IETF Logo Mail Archive

Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

Chris Wendt <chris-ietf@chriswendt.net> Mon, 25 October 2021 18:25 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E0083A0D2D for <stir@ietfa.amsl.com>; Mon, 25 Oct 2021 11:25:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.796
X-Spam-Level:
X-Spam-Status: No, score=-1.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQkB-Ui5D2ML for <stir@ietfa.amsl.com>; Mon, 25 Oct 2021 11:25:24 -0700 (PDT)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3701B3A1178 for <stir@ietf.org>; Mon, 25 Oct 2021 11:20:53 -0700 (PDT)
Received: by mail-qv1-xf2c.google.com with SMTP id d10so3386905qvl.13 for <stir@ietf.org>; Mon, 25 Oct 2021 11:20:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=GMT269IgUTV+POHQRe3KUAUUbUHVCqpGjTx/xvAvO9U=; b=RQGhBadgmyWVL0PD6SPkAupBtEpMiTJCXEgTiPAS0CoQGgHO40nIWD4MrxOvPASZvd QmTZx//0N8Bvjen55xExHjfOH6DN1oBJNnSuIOTo9+E24U8X8KjWWvnBKhRYkvcU+YUQ n6ZFPqflxxfWBeQ8hahnn2B9CsUaehBYtGfdTCBPwjDr3IWVrWAqoeCfWb5NRSOToYMd 2DXJHROAHqOl2Nu2f5thRicIMW7FCABYgCxNZA9VLsLMcN+55WJkNLj2SVd9Ga0AUz6E h/4ajrnheCeeVnsVDbPQTrbke+eZd9hrIHbaxXuqAPdQfzjub29Rbv8Fuz81VIoJFtEb +Z2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=GMT269IgUTV+POHQRe3KUAUUbUHVCqpGjTx/xvAvO9U=; b=CPlh8ohtuytYlvmU6s4l/vC8e+HMDlYzs8sW45dM4P1Oo7lHoJLMxnSCgEPg4BUKg7 UYPVnruXLWn96qFARX68HlVEnkxssiM596l/wC0AF98dmS0qZ+K5fc+dBm8rOneuXGZh VRJRNJLf2lOsKJs13C3MyB4UCAtL1EY7pCQWyQqciR3IA/3npl0uOJF/ZqBfJl0htAIG qqb0TWAHh+HkENCGRuB3hmdylhzDRinewjbxG7bDRTXW28+UmFj/vC4uVwu/7FhTPppX rWS+Tv2kyxjOGRjmfNqhWpHc+0Kcp4mulvkRPjG9lwiEJoh/LxoS7JFwC3Ew9c8khtcO s6Ug==
X-Gm-Message-State: AOAM533FGZeB7OzJBuxss3Wao74fqgv0ed0CfJMoNBAlRsBYx6kQQfhJ gFsrYbqCi5X26PI0LoAfEzXTuA==
X-Google-Smtp-Source: ABdhPJwB3cEf/CZq4LqrxHXPdRtqgWTy18gh/HovHpNsfbVDh7B2GzhrRlozGu+IZSx/ymi6Ulz2VQ==
X-Received: by 2002:ad4:41cb:: with SMTP id a11mr14035016qvq.40.1635186050569; Mon, 25 Oct 2021 11:20:50 -0700 (PDT)
Received: from smtpclient.apple (static-71-185-213-147.phlapa.fios.verizon.net. [71.185.213.147]) by smtp.gmail.com with ESMTPSA id l12sm8917990qtq.57.2021.10.25.11.20.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Oct 2021 11:20:50 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <8DDD70F9-587C-4A77-A1DA-9F781E387076@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3768F262-4B46-4B23-9D88-A293BF283982"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Mon, 25 Oct 2021 14:20:48 -0400
In-Reply-To: <AM5PR83MB0355DC26C1C4C8F1011DA1FB88839@AM5PR83MB0355.EURPRD83.prod.outlook.com>
Cc: Alec Fenichel <alec.fenichel=40transnexus.com@dmarc.ietf.org>, Ben Campbell <ben@nostrum.com>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
To: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>
References: <AM5PR83MB035516622330F5CD32DF0B5588BE9@AM5PR83MB0355.EURPRD83.prod.outlook.com> <BB62785D-A43F-43FA-A61A-ABFF6FBF6043@nostrum.com> <BN6PR11MB3921F8D627E293A0F80D088C99839@BN6PR11MB3921.namprd11.prod.outlook.com> <08113F61-C401-4D0B-9DA7-261284221FFE@nostrum.com> <BN6PR11MB392164563BF5D7E389AC7BD699839@BN6PR11MB3921.namprd11.prod.outlook.com> <D5A360AF-685C-496D-B9DC-B2DBBDD5E1DA@nostrum.com> <BN6PR11MB39217E246AC4168581E182E699839@BN6PR11MB3921.namprd11.prod.outlook.com> <AM5PR83MB0355DC26C1C4C8F1011DA1FB88839@AM5PR83MB0355.EURPRD83.prod.outlook.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/dFXuNyb6fQtXRDD5xet6WfJuN6M>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 18:25:29 -0000

I will be submitting a new draft very soon, but here is the paragraph i added to the verification section (without modifying the existing text)  Hopefully this is a good compromise, I sort of think it is and captures what everyone has been discussing, but let me know.  

-Chris

"In some middle box scenarios, a relying party may not have the need to validate content that is referenced by URIs (e.g. only wanting to validate base PASSporT info like "orig" and "dest" or other "rcd" info like "nam" or "apn"). In these scenarios, this proceedure while not considered a full verification, can be performed without verifying the full integrity checks of URI referenced content."


> On Oct 25, 2021, at 1:38 PM, Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org> wrote:
> 
> I’d also lean towards SHOULD NOT, for the same reasons. Anyone who wants to check the digests is only going to cause harm unless they are in a very odd situation.
>  
> Jack 
>  
> From: stir <stir-bounces@ietf.org> On Behalf Of Alec Fenichel
> Sent: 25 October 2021 17:41
> To: Ben Campbell <ben@nostrum.com>
> Cc: IETF STIR Mail List <stir@ietf.org>; Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>; Russ Housley <housley@vigilsec.com>
> Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
>  
> Ben,
>  
> I am flexible on the strength of the language in the spec. I just think we need to be very clear in the spec that the OSP verifying the integrity is all but useless. Resources are going to be cached. I would expect that just like certificates, the cache hit ratio will be extremely high (we see 99.99%+). So it is likely that one or both parties are just checking their cached copy of the resources, not the actual resources. So the OSP checking that the integrity matches does not indicate that it will match when the dereferencing entity checks the integrity.
>  
>  
>  
> > I think some of the big OSPs might choose not to send RCD claims at all if they cannot fully verify them at the time of transmission.
>  
> This check provides a false sense of security not any actual security. I just think we need to make sure that is understood.
>  
>  
>  
> > Local policy? Again, I suspect some operators will have a local policy of “send nothing I can’t be sure of”, even if that means “don’t send the other parts that might be fine."
>  
> They can’t be sure of it even if they check. Again, I think it is important that we make sure everyone understands that the OSP checking does not mean, or even imply, it will match when the dereferencing entity checks.
>  
>  
>  
> > No expectation to dereference is different than an expectation not to dereference. I support the former, not the latter, at least in the IETF spec.
>  
> I’m good with either so long as we make it clear what checking the integrity accomplishes (or in the OSP case, does not accomplish).
>  
>  
>  
> > But in any case, I’m not going to die on this hill. I prefer ‘MAY, or even just not saying anything. But If others want “SHOULD NOT”, I can live with it.
>  
> If we just say that the OSP MAY check, then this may be interpreted as something that is optional but provides better security, which it does not. So if we say MAY, then I think it is important to explain how checking doesn’t accomplish anything.
>  
>  
> Sincerely,
>  
> Alec Fenichel
> Senior Software Architect
> alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com>
> +1 (407) 760-0036
> TransNexus
>  
> From: Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
> Date: Monday, October 25, 2021 at 12:10
> To: Alec Fenichel <alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com>>
> Cc: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org <mailto:jack.rickard=40microsoft.com@dmarc.ietf.org>>, IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
> 
> Hi, see inline:
>  
> 
> On Oct 25, 2021, at 10:45 AM, Alec Fenichel <alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com>> wrote:
>  
> I think SHOULD NOT is what we want.
>  
> What happens if the integrity check fails? I would argue the OSP should still send it downstream including inserting it into their “shaken” PASSporT. So dereferencing the resources just adds post dial delay if the outcome of checking the integrity doesn’t change the expected behavior.
>  
> I think some of the big OSPs might choose not to send RCD claims at all if they cannot fully verify them at the time of transmission. I recognize that is not ideal from an end-to-end trust model for RCD and delegate certs, but the current status quo is OSPs don’t send RCDl, and I get the impression that some operators are nervous about the idea of doing it in the first place.
>  
> I do suspect that, when they fully understand the cost of verifying RCDi for every call, they will choose not to do so. But I think that is their choice to make,
>  
>  
> 
>  
> Also, there could be a dozen resources (logos of various sizes). What if one of them failed to download (server 404) but the rest worked? How do you handle a partial failure? I think we want to avoid having to address this scenario.
>  
> Local policy? Again, I suspect some operators will have a local policy of “send nothing I can’t be sure of”, even if that means “don’t send the other parts that might be fine."
>  
>  
> We should make it clear that there is absolutely no expectation that the OSP dereferences the resources. The OSPs simply passes what they receive (assuming all of the other validation checks pass).
>  
> No expectation to dereference is different than an expectation not to dereference. I support the former, not the latter, at least in the IETF spec. (I could imagine IP-NNI strengthening the requirement to the latter). 
>  
> But in any case, I’m not going to die on this hill. I prefer ‘MAY, or even just not saying anything. But If others want “SHOULD NOT”, I can live with it.
>  
> Ben.
>  
> 
>  
> Sincerely,
>  
> Alec Fenichel
> Senior Software Architect
> alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com>
> +1 (407) 760-0036
> TransNexus
>  
> From: Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
> Date: Monday, October 25, 2021 at 11:29
> To: Alec Fenichel <alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com>>
> Cc: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org <mailto:jack.rickard=40microsoft.com@dmarc.ietf.org>>, IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
> 
> Do you mean the second sentence to have the strength of a SHOULD NOT? I can imagine an OSP that might prefer not to transmit any RCD content without confirming it is valid at the time of transmission. Perhaps for liability or contractual reasons. Would we want to strongly discourage that, or just leave it as local policy? 
>  
> One particular use case I can imagine is an OSP that copies RCD claims into it's SHAKEN certificate to be signed with its own credentials. While that might not really require them to verify integrity if they include the RCDi claim, they may well have an aversion to signing something that they haven’t completely verified.  (Assuming they don’t also rehost the external content as part of this, in which case they would need to verify integrity)
>  
> Thanks!
>  
> Ben.
>  
>  
> 
> On Oct 25, 2021, at 10:18 AM, Alec Fenichel <alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com>> wrote:
>  
> Another way of putting it: the entity dereferencing the resource must verify that the resource matches the supplied integrity. The resource should not be dereferenced for the sake of verifying the integrity.
>  
> Sincerely,
>  
> Alec Fenichel
> Senior Software Architect
> alec.fenichel@transnexus.com <mailto:alec.fenichel@transnexus.com>
> +1 (407) 760-0036
> TransNexus
>  
> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> on behalf of Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
> Date: Monday, October 25, 2021 at 11:07
> To: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org <mailto:jack.rickard=40microsoft.com@dmarc.ietf.org>>
> Cc: IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
> 
> (as individual)
>  
> I think I agree with you in general. To paraphrase the conclusions:
>  
> The VS MUST verify the passport signature and the claim constraints. That verifies that the claim values are correct has signed by the  AS, for example that the value in the rcdi is the correct value. Any party that uses RCD claims that are covered by an rcdi hash MUST verify that hash before trusting that content. Other parties MAY verify it according to local policy.
>  
> Does that match your thoughts?
>  
> 
> On Oct 20, 2021, at 6:37 AM, Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org <mailto:jack.rickard=40microsoft.com@dmarc.ietf.org>> wrote:
>  
> Hi all,
>  
> To clarify things, and hopefully reduce the number of rounds of review, this is a write-up of my position (and hopefully some alternative positions) on rcdi validation.
>  
> rcdi is a mechanism to ensure the integrity of the rcd information, and so any entity that retrieves/uses the rcd information clearly must validate that information against the rcdi digests, otherwise it could not trust what it had downloaded.
>  
> However, any verification service that does not need to retrieve the RCD information, cannot and possibly should not always retrieve and validate it, for a few reasons:
> There isn’t enough time – downloading and validating all the data (or in fact any data) takes a prohibitively long time, especially as an intermediate verification service does not know which bits of data are going to be used.
> The data could change – even if an intermediate does perform the validation, the end entity must repeat this as the information it retrieves could very well be different to what the intermediate validated.
> There was discussion in the meeting of a TSP that rehosted the RCD information, in that case it is the end entity in this discussion and realistically needs its own integrity mechanism on what it has rehosted.
> An intermediate could reject something that the end entity would accept – downloading information from the internet is not perfectly reliable, there could be firewall issues, or just temporary server issues that cause an intermediate validator to not be able to get the RCD information, in which case it would fail to validate the passport and throw out all the rcd information (and potentially all the STIR information). An end entity does not have to do this, it might be able to retrieve items the intermediate cannot, it might not want all the information in the first place, and in the worst case it can gracefully degrade the rcd information it cannot access.
>  
> Taking all of that, I believe that the rcd and rcdi information should be treated as “valid” in the context of PASSporT verification if the data in the PASSporT is correct (this would include checking JWTClaimConstraints), but not depend on any of the referenced information’s integrity.
>  
> There is a question there about “/rcd”,”/nam”, and “/apn” digests, for the sake of simplicity I’d suggest they also aren’t required to be checked by the verifier, but I don’t believe it matters.
>  
> There are some issues with this approach though:
> Security is more complicated – this split validation model introduces extra complexity to the security of RCD information in PASSporTs. As far as I can tell, this wouldn’t introduce any new attack vectors, but does place a greater burden on the end entity doing things correctly.
> This introduces a new entity – I don’t believe any previous documents have made a distinction between the end entity and verification services, just focusing on authentication services and verification services. This introduces actions that this end entity must perform for the system to conform to the standard.
>  
>  
> Those issues are not enough to change my mind; however, I welcome different opinions and there are almost certainly more I haven’t thought of or weren’t discussed.
>  
> Thanks,
> Jack Rickard 
> he/him 
> Software Engineer 
> jack.rickard@microsoft.com <mailto:jack.rickard@microsoft.com> 
> 
> <Picture (Device Independent Bitmap) 1.jpg>
>  
>  
>  
>  
> _______________________________________________
> stir mailing list
> stir@ietf.org <mailto:stir@ietf.org>
> https://www.ietf.org/mailman/listinfo/stir <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fstir&data=04%7C01%7Cjack.rickard%40microsoft.com%7Cc9e78e642ef44f53c38f08d997d638db%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637707768647923466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=MKx0x0OiVcvQLQ8IJldfNOzav2R1Hv0R5optcZUT0Js%3D&reserved=0>
>  
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email