IETF Logo Mail Archive

Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism

"Peterson, Jon" <jon.peterson@team.neustar> Fri, 13 September 2019 17:17 UTC

Return-Path: <prvs=815935a5f5=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 403B2120110 for <stir@ietfa.amsl.com>; Fri, 13 Sep 2019 10:17:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lOitjMhtKzNX for <stir@ietfa.amsl.com>; Fri, 13 Sep 2019 10:17:49 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DEBC12010F for <stir@ietf.org>; Fri, 13 Sep 2019 10:17:49 -0700 (PDT)
Received: from pps.filterd (m0049401.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x8DHEFUW026727; Fri, 13 Sep 2019 13:17:47 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=team-neustar; bh=RGfRwBjgDX6MgV6XTSJwAsNjXVDY3R3SwacGl8p563Y=; b=orW/Cg+6nNyZdzbNT2n7MkaTsZwQ5DR3KlyM4S1zj3BHOiYCxiOKD5h5DKE3pfsiDQcY GQF+gN2PH5kYpT/SV6IO8d0P+73mKe0tKLwtvX1axl8gWzeWoDA2MyFipaGIsOfN1ZH6 7FfJavrJpXQtkM9BwXRnio7RbOeAESO+WT0bjpPYKdhXA/rVGr0c4H56SAMOwvYEnkl6 7bXC7tOfqDF/WQH4jzh1h5TMDujJE8/jWugbPPc8k7FlZmsYf5TcAobdilwNnlWoCGbW Gn0G2NmwIZmoOHWlL0r0dn0qvFwl3RD1GC1sD6XoYXY/wuhjt6Rjp7VaFhzYQA838nrE XQ==
Received: from stntexhc10.cis.neustar.com ([156.154.17.216]) by mx0b-0018ba01.pphosted.com with ESMTP id 2uytcga7p1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 13 Sep 2019 13:17:47 -0400
Received: from STNTEXMB101.cis.neustar.com ([fe80::a831:d3b4:fb4e:e45b]) by stntexhc10.cis.neustar.com ([10.31.58.69]) with mapi id 14.03.0439.000; Fri, 13 Sep 2019 13:17:47 -0400
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Ben Campbell <ben@nostrum.com>, Chris Wendt <chris-ietf@chriswendt.net>
CC: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
Thread-Index: AQHVZ1r4qnzXep6GmUqKsFmNEr+1e6cprVCA
Date: Fri, 13 Sep 2019 17:17:46 +0000
Message-ID: <FE1ED9C6-2BDA-4A97-BCFC-CA6BDCAA9680@team.neustar>
References: <D0D57997-56AC-4E68-BC12-2CE07C52B711@nostrum.com> <0CCCD3F6-B0A5-4B0C-B563-2E85AC3E3B3A@nostrum.com> <9DA8A5FC-866B-4DF3-BA76-68AF733EAF4D@chriswendt.net> <5A3DFEE8-60E0-4870-9689-FEAAFA0D7BE8@nostrum.com>
In-Reply-To: <5A3DFEE8-60E0-4870-9689-FEAAFA0D7BE8@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.c.190715
x-originating-ip: [10.96.12.137]
Content-Type: multipart/alternative; boundary="_000_FE1ED9C62BDA4A97BCFCCA6BDCAA9680teamneustar_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.70,1.0.8 definitions=2019-09-13_08:2019-09-11,2019-09-13 signatures=0
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/n_iJDYm_WYfqhmhHg43CsWikmPo>
Subject: Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2019 17:17:52 -0000

At a high level, what we want out of certs here is a capability that empowers the issuer of a certificate to constrain the contents of RCD when the signer signs a PASSporT. I don’t think we want to say that RCD can only be used when the JWT Constraint is present, and I don’t think we want to say that the integrity check provided by “rcdi” can only be present in a PASSporT when the signing certificate has a JWT Constraint in it. Including “rcdi” in the JWT Constraints should be just a hook, that the issuer of a certificate can use to make sure that RCD isn’t being abused in cases where there are concerns about that.

Outside of the JWT Constraint, I was originally not immensely worried about link substitution attacks on the RCD system: that is, ones where the signer of an RCD PASSporT believes a URL in RCD points to an image of the Ford Motor Company, say, but while a SIP call is in transit, someone switches the resource that the URL indicates to an image of Chevrolet, so that when it is rendered on the terminating side the callee sees something different than the signer intended. The creator of the PASSporT, after all, picked that URL, and it just doesn’t make sense for them to pick a URL that they don’t have meaningful change control over. The only edge case where I see real concerns is one where the creator of the PASSporT and its signer are different administrative entities, and the creator tricks the signer into vouching for a URL that will be pointed to a different resource after it is signed. That edge case convinced me that there was at least some value to “rcdi” independent of the JWT Constraint; the “rcdi” lets the signer capture the resource as it was seen at signing time, which should help mitigate cases where naughty entities try to push malware or something through that URL. Is that enough motivation for a SHOULD for “rcdi”, at least for the referenced content case? We want that use case to work whether there are JWT Constraints present or not.

Jon Peterson
Neustar, Inc.

From: stir <stir-bounces@ietf.org> on behalf of Ben Campbell <ben@nostrum.com>
Date: Monday, September 9, 2019 at 3:07 PM
To: Chris Wendt <chris-ietf@chriswendt.net>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism

Hi Chris,


Please see inline.

Also, I forgot one comment unrelated to the integrity mechanism: in section 5.1, the wikimedia folks would probably appreciate it we do not include a link to content hosted there in an example in an RFC :-)

Thanks!

Ben.


On Sep 9, 2019, at 2:02 PM, Chris Wendt <chris-ietf@chriswendt.net<mailto:chris-ietf@chriswendt.net>> wrote:

Hi Ben,

For 1, simple answer is yes the intention was to make the content tied to the cert.  My experience is that calling name and other info is not changed often, however, assuming your premise, why would that be a problem?  If you want to be changing your RCD info once a year, once a month, or once a day then why is it a problem to push everything through the integrity mechanism and generate a new cert each time?  I think this is pretty logical.  If you don’t do that, what is the alternative to keep the properties of integrity of the information protected by a signature?

I agree that tying the content to the cert makes sense for some use cases where there is a content policy “authority” either as part of the CA, or that easily fits in the workflow for issuing the cert (perhaps via some ACME-ish token) But I think there will also be use cases where it does not. In particular, cases where either there is no such authority, or the signer of the RCD PASSporT _is_ the authority.

For example, the policy authority could be a third-party signer as described in section 7. Why would such an authority need to tie content to the signing certificate? It would just make life more complicated for them. (I started to ask why a 3rd party signer would need the integrity mechanism at all, but perhaps they need to protect referenced content.).

I don’t object to having the _ability_ to tie content to the cert. But I think making that a MUST when using the integrity mechanism is too strong. I’d argue for a MAY, along with motivating text on why/when you might want to use it.

For similar reasons, I lean towards thinking the SHOULD for using the rcdi claim in the first place might be a bit strong. For example, it would serve little purpose in the third-party example above if the policy authority simply did not allow referenced content.



For 2, yes the intent was to iterate at each level of the URLs.  I suspect the number of nested URLs for most of the “common” cases, like name, logo and address, would be limited, but would need a framework that supports multiple levels of nesting or limit the number of levels or something if we are concerned.  I don’t think there is a lot of reason to be concerned but maybe i’m missing a case that would actually use a ton of nesting in any practical way.

If that is the intent, it needs to be clarified. I read 4.1.1 as iterating across all the URLs in the RCD input. I assume from your response that step 7 was intended to apply to retrieved content, but I initially assumed you mean to iterate over additionally identified URLs in the RCD claim itself.

Given the intent to recurse over multiple layers of indirect content, I think some operational guidance is even more important. My concerns were not so much around legitimate use cases for long URI chains so much as for more nefarious use cases (e.g. trying to sneak in uncontrolled web content, DOS attacks, etc.)  (Basically the concerns that Eric stated separately.)



-Chris


On Sep 7, 2019, at 12:50 PM, Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>> wrote:

Minor correction below:


On Sep 6, 2019, at 4:31 PM, Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>> wrote:

Signed PGP part
Hi,

I have a couple of high level questions about the new integrity mechanism in draft-ietf-stir-passport-04. Apologies if these have already been discussed.

1) Do I understand correctly that the certificate used to sign a PASSporT with an rcdi claim MUST include a constraint for the _value_ of the digest? That is, if someone makes any change to any of the information they would normally include in an rcd claim, the signing party must get a new cert?

My concern is that, for good or bad, commercial callers really like to control the customer experience. Many like to change things up all the time. I can imagine things like special date-specific logos (e.g. Google doodles), “sale” badges on logos, distinctive branding for different “campaigns”, etc.  I realize things like ACME make the process of getting a new cert lighter weight than it used to be, but is it reasonable to require a new cert for any change?

This might be worse for third-party signers who may sign on behalf of many callers, each of which keeps changing things.

2) If I understand correctly, if anything in the rcd claim includes a URL, the rcdi claim incorporates the associated content. What about URLs?

Uhm, I meant to say additional URLs


For example, lets say a jcl key links to a jCard, and that jCard has a LOGO element with a URI? Is the alleged logo content at that URI protected?

I assume the answer is that the answer is no; otherwise it could be URLs all the way down and we have to stop somewhere. This is probably a matter of signer or issuer) policy. If so, it might be worth having some operational guidance that they need to think about such things.





_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email