Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?

Julio Martinez-Minguito <julio.martinez-minguito@ericsson.com> Fri, 26 January 2018 17:28 UTC

From: Julio Martinez-Minguito <julio.martinez-minguito@ericsson.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>, Chris Wendt <chris-ietf@chriswendt.net>
CC: "stir@ietf.org" <stir@ietf.org>
Date: Fri, 26 Jan 2018 17:27:30 +0000
Message-ID: <HE1PR0701MB2298006A17E91252B3C87A1CC7E00@HE1PR0701MB2298.eurprd07.prod.outlook.com>
In-Reply-To: <D68E5F00.29A79%christer.holmberg@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/tFWW4oW2VG1thlEzDLO-pWroHmA>
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

Hi,

I see in the nested divert that the new PASSporT has a claim "opt" which includes the PASSporT of the originating network, including the signature.
The PASSporT added by the diverting network includes a claim "orig", which is copied from the 'original' PASSporT.
In this case, for a PASSporT ppt:div, the diverting network may not have authority over the claim "orig", but only over the claim 'div'. A verifier will have to check the embedded PASSporT, verify the signature and check that the orig in the different PASSporTs matches.

Though in other cases, if the originating number and the diverting number are served by the same operator, the operator has authority over both orig and div claims. A nested PASSporT would not be needed in this case.

The end result is quite similar to having multiple Identity headers. In the end there are multiple PASSporT objects; the difference is how they are conveyed in the signaling.

I assume the main reason for the embedding is the oob solution, or?

Regards, Julio

> -----Original Message-----
> From: Christer Holmberg [mailto:christer.holmberg@ericsson.com]
> Sent: 24 January 2018 15:06
> To: Chris Wendt <chris-ietf@chriswendt.net>
> Cc: stir@ietf.org
> Subject: Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
> 
> Hi,
> 
> >I guess I'm not following what's not clear, if you MUST only have one
> >orig claim and one identity in that claim, that seems to be pretty
> >clear to me that you cannot either not have an orig claim or have more
> >than one.  I guess maybe I'm missing something subtle in your point.
> 
> It is clear that you cannot have more than one claim, but I think it could be
> made more clear that you always must have a claim to begin with :)
> 
> >For extensions, and in general with any PASSporT, once the PASSporT is
> >signed, that's it, you cannot modify claims or "re-sign".  If you want
> >new PASSporT claim information that you want to sign, you must have a
> >new PASSporT or new identity header.
> 
> Correct, I should have made that clear.
> 
> So, if you have two (or more) Identity header fields, do they all have to
> contain the same "orig" value? Or, is one allowed to change it?
> 
> Does the same apply for "dest"? And, if you want to change the "dest" you
> need to use the divert extension? You can't just add a new passport with a
> new "dest" value. Or?
> 
> >Currently for divert, the approach is to embed a PASSporT inside a new
> >PASSporT, which is a valid technique also and result in a new identity
> >header also (but you should remove the old identity header in this case).
> 
> My colleague Julio sent some questions and issues regarding the
> "embedding"/"nesting" approach. I would be happy if you look at those :)
> 
> Regards,
> 
> Christer
> 
> 
> >
> >-Chris
> >
> >> On Jan 23, 2018, at 2:19 PM, Christer Holmberg
> >><christer.holmberg@ericsson.com> wrote:
> >>
> >> Hi Chris,
> >>
> >>>> Question for clarification:
> >>>>
> >>>> Section 5.2.1 of draft-passport says:
> >>>>
> >>>>      "There MUST be exactly one "orig" claim with exactly one
> >>>>identity claim object in a PASSporT object."
> >>>>
> >>>> Q1: Does the text above mean that
> >>>>
> >>>>      a) a passport must always contain one, and only one, "orig"
> >>>>claim; or
> >>>>      b) that if a passport contains an "orig" claim, it can only
> >>>>contain one?
> >>>
> >>> It can only contain one key value pair with the key "orig" and the
> >>>claim value can only be one identity.
> >>>
> >>> In other words you cannot claim to originate multiple identities
> >>>with a single passport object.
> >>
> >> Correct. The question is whether "orig" is mandatory (alternative a)
> >>or not (alternative b). But, based on your reply to Q2 below, I assume
> >>the answer is alternative a).
> >>
> >> I think it would be good to make that more clear.
> >>
> >>>> Q2: If a), does it apply to passport extensions too?
> >>>
> >>> All extensions must include the base passport claims and follow all
> >>>rules of the claims, so yes.
> >>
> >> I think it should be more clear whether a node can modify claims or
> >>not when adding an extension, or whether an extension needs to
> >>explicitly allow it. Currently the text only says (AFAIK) that claims
> >>cannot be removed.
> >>
> >> For example, if I have a base passport, and add an RPH passport, I
> >>assume I cannot change the value of the "dest" claim. I would need to
> >>use a divert claim for that.
> >>
> >> Also, as the passports may be added and signed by different
> >>authorities, and as each passport will contain the base claims, it
> >>means that the base claims will be signed multiple times, and they may
> >>be signed by different authorities. I assume that is ok.
> >>
> >> Regards,
> >>
> >> Christer
> >>
> >
>