Re: [stir] Third WGLC: draft-ietf-stir-passport-rcd-12

Ben Campbell <> Mon, 13 September 2021 18:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F40E93A14B3 for <>; Mon, 13 Sep 2021 11:53:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.279
X-Spam-Status: No, score=-0.279 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, MAY_BE_FORGED=1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EyMMyaw0p1lj for <>; Mon, 13 Sep 2021 11:53:13 -0700 (PDT)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5A12D3A14CB for <>; Mon, 13 Sep 2021 11:53:13 -0700 (PDT)
Received: from ( [] (may be forged)) (authenticated bits=0) by (8.17.1/8.16.1) with ESMTPSA id 18DIr4Pf072102 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 13 Sep 2021 13:53:05 -0500 (CDT) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1631559185; bh=IqqVKH5XbiC7+x+oJiJ0GRWKUoh7+sX01tyrSv1DoC8=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=cR+4xgNN8qhH+xPVmKBvy1++Jms+tnEjk0KCBI+lwoeK++NERpA6z+rSg2ZgZGW0I v8XnrcLhXE/BqkH+wN3zQglgFff3BLBOFmvz7qwAOU9Y0TGf49RyhrmwwzG0I/nWMk zwSp8XWNjhYhJk6GPADNScnHCLS9j0aNCjkvzhew=
X-Authentication-Warning: Host [] (may be forged) claimed to be
From: Ben Campbell <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D6813790-95C3-40C5-8C09-699487079329"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Mon, 13 Sep 2021 13:52:58 -0500
In-Reply-To: <>
Cc: Jon Peterson <>, IETF STIR Mail List <>
To: Chris Wendt <>
References: <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [stir] Third WGLC: draft-ietf-stir-passport-rcd-12
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Sep 2021 18:53:28 -0000

> On Sep 13, 2021, at 1:47 PM, Chris Wendt <> wrote:
> inline
>> On Sep 13, 2021, at 10:41 AM, Ben Campbell < <>> wrote:
>>> On Sep 13, 2021, at 7:36 AM, Chris Wendt < <>> wrote:
>>>>>> For an example use case related to these questions. Imagine a SHAKEN environment, where the caller UA signs an RCD passport with a delegate-certificate. The cert has JWTClaimConstraints for the “rcd” and “rcdi” claims. The UA also includes an rcdi claim, because the “rcd” claim points to an external icon.
>>>>>> The UA forwards the INVITE to an originating service provider (OSP). The OSP doesn’t care what’s in the “rcd” claims. All it wants to do is see that the call is signed with the private key associated with the caller’s certificate and verify that the cert has a TNAuthList extension that encompasses the number in the From header field. If that is true, the OSP adds it’s own SHAKEN passport with full attestation and forwards the INVITE to a Terminating Service Provider (TSP) with both passports.   As far as the OSP is concerned, it’s the TSP’s problem to verify the RCD bits.
>>>>>> Would the OSP be required to verify the JWTClaimConstraints and RCDi digest in this case? Consider that verifying the RCDI digest probably requires downloading an icon from a potentially arbitrary source, which the OSP might not be willing to do.
>>>>> I agree that in case of SHAKEN, OSP at a minimum only cares about telephone number for STI-VS and uses the delegate certificate TNAuthList telephone number and ‘orig’/From/Paid to determine attestation level.  That said, i think the mechanics of what OSP or TSP do with a delegate cert is a SHAKEN concept and doesn’t need to be addressed in the ‘rcd’ draft, so i’d prefer to leave that to IPNNI documents.
>>>> I agree we should not define SHAKEN semantics in STIR. But I think we need to avoid precluding expected SHAKEN behavior without a good reason.
>>>> From the new text in §9.1, I understand that in the example of an RCD PASSporT with an rcdi claim that covers content included by reference, a VS MUST verify the RCDi claim, which requires it to download the external content. At least for “ppt”:“rcd”. And and the AS that inserted the rcd passport MUST include the RCDi claim, due to the external content. 
>>>> Am I reading that right? If so, in the SHAKEN OSP example above, do you think it is reasonable to make the OSP download and verify an icon it will never use for potentially every call it processes? I fear that might be a barrier to the idea of an OSP using the TnAuthList from a delegate cert for SHAKEN attestation purposes. At least for RCD passports that reference logos and such.
>>>> OTOH, I realize that the idea of a partially-verified passport might be tricky to implement safely, so that nothing downstream of a VS accidentally relies on unverified claims.
>>>> […]
>>> RFC8225 does have the rule that you can ignore claims you don’t understand, and i think for ’shaken’ specifically, we don’t have a PASSporT extension type that includes both ’shaken’ claims and ‘rcd’ claims, even though people have talked about putting both in a single PASSporT, so i think we are ok.  I just feel uncomfortable trying to “cross the streams” and cover other extension types in this spec. Would we expect all future specs to cover every combination of claims/extension types?  I still think that is left for IPNNI type specs to define more specific usage.
>>> Put more simply, this spec is about “rcd” PASSporT rules, using “rcd” claims in another PASSporT type is not in scope for this spec.
>> Unless I misunderstand what people have in mind, the use case doesn’t involve mixing rcd and shaken claims in a single PPT. To be more precise:
>> 1. Caller AS signs an passport with a delegate cert. with “ppt” : “rcd”. It includes an RCD claim with external references, and therefore an “rcdi” claim.
>> 2. OSP VS verifies the RCD passport and checks that the “orig” claim is encompassed by the cert's TnAuthList. It wants to ignore the RCD claims because it doesn’t care about them, but IIUC it cannot ignore them because of the “rcd” value in “ppt”.
>> 3. OSP AS inserts a SHAKEN passport, with an attestation level (hopefully A), based on the results of step 2.
>> 4. OSP forwards the INVITE with both the SHAKEN and RCD passport.
>> The way I understand things, step 2 will require verification of the rcdi claim, and therefore downloading of the external content. Am I missing something? 
>> I think this means the caller is using the same passport for two purposes (authentication, RCD assertion) with two separate relying parties (OSP, TSP or recipient), Is this an invalid approach? I’m willing to accept that one should not do this, but I think it will surprise some consumers of the spec. I recognize this is not the only approach people are thinking about (e.g. the OSP might verify the RCD claims and insert them into its SHAKEN ppt.)
> Ok, that clarifies the use-case, but i think i still would like to stay a level higher. Focus on the security (and integrity) and not give excuses for half-steps or “optimizations”.  If the “identity” includes RCD information with integrity turned on encoded in a PASSporT, you should have to decode the entire PASSporT to achieve pass/fail. Otherwise, we get into some thorny scenarios, IMHO.
> Like i said before (even though i misunderstood your use-case), I think you provide one example on how the industry might implement this, but i could imagine others.  But, however things turn out, i don’t think we should change the fundamental rules of we have already established or create shortcuts in the protocol specifications.  RCD is fundamentally not about “A” attestation, although as we have said it’s a side benefit, that said, i would hate to cripple things for a shortcut or potentially create a hole.

Just to be clear, I agree we should stay at a higher level in the spec. I think from a higher level, the rules that would allow the use case I mentioned would be to say something like the VS MUST verify the signature and that any JWT Claim Constraints are satisfied, and MUST NOT rely on integrity-protected RCD claims without verifying the rcdi claim.

I’m perfectly okay if the answer is still “verify everything or rely on nothing”; I’m just probing to make sure we have considered how this will be used in practice.