IETF Logo Mail Archive

Re: [stir] On OCSP, TNs, and Privacy

"DOLLY, MARTIN C" <md3135@att.com> Tue, 28 July 2015 19:36 UTC

Return-Path: <md3135@att.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31DF11B2E61 for <stir@ietfa.amsl.com>; Tue, 28 Jul 2015 12:36:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YO3kcDbjtrNY for <stir@ietfa.amsl.com>; Tue, 28 Jul 2015 12:36:10 -0700 (PDT)
Received: from nbfkord-smmo07.seg.att.com (nbfkord-smmo07.seg.att.com [209.65.160.93]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5856D1B2E5F for <stir@ietf.org>; Tue, 28 Jul 2015 12:36:07 -0700 (PDT)
Received: from unknown [144.160.229.24] (EHLO alpi155.enaf.aldc.att.com) by nbfkord-smmo07.seg.att.com(mxl_mta-7.2.4-5) with ESMTP id 7a9d7b55.2b9bb0813940.643056.00-2482.1839445.nbfkord-smmo07.seg.att.com (envelope-from <md3135@att.com>); Tue, 28 Jul 2015 19:36:07 +0000 (UTC)
X-MXL-Hash: 55b7d9a7507a0b78-dfe6c185ffde44033fc8057e4a121b058578d910
Received: from unknown [144.160.229.24] (EHLO alpi155.enaf.aldc.att.com) by nbfkord-smmo07.seg.att.com(mxl_mta-7.2.4-5) over TLS secured channel with ESMTP id c99d7b55.0.642923.00-2343.1839024.nbfkord-smmo07.seg.att.com (envelope-from <md3135@att.com>); Tue, 28 Jul 2015 19:35:56 +0000 (UTC)
X-MXL-Hash: 55b7d99c6b756e6b-965b2adbb8675fff6dae1f7af6bfe547972be377
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id t6SJZtog019277; Tue, 28 Jul 2015 15:35:56 -0400
Received: from mlpi407.sfdc.sbc.com (mlpi407.sfdc.sbc.com [130.9.128.239]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id t6SJZfip018937 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 28 Jul 2015 15:35:48 -0400
Received: from MISOUT7MSGHUBAD.ITServices.sbc.com (MISOUT7MSGHUBAD.itservices.sbc.com [130.9.129.148]) by mlpi407.sfdc.sbc.com (RSA Interceptor); Tue, 28 Jul 2015 19:35:29 GMT
Received: from MISOUT7MSGUSRDB.ITServices.sbc.com ([169.254.2.200]) by MISOUT7MSGHUBAD.ITServices.sbc.com ([130.9.129.148]) with mapi id 14.03.0224.002; Tue, 28 Jul 2015 15:35:29 -0400
From: "DOLLY, MARTIN C" <md3135@att.com>
To: Henning Schulzrinne <Henning.Schulzrinne@fcc.gov>
Thread-Topic: [stir] On OCSP, TNs, and Privacy
Thread-Index: AQHQyLmIvVsjGeB+H0aKZAlcHlFXg53wbvsAgAAgjQCAAJs4gIAABZ6AgAAApQCAAALJAIAAUN+AgAADzgD//78yoQ==
Date: Tue, 28 Jul 2015 19:35:29 +0000
Message-ID: <7DE72B93-5458-4DF9-943C-D0F331254EC4@att.com>
References: <CAL02cgS_5HrsbeK13T=j31j101hOuSxpjzzRKT93_2zze1xuAg@mail.gmail.com> <BAFABE68-20A7-4C91-9F15-E33E3D5379B5@brianrosen.net> <4B1956260CD29F4A9622F00322FE0531011D3D1D5043@BOBO1A.bobotek.net> <8bcb891a0db145d6882b17374210fd21@PLSWE13M08.ad.sprint.com> <CAL02cgTiZnLxpmcHb57f31NEFcLu-XY=hRQ-5jrsn11x6mtZBQ@mail.gmail.com> <0f678e7a59904ae5b2a2dabce1a4e0a2@PLSWE13M08.ad.sprint.com> <CY1PR09MB06343E53B0B396964D6EF811EA8D0@CY1PR09MB0634.namprd09.prod.outlook.com> <38726EDA2109264987B45E29E758C4D60586269A@MISOUT7MSGUSRDD.ITServices.sbc.com>, <CY1PR09MB0634E8BB71B6A01765E77D23EA8D0@CY1PR09MB0634.namprd09.prod.outlook.com>
In-Reply-To: <CY1PR09MB0634E8BB71B6A01765E77D23EA8D0@CY1PR09MB0634.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: NUMBER PORTABILITY, public
X-AnalysisOut: [v=2.0 cv=ONaQK1mB c=1 sm=1 a=dhB6nF3YHL5t/Ixux6cINA==:17 a]
X-AnalysisOut: [=zQP7CpKOAAAA:8 a=zOBTXjUuO1YA:10 a=izV7ms69AAAA:8 a=48vgC]
X-AnalysisOut: [7mUAAAA:8 a=VfgTrTGYAAAA:8 a=HLLxP2VMAAAA:8 a=eYoRx4E0BzAe]
X-AnalysisOut: [EVvbwusA:9 a=pILNOxqGKmIA:10 a=DzjOOp_o1eYA:10 a=xmyk6UmIt]
X-AnalysisOut: [EXoxf5e:21 a=r428_A1QsAua6M77:21]
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2015072801)]
X-MAIL-FROM: <md3135@att.com>
X-SOURCE-IP: [144.160.229.24]
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/b_tYux5eV0QMp3WbR-9g8mTSQW4>
Cc: "stir@ietf.org" <stir@ietf.org>, "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>, "PFAUTZ, PENN L" <pp3129@att.com>
Subject: Re: [stir] On OCSP, TNs, and Privacy
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 19:36:14 -0000

It has to be easy and deplorable, without creating a business case for some 3rd party or we may just have white/black lists

Sent from my iPhone

> On Jul 28, 2015, at 3:27 PM, Henning Schulzrinne <Henning.Schulzrinne@fcc.gov> wrote:
> 
> That was certainly one of the models that have been discussed in the past. Particularly for small carriers, this would likely reduce the operational impact to a configuration option in the SBC.
> 
> The disadvantage of this model is caller privacy: If the cert is stored at a numbering authority, it would be easy for that authority to know which carrier is receiving calls from whom. (It's not the complete meta data since it's lacking the callee information.)
> 
> However, unless the TN-to-LRN (in the US) mapping is cached, this "leak" already exists today.
> 
> -----Original Message-----
> From: PFAUTZ, PENN L [mailto:pp3129@att.com] 
> Sent: Tuesday, July 28, 2015 3:14 PM
> To: Henning Schulzrinne <Henning.Schulzrinne@fcc.gov>; Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>
> Cc: stir@ietf.org
> Subject: RE: [stir] On OCSP, TNs, and Privacy
> 
> Forgive me but my reptile brain keeps whispering in my ear that this would be a lot easier if we simply had a numbering registry, whether distributed or centralized - like we need anyway for at least for number portability - that also contained the public keys. No tedious mucking about in cyberspace with certs, CRLs, or OCSP.
> 
> 
> 
> -----Original Message-----
> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Henning Schulzrinne
> Sent: Tuesday, July 28, 2015 10:24 AM
> To: Gorman, Pierce A [CTO]
> Cc: stir@ietf.org
> Subject: Re: [stir] On OCSP, TNs, and Privacy
> 
> In the US alone, we have about 4000 carriers. Managing the reputation of that many entities, reliably (i.e., without making false positive/negative mistakes) seems a whole lot more manual effort than storing bags of bits. Storage and automation is cheap, human judgement and dealing with mistakes is expensive.
> 
> Obviously, nothing in the architecture prevents wildcard certificates.
> 
> -----Original Message-----
> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Gorman, Pierce A [CTO]
> Sent: Tuesday, July 28, 2015 10:14 AM
> To: Richard Barnes <rlb@ipv.sx>
> Cc: stir@ietf.org; Alex Bobotek <alex@bobotek.net>; Brian Rosen <br@brianrosen.net>
> Subject: Re: [stir] On OCSP, TNs, and Privacy
> 
> I thought the discussion was on key/cert management.  I'm asking if I understood the suggestion to minimize requirements.  How is that off topic?
> 
> Best regards,
> 
> 
> Pierce Gorman
> Core Network Planning
> O: 913-439-4368
> pierce.gorman@sprint.com
> 
> 
> -----Original Message-----
> From: Richard Barnes [mailto:rlb@ipv.sx]
> Sent: July 28, 2015 9:12 AM
> To: Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>
> Cc: Alex Bobotek <alex@bobotek.net>; Brian Rosen <br@brianrosen.net>; stir@ietf.org
> Subject: Re: [stir] On OCSP, TNs, and Privacy
> 
>> On Tue, Jul 28, 2015 at 9:51 AM, Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com> wrote:
>> "Large scale certificate management is expensive, and TN-specific certificates are unneeded for securing calls placed by parties who choose to place calls through a single reputable telephone service provider."
>> 
>> Are you saying that for "on-net" calls, STIR methodology is unnecessary?
> 
> This seems a little off-topic for this list.
> 
> --Richard
> 
>> 
>> Best regards,
>> 
>> 
>> Pierce Gorman
>> Core Network Planning
>> O: 913-439-4368
>> pierce.gorman@sprint.com
>> 
>> 
>> -----Original Message-----
>> From: Alex Bobotek [mailto:alex@bobotek.net]
>> Sent: July 27, 2015 11:36 PM
>> To: Brian Rosen <br@brianrosen.net>; Richard Barnes <rlb@ipv.sx>
>> Cc: stir@ietf.org
>> Subject: Re: [stir] On OCSP, TNs, and Privacy
>> 
>> What motivation would a carrier have to choose any model other than carrier signing using one of a very limited set of carrier-owned keys?  Large scale certificate management is expensive, and TN-specific certificates are unneeded for securing calls placed by parties who choose to place calls through a single reputable telephone service provider.  Anyone can get many certificates, even a free ones anonymously from some issuers.  It is typically a combination of the strength of the end-user authentication performed by the service provider (or certificate issuer in a provider-agnostic model) and the identity's history that are most useful in security.
>> 
>> If we're trying to secure the current telephone system, DNS-like key repositories a la DKIM or perhaps a small number (compared to the number of TNs) of certificates are far more practical.
>> 
>> Regards,
>> 
>> Alex
>> 
>>> -----Original Message-----
>>> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Brian Rosen
>>> Sent: Monday, July 27, 2015 7:40 PM
>>> To: Richard Barnes <rlb@ipv.sx>
>>> Cc: stir@ietf.org
>>> Subject: Re: [stir] On OCSP, TNs, and Privacy
>>> 
>>> What this means in practice is that it’s TN per cert.
>>> 
>>> I wouldn’t say that it’s impossible for a carrier to maintain dozens 
>>> of copies of millions of private keys securely, but it’s hard.  You 
>>> need multiple copies because you have multiple elements that can 
>>> initiate a call, and you don’t want to depend on a centralized 
>>> resource to do something as basic as create a call.
>>> 
>>> I think it’s hard enough that REQUIRING cert per TN is not acceptable.
>>> 
>>> Folks with more intimate knowledge of carrier SIP infrastructure 
>>> might have more insight than I do.  It may be acceptable to have a 
>>> centralized resource to manage millions of keys.
>>> 
>>> Brian
>>> 
>>>> On Jul 27, 2015, at 6:13 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>>> 
>>>> After the STIR meeting in Prague, Henning and I spent a few minutes 
>>>> talking through options for revocation checking and certificate 
>>>> scoping, and I think we have a better idea of what the optimal 
>>>> solution looks like.  Some notes are below, and some slides with 
>>>> pictures attached.
>>>> 
>>>> tl;dr: We should:
>>>> * Keep TNs in certificates and not bother with any OCSP extensions
>>>> * Require Identity-Info to include OCSP responses for all certs in 
>>>> the chain
>>>> 
>>>> 
>>>> # Background: Revocation in the web PKI
>>>> 
>>>> In an HTTPS transaction, the HTTPS server provides the client with 
>>>> a certificate, and it can optionally include an OCSP response ("staple"
>>>> it to the transaction).
>>>> 
>>>> A certificate contains a validity interval, a key, and some names/TNs.
>>>> An OCSP responses contains a validity interval, a certificate ID 
>>>> (i.e., a hash), and a status (good/revoked/unknown).  In the web 
>>>> PKI, certificates are required to be no more than 39 months long, 
>>>> and OCSP responses no more than 10 days.
>>>> 
>>>> Ideally, a client only considers a certificate valid if it is 
>>>> accompanied by an OCSP response.  In practice, this is not always 
>>>> possible; because OCSP queries fail around 3% of the time, browsers 
>>>> can't require OCSP.  This operational fact will be important below, 
>>>> but we will continue to have scoping cert lifetimes as an objective.
>>>> 
>>>> In the web PKI, there are basically three revocation checking modalities:
>>>> 
>>>> 1. Live OCSP checking [RFC6069]
>>>> 2. OCSP stapling / must_staple [RFC6066, 
>>>> draft-hallambaker-tlsfeature] 3. Short-lived certificates (~OCSP
>>>> lifetime)
>>>> 
>>>> (The last of these is relatively novel, and has not been deployed.
>>>> Neither has must-staple.  But they're both pretty trivial, and 
>>>> could be folded into a STIR architecture pretty easily.)
>>>> 
>>>> Right now, about 90% of TLS transactions use live OCSP, and about 10%.
>>>> CAs and browsers dearly want the world to move toward stapled OCSP 
>>>> or short-lived certs, because these reduces latency and improve the 
>>>> quality of revocation information.
>>>> 
>>>> Revocation for CA certificates is currently done by having browsers 
>>>> download a list from a centralized server, since there's no way to 
>>>> staple more than one OCSP response.  That solution works OK for the 
>>>> web, but if I were designing something de novo, I would probably 
>>>> use multi-stapling as well.
>>>> 
>>>> 
>>>> # Applying this experience to STIR
>>>> 
>>>> Most of the below appear to be desired properties by the WG:
>>>> 
>>>> * Verifier neeeds to know that a cert is valid for a specific 
>>>> number
>>>> * Scoped cert lifetime: Limit certs to ~1week lifetime (by OCSP if 
>>>> issued longer)
>>>> * Caller privacy: Don't report what calls someone receives to a 
>>>> central server
>>>> * Carrier privacy: Don't allow a third party to figure out all the 
>>>> numbers a carrier holds
>>>> * Minimize the rate at which the CA has to sign things
>>>> * Tolerate outages at the CA
>>>> 
>>>> I'm going to assume for now that we will not do live OCSP.  It 
>>>> violates the caller privacy requirement, and as discussed above, it 
>>>> just sucks operationally.  So STIR should require OCSP to be sent 
>>>> in "stapled" form, which probably means sending it in Identity-Info.
>>>> And while we're at it, we should also do "multi-stapling" -- send 
>>>> an OCSP response for CA certs as well.
>>>> 
>>>> So if we consider a server with 50k TNs / blocks, that leaves us 
>>>> with basically 3 options:
>>>> 
>>>> 1. 50k short-lived certs (no OCSP)
>>>> 2. 50k long-lived certs scoped to TNs + generic OCSP 3. 1 
>>>> long-lived cert not scoped to TN (or a few loosely scoped) + OCSP 
>>>> with TN info
>>>> 
>>>> (As I didn't quite get to say in the meeting, regardless of the 
>>>> approach, you have to have 50k of *something*.)  Of these, it seems 
>>>> like the preference order is 2 > 1 > 3.
>>>> 
>>>> Option 3 is bad from several perspectives:
>>>> * Putting TN info in the OCSP response enables someone to trawl for 
>>>> numbers unless you access-control the OCSP server, so you inherit a 
>>>> requirement to do that.
>>>> * With the rate of churn in number assignments, you're probably 
>>>> going to have to update the long-lived cert pretty frequently anyway.
>>>> * Putting TN-specific stuff in certs is better than putting it in 
>>>> OCSP.  As bad as X.509 libraries can be, OCSP libraries are much 
>>>> worse.
>>>> 
>>>> Option 1 is mainly bad from the perspective of CA load and outages.
>>>> With Option 2, if the CA goes down, client can continue to use the 
>>>> long-lived cert and just not bother doing OCSP (vs. tolerating an 
>>>> expired cert).  Slightly cleaner.  Plus, there's a lot more 
>>>> experience caching OCSP than new certs.  OCSP signing can also be 
>>>> delegated, so you can have the recurring operation done by a lower-risk key.
>>>> 
>>>> Option 2 should be pretty easy to automate.  You can probably 
>>>> re-use tooling for OCSP stapling that has already been developed 
>>>> for use with HTTPS.  If you're a big box signing for a bunch of 
>>>> numbers, you do need to select the right cert and OCSP response for 
>>>> a given call, but that's a pretty simple lookup table.
>>>> <STIR.pptx>_______________________________________________
>>>> stir mailing list
>>>> stir@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/stir
>>> 
>>> _______________________________________________
>>> stir mailing list
>>> stir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/stir
>> 
>> ________________________________
>> 
>> This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
> 
> ________________________________
> 
> This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email