15:06
>> To: Chris Wendt <chris-ietf@chriswendt.net>
>> Cc: stir@ietf.org
>> Subject: Re: [stir] PASSPorT: "orig" and "dest" mandatory in all
>>PASSPorTs?
>> 
>> Hi,
>> 
>> >I guess i¹m not following what¹s not clear, if you MUST only have one
>> >orig claim and one identity in that claim, that seems to be pretty
>> >clear to me that you cannot either not have an orig claim or have more
>> >than one.  I guess maybe i¹m missing something subtle in your point.
>> 
>> It is clear that you cannot have more than one claim, but I think it
>>could be
>> made more clear that you always must have a claim to begin with :)
>> 
>> >For extensions, and in general with any PASSporT, once the PASSporT is
>> >signed, that¹s it, you cannot modify claims or "re-sign".  If you want
>> >new PASSporT claim information that you want to sign, you must have a
>> >new PASSporT or new identity header.
>> 
>> Correct, I should have made that clear.
>> 
>> So, if you have two (or more) Identity header fields, do they all have
>>to
>> contain the same ³orig² value? Or, is one allowed to change it?
>> 
>> Does the same apply for ³dest²? And, if you want to change the ³dest²
>>you
>> need to use the divert extension? You can¹t just add a new passport
>>with a
>> new ³dest² value. Or?
>> 
>> >Currently for divert, the approach is to embed a PASSporT inside a new
>> >PASSporT, which is a valid technique also and result in a new identity
>> >header also (but you should remove the old identity header in this
>>case).
>> 
>> My colleague Julio sent some questions and issues regarding the
>> ³embedding²/³nesting² approach. I would be happy if you look at those :)
>> 
>> Regards,
>> 
>> Christer
>> 
>> 
>> >
>> >-Chris
>> >
>> >> On Jan 23, 2018, at 2:19 PM, Christer Holmberg
>> >><christer.holmberg@ericsson.com> wrote:
>> >>
>> >> Hi Chris,
>> >>
>> >>>> Question for clarification:
>> >>>>
>> >>>> Section 5.2.1 of draft-passport says:
>> >>>>
>> >>>>      "There MUST be exactly one "orig" claim with exactly one
>> >>>>identity claim object in a PASSporT object."
>> >>>>
>> >>>> Q1: Does the text above mean that
>> >>>>
>> >>>>      a) a passport must always contain one, one only one, "orig"
>> >>>>claim; or
>> >>>>      b) that if a passport contains an "orig" claim, if can only
>> >>>>contains one?
>> >>>
>> >>> It can only contain one key value pair with the key ³orig² and the
>> >>>claim value can only be one identity.
>> >>>
>> >>> In other words you cannot claim to originate multiple identities
>> >>>with a single passport object.
>> >>
>> >> Correct. The question is whether "orig" is mandatory (alternative a)
>> >>or not (alternative b). But, based on your reply to Q2 below, I assume
>> >>the answer is alternative a).
>> >>
>> >> I think it would be good to make that more clear.
>> >>
>> >>>> Q2: If a), does it apply to passport extensions too?
>> >>>
>> >>> All extensions must include the base passport claims and follow all
>> >>>rules of the claims, so yes.
>> >>
>> >> I think it should be more clear whether a node can modify claims or
>> >>not when adding an extension, or whether an extension needs to
>> >>explicitly allow it. Currently the text only says (AFAIK) that claims
>> >>cannot be removed.
>> >>
>> >> For example, if I have a base passport, and add an RPH passport, I
>> >>assume I cannot change the value of the "dest" claim. I would need to
>> >>use a divert claim for that.
>> >>
>> >> Also, as the passports may be added and signed by different
>> >>authorities, and as each passport will contain the base claims, it
>> >>means that the base claims will be signed multiple times, and they may
>> >>be signed by different authorities. I assume that is ok.
>> >>
>> >> Regards,
>> >>
>> >> Christer
>> >>
>> >
>> 
>
>_______________________________________________
>stir mailing list
>stir@ietf.org
>https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_
>listinfo_stir&d=DwIFAw&c=MOptNlVtIETeDALC_lULrw&r=dQ51tLfoGuuFjanmfeKC0weX
>HNMl9xZnnsIiwRd6IgY&m=CYEKQetxoYJFWkCYlTjULI4cuXYtswc-ksgANHWODz0&s=n8n5Xn
>LoHH1N9qVTNdWCn5VNUcQIQMajN21qTivbnD8&e=

v2.23.0 | Report a Bug | By Email