IETF Logo Mail Archive

Re: [stir] On OCSP, TNs, and Privacy

Richard Shockey <richard@shockey.us> Wed, 29 July 2015 02:07 UTC

Return-Path: <richard@shockey.us>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 385101A1B5A for <stir@ietfa.amsl.com>; Tue, 28 Jul 2015 19:07:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.066
X-Spam-Level:
X-Spam-Status: No, score=-1.066 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_54=0.6, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 76AmJoJtIqzb for <stir@ietfa.amsl.com>; Tue, 28 Jul 2015 19:07:27 -0700 (PDT)
Received: from qproxy2.mail.unifiedlayer.com (qproxy2-pub.mail.unifiedlayer.com [69.89.16.161]) by ietfa.amsl.com (Postfix) with SMTP id EFB5F1A1B59 for <stir@ietf.org>; Tue, 28 Jul 2015 19:07:26 -0700 (PDT)
Received: (qmail 1068 invoked by uid 0); 29 Jul 2015 02:07:25 -0000
Received: from unknown (HELO cmgw2) (10.0.90.83) by qproxy2.mail.unifiedlayer.com with SMTP; 29 Jul 2015 02:07:25 -0000
Received: from box462.bluehost.com ([74.220.219.62]) by cmgw2 with id y1nF1q00f1MNPNq011nJjg; Tue, 28 Jul 2015 19:47:23 -0600
X-Authority-Analysis: v=2.1 cv=O9qq4nNW c=1 sm=1 tr=0 a=jTEj1adHphCQ5SwrTAOQMg==:117 a=jTEj1adHphCQ5SwrTAOQMg==:17 a=cNaOj0WVAAAA:8 a=f5113yIGAAAA:8 a=15FYYZ9mYYQA:10 a=IkcTkHD0fZMA:10 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=ZZnuYtJkoWoA:10 a=8WrITzYgnNwA:10 a=YQA3agX6zLcA:10 a=zOBTXjUuO1YA:10 a=48vgC7mUAAAA:8 a=ll-iCDY8AAAA:8 a=M0OflfRGAAAA:8 a=N7-_X-PFAAAA:8 a=zQP7CpKOAAAA:8 a=VfgTrTGYAAAA:8 a=HLLxP2VMAAAA:8 a=izV7ms69AAAA:8 a=0pPj3hHQnHfLbYAIOaQA:9 a=jV0tfMMF-RLq_ghK:21 a=tAh4Jrgy399YKpU9:21 a=QEXdDO2ut3YA:10 a=ivbTfD_dPm4A:10 a=DzjOOp_o1eYA:10 a=-h7pEDzCGw4A:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-transfer-encoding:Content-type:Mime-version:In-Reply-To:References:Message-ID:CC:To:From:Subject:Date; bh=oiXT6MBHzw61Ntn1k6rkFS/hagWiXG823iEaM8d/mz8=; b=K+314sRBkJm6SesjO+PwO9I5ZSIJRgAwjT2Cee1b9CichuXMYgIDfWOYaeYtbq9Qe9x2Bi2dBUq0J6JBxjNgbvb+q9iLjlklkX2S52uQHXe58Rrnp6t/7K5CdFwHUBQx;
Received: from [100.36.26.202] (port=49246 helo=[192.168.1.12]) by box462.bluehost.com with esmtpa (Exim 4.84) (envelope-from <richard@shockey.us>) id 1ZKGSj-0004e4-9R; Tue, 28 Jul 2015 19:47:17 -0600
User-Agent: Microsoft-MacOutlook/14.5.3.150624
Date: Tue, 28 Jul 2015 21:47:12 -0400
From: Richard Shockey <richard@shockey.us>
To: Richard Barnes <rlb@ipv.sx>
Message-ID: <D1DDA6B5.2B4CD%richard@shockey.us>
Thread-Topic: [stir] On OCSP, TNs, and Privacy
References: <CAL02cgS_5HrsbeK13T=j31j101hOuSxpjzzRKT93_2zze1xuAg@mail.gmail.com> <BAFABE68-20A7-4C91-9F15-E33E3D5379B5@brianrosen.net> <4B1956260CD29F4A9622F00322FE0531011D3D1D5043@BOBO1A.bobotek.net> <8bcb891a0db145d6882b17374210fd21@PLSWE13M08.ad.sprint.com> <CAL02cgTiZnLxpmcHb57f31NEFcLu-XY=hRQ-5jrsn11x6mtZBQ@mail.gmail.com> <0f678e7a59904ae5b2a2dabce1a4e0a2@PLSWE13M08.ad.sprint.com> <CY1PR09MB06343E53B0B396964D6EF811EA8D0@CY1PR09MB0634.namprd09.prod.outlook.com> <38726EDA2109264987B45E29E758C4D60586269A@MISOUT7MSGUSRDD.ITServices.sbc.com> <CAL02cgR+5wCUcUSGQ4q0LsBMxdgXuo-O92QCj4h74Eh49BxTXA@mail.gmail.com> <D1DD78E9.2B457%richard@shockey.us> <CAL02cgT+_WuczP+xeKLNH1VQovpVTeNYdw_tEaDwvtrOj5yFrg@mail.gmail.com>
In-Reply-To: <CAL02cgT+_WuczP+xeKLNH1VQovpVTeNYdw_tEaDwvtrOj5yFrg@mail.gmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
X-Identified-User: {3286:box462.bluehost.com:shockeyu:shockey.us} {sentby:smtp auth 100.36.26.202 authed with richard+shockey.us}
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/wAwIPy0dDjLUaExCKVYMvqdAxo8>
Cc: "stir@ietf.org" <stir@ietf.org>, "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>, "PFAUTZ, PENN L" <pp3129@att.com>, Henning Schulzrinne <Henning.Schulzrinne@fcc.gov>
Subject: Re: [stir] On OCSP, TNs, and Privacy
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 02:07:30 -0000

Richard.  That is the core problem here. As far as some of us believe
there are no silver bullets and STIR in itself is not the ultimate
solution. It was in the beginning a multifaceted problem. We knew that the
goal was to suppress the problem sufficiently in order to restore public
confidence in the system.

Perfection is not the goal.  Goodness knows I don’t think ENUM is now the
solution for database distrbution.  The model to be sure but we have much
better tools and HTTPS now for distributed databases.

Focus on tools and not policy.




On 7/28/15, 6:57 PM, "stir on behalf of Richard Barnes"
<stir-bounces@ietf.org on behalf of rlb@ipv.sx> wrote:

>On Tue, Jul 28, 2015 at 6:30 PM, Richard Shockey <richard@shockey.us>
>wrote:
>>
>> Richard .. Be reasonable here its not a perfect world and IETF
>>protocols,
>
>You are correct that if we build a putative security solution based on
>public keys passed DNS, it will not be an IETF protocol.  It will not
>become an RFC because it will not meet the IETF's security standards.
>
>And in any case, it's not that much harder to do the really secure
>thing.  Even if you want a central registry, do it over HTTPS, and
>it'll be just as fast and 100% more secure.
>
>--Richard
>
>
>> especially its security protocols are not perfect.  At some point the
>> limited competency of the IETF will move into the realm of policy.
>>
>> In the US that means the usual suspects will have to weigh in. ATIS INC,
>> the NANC,FCC. Its only a matter of time this ends up being a FCC Docket.
>> This is not to say engineering concerns do not drive policy, far from it
>> look at spectrum issues for instance.
>>
>> But its their [FCC CRTC OFCOM ART BeNetA FICORA) numbers and we (IETF)
>>do
>> not dictate policy. Only offer options.
>>
>>
>> ‹
>> Richard Shockey
>> Shockey Consulting LLC
>> Chairman of the Board SIP Forum
>> www.shockey.us
>> www.sipforum.org
>> richard<at>shockey.us
>> Skype-Linkedin-Facebook rshockey101
>> PSTN +1 703-593-2683
>>
>>
>>
>>
>>
>> On 7/28/15, 4:06 PM, "stir on behalf of Richard Barnes"
>> <stir-bounces@ietf.org on behalf of rlb@ipv.sx> wrote:
>>
>>>http://www.afldreamers.com/wp-content/uploads/2014/01/why-not-have-both-
>>>30
>>>0x187.png
>>>
>>>You could have a database of certs+OCSP responses as an optimization.
>>>IIRC, Identity-Info only has pointers to certs anyway.
>>>
>>>On Tue, Jul 28, 2015 at 3:13 PM, PFAUTZ, PENN L <pp3129@att.com> wrote:
>>>> Forgive me but my reptile brain keeps whispering in my ear that this
>>>>would be a lot easier if we simply had a numbering registry, whether
>>>>distributed or centralized - like we need anyway for at least for
>>>>number
>>>>portability - that also contained the public keys. No tedious mucking
>>>>about in cyberspace with certs, CRLs, or OCSP.
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Henning
>>>>Schulzrinne
>>>> Sent: Tuesday, July 28, 2015 10:24 AM
>>>> To: Gorman, Pierce A [CTO]
>>>> Cc: stir@ietf.org
>>>> Subject: Re: [stir] On OCSP, TNs, and Privacy
>>>>
>>>> In the US alone, we have about 4000 carriers. Managing the reputation
>>>>of that many entities, reliably (i.e., without making false
>>>>positive/negative mistakes) seems a whole lot more manual effort than
>>>>storing bags of bits. Storage and automation is cheap, human judgement
>>>>and dealing with mistakes is expensive.
>>>>
>>>> Obviously, nothing in the architecture prevents wildcard certificates.
>>>>
>>>> -----Original Message-----
>>>> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Gorman, Pierce
>>>>A
>>>>[CTO]
>>>> Sent: Tuesday, July 28, 2015 10:14 AM
>>>> To: Richard Barnes <rlb@ipv.sx>
>>>> Cc: stir@ietf.org; Alex Bobotek <alex@bobotek.net>; Brian Rosen
>>>><br@brianrosen.net>
>>>> Subject: Re: [stir] On OCSP, TNs, and Privacy
>>>>
>>>> I thought the discussion was on key/cert management.  I'm asking if I
>>>>understood the suggestion to minimize requirements.  How is that off
>>>>topic?
>>>>
>>>> Best regards,
>>>>
>>>>
>>>> Pierce Gorman
>>>> Core Network Planning
>>>> O: 913-439-4368
>>>> pierce.gorman@sprint.com
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Richard Barnes [mailto:rlb@ipv.sx]
>>>> Sent: July 28, 2015 9:12 AM
>>>> To: Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>
>>>> Cc: Alex Bobotek <alex@bobotek.net>; Brian Rosen <br@brianrosen.net>;
>>>>stir@ietf.org
>>>> Subject: Re: [stir] On OCSP, TNs, and Privacy
>>>>
>>>> On Tue, Jul 28, 2015 at 9:51 AM, Gorman, Pierce A [CTO]
>>>><Pierce.Gorman@sprint.com> wrote:
>>>>> "Large scale certificate management is expensive, and TN-specific
>>>>>certificates are unneeded for securing calls placed by parties who
>>>>>choose to place calls through a single reputable telephone service
>>>>>provider."
>>>>>
>>>>> Are you saying that for "on-net" calls, STIR methodology is
>>>>>unnecessary?
>>>>
>>>> This seems a little off-topic for this list.
>>>>
>>>> --Richard
>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>>
>>>>> Pierce Gorman
>>>>> Core Network Planning
>>>>> O: 913-439-4368
>>>>> pierce.gorman@sprint.com
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alex Bobotek [mailto:alex@bobotek.net]
>>>>> Sent: July 27, 2015 11:36 PM
>>>>> To: Brian Rosen <br@brianrosen.net>; Richard Barnes <rlb@ipv.sx>
>>>>> Cc: stir@ietf.org
>>>>> Subject: Re: [stir] On OCSP, TNs, and Privacy
>>>>>
>>>>> What motivation would a carrier have to choose any model other than
>>>>>carrier signing using one of a very limited set of carrier-owned keys?
>>>>>Large scale certificate management is expensive, and TN-specific
>>>>>certificates are unneeded for securing calls placed by parties who
>>>>>choose to place calls through a single reputable telephone service
>>>>>provider.  Anyone can get many certificates, even a free ones
>>>>>anonymously from some issuers.  It is typically a combination of the
>>>>>strength of the end-user authentication performed by the service
>>>>>provider (or certificate issuer in a provider-agnostic model) and the
>>>>>identity's history that are most useful in security.
>>>>>
>>>>> If we're trying to secure the current telephone system, DNS-like key
>>>>>repositories a la DKIM or perhaps a small number (compared to the
>>>>>number of TNs) of certificates are far more practical.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Alex
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Brian Rosen
>>>>>> Sent: Monday, July 27, 2015 7:40 PM
>>>>>> To: Richard Barnes <rlb@ipv.sx>
>>>>>> Cc: stir@ietf.org
>>>>>> Subject: Re: [stir] On OCSP, TNs, and Privacy
>>>>>>
>>>>>> What this means in practice is that it¹s TN per cert.
>>>>>>
>>>>>> I wouldn¹t say that it¹s impossible for a carrier to maintain dozens
>>>>>> of copies of millions of private keys securely, but it¹s hard.  You
>>>>>> need multiple copies because you have multiple elements that can
>>>>>> initiate a call, and you don¹t want to depend on a centralized
>>>>>> resource to do something as basic as create a call.
>>>>>>
>>>>>> I think it¹s hard enough that REQUIRING cert per TN is not
>>>>>>acceptable.
>>>>>>
>>>>>> Folks with more intimate knowledge of carrier SIP infrastructure
>>>>>> might have more insight than I do.  It may be acceptable to have a
>>>>>> centralized resource to manage millions of keys.
>>>>>>
>>>>>> Brian
>>>>>>
>>>>>> > On Jul 27, 2015, at 6:13 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>>>>> >
>>>>>> > After the STIR meeting in Prague, Henning and I spent a few
>>>>>>minutes
>>>>>> > talking through options for revocation checking and certificate
>>>>>> > scoping, and I think we have a better idea of what the optimal
>>>>>> > solution looks like.  Some notes are below, and some slides with
>>>>>> > pictures attached.
>>>>>> >
>>>>>> > tl;dr: We should:
>>>>>> > * Keep TNs in certificates and not bother with any OCSP extensions
>>>>>> > * Require Identity-Info to include OCSP responses for all certs in
>>>>>> > the chain
>>>>>> >
>>>>>> >
>>>>>> > # Background: Revocation in the web PKI
>>>>>> >
>>>>>> > In an HTTPS transaction, the HTTPS server provides the client with
>>>>>> > a certificate, and it can optionally include an OCSP response
>>>>>>("staple"
>>>>>> > it to the transaction).
>>>>>> >
>>>>>> > A certificate contains a validity interval, a key, and some
>>>>>>names/TNs.
>>>>>> > An OCSP responses contains a validity interval, a certificate ID
>>>>>> > (i.e., a hash), and a status (good/revoked/unknown).  In the web
>>>>>> > PKI, certificates are required to be no more than 39 months long,
>>>>>> > and OCSP responses no more than 10 days.
>>>>>> >
>>>>>> > Ideally, a client only considers a certificate valid if it is
>>>>>> > accompanied by an OCSP response.  In practice, this is not always
>>>>>> > possible; because OCSP queries fail around 3% of the time,
>>>>>>browsers
>>>>>> > can't require OCSP.  This operational fact will be important
>>>>>>below,
>>>>>> > but we will continue to have scoping cert lifetimes as an
>>>>>>objective.
>>>>>> >
>>>>>> > In the web PKI, there are basically three revocation checking
>>>>>>modalities:
>>>>>> >
>>>>>> > 1. Live OCSP checking [RFC6069]
>>>>>> > 2. OCSP stapling / must_staple [RFC6066,
>>>>>> > draft-hallambaker-tlsfeature] 3. Short-lived certificates (~OCSP
>>>>>> > lifetime)
>>>>>> >
>>>>>> > (The last of these is relatively novel, and has not been deployed.
>>>>>> > Neither has must-staple.  But they're both pretty trivial, and
>>>>>> > could be folded into a STIR architecture pretty easily.)
>>>>>> >
>>>>>> > Right now, about 90% of TLS transactions use live OCSP, and about
>>>>>>10%.
>>>>>> > CAs and browsers dearly want the world to move toward stapled OCSP
>>>>>> > or short-lived certs, because these reduces latency and improve
>>>>>>the
>>>>>> > quality of revocation information.
>>>>>> >
>>>>>> > Revocation for CA certificates is currently done by having
>>>>>>browsers
>>>>>> > download a list from a centralized server, since there's no way to
>>>>>> > staple more than one OCSP response.  That solution works OK for
>>>>>>the
>>>>>> > web, but if I were designing something de novo, I would probably
>>>>>> > use multi-stapling as well.
>>>>>> >
>>>>>> >
>>>>>> > # Applying this experience to STIR
>>>>>> >
>>>>>> > Most of the below appear to be desired properties by the WG:
>>>>>> >
>>>>>> > * Verifier neeeds to know that a cert is valid for a specific
>>>>>> > number
>>>>>> > * Scoped cert lifetime: Limit certs to ~1week lifetime (by OCSP if
>>>>>> > issued longer)
>>>>>> > * Caller privacy: Don't report what calls someone receives to a
>>>>>> > central server
>>>>>> > * Carrier privacy: Don't allow a third party to figure out all the
>>>>>> > numbers a carrier holds
>>>>>> > * Minimize the rate at which the CA has to sign things
>>>>>> > * Tolerate outages at the CA
>>>>>> >
>>>>>> > I'm going to assume for now that we will not do live OCSP.  It
>>>>>> > violates the caller privacy requirement, and as discussed above,
>>>>>>it
>>>>>> > just sucks operationally.  So STIR should require OCSP to be sent
>>>>>> > in "stapled" form, which probably means sending it in
>>>>>>Identity-Info.
>>>>>> > And while we're at it, we should also do "multi-stapling" -- send
>>>>>> > an OCSP response for CA certs as well.
>>>>>> >
>>>>>> > So if we consider a server with 50k TNs / blocks, that leaves us
>>>>>> > with basically 3 options:
>>>>>> >
>>>>>> > 1. 50k short-lived certs (no OCSP)
>>>>>> > 2. 50k long-lived certs scoped to TNs + generic OCSP 3. 1
>>>>>> > long-lived cert not scoped to TN (or a few loosely scoped) + OCSP
>>>>>> > with TN info
>>>>>> >
>>>>>> > (As I didn't quite get to say in the meeting, regardless of the
>>>>>> > approach, you have to have 50k of *something*.)  Of these, it
>>>>>>seems
>>>>>> > like the preference order is 2 > 1 > 3.
>>>>>> >
>>>>>> > Option 3 is bad from several perspectives:
>>>>>> > * Putting TN info in the OCSP response enables someone to trawl
>>>>>>for
>>>>>> > numbers unless you access-control the OCSP server, so you inherit
>>>>>>a
>>>>>> > requirement to do that.
>>>>>> > * With the rate of churn in number assignments, you're probably
>>>>>> > going to have to update the long-lived cert pretty frequently
>>>>>>anyway.
>>>>>> > * Putting TN-specific stuff in certs is better than putting it in
>>>>>> > OCSP.  As bad as X.509 libraries can be, OCSP libraries are much
>>>>>> > worse.
>>>>>> >
>>>>>> > Option 1 is mainly bad from the perspective of CA load and
>>>>>>outages.
>>>>>> > With Option 2, if the CA goes down, client can continue to use the
>>>>>> > long-lived cert and just not bother doing OCSP (vs. tolerating an
>>>>>> > expired cert).  Slightly cleaner.  Plus, there's a lot more
>>>>>> > experience caching OCSP than new certs.  OCSP signing can also be
>>>>>> > delegated, so you can have the recurring operation done by a
>>>>>>lower-risk key.
>>>>>> >
>>>>>> > Option 2 should be pretty easy to automate.  You can probably
>>>>>> > re-use tooling for OCSP stapling that has already been developed
>>>>>> > for use with HTTPS.  If you're a big box signing for a bunch of
>>>>>> > numbers, you do need to select the right cert and OCSP response
>>>>>>for
>>>>>> > a given call, but that's a pretty simple lookup table.
>>>>>> > <STIR.pptx>_______________________________________________
>>>>>> > stir mailing list
>>>>>> > stir@ietf.org
>>>>>> > https://www.ietf.org/mailman/listinfo/stir
>>>>>>
>>>>>> _______________________________________________
>>>>>> stir mailing list
>>>>>> stir@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/stir
>>>>>
>>>>> ________________________________
>>>>>
>>>>> This e-mail may contain Sprint proprietary information intended for
>>>>>the sole use of the recipient(s). Any use by others is prohibited. If
>>>>>you are not the intended recipient, please contact the sender and
>>>>>delete all copies of the message.
>>>>
>>>> ________________________________
>>>>
>>>> This e-mail may contain Sprint proprietary information intended for
>>>>the
>>>>sole use of the recipient(s). Any use by others is prohibited. If you
>>>>are not the intended recipient, please contact the sender and delete
>>>>all
>>>>copies of the message.
>>>> _______________________________________________
>>>> stir mailing list
>>>> stir@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/stir
>>>> _______________________________________________
>>>> stir mailing list
>>>> stir@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/stir
>>>> _______________________________________________
>>>> stir mailing list
>>>> stir@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/stir
>>>
>>>_______________________________________________
>>>stir mailing list
>>>stir@ietf.org
>>>https://www.ietf.org/mailman/listinfo/stir
>>
>>
>
>_______________________________________________
>stir mailing list
>stir@ietf.org
>https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email