IETF Logo Mail Archive

Re: [stir] STIR/SHAKEN Privacy Concerns

Josh Brown <josh9051@gmail.com> Mon, 08 January 2024 18:54 UTC

Return-Path: <josh9051@gmail.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E274C18DBA4 for <stir@ietfa.amsl.com>; Mon, 8 Jan 2024 10:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nL67r4rNZK2W for <stir@ietfa.amsl.com>; Mon, 8 Jan 2024 10:54:40 -0800 (PST)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B798C1519AA for <stir@ietf.org>; Mon, 8 Jan 2024 10:54:40 -0800 (PST)
Received: by mail-qk1-x735.google.com with SMTP id af79cd13be357-783269124a8so55324685a.1 for <stir@ietf.org>; Mon, 08 Jan 2024 10:54:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704740079; x=1705344879; darn=ietf.org; h=content-transfer-encoding:in-reply-to:content-language:references :to:subject:from:user-agent:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=f9zfmVru37oUILWKAS5zDf3TBtJesYQHutrYgbt/THM=; b=EhfJOUi6HvKnfk7aq9/cJdGHmli+Z8pHMj2BgKOQCIZ+wV+8l3j00TTmKeQiQgjU1x KMqQTl/eED4SD+uzXYKO00/yhlKExAlUzc15SSJyTmkiUwJLOxNyv/I9QIpWS9/eh/Am +biTBJVmDvhEL2/MrNmHqwJU57RtR75UZwXoxsg2SO2+FOeMYIQqea4+BO4mILmDg/qA dYf1g738DuGXkzaRqLc5qys6ZyMI8b/taEsGDSiingJQ81DP5u0dMZwpWdqvtnLzOsNf jXTdFoJuZfGu+OZgnQvOBNfBo730b2pVMUd7RMH2aVOdP/0pGsP32UTtm8ArAvvf5jNu hjLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704740079; x=1705344879; h=content-transfer-encoding:in-reply-to:content-language:references :to:subject:from:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=f9zfmVru37oUILWKAS5zDf3TBtJesYQHutrYgbt/THM=; b=XhVKMMR4e1bykBkCIy1wt5Ft2l1dEqe1bfORuNSi8adQ2ubg3hFE4s3eU1fxPL0pCv XADVwX+jtuf5o0peVGRXvzWnYVp8BQLLHl6NQWoAS0nKO8WM5q7pHqctz5HQdt213MwI BQeJSaqIVwM829tHt610mmsA6purUz2oahUZvh8ONyw8+X47QnWY+6jpy2tTnFwjDC/5 ieVKj4NZU9hSkffnuandSdCrAGzoDrVfaNSR+Di7hCvDb44HzK1IGyVqPGDJX4k5FCqN Rtv6bYBBTOJpviAJtbMvs1p/2nhBGDMRGO3PtUlytT5Van6SQ2ft37PNVtdQBNu/hnBx Vx2w==
X-Gm-Message-State: AOJu0YzAkU9C4f5ptyWs8CW04UDZcF57ckK/iYEdFPvsUgLpo/dlc327 7UvY2CFlKRZC5piqjyhPMpC99FKjKQ==
X-Google-Smtp-Source: AGHT+IFN17ouWWh9VF5YDjAEmgJIp3CrqvBhHVoZGkB6khOsmsq0gjb4iRkdx19PbfzC5H94Qtz3vA==
X-Received: by 2002:a05:620a:6892:b0:781:8a2e:36d6 with SMTP id rv18-20020a05620a689200b007818a2e36d6mr4728258qkn.72.1704740079236; Mon, 08 Jan 2024 10:54:39 -0800 (PST)
Received: from [10.0.10.1] (pool-68-129-114-155.nycmny.fios.verizon.net. [68.129.114.155]) by smtp.gmail.com with ESMTPSA id h20-20020a05620a10b400b007832104bba9sm118034qkk.23.2024.01.08.10.54.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Jan 2024 10:54:38 -0800 (PST)
Message-ID: <d8f6cec7-e63b-458f-8780-bab9c0abd730@gmail.com>
Date: Mon, 08 Jan 2024 13:54:36 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Josh Brown <josh9051@gmail.com>
To: "Peterson, Jon" <Jon.Peterson@transunion.com>, "stir@ietf.org" <stir@ietf.org>
References: <57C3B58B-8ACD-4709-8D35-B48FF9462BD1@gmail.com> <CO6PR17MB497839B38D93D5F21378110EFD81A@CO6PR17MB4978.namprd17.prod.outlook.com>
Content-Language: en-US
In-Reply-To: <CO6PR17MB497839B38D93D5F21378110EFD81A@CO6PR17MB4978.namprd17.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/TJgAnCgOamosJJaOte_PJnQcrbo>
Subject: Re: [stir] STIR/SHAKEN Privacy Concerns
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2024 18:54:42 -0000

Hi Jon,

Happy New Year and thank you for your detailed response! I have a few 
follow up questions.

> I would not consider it a reliable historical artifact in isolation; 
> the use case of presenting a PASSporT to “convince” someone that a 
> call occurred at some time in the past is not in our scope, and would 
> in fact require external corroboration for it to be reliable, for 
> reasons I can go into if it would be helpful

Could you explain why a signed PASSporT would not be sufficient and what 
"external corroboration" would be required?

> speaking broadly, regulatory environments and carrier infosec policies 
> shape the data governance constraints under which such services operate
Could you elaborate on this section? If you don't believe this mailing 
list is the appropriate place, please feel free to reply directly.

Best,
Josh

On 12/1/23 2:05 PM, Peterson, Jon wrote:
>
> Hi Josh,
>
> Best wishes for your work, this could all use more eyes on it than it 
> has had, I’m sure.
>
>
> “Our first concern lies with non-repudiability in the STIR/SHAKEN 
> protocol. In the absence of STIR/SHAKEN, there exists no cryptographic 
> mechanism to definitively prove the occurrence of a call - only 
> someone observing the call as it happens knows it took place. However, 
> with the implementation of STIR/SHAKEN, originating providers sign 
> call metadata during the creation of the PASSporT. This means that a 
> party possessing the signature can now convince anyone a call took 
> place - or, more precisely, convince anyone that the originating 
> provider said the call took place. (For context, a similar 
> non-repudiability property of DKIM signatures for emails is now 
> regarded by many researchers as a serious design flaw.)”
>
> At a high level, I’d say there’s a disconnect between STIR as 
> specified in the IETF and the historical use of logged PASSporTs you 
> seem to be envisioning.
>
> The baseline metadata captured by STIR (calling number, called number, 
> and timestamp) has long been retained by a variety of parties for a 
> variety of purposes across the global telephone network. The 
> difference between saving PASSporTs and simply logging the metadata of 
> calls sent or received is indeed the signature, as you say. But a 
> PASSporT is an object that is supposed to rapidly expire after call 
> processing, and I would not consider it a reliable historical artifact 
> in isolation; the use case of presenting a PASSporT to “convince” 
> someone that a call occurred at some time in the past is not in our 
> scope, and would in fact require external corroboration for it to be 
> reliable, for reasons I can go into if it would be helpful. If 
> something needs to be fixed here, it is perhaps letting people know 
> that STIR doesn’t support that use case.
>
> (As an aside, email has a store-and-forward requirement that telephone 
> calls and similar real-time communications do not. Also, because the 
> metadata of telephone calls is decoupled from the contents of the 
> call, I’m not sure the situation is entirely analogous to email, but 
> that would be a longer conversation.)
>
> Overall, I don’t believe just signing this metadata erodes the privacy 
> properties of the overall telephone system (which were far from ideal 
> to begin with). For the most part, the entities with access to 
> PASSporTs are “observing the call” in the signaling path, and can (and 
> probably do) log the same metadata in the absence of PASSporTs. I 
> gather the main concern here arises from the possibility that 
> PASSporTs might leak to entities extraneous to the call path – and so 
> we go to…
>
> “Our second concern is with the wide popularity of third-party 
> authentication and verification services. Numerous companies offer 
> these products as a service. Originating providers use the third party 
> authentication service to generate signatures for their call metadata. 
> Terminating providers use the third party verification service to 
> verify said signatures and other information pertaining to the call 
> metadata. Put simply, when using STIR/SHAKEN these third parties have 
> complete access to all call metadata. This is concerning because call 
> metadata is often very sensitive and the working group even has 
> proposals to expand the amount of metadata included.”
>
> Metadata associated with calls has long been shared by carriers with a 
> variety of analytics providers, service bureaus, agencies, and other 
> third parties – including for everyday functions like number 
> portability, mobile roaming, freephone translation, caller name 
> applications, and billing. This is not an appropriate venue to discuss 
> laws or business agreements, but speaking broadly, regulatory 
> environments and carrier infosec policies shape the data governance 
> constraints under which such services operate. I don’t think it would 
> be news to anyone in this working group that “call metadata is often 
> very sensitive”; expressing “concern” about that does not reveal a 
> protocol defect that needs to be rectified.
>
> I would also say “complete access to all call metadata” is not 
> required for baseline STIR, nor any or all of the proposed extensions 
> to it, even. Third party authentication and verification services can 
> integrate with carrier equipment in a variety of ways, but common 
> HTTPS APIs used for this purpose share only the subset of signaling 
> that is necessarily for the STIR authentication and verification 
> services to do their work. Casting this as if these third-party 
> vendors have unfettered access, let alone utilization rights, to “all 
> call metadata” would not reflect the deployment reality.
>
> I might add that in our era of cloud-based microservices, the 
> boundaries between vendors, third-party service providers, and indeed 
> carriers have gotten a lot less crisp. The distinction between 
> something running on “carrier equipment” and a cloud service is not so 
> stark as it was a decade or so ago. Ultimately, carriers decide to 
> license or author AS/VS code to run themselves, or to rely on hosted 
> solutions, based on a variety of business and operational factors 
> unrelated to the protocol design work we do here at the IETF.
>
> “Our third concern is in the Out-of-Band SHAKEN protocol, which is 
> used for legacy providers that use pre-digital telephony 
> infrastructure. Out-of-Band SHAKEN requires the use of a third party 
> that stores metadata about calls in pre-digital telephone networks. 
> This third party has access, again, to all call metadata.”
>
> OOB SHAKEN is an ATIS specification, which is not under IETF change 
> control. RFC 8816, the IETF OOB specification, does not require 
> revealing PASSporTs to third party services operating a Call Placement 
> Service, provided that encryption keys can be exchanged between 
> parties (which admittedly is not trivial). But more recent work here 
> on OOB has focused on making its data collection risks equal your 
> second concern above – effectively by coupling the CPS with the 
> verification service function.
>
> Hope that helps, happy to follow up,
>
> Jon Peterson
>
> TransUnion (Neustar)
>

v2.23.0 | Report a Bug | By Email