Re: [stir] [Technical Errata Reported] RFC8224 (6499)

Marc Petit-Huguenin <marc@petit-huguenin.org> Sun, 28 March 2021 22:42 UTC

From: Marc Petit-Huguenin <marc@petit-huguenin.org>
To: Cullen Jennings <fluffy=40cisco.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Chris Wendt <chris-ietf@chriswendt.net>
Cc: Eric Rescorla <ekr@rtfm.com>, Jon Peterson <jon.peterson@neustar.biz>, IETF STIR Mail List <stir@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>, Robert Sparks <rjsparks@nostrum.com>
References: <20210327204839.06FA2F4076D@rfc-editor.org> <F39D942E-717B-4CE8-833C-F7D25CF6D600@vigilsec.com> <40111C58-5A2E-4B36-BBB4-42D639FCC630@cisco.com>
Message-ID: <34471c8e-1ce7-3f84-431c-753bb150dbce@petit-huguenin.org>
Date: Sun, 28 Mar 2021 15:42:35 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/XQXzBVdeUcDE7QMX3iTRfLi2NtU>

See the examples in section 4.1.1 of RFC 8224.

On 3/28/21 2:56 PM, Cullen Jennings wrote:
> 
> @Chris ….
> 
> Uh, I’m not sure. I’m not up to speed on this enough and certainly defer to the people that know more than me.
> 
> I agree the passport is base64url encoded, but are the strings we are talking about here done the same way? It looks like 4474 has them as base64 encoded.
> 
> My read was the passport string was base64url encoded, then that string was combined and encoded a second time with base64 encode to go in the identity header.
> 
> Anyways, I have no idea what should happen here but the more I looked at it, the less obvious it was to me.
> 
> I’d love to hear from Chris?
> 
> Anyways … as a practical point, if you move the Identity header from using base64 in 4474 to base64url in 8224, it seems likely that lots of SBCs will reject them. That will be particularly frustrating to debug given it will not reject all of them, only those where the different characters in the alphabet occur.
> 
>> On Mar 28, 2021, at 10:48 AM, Russ Housley <housley@vigilsec.com> wrote:
>>
>> I think this errata should be approved.
>>
>> Russ
>>
>>> On Mar 27, 2021, at 4:48 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>>
>>> The following errata report has been submitted for RFC8224,
>>> "Authenticated Identity Management in the Session Initiation Protocol (SIP)".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid6499
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Marc Petit-Huguenin <marc@petit-huguenin.org>
>>>
>>> Section: 4
>>>
>>> Original Text
>>> -------------
>>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>>          ident-info *( SEMI ident-info-params )
>>> signed-identity-digest = 1*(base64-char / ".")
>>> ident-info = "info" EQUAL ident-info-uri
>>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>>> ident-info-params = ident-info-alg / ident-type /
>>>    ident-info-extension
>>> ident-info-alg = "alg" EQUAL token
>>> ident-type = "ppt" EQUAL token
>>> ident-info-extension = generic-param
>>>
>>> base64-char = ALPHA / DIGIT / "/" / "+"
>>>
>>>
>>> Corrected Text
>>> --------------
>>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>>          ident-info *( SEMI ident-info-params )
>>> signed-identity-digest = 1*(base64url-char / ".")
>>> ident-info = "info" EQUAL ident-info-uri
>>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>>> ident-info-params = ident-info-alg / ident-type /
>>>    ident-info-extension
>>> ident-info-alg = "alg" EQUAL token
>>> ident-type = "ppt" EQUAL token
>>> ident-info-extension = generic-param
>>>
>>> base64url-char = ALPHA / DIGIT / "-" / "_"
>>>
>>>
>>> Notes
>>> -----
>>> RFC 8225 makes it clear that the encoding is BASE64URL, not the standard BASE64 encoding.
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC8224 (draft-ietf-stir-rfc4474bis-16)
>>> --------------------------------------
>>> Title               : Authenticated Identity Management in the Session Initiation Protocol (SIP)
>>> Publication Date    : February 2018
>>> Author(s)           : J. Peterson, C. Jennings, E. Rescorla, C. Wendt
>>> Category            : PROPOSED STANDARD
>>> Source              : Secure Telephone Identity Revisited
>>> Area                : Applications and Real-Time
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>


-- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: https://marc.petit-huguenin.org
Profile: https://www.linkedin.com/in/petithug
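As an added illustration (not code from this thread, from RFC 8224 or from any implementation discussed in it), the two signed-identity-digest alphabets from the original and corrected ABNF above are transcribed into regular expressions and run over a constructed compact PASSporT whose fake signature bytes are chosen so that base64url produces "-" and "_": the published base64-char grammar rejects the header, the errata's base64url-char grammar accepts it. The certificate URL, telephone numbers, iat value and signature bytes are placeholders.

```python
import base64
import json
import re

# Character classes from RFC 8224 section 4 as published (base64-char) and as
# proposed in errata 6499 (base64url-char), transcribed into regex form.
BASE64_CHAR = "[A-Za-z0-9/+]"
BASE64URL_CHAR = "[A-Za-z0-9_-]"

def digest_re(char_class):
    # signed-identity-digest = 1*(<char> / ".")
    return re.compile(f"^(?:{char_class}|\\.)+$")

def b64url(data):
    # RFC 8225 compact PASSporT segments: base64url with padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_passport(header, payload, signature):
    # Constructed helper: joins three base64url segments; the signature bytes
    # are whatever the caller passes, not a real ES256 signature.
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64url(signature)])

def digest_alphabets(digest):
    # Which of the two grammars accept this signed-identity-digest?
    return {"base64": bool(digest_re(BASE64_CHAR).match(digest)),
            "base64url": bool(digest_re(BASE64URL_CHAR).match(digest))}

def parse_identity(value, alphabet="base64url"):
    """Parse an Identity header field value (the text after 'Identity:').
    Assumes no ';' inside the ident-info URI. Raises ValueError when the
    digest falls outside the chosen alphabet or ident-info is malformed."""
    char_class = BASE64URL_CHAR if alphabet == "base64url" else BASE64_CHAR
    digest, *params = [p.strip() for p in value.split(";")]
    if not digest_re(char_class).match(digest):
        raise ValueError(f"signed-identity-digest not valid {alphabet}: {digest!r}")
    kv = dict(p.partition("=")[::2] for p in params)
    info = kv.get("info", "")
    if not (info.startswith("<") and info.endswith(">")):
        raise ValueError("ident-info must be LAQUOT absoluteURI RAQUOT")
    return {"digest": digest, "info": info[1:-1],
            "alg": kv.get("alg"), "ppt": kv.get("ppt")}

# Constructed sample: fake signature bytes chosen so base64url yields '-' and '_'.
FAKE_SIGNATURE = bytes([0xFB, 0xFF, 0xFE]) * 21
PASSPORT = build_passport(
    {"alg": "ES256", "typ": "passport", "x5u": "https://cert.example.test/cert.pem"},
    {"dest": {"tn": ["12155551213"]}, "iat": 1443208345, "orig": {"tn": "12155551212"}},
    FAKE_SIGNATURE)
IDENTITY_VALUE = f"{PASSPORT};info=<https://cert.example.test/cert.pem>;alg=ES256;ppt=shaken"
```

Running `digest_alphabets(PASSPORT)` shows the interop point Cullen raises: the same header passes one grammar and fails the other only because of the two alphabet characters that differ.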