IETF Logo Mail Archive

Re: [stir] New draft draft-rosenberg-stir-callback-00

"Peterson, Jon" <jon.peterson@team.neustar> Wed, 21 March 2018 11:41 UTC

Return-Path: <prvs=0618ae2bf9=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CE9712DA29 for <stir@ietfa.amsl.com>; Wed, 21 Mar 2018 04:41:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2oQofKiPOEt for <stir@ietfa.amsl.com>; Wed, 21 Mar 2018 04:41:29 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A923D12D88D for <stir@ietf.org>; Wed, 21 Mar 2018 04:41:24 -0700 (PDT)
Received: from pps.filterd (m0078664.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2LBX0Ye026083; Wed, 21 Mar 2018 07:41:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : content-type : mime-version; s=selector1; bh=kZ5vG/MiEblyJ1VOcAs8lLhKmRCvIGNda5LuEUQ2Fvc=; b=bWetfuBPcL1yWUX+cJ59h35DHVzhG/tEV9AisTH/+aGiM6UFatBZp0NVBCBIiW+25j4m 3xdSi7GVsSAKGcBjbXjWC3WS9zKpiEUvp5KA8YnO/C2Bap2Xum8srQBdH7gnSutvwvIf E4ZxnMznmKpRfkFvLfiJElcUt1PECwp5xSeqivZOZOmQT0V3ZZNqICg2Cu4s+73KEGP/ CQ8Ix4sygJIQQmU0WqOVP31zthEy01PAD1fEUvb58UgVMAnjCFGrN3D6rGLGp1xr602c 2LKq+o35LTTAxnorAtlWzbg1xFqXGHocHyIoTbrVCAnjZFZmOx9Csw9fnscNjjgMAXov 9w==
Received: from stntexhc11.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 2gueb88g0t-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 21 Mar 2018 07:41:23 -0400
Received: from STNTEXMB11.cis.neustar.com ([169.254.1.236]) by stntexhc11.cis.neustar.com ([::1]) with mapi id 14.03.0279.002; Wed, 21 Mar 2018 07:41:22 -0400
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Jonathan Rosenberg <jdrosen@jdrosen.net>
CC: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: Re: [stir] New draft draft-rosenberg-stir-callback-00
Thread-Index: AQHTvBAQ9S8lRhGli0md6LCm7RFBYg==
Date: Wed, 21 Mar 2018 11:41:21 +0000
Message-ID: <D6BF109B.1F7425%jon.peterson@neustar.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-originating-ip: [10.96.13.96]
Content-Type: multipart/alternative; boundary="_000_D6BF109B1F7425jonpetersonneustarbiz_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-21_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803210141
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/txwRuSYAclNcOhjZH6tolWRkHwY>
Subject: Re: [stir] New draft draft-rosenberg-stir-callback-00
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2018 11:41:31 -0000

A couple more notes on the design choices of attesting effective control of a number via a CA vs. caching “callback on first-use” self-signed certs, as I’m doing slides for tomorrow…

The CA still becomes accountable for holding an accurate and authoritative database of numbers for (presumably) a very large number of users, for keeping it up to date, for handling corrections should an error get made (which invariably it will for some reason), for deciding how to price such a service,

So Let's Encrypt is now doing this sort of thing gratis for what, 50 million active certs or so? It doesn't have to be just one CA doing all the work: for various operational and administrative reasons, one size probably won’t fit all for STIR. And sure, no CA is perfect in terms of handling errors - but then again the "effective proof of control of a telephone number" attestation we're seeking for this particular use case is closer to TOFU than to heavyweight enrollment mechanisms for liability-grade certs. Our threat model can be mitigated with something weaker than liability-grade certs, anyway. So we just need to have a sane CP/CPS that does not overpromise on the level of assurance these certs provide.

for dealing with whatever local regulations their lawyers think they may be signing up for by being in the telco business. Since, regardless of how this database gets populate, they are in the telco business because they sell a telco database.

I don't know if you're implying something more specific here, but I guess I agree that any database used in communications could end up being regulated somewhere in the world. I'm sure that's as true of distributed databases as centralized ones. Certificates have always been able to have telephone numbers in them, including a telephone number in a cert doesn't polymorph its issuing CA into a "telco database" with a national flag sticking out of it.

Distributing the work distributes the accountability, and places it in the first party (the entity that consumes it) rather than the third party (with someone else). That is a dramatic difference.

ACME is just a protocol: who operates the CAs and the relationship of those entities to the communicating parties isn't prescribed by the architecture. So it doesn’t entail centralizing the accountability in one place or distancing it from the first (or second) party. Maybe some of the CSPs involved in STIR want to act as CAs themselves (or contract out for that as a white label service), in which case we should hesitate to consider them “third parties” at all. Moreover, where there are one or more third parties, or a federated consortium like Let's Encrypt, say, accountability is always limited by the policies used to issue certificates - which can be favorable or unfavorable to various user and/or government interests, sure.

But to the broader question here, I think there are other differences that matter, beyond just accountability. The design decision to have callers enroll to establish their identities prior to the first time they place a secure call to anyone, versus establishing their identity in real time every time they call someone new, has a host of architectural implications and associated trade-offs. How many times you need to prove your effective control, and whether you need to prove it within call set-up time, can lead to some pretty substantially differences in how the system behaves.

We’ve considered something similar when looking at models where you might require a new short-term cert for every signed call as an alternative to doing something like OCSP stapling in SIP for credential freshness - some of the same principles probably apply here. Any strategy that relies on called parties remembering the last cert you used incidentally limits certain ways of using short-term certs, and that has been our ostensible direction for certificate freshness here in STIR since we gave up on OCSP stapling.

A lot of scam calls these days impersonate government agencies or large enterprises - but those entities place a lot of legitimate calls too from one number, sometimes a large number of legal calls all at once, and in a COFU scheme that could cause vast amounts of simultaneous callbacks. In so far as we care about the potential post-dial delay due to the RTT in the reverse direction before connecting, those problems could be compounded in some of the harder use cases we hope to solve for.

As Christer mentioned there are probably some hard edges around forking and forwarding cases where a callback has trouble finding its way home or the whole thing is otherwise confused by unexpected retargeting. The difference between the way SIP requests are routed and how PSTN calls/messages are routed has always been a challenge in considering “pure SIP” callback mechanisms as a way to prove ownership of a telephone number – I know it’s kind of an assumption of the draft that this just works, but I worry enough about it that I think SMS routability tests are at least as viable, even with the limitations of SMS.

We sometimes talk about "legitimate spoofing" cases in STIR: cases where an entity (a doctor is the usual example) is authorized to use someone else's telephone number. Typically we would address that with certificate delegation, under the RFC8226 model. There are trade-offs related to implementing this with callbacks: if legitimate spoofing needs to be authorized in real time during call set-up, that requires the delegating authority to be available and responsive at the necessary moment. Sometimes that’s convenient but sometimes it might not be.

We can work through those trade-offs, but at the end of the day my biggest concern is that this isn’t moving the ball in the right direction. SIP isn't the only protocol used to originate robocalls, so we've spent some time here thinking about how to make PASSporT and the STIR architecture applicable when SIP isn't being used end-to-end, like in our out-of-band draft. I think we want entities that don't even support SIP to be able to use PASSporT. So while I think a SIP callback could be a way to help get credentials for STIR, it shouldn't be the only way - and the security association it creates should ideally be applicable to signing PASSporTs in non-SIP use cases. This is why at least I’ve been looking at a more generic credential architecture like ACME. Having the credentials just be bare self-signed keys that are only trusted because a recipient has seen them before doesn't seem like a promising incremental step in the direction we want to go. If we have certificates that show even effective proof of control over a telephone number they could be leveraged for other functions than beating impersonation as well, which we’re talking about elsewhere in the IETF.

I think there are probably paths here that have many of the desirable properties of a callback solution that nonetheless have a clearer transition path to our intended architecture, and which perhaps don’t incur some of the challenges that arise from doing this in real time.

Jon Peterson
Neustar, Inc.

v2.23.0 | Report a Bug | By Email