Re: [stir] "iat" value to use during PASSPorT construction

"Asveren, Tolga" <tasveren@rbbn.com> Fri, 20 July 2018 18:18 UTC

From: "Asveren, Tolga" <tasveren@rbbn.com>
To: williw <wilhelm@wimmreuter.de>
CC: "stir@ietf.org" <stir@ietf.org>
Date: Fri, 20 Jul 2018 18:18:21 +0000
Message-ID: <MWHPR03MB2815E6CDBA2DF7CD0D8E5BD0A5510@MWHPR03MB2815.namprd03.prod.outlook.com>
References: <CY4PR03MB3160EE4F4502CCF974B070CFA59C0@CY4PR03MB3160.namprd03.prod.outlook.com> <0C2B7B00-AB77-48E1-A666-F76A592DDC51@wimmreuter.de>
In-Reply-To: <0C2B7B00-AB77-48E1-A666-F76A592DDC51@wimmreuter.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/mLdakamrek-gx131YcwNh1no4rs>

I don’t think that is an issue, as a signature being cryptographically valid doesn’t mean that it is “completely fine”. It should also be checked that the signing organization is authoritative for the claimed (and verified) origination.

Please consider that the scenario you mention is not related to the “originating network signs only if the call leaves the network” policy. It can happen in any case: an intermediary (maybe with malicious intent) can simply generate a valid signature for any call by using its own key; but then the check I mentioned above would detect that the signer is not authoritative for the origination, i.e. the signature was not generated by the originating network.

Thanks,
Tolga
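The verifier-side check Tolga describes, as an added example that is not part of the thread: it assumes the PASSPorT's ES256 signature has already been checked against the signer's certificate, then applies the two policy checks that remain, "iat" freshness (window of 60 seconds assumed) and whether the signer's TNAuthList (modelled here as plain TN and TN-range entries) covers the "orig" number. All PASSPorT values are constructed.

```python
import base64
import json

# Constructed demo: the signature of the PASSPorT (RFC 8225) is ASSUMED already
# verified.  What remains is checking that "iat" is fresh and that the signer is
# actually authoritative for the "orig" TN (RFC 8226 TNAuthList), so a valid
# signature from a non-authoritative intermediary is still rejected.

FRESHNESS_WINDOW_S = 60  # assumed verifier policy; tune per deployment


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def passport_claims(passport: str) -> dict:
    """Return the decoded payload of a compact-serialised PASSPorT."""
    _header, payload, _sig = passport.split(".")
    return json.loads(b64url_decode(payload))


def iat_fresh(claims: dict, now: int, window: int = FRESHNESS_WINDOW_S) -> bool:
    return abs(now - int(claims["iat"])) <= window


def signer_is_authoritative(orig_tn: str, tnauthlist: list) -> bool:
    """tnauthlist entries: {"tn": "12025550100"} or {"range": ("12025550100", 100)}."""
    for entry in tnauthlist:
        if "tn" in entry and entry["tn"] == orig_tn:
            return True
        if "range" in entry:
            start, count = entry["range"]
            if len(start) == len(orig_tn) and 0 <= int(orig_tn) - int(start) < count:
                return True
    return False


def verify_passport_policy(passport: str, tnauthlist: list, now: int) -> str:
    """Return "ok", "stale" or "not-authoritative" for an already signature-checked PASSPorT."""
    claims = passport_claims(passport)
    if not iat_fresh(claims, now):
        return "stale"
    if not signer_is_authoritative(claims["orig"]["tn"], tnauthlist):
        return "not-authoritative"
    return "ok"


def build_passport(claims: dict) -> str:
    """Constructed, unsigned PASSPorT for the demo (signature placeholder only)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "typ": "passport", "x5u": "https://cert.example/signer.cer"}
    return enc(header) + "." + enc(claims) + ".SIG_ASSUMED_VALID"
```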

From: stir <stir-bounces@ietf.org> On Behalf Of williw
Sent: Friday, July 20, 2018 11:15 AM
To: Asveren, Tolga <tasveren@rbbn.com>
Cc: stir@ietf.org
Subject: Re: [stir] "iat" value to use during PASSPorT construction


Sorry, I unsuccessfully submitted my concern on the jabber list during the meeting.
However, this could be valid here and possibly applies to other areas of stir as well.

My concern that came up while seeing the cat slides in the meeting was the following:

Signing outbound / egress calls only.
This emulates the old PSTN paradigm and enables impersonation as we have it in SS7.
Without originating signatures this seems to be a big impersonation hole, I assume.

In fact, operators will happily sign my robocalls and other malicious stuff.
And this will guarantee that my robocalls have a valid signature that will also be perfect for OOB signalling etc.

Is this concern valid?

Sorry this did not come through the scribe and to the mic.

Thanks

Willi
