Re: [stir] [Technical Errata Reported] RFC8224 (6499)

Chris Wendt <chris-ietf@chriswendt.net> Mon, 29 March 2021 00:45 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <70D5DE5F-88A7-4D5D-A06C-6403983F4B75@chriswendt.net>
Date: Sun, 28 Mar 2021 20:45:31 -0400
In-Reply-To: <34471c8e-1ce7-3f84-431c-753bb150dbce@petit-huguenin.org>
Cc: Cullen Jennings <fluffy=40cisco.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Eric Rescorla <ekr@rtfm.com>, Jon Peterson <jon.peterson@neustar.biz>, IETF STIR Mail List <stir@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>, Robert Sparks <rjsparks@nostrum.com>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>
References: <20210327204839.06FA2F4076D@rfc-editor.org> <F39D942E-717B-4CE8-833C-F7D25CF6D600@vigilsec.com> <40111C58-5A2E-4B36-BBB4-42D639FCC630@cisco.com> <34471c8e-1ce7-3f84-431c-753bb150dbce@petit-huguenin.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/XuKa0yF6N5UX7bN0UijB7yLBTiQ>
Subject: Re: [stir] [Technical Errata Reported] RFC8224 (6499)

Yes, so just to explain, we inherited base64url from RFC7519 JWT, so I think the errata is correct, but I believe no-one, I’m aware of at least, actually followed base64 vs base64url for implementing 8224 simply because JWT implementation and interop is so widely accepted at this point (although I didn’t do the homework to see what the potential breakage would be). To be clear, this is only for the PASSporT/JWT value in the identity header, not any of the parameters that come afterward.

To Cullen’s point, I think because from 4474 to 8224 the switch as I recall was just a signature to a JWT/PASSporT, this probably is different enough that any implementation of 4474 identity would not be compatible to begin with, if the SBC would even touch the contents of the header values. But again, we have a lot of 8224 identity headers passing in SP networks and I have not heard of any interop issues; from everything I’ve heard most networks have been turning on identity headers passing through SBCs for the first time. And I believe most SBCs do not evaluate the identity header, only until you get to the point where the verification service is the value parsed, as far as I’m aware.

-Chris

> On Mar 28, 2021, at 6:42 PM, Marc Petit-Huguenin <marc@petit-huguenin.org> wrote:
> 
> See the examples in section 4.1.1 of RFC 8224.
> 
> On 3/28/21 2:56 PM, Cullen Jennings wrote:
>> @Chris ….
>> Uh, I’m not sure. I’m not up to speed on this enough and certainly defer to the people that know more than me.
>> I agree the passport is base64url encoded, but are the strings we are talking about here done the same way? It looks like 4474 has them as base64 encoded.
>> My read was the passport string was base64url encoded, then that string was used with combined and encoded a second time with base64 encode to go in the identity header.
>> Anyways, I have no idea what should happen here but the more I looked at it, the less obvious it was to me.
>> I’d love to hear from Chris?
>> Anyways … as a practical point, if you move the Identity header from using base64 in 4474, to base64url in 8224, it seems likely that lots of SBC will reject them. That will be particularly frustrating to debug given it will not reject all of them where the different characters in the alphabet don’t occur.
>>> On Mar 28, 2021, at 10:48 AM, Russ Housley <housley@vigilsec.com> wrote:
>>> 
>>> I think this errata should be approved.
>>> 
>>> Russ
>>> 
>>>> On Mar 27, 2021, at 4:48 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>>> 
>>>> The following errata report has been submitted for RFC8224,
>>>> "Authenticated Identity Management in the Session Initiation Protocol (SIP)".
>>>> 
>>>> --------------------------------------
>>>> You may review the report below and at:
>>>> https://www.rfc-editor.org/errata/eid6499
>>>> 
>>>> --------------------------------------
>>>> Type: Technical
>>>> Reported by: Marc Petit-Huguenin <marc@petit-huguenin.org>
>>>> 
>>>> Section: 4
>>>> 
>>>> Original Text
>>>> -------------
>>>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>>>         ident-info *( SEMI ident-info-params )
>>>> signed-identity-digest = 1*(base64-char / ".")
>>>> ident-info = "info" EQUAL ident-info-uri
>>>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>>>> ident-info-params = ident-info-alg / ident-type /
>>>>   ident-info-extension
>>>> ident-info-alg = "alg" EQUAL token
>>>> ident-type = "ppt" EQUAL token
>>>> ident-info-extension = generic-param
>>>> 
>>>> base64-char = ALPHA / DIGIT / "/" / "+"
>>>> 
>>>> 
>>>> Corrected Text
>>>> --------------
>>>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>>>         ident-info *( SEMI ident-info-params )
>>>> signed-identity-digest = 1*(base64url-char / ".")
>>>> ident-info = "info" EQUAL ident-info-uri
>>>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>>>> ident-info-params = ident-info-alg / ident-type /
>>>>   ident-info-extension
>>>> ident-info-alg = "alg" EQUAL token
>>>> ident-type = "ppt" EQUAL token
>>>> ident-info-extension = generic-param
>>>> 
>>>> base64url-char = ALPHA / DIGIT / "-" / "_"
>>>> 
>>>> 
>>>> Notes
>>>> -----
>>>> RFC 8225 makes it clear that the encoding is BASE64URL, not the standard BASE64 encoding.
>>>> 
>>>> Instructions:
>>>> -------------
>>>> This erratum is currently posted as "Reported". If necessary, please
>>>> use "Reply All" to discuss whether it should be verified or
>>>> rejected. When a decision is reached, the verifying party
>>>> can log in to change the status and edit the report, if necessary.
>>>> 
>>>> --------------------------------------
>>>> RFC8224 (draft-ietf-stir-rfc4474bis-16)
>>>> --------------------------------------
>>>> Title               : Authenticated Identity Management in the Session Initiation Protocol (SIP)
>>>> Publication Date    : February 2018
>>>> Author(s)           : J. Peterson, C. Jennings, E. Rescorla, C. Wendt
>>>> Category            : PROPOSED STANDARD
>>>> Source              : Secure Telephone Identity Revisited
>>>> Area                : Applications and Real-Time
>>>> Stream              : IETF
>>>> Verifying Party     : IESG
>>>> 
> 
> 
> -- 
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org <mailto:marc@petit-huguenin.org>
> Blog: https://marc.petit-huguenin.org <https://marc.petit-huguenin.org/>
> Profile: https://www.linkedin.com/in/petithug <https://www.linkedin.com/in/petithug>
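The interop question raised in this thread (an Identity header carrying a base64url PASSporT checked against a grammar written for base64, or the reverse) can be made concrete with a small check. The following Python is an added example written for this archive page; it is not code from the thread, from RFC 8224 or from any STIR implementation. It encodes the two ABNF variants quoted in the errata report as character classes, assembles a PASSporT from constructed header, payload and a dummy signature (no real signing takes place), and reports which grammar accepts the resulting signed-identity-digest. The certificate URL, telephone numbers and origid are constructed sample values.

```python
import base64
import json
import re

# Character classes taken from the two ABNF variants quoted in errata 6499.
#   base64-char    = ALPHA / DIGIT / "/" / "+"   (RFC 8224 as published)
#   base64url-char = ALPHA / DIGIT / "-" / "_"   (errata corrected text)
_BASE64_CHAR = "[A-Za-z0-9/+]"
_BASE64URL_CHAR = "[A-Za-z0-9_-]"

# signed-identity-digest = 1*(<char> / ".")
DIGEST_GRAMMARS = {
    "base64": re.compile(rf"^(?:{_BASE64_CHAR}|\.)+$"),
    "base64url": re.compile(rf"^(?:{_BASE64URL_CHAR}|\.)+$"),
}


def b64url(raw: bytes) -> str:
    """JWS/PASSporT segment encoding: base64url with padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def std_base64(raw: bytes) -> str:
    """Plain base64 (the RFC 4474-era alphabet), padding removed for comparison."""
    return base64.b64encode(raw).rstrip(b"=").decode("ascii")


def build_passport(header: dict, payload: dict, signature: bytes) -> str:
    """Assemble a full-form PASSporT: header.payload.signature.

    The signature bytes are supplied by the caller. This example does not
    sign anything; it only shows what the encoded token looks like on the wire.
    """
    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    return f"{enc(header)}.{enc(payload)}.{b64url(signature)}"


def parse_identity_header(value: str):
    """Split an Identity header value into (signed-identity-digest, params).

    The ';'-separated ident-info / ident-info-params (info=<...>, alg=, ppt=)
    are ordinary SIP tokens, not base64url, and are returned untouched.
    """
    parts = [p.strip() for p in value.split(";")]
    digest = parts[0]
    params = {}
    for p in parts[1:]:
        name, _, val = p.partition("=")
        params[name.strip()] = val.strip()
    return digest, params


def grammars_accepting(digest: str) -> dict:
    """Report which of the two ABNF variants accepts this digest string."""
    return {name: rx.fullmatch(digest) is not None for name, rx in DIGEST_GRAMMARS.items()}


# Constructed sample values (not taken from the thread or any real deployment).
SAMPLE_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://cert.example.invalid/sp.pem"}
SAMPLE_PAYLOAD = {"attest": "A", "dest": {"tn": ["12155551213"]},
                  "iat": 1616978735, "orig": {"tn": "12155551212"},
                  "origid": "123e4567-e89b-12d3-a456-426655440000"}
# Dummy 64-byte "signature" whose 6-bit groups hit the values 62 and 63, so the
# base64url text contains '-' and '_' (base64 would emit '+' and '/' instead).
SAMPLE_SIGNATURE = b"\xfb\xff" * 32


def sample_identity_header() -> str:
    """A constructed Identity header value in RFC 8224 form."""
    token = build_passport(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SIGNATURE)
    return f"{token};info=<https://cert.example.invalid/sp.pem>;alg=ES256;ppt=shaken"


if __name__ == "__main__":
    digest, params = parse_identity_header(sample_identity_header())
    print("params:", params)
    print("base64url digest accepted by:", grammars_accepting(digest))
    print("base64 digest accepted by:   ", grammars_accepting(std_base64(SAMPLE_SIGNATURE)))
    # A digest that happens to use only letters and digits passes both grammars,
    # which is why a grammar mismatch only surfaces on some messages.
    print("alphanumeric digest accepted by:", grammars_accepting("abc.def.ghi"))
```

The last line of the demonstration is the point Cullen makes: a digest whose bytes never produce the 62 and 63 values contains neither `+/` nor `-_`, so a parser built on the wrong alphabet accepts it and only rejects the minority of messages where those characters occur, which is what makes the mismatch hard to debug.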