IETF Logo Mail Archive

Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism

Eric Burger <eburger@standardstrack.com> Sun, 03 November 2019 16:00 UTC

Return-Path: <eburger@standardstrack.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4EE71200F1 for <stir@ietfa.amsl.com>; Sun, 3 Nov 2019 08:00:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.688
X-Spam-Level:
X-Spam-Status: No, score=-1.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=standardstrack.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id br70GP2Yq1_l for <stir@ietfa.amsl.com>; Sun, 3 Nov 2019 08:00:34 -0800 (PST)
Received: from se5e-lax1.servconfig.com (se5e-lax1.servconfig.com [173.231.200.192]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57C801200CC for <stir@ietf.org>; Sun, 3 Nov 2019 08:00:34 -0800 (PST)
Received: from biz221.inmotionhosting.com ([192.145.239.201]) by se5-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <eburger@standardstrack.com>) id 1iRIIk-000NtK-Cz for stir@ietf.org; Sun, 03 Nov 2019 11:00:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=standardstrack.com; s=default; h=Message-Id:In-Reply-To:To:References:Date: Subject:Mime-Version:Content-Type:From:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=+kqcqxazbJb78FLjelJE++lFLhXDESyqWJfkAFyC4IU=; b=Z3m9wqsMKiaR6oIAw5gLh9AyP G9MVW2Xzkr/Fy41Yb7Ff2B1tk5eiGB5siwkdpmGi/wyV7FB0V1aOymLdn9p/8xqShNq+9EmxhWt7w ZZMn3L4ZifaJr3n+Cth9JptZf6X49lTHWMp6UMEGmVtz63HHkqi/aUTGY1QEKDN4FmANQ=;
Received: from [68.100.101.142] (port=62458 helo=[192.168.10.23]) by biz221.inmotionhosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <eburger@standardstrack.com>) id 1iRIIO-004oOh-A5 for stir@ietf.org; Sun, 03 Nov 2019 08:00:16 -0800
From: Eric Burger <eburger@standardstrack.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8E8799EB-E275-42DC-B109-C58D5E4C0672"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sun, 03 Nov 2019 11:00:03 -0500
References: <D0D57997-56AC-4E68-BC12-2CE07C52B711@nostrum.com> <0CCCD3F6-B0A5-4B0C-B563-2E85AC3E3B3A@nostrum.com> <9DA8A5FC-866B-4DF3-BA76-68AF733EAF4D@chriswendt.net> <5A3DFEE8-60E0-4870-9689-FEAAFA0D7BE8@nostrum.com> <FE1ED9C6-2BDA-4A97-BCFC-CA6BDCAA9680@team.neustar> <B66C4ABF-5E37-4796-BF45-B2074C95EC56@nostrum.com> <5394EB92-8148-420F-96E4-DBA979D5F3FC@chriswendt.net>
To: "stir@ietf.org" <stir@ietf.org>
In-Reply-To: <5394EB92-8148-420F-96E4-DBA979D5F3FC@chriswendt.net>
Message-Id: <BBFAC9EA-F67C-4EC6-9491-C92DBC0A7087@standardstrack.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-OutGoing-Spam-Status: No, score=-1.0
X-Get-Message-Sender-Via: biz221.inmotionhosting.com: authenticated_id: eburger+standardstrack.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: biz221.inmotionhosting.com: eburger@standardstrack.com
X-Originating-IP: 192.145.239.201
X-SpamExperts-Domain: biz221.inmotionhosting.com
X-SpamExperts-Username: 192.145.239.201
Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.201@biz221.inmotionhosting.com
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.09)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0T9zDZOvA8ND4p2eQxdfzLSpSDasLI4SayDByyq9LIhV+eRH1E1Bb0qN r5fHKWwLRETNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGD+8X2eAtGOeP0Z7XEw4vpH7gN zB/4Jkrw1eDLcif59furergBkjQCb4U2CctVX6UNU7Tmz6iKnkQL9gqsxD3473Y3lsYPr3virg95 tZ609xdKJaSO6x9h2WTFfkPgGUz1Sq2swcqdmOMtvfhrEkAbG7Taa7C549MeGeF5Sg18i8MnUiya RmA46OGY+YsgOdbd3VAnSZlBxACg67tWDDh3WMpOFwbgZzA7SHJpgzfyrZMpuUU9pQmhp2NdRojj VXAB3i4EXXSueZzMCpX2tfOqKM5soQ0R2jS4GxDcxPFGC79DsyPhMEwz2OC3hXjXYvpwQy17Ychx ni5a2VYVYiL6p0zFIS4eFFedtqTPxkQeRTMManwrT2CVoVKwL3beb5/7R86t2EiC6GwMws7Gvvoz wOxTyssp4L0plUGigax8zy4LpVxP5YFZg5fgueXLf6LKHDJ71JSXKkUqfqsTqwEEUOidX4Ts4xdG +C13IyWeZaKNiIsfSD0epcLKhJ4EtPPlrqwqnkchNW9DxJQbvGDeOUam66OKuVWrZCiiiX0U+0gF VVikJYXKyGo2lFnLPaHwOuqJPPu/Mw4caI9hNjB7gP3QzxUBjDlIxq/CY6GWA8+LBDMrD7q/cJog wbqzsuoksATD6B4YJw/xkJTvi2DZT2gxaUBTIJceeww0VXdyJ0kSsWssF1D+fA8Xvinm4Do0lYuo +5LdcKljdQ3K6PzLBzwJWw42swm4bO6gacpMpzJJAaQB6RGfbERqROM6OR63chyvPJpL6DooRBPw XkYc1RNWLRL0zEKCV1rC6yEoKMXwY8LwTJ3glwd29LcBySVMm98OiyQ6+7o3FFiI0zRNn0gvzxVp TGvrZrKdIxaZrH3oREI39Ng7w+jWwVgutjGnuuve+J5DMBKo4X0ih5QNkGE9sb8xJz7YLbS4YH6b pqcEiBscwRdrth+1+oWTDTjsecoU4vapvCGSUh6RXSeW2w==
X-Report-Abuse-To: spam@se1-lax1.servconfig.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/h4rxXrOZNWxy9u6Hhfm7Y1Xajwc>
Subject: Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2019 16:00:37 -0000

SHOULD works if there is a strong UNLESS.

In this case, the SHOULD is functionally equivalent to MAY. I do like Ben’s suggestion of “MAY use, MUST verify if present.” That is something actionable.

> On Sep 20, 2019, at 10:33 AM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
> 
> We can talk on the call, but i think MAY seems a little too open ended to me.  I think high level there is three main levels of use-cases/security between use of “rcdi” and using JWT constraints.  I think i’d prefer to explicitly describe those scenarios, first not using “rcdi” at all, second using “rcdi” without constraints and then “rcdi” with constraints.  Does that make sense?
> 
> -Chris
> 
>> On Sep 16, 2019, at 5:41 PM, Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>> wrote:
>> 
>> 
>> 
>>> On Sep 13, 2019, at 12:17 PM, Peterson, Jon <jon.peterson@team.neustar <mailto:jon.peterson@team.neustar>> wrote:
>>> 
>>> 
>>> At a high level, what we want out of certs here is a capability that empowers the issuer of a certificate to constrain the contents of RCD when the signer signs a PASSporT. I don’t think we want to say that RCD can only be used when the JWT Constraint is present, and I don’t think we want to say that the integrity check provided by “rcdi” can only be present in a PASSporT when the signing certificate has a JWT Constraint in it. Including “rcdi” in the JWT Constraints should be just a hook, that the issuer of a certificate can use to make sure that RCD isn’t being abused in cases where there are concerns about that.
>> 
>> There’s nothing there I disagree with, but I don’t think that is quite what is captured in rcd-04.
>> 
>> Would it make sense to state the use of “rcdi” as MAY include and MUST verify if present.
>> 
>> 
>>> 
>>> Outside of the JWT Constraint, I was originally not immensely worried about link substitution attacks on the RCD system: that is, ones where the signer of an RCD PASSporT believes a URL in RCD points to an image of the Ford Motor Company, say, but while a SIP call is in transit, someone switches the resource that the URL indicates to an image of Chevrolet, so that when it is rendered on the terminating side the callee sees something different than the signer intended. The creator of the PASSporT, after all, picked that URL, and it just doesn’t make sense for them to pick a URL that they don’t have meaningful change control over. The only edge case where I see real concerns is one where the creator of the PASSporT and its signer are different administrative entities, and the creator tricks the signer into vouching for a URL that will be pointed to a different resource after it is signed. That edge case convinced me that there was at least some value to “rcdi” independent of the JWT Constraint; the “rcdi” lets the signer capture the resource as it was seen at signing time, which should help mitigate cases where naughty entities try to push malware or something through that URL. Is that enough motivation for a SHOULD for “rcdi”, at least for the referenced content case? We want that use case to work whether there are JWT Constraints present or not.
>> 
>> My personal preference would be to make it a MAY, and add non-normative guidance about when it would be a good idea to use it. I wouldn’t really object to making the JWT Constraint MAY if rcdi is present, and SHOULD in the specific use case you describe, but I wonder if we would not have problems thinking up an exhaustive list of all SHOULD cases in advance.
>> 
>> Thanks!
>> 
>> Ben.
>> 
>>> 
>>> Jon Peterson
>>> Neustar, Inc.
>>> 
>>> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> on behalf of Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
>>> Date: Monday, September 9, 2019 at 3:07 PM
>>> To: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>>
>>> Cc: "stir@ietf.org <mailto:stir@ietf.org>" <stir@ietf.org <mailto:stir@ietf.org>>
>>> Subject: Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
>>> 
>>> Hi Chris,
>>> 
>>> 
>>> Please see inline.
>>> 
>>> Also, I forgot one comment unrelated to the integrity mechanism: in section 5.1, the wikimedia folks would probably appreciate it we do not include a link to content hosted there in an example in an RFC :-)
>>> 
>>> Thanks!
>>> 
>>> Ben.
>>> 
>>> 
>>>> On Sep 9, 2019, at 2:02 PM, Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>> wrote:
>>>> 
>>>> Hi Ben,
>>>> 
>>>> For 1, simple answer is yes the intention was to make the content tied to the cert.  My experience is that calling name and other info is not changed often, however, assuming your premise, why would that be a problem?  If you want to be changing your RCD info once a year, once a month, or once a day then why is it a problem to push everything through the integrity mechanism and generate a new cert each time?  I think this is pretty logical.  If you don’t do that, what is the alternative to keep the properties of integrity of the information protected by a signature?
>>> 
>>> I agree that tying the content to the cert makes sense for some use cases where there is a content policy “authority” either as part of the CA, or that easily fits in the workflow for issuing the cert (perhaps via some ACME-ish token) But I think there will also be use cases where it does not. In particular, cases where either there is no such authority, or the signer of the RCD PASSporT _is_ the authority.
>>> 
>>> For example, the policy authority could be a third-party signer as described in section 7. Why would such an authority need to tie content to the signing certificate? It would just make life more complicated for them. (I started to ask why a 3rd party signer would need the integrity mechanism at all, but perhaps they need to protect referenced content.).
>>> 
>>> I don’t object to having the _ability_ to tie content to the cert. But I think making that a MUST when using the integrity mechanism is too strong. I’d argue for a MAY, along with motivating text on why/when you might want to use it.
>>> 
>>> For similar reasons, I lean towards thinking the SHOULD for using the rcdi claim in the first place might be a bit strong. For example, it would serve little purpose in the third-party example above if the policy authority simply did not allow referenced content.
>>> 
>>> 
>>>> 
>>>> For 2, yes the intent was to iterate at each level of the URLs.  I suspect the number of nested URLs for most of the “common” cases, like name, logo and address, would be limited, but would need a framework that supports multiple levels of nesting or limit the number of levels or something if we are concerned.  I don’t think there is a lot of reason to be concerned but maybe i’m missing a case that would actually use a ton of nesting in any practical way.
>>> 
>>> If that is the intent, it needs to be clarified. I read 4.1.1 as iterating across all the URLs in the RCD input. I assume from your response that step 7 was intended to apply to retrieved content, but I initially assumed you mean to iterate over additionally identified URLs in the RCD claim itself.
>>> 
>>> Given the intent to recurse over multiple layers of indirect content, I think some operational guidance is even more important. My concerns were not so much around legitimate use cases for long URI chains so much as for more nefarious use cases (e.g. trying to sneak in uncontrolled web content, DOS attacks, etc.)  (Basically the concerns that Eric stated separately.)
>>> 
>>> 
>>>> 
>>>> -Chris
>>>> 
>>>> 
>>>>> On Sep 7, 2019, at 12:50 PM, Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>> wrote:
>>>>> 
>>>>> Minor correction below:
>>>>> 
>>>>> 
>>>>>> On Sep 6, 2019, at 4:31 PM, Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>> wrote:
>>>>>> 
>>>>>> Signed PGP part
>>>>>> Hi,
>>>>>> 
>>>>>> I have a couple of high level questions about the new integrity mechanism in draft-ietf-stir-passport-04. Apologies if these have already been discussed.
>>>>>> 
>>>>>> 1) Do I understand correctly that the certificate used to sign a PASSporT with an rcdi claim MUST include a constraint for the _value_ of the digest? That is, if someone makes any change to any of the information they would normally include in an rcd claim, the signing party must get a new cert?
>>>>>> 
>>>>>> My concern is that, for good or bad, commercial callers really like to control the customer experience. Many like to change things up all the time. I can imagine things like special date-specific logos (e.g. Google doodles), “sale” badges on logos, distinctive branding for different “campaigns”, etc.  I realize things like ACME make the process of getting a new cert lighter weight than it used to be, but is it reasonable to require a new cert for any change?
>>>>>> 
>>>>>> This might be worse for third-party signers who may sign on behalf of many callers, each of which keeps changing things.
>>>>>> 
>>>>>> 2) If I understand correctly, if anything in the rcd claim includes a URL, the rcdi claim incorporates the associated content. What about URLs?
>>>>> 
>>>>> Uhm, I meant to say additional URLs
>>>>> 
>>>>> 
>>>>>> For example, lets say a jcl key links to a jCard, and that jCard has a LOGO element with a URI? Is the alleged logo content at that URI protected?
>>>>>> 
>>>>>> I assume the answer is that the answer is no; otherwise it could be URLs all the way down and we have to stop somewhere. This is probably a matter of signer or issuer) policy. If so, it might be worth having some operational guidance that they need to think about such things.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> stir mailing list
>>>>> stir@ietf.org <mailto:stir@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/stir <https://www.ietf.org/mailman/listinfo/stir>
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email