Re: [stir] [Technical Errata Reported] RFC8224 (6499)

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 01 April 2021 07:00 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Cullen Jennings <fluffy=40cisco.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Chris Wendt <chris-ietf@chriswendt.net>
CC: Eric Rescorla <ekr@rtfm.com>, Jon Peterson <jon.peterson@neustar.biz>, Marc Petit-Huguenin <marc@petit-huguenin.org>, IETF STIR Mail List <stir@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>, Robert Sparks <rjsparks@nostrum.com>
Date: Thu, 01 Apr 2021 07:00:11 +0000
Message-ID: <AM0PR07MB38602AA10088C7CFDC2771C0937E9@AM0PR07MB3860.eurprd07.prod.outlook.com>
References: <20210327204839.06FA2F4076D@rfc-editor.org> <F39D942E-717B-4CE8-833C-F7D25CF6D600@vigilsec.com> <40111C58-5A2E-4B36-BBB4-42D639FCC630@cisco.com>
In-Reply-To: <40111C58-5A2E-4B36-BBB4-42D639FCC630@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/fL93W3UevJTbEePsSimLAf5aRoo>

Hi,

>Uh, I’m not sure. I’m not up to speed on this enough and certainly defer to the people that know more than me.
>
>I agree the passport is base64url encoded, but are the strings we are talking about here done the same way? It looks like 4474 has them as base64 encoded.
>
>My read was the passport string was base64url encoded, then that string was used with combined and encoded a second time with base64 encode to go in the identity header.

There is no "encoded second time" procedure defined, afaik.

Note that while RFC 8224 defines usage of BASE64 (as indicated in the errata), the examples in Section 4.1.1 of 8224 actually use BASE64URL encoding.

   Identity: eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1I \
   joiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJ \
   kZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdC \
   I6IjE0NDMyMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0.r \
   q3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \
   ojNCpTzO3QfPOlckGaS6hEck7w;info=<https://biloxi.example.org \
   /biloxi.cert>

   Identity: ..rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qj \
   pjlk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w;                    \
   info=<https://biloxi.example.org/biloxi.cert>

Note the "-" (dash) character in the signature values. Dash is used in BASE64URL, but not in BASE64.

The same goes for the examples in Section 5.1.

>Anyways, I have no idea what should happen here but the more I looked at it, the less obvious it was to me.
>
> I’d love to hear from Chris ?
>
> Anyways … as a practical point, if you move the Identity header from using base64 in 4474, to base64url in 8224, it seems likely that lots of SBC will reject them.
> That will be particularly frustrating to debug given it will not reject all of them where the different characters in the alphabet don’t occur.

In general I agree that it would be an issue.

However, note that even without the change in the errata the 8224 syntax is not 100% backwards compatible with 4474 - and that is explicitly indicated in 8224, so it is not a mistake.

And, as mentioned above, the examples in 8224 are using BASE64URL encoding.

Regards,

Christer




> On Mar 28, 2021, at 10:48 AM, Russ Housley <housley@vigilsec.com> wrote:
>
> I think this errata should be approved.
>
> Russ
>
>> On Mar 27, 2021, at 4:48 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>
>> The following errata report has been submitted for RFC8224,
>> "Authenticated Identity Management in the Session Initiation Protocol (SIP)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6499
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Marc Petit-Huguenin <marc@petit-huguenin.org>
>>
>> Section: 4
>>
>> Original Text
>> -------------
>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>         ident-info *( SEMI ident-info-params )
>> signed-identity-digest = 1*(base64-char / ".")
>> ident-info = "info" EQUAL ident-info-uri
>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>> ident-info-params = ident-info-alg / ident-type /
>>         ident-info-extension
>> ident-info-alg = "alg" EQUAL token
>> ident-type = "ppt" EQUAL token
>> ident-info-extension = generic-param
>>
>> base64-char = ALPHA / DIGIT / "/" / "+"
>>
>>
>> Corrected Text
>> --------------
>> Identity = "Identity" HCOLON signed-identity-digest SEMI
>>         ident-info *( SEMI ident-info-params )
>> signed-identity-digest = 1*(base64url-char / ".")
>> ident-info = "info" EQUAL ident-info-uri
>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>> ident-info-params = ident-info-alg / ident-type /
>>         ident-info-extension
>> ident-info-alg = "alg" EQUAL token
>> ident-type = "ppt" EQUAL token
>> ident-info-extension = generic-param
>>
>> base64url-char = ALPHA / DIGIT / "-" / "_"
>>
>>
>> Notes
>> -----
>> RFC 8225 makes it clear that the encoding is BASE64URL, not the standard BASE64 encoding.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or rejected.
>> When a decision is reached, the verifying party can log in to change
>> the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC8224 (draft-ietf-stir-rfc4474bis-16)
>> --------------------------------------
>> Title               : Authenticated Identity Management in the Session Initiation Protocol (SIP)
>> Publication Date    : February 2018
>> Author(s)           : J. Peterson, C. Jennings, E. Rescorla, C. Wendt
>> Category            : PROPOSED STANDARD
>> Source              : Secure Telephone Identity Revisited
>> Area                : Applications and Real-Time
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>> _______________________________________________
>> stir mailing list
>> stir@ietf.org
>> https://www.ietf.org/mailman/listinfo/stir
>

_______________________________________________
stir mailing list
stir@ietf.org
https://www.ietf.org/mailman/listinfo/stir
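Added illustration of the point argued in this thread (example code written for this page; it is not from the thread, from RFC 8224 or from any STIR implementation). The script encodes the two alphabets exactly as the errata report's original and corrected ABNF give them, parses an Identity header value into its signed-identity-digest and parameters, and reports which grammar the digest satisfies; it also decodes the PASSporT with base64url to show the header and payload JSON and the 64-byte ES256 signature. The sample inputs are the two Section 4.1.1 examples as quoted in the message above, kept with the RFC's backslash line continuations, plus a third input constructed here by re-encoding the same JWS with the standard base64 alphabet to show the reverse case (a verifier written to the published grammar would accept it, and one written to the errata grammar would not). The parameter parsing is deliberately minimal: it splits on ';' and '=' and does not handle quoted values.

```python
import base64
import json
import re
import string

# The two alphabets exactly as the errata report gives them ("." is the JWS segment separator).
# RFC 8224 Section 4 as published:            base64-char    = ALPHA / DIGIT / "/" / "+"
# Errata 6499 corrected text (RFC 4648 s.5):  base64url-char = ALPHA / DIGIT / "-" / "_"
BASE64_CHARS = frozenset(string.ascii_letters + string.digits + "/+")
BASE64URL_CHARS = frozenset(string.ascii_letters + string.digits + "-_")

# Constructed inputs: the two Section 4.1.1 examples as printed in the RFC, with its " \" continuations.
IDENTITY_FULL = (
    "Identity: eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1I \\\n"
    "joiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJ \\\n"
    "kZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdC \\\n"
    "I6IjE0NDMyMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0.r \\\n"
    "q3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \\\n"
    "ojNCpTzO3QfPOlckGaS6hEck7w;info=<https://biloxi.example.org \\\n"
    "/biloxi.cert>"
)
IDENTITY_COMPACT = (
    "Identity: ..rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qj \\\n"
    "pjlk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w;                    \\\n"
    "info=<https://biloxi.example.org/biloxi.cert>"
)


def unfold(header: str) -> str:
    """Rejoin the RFC's backslash line continuations; whitespace around them is not part of the value."""
    return re.sub(r"\s*\\\s*", "", header)


def parse_identity(header: str):
    """Split an Identity header into (signed-identity-digest, {param: value}). Minimal: no quoted values."""
    value = unfold(header).strip()
    if value.lower().startswith("identity:"):
        value = value[len("identity:"):].strip()
    digest, *params = value.split(";")
    pmap = {}
    for p in params:
        name, _, val = p.partition("=")
        pmap[name.strip()] = val.strip()
    return digest.strip(), pmap


def grammar_violations(digest: str, alphabet) -> list:
    """Characters of the digest that the given ABNF alphabet (plus '.') does not admit."""
    return sorted({c for c in digest if c != "." and c not in alphabet})


def b64url_decode(segment: str) -> bytes:
    """RFC 4648 base64url decode, restoring the padding that JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_passport(digest: str):
    """Decode a JWS compact serialization into (header, payload, signature bytes).

    Empty header/payload segments (the '..sig' form of the second example) decode to None.
    """
    parts = digest.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    hdr, pld, sig = parts
    header = json.loads(b64url_decode(hdr)) if hdr else None
    payload = json.loads(b64url_decode(pld)) if pld else None
    return header, payload, b64url_decode(sig)


def reencode_standard_base64(digest: str) -> str:
    """Constructed counter-example: the same JWS re-encoded with the '+' '/' alphabet, unpadded."""
    segs = []
    for seg in digest.split("."):
        segs.append(base64.b64encode(b64url_decode(seg)).decode("ascii").rstrip("=") if seg else "")
    return ".".join(segs)


def classify(header: str) -> dict:
    """Report which of the two grammars the header's digest satisfies, and the offending characters."""
    digest, params = parse_identity(header)
    bad_8224 = grammar_violations(digest, BASE64_CHARS)
    bad_errata = grammar_violations(digest, BASE64URL_CHARS)
    return {
        "digest": digest,
        "params": params,
        "rfc8224_base64_ok": not bad_8224,
        "errata_base64url_ok": not bad_errata,
        "offending_under_8224": bad_8224,
        "offending_under_errata": bad_errata,
    }


if __name__ == "__main__":
    for name, hdr in (("full", IDENTITY_FULL), ("compact", IDENTITY_COMPACT)):
        r = classify(hdr)
        print(name, "8224 grammar:", r["rfc8224_base64_ok"], "errata grammar:", r["errata_base64url_ok"],
              "offending under 8224:", r["offending_under_8224"])
    h, p, s = decode_passport(classify(IDENTITY_FULL)["digest"])
    print("header:", h)
    print("payload:", p)
    print("signature bytes:", len(s))
    std = reencode_standard_base64(classify(IDENTITY_FULL)["digest"])
    r = classify("Identity: " + std + ";info=<https://biloxi.example.org/biloxi.cert>")
    print("standard-base64 re-encoding: 8224 grammar:", r["rfc8224_base64_ok"],
          "errata grammar:", r["errata_base64url_ok"], "offending under errata:", r["offending_under_errata"])
```

Running it shows the asymmetry Cullen describes: both RFC examples fail the published base64-char grammar solely because of the two "-" characters in the signature, while the re-encoded variant (which carries "+" instead) passes it and fails the errata grammar. A verifier that simply decodes with a base64url decoder and never checks the alphabet accepts the RFC examples but would silently mis-decode a "+"/"/" signature, which is why the decoder and the grammar check should agree.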