Re: [stir] OOB for Service Providers
"Peterson, Jon" <jon.peterson@team.neustar> Fri, 20 March 2020 00:59 UTC
Return-Path: <prvs=4348621b58=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 635133A13A7 for <stir@ietfa.amsl.com>; Thu, 19 Mar 2020 17:59:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YebkIJMcMC0K for <stir@ietfa.amsl.com>; Thu, 19 Mar 2020 17:59:38 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF1F23A13B1 for <stir@ietf.org>; Thu, 19 Mar 2020 17:59:37 -0700 (PDT)
Received: from pps.filterd (m0078664.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 02K0iEsV031280; Thu, 19 Mar 2020 20:59:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=team-neustar; bh=jmpKCL8LOnM93vKHchRNruljnDpsuK92ey5DxqNmfLc=; b=xudgNS0W1ru5d6HrUonCTvmKjepIw0g1T7kpmk8ZI9eX1kdEluMuuL2DM+mPphPjgAoJ NL/LQBcwI1rWvE3LZnzrg9YyBWGAAcDJ7W6W97vMNXq+UFff6PKORCbqRByJcY6/NxMV eA1CzG8g09GUvlF99c3uwOtc7aa23R2sf5K5o7hm1bk2ZKuov7MrMyv7n4Fv/2O0OB0x LFGjV00qiQYJ0D92SwcoLQfveEZ7oFttjS3z5fiOGuJypZvFD/AfNX8c8P/Kj0K2nfRa Ak5ccqtN6PWL0mnNFPfg2B9imu2g2fAqx05gI+lL0vyWGY9fbySkLb6bokBrOgN4OSQi sw==
Received: from stntexhc10.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 2yu76v3u46-12 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 19 Mar 2020 20:59:37 -0400
Received: from STNTEXMB103.cis.neustar.com ([fe80::3c08:d7b1:b8d1:dac]) by stntexhc10.cis.neustar.com ([10.31.58.69]) with mapi id 14.03.0439.000; Thu, 19 Mar 2020 20:58:15 -0400
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Jonathan Rosenberg <jdrosen@jdrosen.net>
CC: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] OOB for Service Providers
Thread-Index: AQHV+Xrip2oTAfx8hUCxz6kMIrr2iKhIrw8AgAfQ9QA=
Date: Fri, 20 Mar 2020 00:58:15 +0000
Message-ID: <9C615D64-1D4B-41BE-9C21-DA863705DC9F@team.neustar>
References: <9B2AD795-CC46-44E4-A19D-2F708D217F2B@team.neustar> <CA+23+fGutMD9QPCnbHVqsuShYgK9GxGV0PJ_GERuoNzAXM9XuQ@mail.gmail.com>
In-Reply-To: <CA+23+fGutMD9QPCnbHVqsuShYgK9GxGV0PJ_GERuoNzAXM9XuQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.12.200112
x-originating-ip: [10.96.14.67]
Content-Type: multipart/alternative; boundary="_000_9C615D641D4B41BE9C21DA863705DC9Fteamneustar_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.645 definitions=2020-03-19_10:2020-03-19, 2020-03-19 signatures=0
X-Proofpoint-Spam-Reason: orgsafe
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/tangO0wlxzExIlHHv_xEcgGRqBA>
Subject: Re: [stir] OOB for Service Providers
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 00:59:47 -0000
Well, the draft today sketches a couple of ways that CPS discovery might happen, which in the short term could be just bilateral agreements. Indeed, if we’re willing to assume a monolithic CPS serving a particular closed service provider community, you could easily solve this with a flat file. That might prove the easiest way to get something like this started. A mature architecture would need some more universal CPS discovery mechanism. This is indeed analogous to the call routing problem: industry databases exist today that let you looking up the OCN’s associated with called numbers, so even if the CPS advertisement is signed with an OCN cert, that might actually be sufficient for relying parties with access to those databases. The extent that we expect relying parties to look behind the OCNs at individual numbers is still controversial in some circles, but at the end of the day, I think we need to get there one way or another. For example, an RFC8226 certificate can hold a URL pointing to a by-reference list of telephone numbers associated with the certificate (which may indeed be nothing but a shim layer in front of the aforementioned databases), and at the time of certification, such a by-reference list could be added, which could allow a calling party to figure out if CPS advertisements are legitimate or not. So we have a couple ways to do this that may have some promise. What will work for a given environment may vary. For an IETF spec anyway – even one headed for standards track - I think we may want to enumerate approaches, some of which are mandatory-to-implement, but leave it to deployment profiles to narrow in on particular solutions. Jon Peterson Neustar, Inc. From: Jonathan Rosenberg <jdrosen@jdrosen.net> Date: Saturday, March 14, 2020 at 11:37 AM To: "Peterson, Jon" <jon.peterson@team.neustar> Cc: "stir@ietf.org" <stir@ietf.org> Subject: Re: [stir] OOB for Service Providers Thanks Jon - very interesting concept. In order for this to work, a call originator needs to figure out which carrier's CPS to send the passport to, for a given dialed number. The draft proposes that this info can be obtained from the TNAuthList in the carriers certificate used to sign the cps advertisement. This presumes that terminating carriers are willing to actually enumerate the set of TNs they own in a certificate, and make this available to enterprises, contact centers or other entities which are going to place calls to those numbers. I think the jury is still out on whether these certs will end up containing actual numbers and prefixes, as opposed to OCNs. Classic inbound STIR and OOB can work without number lists, whereas this draft requires the TN list in order to facilitate routing (i.e., identifying the terminating cps). So - I think the key question is whether this routing is going to be feasible in practice or not. Thx, Jonathan R. On Fri, Mar 13, 2020 at 5:04 PM Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org<mailto:40team.neustar@dmarc.ietf.org>> wrote: So we'll all be sad not to meet in Vancouver this time, but given that we're scheduling a virtual meeting, I did want to give a pointer to a new draft: https://tools.ietf.org/html/draft-peterson-stir-servprovider-oob-00<https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-peterson-stir-servprovider-oob-00__;!!N14HnBHF!vycse32NSVgY87Yd4_4liS413HMx-_Y1pOERQmzLoYDyvuZTsVrmbxuMlPQwOxbZLfCnog$> This draft works toward a more concrete protocol implementation of out-of-band STIR, for the case where a service provider (could be a carrier, large enterprise, or an OTT service) advertises a CPS that collects PASSporTs for calls that would terminate on its network. Because it is tightly coupled to the terminating side of the call, this flavor of CPS has a different security posture than a public CPS that is necessarily decoupled from call signaling entirely. I know there is some talk out there about "OOB SHAKEN" these days, and to be clear, this is not an "OOB SHAKEN" draft - this looks at general tools that might ultimately support efforts to deliver SHAKEN out-of-band, but it does not limit its consideration of the problem space to the way that SHAKEN currently handles certification and signing. The plan is to deliver a mechanism that is applicable to a variety of potential policies in that regard. If folks here are interested in working on this, let's discuss it a bit, and maybe find some agenda time for it. Jon Peterson Neustar, Inc. _______________________________________________ stir mailing list stir@ietf.org<mailto:stir@ietf.org> https://www.ietf.org/mailman/listinfo/stir<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/stir__;!!N14HnBHF!vycse32NSVgY87Yd4_4liS413HMx-_Y1pOERQmzLoYDyvuZTsVrmbxuMlPQwOxbVIpJxmQ$> -- Jonathan Rosenberg, Ph.D. jdrosen@jdrosen.net<mailto:jdrosen@jdrosen.net> http://www.jdrosen.net<https://urldefense.com/v3/__http:/www.jdrosen.net__;!!N14HnBHF!vycse32NSVgY87Yd4_4liS413HMx-_Y1pOERQmzLoYDyvuZTsVrmbxuMlPQwOxbMEtLRUQ$>
- [stir] OOB for Service Providers Peterson, Jon
- Re: [stir] OOB for Service Providers Jonathan Rosenberg
- Re: [stir] OOB for Service Providers Richard Shockey
- Re: [stir] OOB for Service Providers Gorman, Pierce A [CTO]
- Re: [stir] OOB for Service Providers Peterson, Jon
- Re: [stir] OOB for Service Providers Peterson, Jon