Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Slides:



Advertisements
Similar presentations
August 2, 2005SIPPING WG IETF 63 ETSI TISPAN ISDN simulation services Roland Jesske Denis Alexeitsev Miguel Garcia-Martin.
Advertisements

Indication of support for keep- alive draft-holmberg-sip-keep-03 Christer Holmberg
Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
1 Creating and Tweaking Data HRP223 – 2010 October 24, 2011 Copyright © Leland Stanford Junior University. All rights reserved. Warning: This.
Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.
Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.
Doc.: IEEE /1096r0 Submission November 2005 Mike Moreton, STMicroelectronicsSlide 1 Emergency Call Support Notice: This document has been prepared.
S/MIME Certificates Cullen Jennings
Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
Certificate Credentials STIR WG IETF 91 (Honolulu) Sean Jon.
Peering Considerations for Directory Assistance and Operator Services - John Haluska Telcordia SPEERMINT, IETF 68 Prague, Czech Republic 20 March 2007.
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 IETF 72 SIP WG meeting SIP Identity issues John Elwell et alia.
Rfc4474bis-01 IETF 90 (Toronto) STIR WG Jon. First principles (yet again) Separating the work into two buckets: 1) Signaling – What fields are signed,
1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3.
SIP Call Package Jonathan Rosenberg dynamicsoft. Three Separate Pieces Call Leg State Package Conference Package To-Join/To-Replace.
Draft-huston-sidr-rfc6490-bis Geoff Huston Slide 1/6.
SIP Extensions for Network-Asserted Caller Identity and Privacy within Trusted Networks Flemming Andreasen W. Marshall, K. K. Ramakrishnan,
Passwords and Password Policies An Important Part of IT Control – by Craig Piercy.
End-to-middle Security in SIP draft-ono-sipping-end2middle-security-04 Kumiko Ono IETF62.
Rfc4474bis-03 IETF 92 (Texas) STIR WG Jon. First principles (yet again) Separating the work into two buckets: 1) Signaling – What fields are signed, signer/verifier.
Caller Preferences Jonathan Rosenberg dynamicsoft.
Location Conveyance in SIP draft-ietf-sip-location-conveyance-01 James M. Polk Brian Rosen 2 nd Aug 05.
March 20th, 2001 SIP WG meeting 50th IETF SIP WG meeting Overlap signalling handling
SIPPING Drafts Jonathan Rosenberg dynamicsoft. Conferencing Package Issues Only one – scope Depends on broader work in conferencing May include –Participant.
Globally Identifiable Number (GIN) Registration Adam Roach draft-martini-roach-gin-01 IETF 77 – Anaheim, CA, USA March 22, 2010.
Stir-cnam STIR WG / IETF 95 Buenos Aires, Apr 2016 Jon.
Draft-peterson-modern- problems-04 Jon Peterson MODERN WG IETF 95 (Buenos Aires)
The Data Large Number of Workbooks Each Workbook has multiple worksheets Transaction worksheets have large (LARGE) number of lines (millions of records.
Timeline – Standards & Requirements
Authenticated Identity
draft-rescorla-fallback-01
Cullen Jennings S/MIME Certificates Cullen Jennings
IP-NNI Joint Task Force Status Update
STIR WG / IETF 94 Yokohama, Nov 2015 Jon
Timeline - ATIS Involvement
TeRI and the MODERN Framework
Cryptography and Network Security
Request History Capability – Requirements & Solution
STIR WG / IETF 97 Seoul, Nov 2016 Jon
Request-URI Param Delivery
Chris Wendt, David Hancock (Comcast)
SIP Identity issues John Elwell, Jonathan Rosenberg et alia
Timeline - ATIS Involvement
IP-NNI Joint Task Force Status Update
How Can I Create A Gmail Account
Verstat Related Best Practices
RFC PASSporT Construction 6.2 Verifier Behavior
RFC PASSporT Construction 6.2 Verifier Behavior
IETF 101 (London) STIR WG Mar2018
Change Proposals for SHAKEN Documents
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
RFC Verifier Behavior Step 4: Check the Freshness of Date
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)
STIR Certificate delegation
Rich Call Data Integrity Mechanism
Presentation transcript:

rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen

First principles (again) Separating the work into two buckets: 1) Signaling – What fields are signed, signer/verifier behavior, canonicalization 2) Credentials – How signers enroll, how verifiers acquire credentials, how to determine a credentials authority for identity Last time, we agreed to accept this point of modularity rfc4474bis is now about (1) – But contains guidance for future specifications of (2)

Recap Identity Signature over To, From, Method, and Date The mechanism works for TNs, could also work for SIP URIs – Would need to specify credential systems for greenfield IDs Optional Identity-Reliance header – Optional for signer to add, optional for verifier to check if present – This too follows agreement from last meeting, and STRINT Identity-Info now much broader – Acts as a selector if multiple parties can sign for the name – Not just for certificates per RFC4474, more on this later Canonicalization (just a stub now) Keep much of the original RFC4474 apparatus – All the response codes, etc.

Credential Systems (5.4) All credential systems must specify: – What URI schemes are permitted in Identity-Info Any special procedures required to dereference those URIs – How the verifier learns the scope of credentials – Procedures required to extract keying material from the resource specified in Identity-Info – Any algorithms other than baseline required by those credentials With the caveat that new algorithms require Standards Action Is this the right list? This creates a point of modularity – We let multiple flowers bloom, or pick one, or something in between

Credentials Certificates – Would follow the original RFC4474 model X.509 certs have always contained telephone numbers – Assume a new CA (or set of CAs) issuing certs for this purpose – Ex: draft-peterson-stir-certificates DNS – Make keys (or pointers to keys) available through the DNS – Ex: draft-kaplan-stir-cider – If we were going down this route, more likely wed use DANE? Also, more likely wed use post-ENUM label syntax? Do we really need to choose between these? – DANE and certs are both options for the web, now – problem? – All credential systems need to meet base requirements, thats it

Canonicalization So how do we do it? (still just a stub in the draft) – Strip special characters, append a country code if missing (crib from ENUM procedures?) – End up with a format like: (should we include the +?) – What if country code cant be inferred (at either side)? Two possible options: – Guess that its from this nation and append a cc, if the call is international, it fails – Leave it without a country code and dont include a +? – What about special numbers? Especially if were canonicalizing To as well Short codes, emergency codes, many corner cases

Open Issues Plenty – Do we want something like a hash in Identity-Info to recognize that credentials have been seen before? – Do we want explicit, always-on integrity protection for keying material in SDP? – Is the signing algorithm right? Do we want to consider EC for smaller keys? – Biggest TBD: canonicalization This was a Frankenstein pass, editing needed

Way Forward Technical knobs and buttons now in place – Details may change, but theres a framework here Is roughly this how we want to go forward?

Back UP

Canonicalization Proposal: Identity is in the From, always – Some discussion about alternate headers (PAI) More to talk about there? – Some services have a reply-to semantic – But, the From header field value is what UAs render Intermediaries may tweak numbers in transit – No bounds on intermediary behavior – Some behaviors might make canonicalization impossible In that case, it just doesnt work If this takes off, hopefully policies will make this easy Both the signer and verifier must canonicalize – Must arrive at the same result, or the verifier will fail it

Replacing RFC4474 Use Identity as the name of the header (or not)? We do want people to use the results of STIR rather than RFC4474 – But, we want to keep all the response codes and related apparatus 428 Use Identity – verifier requires signed Identity 436 Bad Identity – verifier couldnt verify it Punt on Identity-Info as part of the credential piece

Just TNs, or other URIs? Signers and verifiers must be able to recognize a TN in the From – Potentially non-trivial, we cant depend on user=phone or a + – So, STIR implementations will necessarily be aware of non-TN URIs The proposals so far favor doing both – For the signaling module, what would we do differently, really? How much new work is there for non-TNs? – RFC4474 has a good story about this Once you fix the signature fields, as above – DANE support is the only new wrinkle But the dns: URI could go in Identity-Info…

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.