Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt

Jack Rickard <jack.rickard@microsoft.com> Wed, 20 April 2022 11:44 UTC

From: Jack Rickard <jack.rickard@microsoft.com>
To: Chris Wendt <chris-ietf@chriswendt.net>
CC: IETF STIR Mail List <stir@ietf.org>
Date: Wed, 20 Apr 2022 11:43:44 +0000
Message-ID: <HE1PR83MB03785B2FB3892677D05A7EE988F59@HE1PR83MB0378.EURPRD83.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/zbJ1Yi0H_djfaBmZ1Tw8fs0y1tE>
Subject: Re: [stir] I-D Action: draft-ietf-stir-passport-rcd-15.txt

Hi Chris,

I don't agree with one of your comments:

From: Chris Wendt <chris-ietf@chriswendt.net>
On Mar 9, 2022, at 1:44 PM, Jack Rickard <jack.rickard@microsoft.com> wrote:

Section 15
The second paragraph seems to be suggesting that only certificates containing JWTClaimsConstraints should be trusted to add rcd information (without some other trust relationship), but I don't understand why this is the case? Surely, you either trust the entity that added the RCD information or you don't, why should extra constraints on the certificate have any impact on that? I expected this section to say something like "The verifier must validate that the signer is trusted to provide Rich Call Data, in addition to having authority over the originating address".

This also raises the question of whether an RCD passport authenticates the originator like a base passport? I don't think there's any text to suggest that it doesn't, but that would prevent intermediaries who have no authenticated relationship with the originator from adding RCD information.

An intermediary can add an RCD PASSporT.  Authenticated relationships are a "shaken" concept not an "rcd" concept, RCD information should be vetted and signed by a party the destination can trust did that validation specific to RCD for a given telephone number(s).  This is the key to what I am trying to clarify.  How can I have an SPC level "shaken" certificate for RCD information with integrity, it makes no sense.
I didn't remove the ability to put "rcd" information in other PASSporTs, but it's not something I think we should be recommending for mainstream cases.


Currently intermediaries are not able to add RCD passports: RFC 8224 Section 6.1 states "The authentication service MUST then determine whether or not the originator of the request is authorized to claim the identity given in the identity field.  In order to do so, the authentication service MUST authenticate the originator of the message." As that clause applies to all passports, is not overridden by anything in the RCD spec, and intermediaries will not be able to authenticate the caller, they are not allowed to authenticate the caller. (I believe this issue affects RPH too.) For intermediaries to be able to put RCD passports on a call that section must be overridden in the RCD standard.

For a more concrete scenario as to why this is a problem:
Imagine an ecosystem where shaken passports are not required to authenticate a call, base passports are considered enough to say "I, <credential>, have authenticated the caller and they are allowed to use this identity" (I'm pretty sure this is compliant with RFC 8224). If you are an intermediary who has a credential that everyone trusts for everything, then you cannot put an RCD passport on the call, if you did then the callee would think that you are asserting that the caller is allowed to use the identity even though you have no idea if that's the case!

Thanks,
Jack