IETF Logo Mail Archive

Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt

Jack Rickard <jack.rickard@microsoft.com> Wed, 20 April 2022 12:15 UTC

Return-Path: <jack.rickard@microsoft.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E708D3A0DBA for <stir@ietfa.amsl.com>; Wed, 20 Apr 2022 05:15:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IhbrcAN0JVKK for <stir@ietfa.amsl.com>; Wed, 20 Apr 2022 05:15:17 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on20702.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1b::702]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96F893A0DD3 for <stir@ietf.org>; Wed, 20 Apr 2022 05:15:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ctotNFOXk49dOHWUBehGXuXw0IzVeQczIvCcxjpZo4o2wEEJzxtjaAZ2eY91nug90mwmY9ryHXRczcA3lRz0CdJZ/1Dqx+taAfFMT5vDJXexyHgSbhLPlzHrqU1TQJbM7hVqfnG6HJRuKNamaMr5MEeiCRmNIeSc437rxei+cQcDEBfBFuEtF3Etbt3rfxeeGEozqDH6Q9xMiIdxHYyBNFUktNnIU22FOAoujlRX968c8rWO3pN/AB0wGfYGU5JLLQYtGJWLZx5PEVI6gwl8DkscGSgOu0UthWLQcyfMpRE2wjviZy6AZm2WkghpwyrikC40Y/ghvgxyl58usrkAxw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=boFZ3I1iKNhmLU9DEYBesMAls3nCB2uC6GHI9TCEXrw=; b=FJRPA4e22Svgge+bj4lz7y84VVKOi6t1SjU5QkIvtcg8zv9v9WpGrZZaeHlDUM9T0f4S3iSoYe1mvWtYFaAoEyxPICPu13ipMQOW3ECTr7ql0/zf369qOYxL6LSzLKOUCQ9x55VPb5pwo9V4o9mXOjhw3Vb4s/2xvKWBbRdGNYm4jeUkNphAa1fqGBNbdBex5U9x6nnFru9tTj4mVaCcl0bw3FY8ChvLdbxv6WsMFFNgQUOtvak14pv7p+ne/NvqNdQygwi1kqy9MQzlAQiBOgYUlt+V4j0h6QeJw9tM6HqEerVaa4iu1a0el7iqx6GapjthNQ25/RSOK8s395ve0g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=boFZ3I1iKNhmLU9DEYBesMAls3nCB2uC6GHI9TCEXrw=; b=fWLnFCiRR+HlJ44jyO2anI2hPCMTGD3aYGenM3kyHMhiC0VtFtZN9oC9Ym8Ncd8CX8oVUI88TJXFjXfuQhcyLqJ+JELMsUB2k4065INWZVrCPYCss/LIxC+kL6jM7S+HXpM/HCC1do38uLxeasVbLaG+Ar6K7w55GkiiHOB32uo=
Received: from HE1PR83MB0378.EURPRD83.prod.outlook.com (2603:10a6:7:63::11) by VI1PR83MB0400.EURPRD83.prod.outlook.com (2603:10a6:800:19e::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.4; Wed, 20 Apr 2022 12:15:10 +0000
Received: from HE1PR83MB0378.EURPRD83.prod.outlook.com ([fe80::9d73:9d6d:7eb1:cc76]) by HE1PR83MB0378.EURPRD83.prod.outlook.com ([fe80::9d73:9d6d:7eb1:cc76%5]) with mapi id 15.20.5206.004; Wed, 20 Apr 2022 12:15:09 +0000
From: Jack Rickard <jack.rickard@microsoft.com>
To: Chris Wendt <chris-ietf@chriswendt.net>, Ben Campbell <ben@nostrum.com>
CC: Alec Fenichel <alec.fenichel@transnexus.com>, IETF STIR Mail List <stir@ietf.org>
Thread-Topic: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt
Thread-Index: AdhUrZ4zqcFqLWlqT9Sk1mXuV8wVew==
Date: Wed, 20 Apr 2022 12:15:05 +0000
Deferred-Delivery: Wed, 20 Apr 2022 12:14:31 +0000
Message-ID: <HE1PR83MB037840BE60C332A62848FEF788F59@HE1PR83MB0378.EURPRD83.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=7f04fefa-60c2-4f88-b38e-eb4bdd4fd2e7; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-04-20T11:56:00Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 260dbdcb-75ee-4c2d-85f5-08da22c769f8
x-ms-traffictypediagnostic: VI1PR83MB0400:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <VI1PR83MB0400D2155AADCE5A75640D6A88F59@VI1PR83MB0400.EURPRD83.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hDuUPR5lLOaV+jPUELlrLVnc468Xtwc9LnUTaR9l98cJgHFzkjVjSQhbgzs3zdYTBMIAY8Jbkd4BM64htWDrf0/H8XerXYfuxB+9EgOAVJV2FfKGWoycc7CVu81LinsZKtpQ/2luFtLNikePvVaV7+kiDyLVgZJhlrDbyVZPL0hWp4BlhRtycpMwFFIHZz3VoJQqgso9yPu4lU9FqNrgTeMvQtFJ7FEoVk62oaWPJ4cBoxk8yRqK+wnHdmeVZQWJGJAhIWybsrL103s00X9aW5WkRRcouSwQhMOv3iHfIxcVeYlmmkZL+AQYstQ0DC2L8g9mhtg+/YJiUnVLsz7fWTdGYfBdo5RNIGD3ahqYEa8tTc1iSwt2eUIpGqPq2/amOFUjjs3Wfc6RxigN3LDRclKWWX+Rx8x2+YtvDunX1RlYaqypYZCj0sUwKGO8OhrgHaZbcZICjEM/GImjm5piYKlNLHltnNejTh1hTFjvp/z8X8tDcaf3tuPvlnHVq6TgzRQy9QBHoDSzkHNy+yVe65xGOMbngI4mUMqyQHyS3gJhmpH5T+kb8DI5tYZVd0ixU1+C1H73epExP1nZCEin2j8HzjSRagur9zEcQKI+em75FRTKVPsTYSGPU1X8OdrT/3JNl5/wxgDJ8yMlBe88ohzLG4K3lOvkQAGvQX71K145WnMaJrFTF4h46IjMuXX7pnr9ndzxn5aPnCbqy8OIWAm1cP6Ui/tAN0igSDGLvJMYmuNe6IzDLwhANBODhvfBeSudMRLK7PQxH8pBVEpyP08jacTyBXIhCUCP7U/wK1cBbTQ31WWtTcsF+jLBvmZJAmWAZuP84IRivnb80CWDUw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR83MB0378.EURPRD83.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(451199009)(54906003)(110136005)(316002)(86362001)(40140700001)(10290500003)(186003)(83380400001)(508600001)(71200400001)(55016003)(966005)(9686003)(8990500004)(33656002)(26005)(6666004)(7696005)(6506007)(53546011)(8936002)(52536014)(166002)(44832011)(2906002)(38070700005)(122000001)(5660300002)(38100700002)(82960400001)(82950400001)(66946007)(8676002)(66556008)(76116006)(66476007)(66446008)(64756008)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: C0Xn8cL7Utw+NHxiRx0iEYcORm7kbFXOIP4r4cXVEBKQKcwpMEHJtW6KtTy7iVa4+gpp7OeCmiEdJMIJhIdvn+s66hQzMMNdnLOi4IK7mUkFSY22Z38lEcVeVCx2nhJz6GOHjgJLx59bv6gQhMPjXcwxSMXiBvnNjyStC0IrsRKmFQhUI0I54C56r8xwsoO+qwM3jOc45DLe9sTkggds4MWZlJz2OXvroA1wdXSztL3qqR+tXLYbuGucNZkhIfhCb7O/UxIB4UUJVMW3dW4z/qedTbyWP5+0JQdg1XwI5uPqq31WLrpITyQ8ACpxkltN+X64JcEUa/+LsB2qaJrTIcBEgE6mGXMSGha0LIm1JgnFYA3fKazJaOP2x9+hPpxrGixwwQ4wcyw5js1ulnWVu5afntqzj8ZXuq8zqdlkrHysshH0nFLPiRhCv/ZGfPKrPMdDpGOhsAU2eM8ERbs7/pUs9gKB5cni8K2KUC1RdTS9juRSmU34HIJOu2vmf/asoViCTO1wCp6FCmX4JItK0V1l5o7R+zmHj5DS+iFbybUWlQeg6SsTPTOsJmY1I6CYkqGDe6OXjI80w6Zffs3+mg8GqEHUvFDBZU7GRnm1VDVUQ7xA56tOG9RCTuvR3YvZ4SsbnlGW4dN8rjJrHJsGKVua2IFrgI5Cc1J7s+x9sg7C0fXMr4XnP0s6OtdEuQeFUrnp6d9w0LkKfhEflqy8uepb8Y7wh2tm0TwDZNfOiSRNg9amWASKcuErJ0QtvuAHLvKKuoQvN+RcqavF8S+9neO8vCkP0fbITCKbBEhqbGoSHa5w5XLhjbyfoouM8rSiESrlp8avDjsUKZqoR506C8/JnzF5NtmAoO2PpyQFZEGBEZZJzorw6VOHip01hQcENfg56ykGzWtSvTzD+6UAA4PO2j86OlbCf4RtvQoJjHKhw0cScE3ftiLqZKOEKc9Ks2VoFH7PFNewRpl5ynDcjDzyBp+rFOFUJRIRXdekwKfg1B9e7Kq90lh9S31OlLn9QsmtMzNMncQeJjEcuTAibPkc2xd5ZGCHK6TUnQibdXl4Zsnvy8i2SBC614UGlTpumqnPHAhjmY8j+JsfZk7p7LUkdGeUgUrcGxBMKZRK2S8vyuxHe3R5FBknIDwTbe2K8nE0f6lANYOanODrJIrNwLQnmBcCdJsLUNiHVG6XLJQ9xb+T7sPDYUalhg1OJz8yqMcDiRC3laswYBjRz/vOWAQrPSCA4VQBI5xIQkES7WCcfPUMRVRqot+qmGMKyIAqJcrjPD2g3FW7Bg99IfRofZkq1wZksqCCgpTwox5grIcUChTp5olSHHtJvcp2pcuN5byC9KfsoUtNs7SegBWQ86Pz6xDYlMmoYOBN4fdR+IqX3HyUoWqJu+0eKfEbzK2k/fNKFxvnfiuUYzXKgOFPnRJaCVtlnm9rc/HqNXkJOx27dM4D3GErWzxMkiZFDuBR6mPC1PatlRdaVFg807M5u7Zk7TtdIg/iMlUwLuHK033/XEXodpJuFhitXaR1fVOSXRp+HHFy86OE0S8BU5wp9XN8Ia7394P0eAJWfDAhUpn/PjOpkSuB88wTqv1QvX8UUYimWPimgcQPtQYDNmr9b76zGeGSxq+H9m3f7KB8k5Dyx4FvdWQWDN4ohTeWXV7x5Rf3VILjTfhBwtj/4ADOYw==
Content-Type: multipart/alternative; boundary="_000_HE1PR83MB037840BE60C332A62848FEF788F59HE1PR83MB0378EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR83MB0378.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 260dbdcb-75ee-4c2d-85f5-08da22c769f8
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Apr 2022 12:15:09.7977 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bQO2vBoXSI0NGCgsZKkKq9dkzu+wz6ojVxsTsbVZq9xPNSmUN4cy8AlijURDsg+0kxkjWmXhJO0tkXa8HlrAZn/P1yQrhR5gkpNgf0f1A4c=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR83MB0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/aMOJ1gOKnKHteCwgPSkCl-3dhLI>
Subject: Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2022 12:15:22 -0000

The relying party doesn't really care. In the stir/shaken ecosystem you must trust the CAs to do the right thing, they can give essentially whatever certificates they like to whoever they like. You have to trust that the CA gave a restricted certificate out to those that can't be trusted with a unrestricted one, and that they gave unrestricted certs out to those that can.

More generally, that paragraph says (paraphrased so this may be the source of the confusion):
(JWT Claims constraints must exist in the signing credential) unless (the verifier has a separate trust relationship with the credential)
However, because so far the IETF has mostly avoided the question of who should trust who for what, RFC 8224 says:
the verifier must have a separate trust relationship with the credential

Hopefully that formulation makes it clear that the "unless" clause is always going to be true, so the bit before the unless carries no meaning.

Jack

From: Chris Wendt <chris-ietf@chriswendt.net>
Sent: 19 April 2022 23:46
To: Ben Campbell <ben@nostrum.com>
Cc: Alec Fenichel <alec.fenichel@transnexus.com>; Jack Rickard <jack.rickard@microsoft.com>; IETF STIR Mail List <stir@ietf.org>
Subject: [EXTERNAL] Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt

How does relying party have any indication?  You could negotiate different types of certs from different trusted relationships, or you could just have a single consistent policy across the board.  I more than worry about the former approach will erode trust unless we are consistent, will give excuses to take short-cuts because some feel like they are more trusted than others, but i think that is wrong attitude.  And we need to set the bar very high for trust across eco-system in particular for RCD.

I think we are going beyond scope of our work at IETF, but I understand we need example for conversation.

For IETF spec, i would prefer for "rcd" PASSporT specifically (as opposed to other PASSporTs) we set bar of current text.  Like i said, i didn't remove the other option, but we can have these conversations in other context as well.


On Apr 19, 2022, at 6:34 PM, Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>> wrote:

If an OSP vets and signs RCD, would  you expect the signing cert to have claim constraints? It would have to issue itself a different cert for each caller, right? Or do you have some sort of RCD constraint delegation in mind?

I have assumed constraints to be a way to decouple vetting from signing. It seems like a waste of effort if the signer _is_ the vetting party.

Ben.


On Apr 19, 2022, at 5:07 PM, Chris Wendt <chris-ietf@chriswendt.net<mailto:chris-ietf@chriswendt.net>> wrote:

Constraints is the way to tie RCD information, TNAuthList is way to tie SPC->TN.  I believe both are necessary for explicit trust for relying party.  To make assumptions about subject or issuer being able to just "be trusted" enough to not have RCD represented in the cert doesn't provide that level of consistency for calls coming from signers of all trust levels.


On Apr 19, 2022, at 5:45 PM, Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>> wrote:

I agree the model should be consistent, but that doesn't mean every cert used to sign RCD claims needs constraints.

A relying party gets a passport with RCD claims. Are there claim constraints in the cert? If so, then does it trust the certificate issuer? If there are no constraints, does it trust the signer (i.e. the subject of the cert)?  And of course, there's the "constraints on some but not all RCD claims" case, so does it trust some of both?

I am carefully not saying "RCD passports".

All that being said, I know of at least one mobile provider that appears to let you set your own (I assume arbitrary) calling-name :-)

Ben.


On Apr 19, 2022, at 4:24 PM, Chris Wendt <chris-ietf@chriswendt.net<mailto:chris-ietf@chriswendt.net>> wrote:

I'm not saying this isn't possible, i'm just saying the signing/certificate/constraint model needs to be consistent across all.  You can't say one SPC is more trusted than other SPC.  And as long as the terminating party trusts the certificate of that mobile phone provider.  Again, this is not shaken attestation model.


On Apr 19, 2022, at 5:15 PM, Alec Fenichel <alec.fenichel@transnexus.com<mailto:alec.fenichel@transnexus.com>> wrote:

Chris,

Mobile phone providers generally do a credit check before they give a consumer a post-pay account. I would think that is more than enough confidence of a consumer's name to include an rcd nam claim in a shaken PASSporT without any additional vetting by a third party. What is the issue with just trusting the shaken PASSporT signed with the mobile phone provider's regular SHAKEN certificate?

Sincerely,

Alec Fenichel
Chief Technology Officer
TransNexus<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftransnexus.com%2F&data=05%7C01%7Cjack.rickard%40microsoft.com%7Ce41473cf3efd41e52fab08da22565247%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637860051420662717%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xJtBxMVEmZAgybrLK7dS8ToiEwTl60dj%2F2jHwqDzKXk%3D&reserved=0>
alec.fenichel@transnexus.com<mailto:alec.fenichel@transnexus.com>
+1 (404) 369-2407<tel:+14043692407>

From: stir <stir-bounces@ietf.org<mailto:stir-bounces@ietf.org>> on behalf of Chris Wendt <chris-ietf@chriswendt.net<mailto:chris-ietf@chriswendt.net>>
Date: Tuesday, April 19, 2022 at 17:10
To: Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>>
Cc: IETF STIR Mail List <stir@ietf.org<mailto:stir@ietf.org>>, Jack Rickard <jack.rickard@microsoft.com<mailto:jack.rickard@microsoft.com>>
Subject: Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt
Yes, scope should be SPC, but if RCD is associated with TN, i think it has to be signed in that context.



On Apr 19, 2022, at 5:02 PM, Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>> wrote:

I agree this is not about delegate certs for A attestation. I think you are arguing that, if an OSP signs RCD, they can't use their SHAKEN certificate.  I'm missing the "why" part. What sort of certificate do you think an OSP that does it's own RCD vetting should use? Keeping in mind that, at least for the STI usage, delegate certificate scope is also tied to a service provider SPC.

Thanks!

Ben.




On Apr 19, 2022, at 3:38 PM, Chris Wendt <chris-ietf@chriswendt.net<mailto:chris-ietf@chriswendt.net>> wrote:

Hi Ben,

Something that has become clearer to me, and i think i'm not the only one saying it, is that for RCD vs shaken, and this is not about delegate certificates used for "A" attestation, this is for RCD being received at the TSP, the RCD information needs to be signed by a party that the TSP can trust. Whether that is 3rd party service, or delegate certificate that has constraints by the vetting party, or whatever the model, even if it is an OSP that is signing the information, the bar has to be consistent for RCD information, and the bar needs to be high.

Whether you are the biggest OSP in the world, or the smallest, we can't rely on SPC level "shaken" signing model to trust RCD data.  So, this is what i'm trying to get to.

-Chris



On Apr 19, 2022, at 3:22 PM, Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>> wrote:





On Apr 19, 2022, at 1:33 PM, Chris Wendt <chris-ietf@chriswendt.net<mailto:chris-ietf@chriswendt.net>> wrote:



Section 15
The second paragraph seems to be suggesting that only certificates containing JWTClaimsConstraints should be trusted to add rcd information (without some other trust relationship), but I don't understand why this is the case? Surely, you either trust the entity that added the RCD information or you don't, why should extra constraints on the certificate have any impact on that? I expected this section to say something like "The verifier must validate that the signer is trusted to provide Rich Call Data, in addition to having authority over the originating address".

This also raises the question of whether an RCD passport authenticates the originator like a base passport? I don't think there's any text to suggest that it doesn't, but that would prevent intermediaries who have no authenticated relationship with the originator from adding RCD information.

An intermediary can add an RCD PASSporT.  Authenticated relationships are a "shaken" concept not an "rcd" concept, RCD information should be vetted and signed by a party the destination can trust did that validation specific to RCD for a given telephone number(s).  This is the key to what i am trying to clarify.  How can i have an SPC level "shaken" certificate for RCD information with integrity, it makes no sense.
I didn't remove the ability to put "rcd" infomation in other PASSporTs, but it's not something i think we should be recommending for mainstream cases.


I have to disagree here. I think it's perfectly reasonable that an OSP could properly vet RCD information and that a relying party could trust its SHAKEN-credential signature over the RCD claims. I don't see why that is harder to believe than to believe that the issuer of a delegate cert could properly vet RCD values to create claim constraints in the certificate. In both cases, the relying party must decide who to trust.

I think this really comes down to two cases of authority (and liability)
1) RCD signed with a delegate-cert with JWTClaimConstraints -- The certificate issuer is the RCD on the hook for vetting RCD
2) RCD signed with a cert with no JWTClaimConstraints (e.g. SHAKEN cert): The passport signer is on the hook for vetting RCD.

For case 2, I don't expect anyone to trust the signature of a typical caller that signs its own calls. But I think it highly likely people will trust an established OSP. Especially if they already trust that OSP to attest to the calling-number validity.

Don't get me wrong, I like the delegate-cert with claim constraints models better. But I fully expect that some OSPs will prefer to put RCD claims in SHAKEN passport. (I also expect some won't).

Ben.



_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fstir&data=05%7C01%7Cjack.rickard%40microsoft.com%7Ce41473cf3efd41e52fab08da22565247%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637860051420662717%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=okycV9X8HIhM7ZCOQ2oTW7YZNguKQLFirrAXKuNAFxg%3D&reserved=0>

v2.23.0 | Report a Bug | By Email