Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt

"Peterson, Jon" <jon.peterson@team.neustar> Wed, 20 April 2022 12:37 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>, Chris Wendt <chris-ietf@chriswendt.net>
CC: IETF STIR Mail List <stir@ietf.org>
Date: Wed, 20 Apr 2022 12:37:08 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/YNmVc2Z_QCJPtAUTlNVuDgzCe-c>

Currently intermediaries are not able to add RCD passports: RFC 8224 Section 6.1 states “The authentication service MUST then determine whether or not the originator of the request is authorized to claim the identity given in the identity field.  In order to do so, the authentication service MUST authenticate the originator of the message.” As that clause applies to all passports, is not overridden by anything in the RCD spec, and intermediaries will not be able to authenticate the caller, they are not allowed to authenticate the caller. (I believe this issue affects RPH too.) For intermediaries to be able to put RCD passports on a call, that section must be overridden in the RCD standard.

It was overridden by the “div” spec (and as you say probably the “rph” spec), let alone the “rcd” spec. “div” PASSporTs are still PASSporTs, and they don’t have this requirement. The entire “third-party usage” section of the “rcd” spec is quite clear that the intention of “rcd” PASSporTs in the third-party case is not to authenticate the original user. I’m not sure any further text is needed to “overwrite” RFC8224 here.
For a more concrete scenario as to why this is a problem:
Imagine an ecosystem where shaken passports are not required to authenticate a call, and base passports are considered enough to say “I, <credential>, have authenticated the caller and they are allowed to use this identity” (I’m pretty sure this is compliant with RFC 8224). If you are an intermediary who has a credential that everyone trusts for everything, then you cannot put an RCD passport on the call; if you did, the callee would think that you are asserting that the caller is allowed to use the identity even though you have no idea if that’s the case!

If I recall the basic idea for intermediary “rcd” usage was that the “iss” field, if present in the JWT header, differentiated PASSporTs that were not intended to assert the identity of the caller from those that were (combined of course with the “rcd” PPT). I guess I view “iss” PASSporTs as sort of like “div” PASSporTs, which again would not be naively mistaken for PASSporTs generated by the RFC8224 6.1 rules to assert who someone is – just like with “div”, you need a separate PASSporT asserting the calling number for an “iss” PASSporT to be usable by relying parties. The further backstop against mistakenly treating this as an RFC8224 PASSporT is the signing certificate itself.

That said, I agree that the language in the second paragraph of 15 is too strong regarding JWT Claim Constraints – though it doesn’t seem to be normative.

Jon Peterson
Neustar, Inc. (a TransUnion company)
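The verifier-side reading of the exchange above, as an added Python example that is not from the thread or the rcd draft: a PASSporT whose "ppt" is "rcd" and which carries "iss" is treated as third-party data that must be backed by a separate PASSporT vouching for the calling number, while an "rcd" PASSporT without "iss" reads as a first-party identity assertion (the case Jack's scenario warns about). It assumes "iss" sits in the JWT claim set, where RFC 7519 defines it (the message refers to the header), leaves ES256 signature and certificate checks out, and uses constructed numbers and URLs.

```python
import base64
import json

# Constructed sample values (not from the draft or the thread).
ORIG_TN, DEST_TN, OTHER_TN = "12155551212", "12155559999", "12155550000"
IAT = 1650458228

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _decode(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_passport(ppt, claims):
    # Compact JWS with a placeholder signature: the point here is the
    # claim-set policy, not signature verification.
    header = {"alg": "ES256", "typ": "passport", "x5u": "https://cert.example/c.pem"}
    if ppt:
        header["ppt"] = ppt
    return f"{_b64url(header)}.{_b64url(claims)}.sig"

def asserts_caller_identity(passport):
    """True when the signer vouches, RFC 8224 section 6.1 style, that the
    caller may use 'orig'. 'div' and third-party 'rcd' (with 'iss') do not."""
    hdr, clm = (_decode(s) for s in passport.split(".")[:2])
    ppt = hdr.get("ppt")
    return not (ppt == "div" or (ppt == "rcd" and "iss" in clm))

def usable_rcd(passports):
    """'rcd' data from third-party rcd PASSporTs whose 'orig' is backed by a
    separate identity-asserting PASSporT carried on the same call."""
    vouched, third_party = set(), []
    for p in passports:
        hdr, clm = (_decode(s) for s in p.split(".")[:2])
        key = json.dumps(clm["orig"], sort_keys=True)
        if asserts_caller_identity(p):
            vouched.add(key)
        elif hdr.get("ppt") == "rcd":  # third-party rcd, i.e. carries 'iss'
            third_party.append((key, clm["rcd"]))
    return [rcd for key, rcd in third_party if key in vouched]

def _claims(tn, **extra):
    return {"orig": {"tn": tn}, "dest": {"tn": [DEST_TN]}, "iat": IAT, **extra}

BASE = make_passport(None, _claims(ORIG_TN))  # originating carrier vouches for orig
THIRD_PARTY = make_passport("rcd", _claims(ORIG_TN, iss="https://rcd.example", rcd={"nam": "Example Co"}))
UNBACKED = make_passport("rcd", _claims(OTHER_TN, iss="https://rcd.example", rcd={"nam": "Other Co"}))
BARE_RCD = make_passport("rcd", _claims(ORIG_TN, rcd={"nam": "Example Co"}))  # no 'iss': reads as first-party

if __name__ == "__main__":
    print(usable_rcd([BASE, THIRD_PARTY, UNBACKED]))  # only Example Co is backed by BASE
```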