[stir] STIR certificate delegation

"Peterson, Jon" <jon.peterson@team.neustar> Tue, 12 March 2019 14:01 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: "stir@ietf.org" <stir@ietf.org>
Date: Tue, 12 Mar 2019 14:01:17 +0000
Message-ID: <63E9BF16-DA95-4E1B-9550-A4A45FDAC547@team.neustar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/YVRfILEUu0yZaHMIMc3hIcEQPug>
Subject: [stir] STIR certificate delegation

Hello,

I've submitted a new draft which takes a first stab at specifying a way to delegate certificates in STIR. This would allow a carrier, say, to delegate to an enterprise authority for one or more telephone numbers so that the enterprise can run its own authentication service and sign calls itself.

https://www.ietf.org/id/draft-peterson-stir-cert-delegation-00.txt

Basically, this document proposes that delegation of STIR certificates rely on something a bit like the RPKI "encompassing" mechanism: that is, rather than having some explicit constraint in a certificate that indicates which names it can delegate to, that instead the TNAuthList is itself the constraint, so that relying parties who receive calls signed by this certificate, as they inspect a certificate chain, verify that each child certificate's scope of TNAuthList authority is encompassed by its parent's. This can be a bit messy when delegating from SPC to TN ranges, but that messiness probably isn’t avoidable.

It also, perhaps controversially, has an optimization that allows certificates that can sign delegate certificates (and thus have their CA boolean set to "true") to actually sign PASSporTs as well.

This document has a few interactions with the ACME mechanisms using the Authority Token for TNAuthLists as well, which we are still ironing out a bit, but which is reflected in those drafts today.

Comments welcome! We should find some time to discuss in Prague.

Jon Peterson
Neustar, Inc.
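The "encompassing" check the message describes, worked through as an added example (this is not code from the message, the draft, or Neustar). It models the three RFC 8226 TNAuthList entry kinds (spc, range, one) as Python objects, treats the TNAuthList of each certificate as the constraint on its child, and walks a chain from leaf to trust anchor checking that every child entry lies within its issuer's scope. Two things are assumptions of this example rather than anything the message states: telephone numbers are plain digit strings compared as integer intervals only when their digit lengths match, and delegation from an SPC down to TN ranges is decided against an external `spc_blocks` table (constructed here, standing in for numbering-authority data), because the certificates alone cannot say which numbers an SPC holds. DER parsing and signature verification are taken as already done; only the scope check is shown.

```python
"""Encompassing check for delegated STIR certificates (added example).

Models TNAuthList entries per RFC 8226 (spc / range / one) and checks
that each certificate in a chain carries only authority that its issuer
also carries.  Parsing and signature checks are assumed done elsewhere.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class SPC:
    """Service provider code (e.g. an OCN); RFC 8226 TNEntry.spc."""
    code: str


@dataclass(frozen=True)
class TNRange:
    """First number plus count; RFC 8226 TelephoneNumberRange."""
    start: str
    count: int


@dataclass(frozen=True)
class TN:
    """A single number; RFC 8226 TNEntry.one."""
    number: str


TNEntry = Union[SPC, TNRange, TN]
# (digit length, first, last): numbers of different lengths never overlap.
# Assumption of this example: TNs are digit-only strings.
Interval = Tuple[int, int, int]


def to_interval(entry: Union[TNRange, TN]) -> Interval:
    """Turn a TN or TNRange into a closed integer interval."""
    if isinstance(entry, TN):
        start, count = entry.number, 1
    else:
        start, count = entry.start, entry.count
    if not start.isdigit() or count < 1:
        raise ValueError(f"malformed TN entry: {entry!r}")
    first = int(start)
    return (len(start), first, first + count - 1)


def merge(intervals: List[Interval]) -> List[Interval]:
    """Coalesce overlapping or adjacent intervals of equal digit length, so a
    child range that straddles two parent ranges is still seen as covered."""
    out: List[Interval] = []
    for length, a, b in sorted(intervals):
        if out and out[-1][0] == length and a <= out[-1][2] + 1:
            pl, pa, pb = out[-1]
            out[-1] = (pl, pa, max(pb, b))
        else:
            out.append((length, a, b))
    return out


def covered(child: Interval, parent: List[Interval]) -> bool:
    length, a, b = child
    return any(pl == length and pa <= a and b <= pb for pl, pa, pb in parent)


def encompasses(parent: List[TNEntry], child: List[TNEntry],
                spc_blocks: Dict[str, List[TNRange]]) -> bool:
    """True iff every entry of `child` lies within the authority of `parent`.

    `spc_blocks` maps an SPC to the number blocks assigned to it.  It is an
    external input (assumed here); without it, an SPC-to-TN delegation
    cannot be decided from the certificates alone and is rejected.
    """
    parent_spcs = {e.code for e in parent if isinstance(e, SPC)}
    parent_numbers: List[Interval] = []
    for e in parent:
        if isinstance(e, (TN, TNRange)):
            parent_numbers.append(to_interval(e))
        else:  # SPC: expand to its blocks, if we know them
            parent_numbers.extend(to_interval(r) for r in spc_blocks.get(e.code, []))
    parent_numbers = merge(parent_numbers)
    for e in child:
        if isinstance(e, SPC):
            if e.code not in parent_spcs:  # SPC authority never derives from TN authority
                return False
        elif not covered(to_interval(e), parent_numbers):
            return False
    return True


def validate_chain(chain: List[List[TNEntry]],
                   spc_blocks: Dict[str, List[TNRange]]) -> bool:
    """`chain` is ordered leaf first, trust anchor last.  The anchor's list is
    taken on trust; every other certificate must be encompassed by its issuer."""
    if not chain:
        return False
    return all(encompasses(chain[i + 1], chain[i], spc_blocks)
               for i in range(len(chain) - 1))


# Constructed sample data for illustration only (not real assignments).
SPC_BLOCKS = {"1234": [TNRange("12015550000", 10000)]}
CARRIER = [SPC("1234")]                                   # carrier cert scope
ENTERPRISE = [TNRange("12015551000", 100), TN("12015559999")]  # delegate scope
OVERREACH = [TNRange("12015559990", 20)]                  # runs past the carrier's block

if __name__ == "__main__":
    print(validate_chain([ENTERPRISE, CARRIER], SPC_BLOCKS))  # True
    print(validate_chain([OVERREACH, CARRIER], SPC_BLOCKS))   # False
```

The merge step is what keeps the check honest in the direction the message calls messy: a carrier whose certificate lists several adjacent blocks can still delegate a range that spans a block boundary, while a range that runs one number past the issuer's authority is refused. Comparing intervals only within the same digit length is a deliberate choice so that a ten-digit parent range cannot be read as covering an eleven-digit child number that happens to fall inside it numerically.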