Re: [stir] [Technical Errata Reported] RFC8224 (6499)

Cullen Jennings <fluffy@cisco.com> Sun, 28 March 2021 21:56 UTC

From: Cullen Jennings <fluffy@cisco.com>
In-Reply-To: <F39D942E-717B-4CE8-833C-F7D25CF6D600@vigilsec.com>
Date: Sun, 28 Mar 2021 15:56:05 -0600
Cc: IETF STIR Mail List <stir@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>, Jon Peterson <jon.peterson@neustar.biz>, Eric Rescorla <ekr@rtfm.com>, Robert Sparks <rjsparks@nostrum.com>, Marc Petit-Huguenin <marc@petit-huguenin.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <40111C58-5A2E-4B36-BBB4-42D639FCC630@cisco.com>
References: <20210327204839.06FA2F4076D@rfc-editor.org> <F39D942E-717B-4CE8-833C-F7D25CF6D600@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>, Chris Wendt <chris-ietf@chriswendt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Rdi6Kn0EiXx6SATAcHL5N-IHwRA>
Subject: Re: [stir] [Technical Errata Reported] RFC8224 (6499)

@Chris …

Uh, I’m not sure. I’m not up to speed on this enough and certainly defer to the people who know more than me.

I agree the PASSporT is base64url encoded, but are the strings we are talking about here done the same way? It looks like 4474 has them as base64 encoded.

My read was that the PASSporT string was base64url encoded, then that string was combined and encoded a second time with base64 to go in the Identity header.

Anyways, I have no idea what should happen here, but the more I looked at it, the less obvious it was to me.

I’d love to hear from Chris?

Anyways … as a practical point, if you move the Identity header from using base64 in 4474 to base64url in 8224, it seems likely that lots of SBCs will reject them. That will be particularly frustrating to debug, given that it will not reject all of them: those where the different characters in the alphabet don’t occur will get through.

> On Mar 28, 2021, at 10:48 AM, Russ Housley <housley@vigilsec.com> wrote:
> 
> I think this errata should be approved.
> 
> Russ
> 
>> On Mar 27, 2021, at 4:48 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>> 
>> The following errata report has been submitted for RFC8224,
>> "Authenticated Identity Management in the Session Initiation Protocol (SIP)".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6499
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Marc Petit-Huguenin <marc@petit-huguenin.org>
>> 
>> Section: 4
>> 
>> Original Text
>> -------------
>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>         ident-info *( SEMI ident-info-params )
>> signed-identity-digest = 1*(base64-char / ".")
>> ident-info = "info" EQUAL ident-info-uri
>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>> ident-info-params = ident-info-alg / ident-type /
>>   ident-info-extension
>> ident-info-alg = "alg" EQUAL token
>> ident-type = "ppt" EQUAL token
>> ident-info-extension = generic-param
>> 
>> base64-char = ALPHA / DIGIT / "/" / "+"
>> 
>> 
>> Corrected Text
>> --------------
>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>         ident-info *( SEMI ident-info-params )
>> signed-identity-digest = 1*(base64url-char / ".")
>> ident-info = "info" EQUAL ident-info-uri
>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>> ident-info-params = ident-info-alg / ident-type /
>>   ident-info-extension
>> ident-info-alg = "alg" EQUAL token
>> ident-type = "ppt" EQUAL token
>> ident-info-extension = generic-param
>> 
>> base64url-char = ALPHA / DIGIT / "-" / "_"
>> 
>> 
>> Notes
>> -----
>> RFC 8225 makes it clear that the encoding is BASE64URL, not the standard BASE64 encoding.
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party  
>> can log in to change the status and edit the report, if necessary. 
>> 
>> --------------------------------------
>> RFC8224 (draft-ietf-stir-rfc4474bis-16)
>> --------------------------------------
>> Title               : Authenticated Identity Management in the Session Initiation Protocol (SIP)
>> Publication Date    : February 2018
>> Author(s)           : J. Peterson, C. Jennings, E. Rescorla, C. Wendt
>> Category            : PROPOSED STANDARD
>> Source              : Secure Telephone Identity Revisited
>> Area                : Applications and Real-Time
>> Stream              : IETF
>> Verifying Party     : IESG
>> 
>
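The intermittent-rejection point above can be made concrete. The following Python script is an added example, not code from this thread, from RFC 8224, or from any SBC vendor. It encodes the two ABNF alphabets exactly as they appear in the erratum (the published `base64-char` and the proposed `base64url-char`), builds a PASSporT compact serialization (header.payload.signature, each segment base64url without padding as in JWS) from constructed data, and checks the resulting `signed-identity-digest` against both grammars. The certificate URL, telephone numbers, `origid` and the signature bytes are placeholders; no signing is performed. Claim names follow RFC 8225 and the `shaken` ppt value is from the SHAKEN profile. Because base64url only differs from base64 in sextets 62 and 63, a parser that implements the published grammar rejects a header only when some segment happens to encode to a `-` or `_`, which is exactly the hard-to-debug behaviour described in the message.

```python
import base64
import json
import re

# The two alphabets at issue in erratum 6499 for RFC 8224 Section 4.
#   signed-identity-digest = 1*(base64-char / ".")      ; as published
#   signed-identity-digest = 1*(base64url-char / ".")   ; as corrected
BASE64_DIGEST = re.compile(r"[A-Za-z0-9/+.]+")     # base64-char    = ALPHA / DIGIT / "/" / "+"
BASE64URL_DIGEST = re.compile(r"[A-Za-z0-9_.-]+")  # base64url-char = ALPHA / DIGIT / "-" / "_"


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding (RFC 7515 Section 2), as JWS/PASSporT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_nopad: restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_passport(header: dict, payload: dict, signature: bytes) -> str:
    """PASSporT compact serialization: base64url(header).base64url(payload).base64url(sig).
    The caller supplies the signature bytes; nothing here signs anything."""
    return ".".join([
        b64url_nopad(json.dumps(header, separators=(",", ":")).encode()),
        b64url_nopad(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_nopad(signature),
    ])


def split_passport(digest: str):
    """Decode a compact PASSporT back into (header dict, payload dict, signature bytes)."""
    h, p, s = digest.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def matches_grammar(digest: str, base64url: bool) -> bool:
    """True if the whole digest string satisfies the chosen ABNF production."""
    pattern = BASE64URL_DIGEST if base64url else BASE64_DIGEST
    return pattern.fullmatch(digest) is not None


def check_identity_digest(digest: str) -> dict:
    """Parse one signed-identity-digest under both grammars and list the characters
    (if any) that only the corrected grammar allows."""
    return {
        "rfc8224_as_published": matches_grammar(digest, base64url=False),
        "erratum_6499": matches_grammar(digest, base64url=True),
        "url_only_chars": sorted(set(digest) & {"-", "_"}),
    }


def identity_header(digest: str, info_uri: str, alg: str = "ES256", ppt: str = "shaken") -> str:
    """Assemble a full Identity header field value per the RFC 8224 ABNF."""
    return f"Identity: {digest};info=<{info_uri}>;alg={alg};ppt={ppt}"


# Constructed sample data: placeholder certificate URL, placeholder numbers, fake signatures.
# The JSON below deliberately contains no '>', '?' or '~', so its base64url never yields '-' or '_'.
HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
          "x5u": "https://cert.example/placeholder.pem"}
PAYLOAD = {"attest": "A", "dest": {"tn": ["12155550100"]}, "iat": 1616968576,
           "orig": {"tn": ["12155550101"]}, "origid": "placeholder-origid"}
# 64 bytes of 0x41 encode to "QUFB" * 21 + "QQ": no sextet is 62 or 63, so no '-' or '_'.
GOOD_SIG = b"\x41" * 64
# 0xfb 0xff 0xbf encode to sextets 62,63,62,63: "-_-_" in base64url, "+/+/" in plain base64.
URL_CHAR_SIG = b"\xfb\xff\xbf"

if __name__ == "__main__":
    for name, sig in (("signature without -/_", GOOD_SIG), ("signature with -/_", URL_CHAR_SIG)):
        digest = compact_passport(HEADER, PAYLOAD, sig)
        print(name)
        print("  ", identity_header(digest, HEADER["x5u"]))
        print("  ", check_identity_digest(digest))
```

Running it shows the first header accepted by both grammars and the second accepted only by the corrected one; with a real signature the outcome depends on the signature bytes, so a strict RFC 8224 parser would fail on a seemingly random subset of otherwise valid calls. The mirror case also holds: a digest produced with plain base64 (`+/+/`) fails the corrected grammar, which is the interoperability risk the message raises for deployed SBCs.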