Presentation is loading. Please wait.

Presentation is loading. Please wait.

RFC PASSporT Construction 6.2 Verifier Behavior

Published byΦθα Δαμασκηνός Modified over 5 years ago

Similar presentations

Presentation on theme: "RFC PASSporT Construction 6.2 Verifier Behavior"— Presentation transcript:

1 iat content based on PASSporT issuance time Conflict Analysis against RFC8224 / ATIS-1000074

2 RFC8224 4.1 PASSporT Construction 6.2 Verifier Behavior
Third, the JSON key "iat" MUST appear. The authentication service SHOULD set the value of "iat" to an encoding of the value of the SIP Date header field as a JSON NumericDate (as UNIX time, per [RFC7519], Section 2), though an authentication service MAY set the value of "iat" to its own current clock time. If the authentication service uses its own clock time, then the use of the full form of PASSporT is REQUIRED. In either case, the authentication service MUST NOT generate a PASSporT for a SIP request if the Date header is outside of its local policy for freshness (sixty seconds is RECOMMENDED). Using local clock time as “iat” content is allowed if full form is used 6.2 Verifier Behavior Step 4: Check the Freshness of Date The verifier furthermore ensures that the value of the Date header field of the request meets local policy for freshness (sixty seconds is RECOMMENDED) and that it falls within the validity period of the credential used to sign the Identity header field. For more on the attacks this prevents, see Section If the full form of the PASSporT is present, the verifier SHOULD compare the "iat" value in the PASSporT to the Date header field value in the request. If the two are different, and the "iat" value differs from the Date header field value but remains within verification service policy for freshness, the verification service SHOULD perform the computation required by Step 5, using the "iat" value instead of the Date header field value. For full form, “iat”, Date header content being different is allowed That “iat” passes freshness check is sufficient

3 ATIS-1000074 5.3.1 PASSporT & Identity Header Verification
The verifier validates that the PASSporT token provided in the Identity header of the INVITE includes all of the baseline claims, as well as the SHAKEN extension claims. The verifier shall also follow the draft-ietf-stirrfc4474bis-defined verification procedures to check the corresponding date, originating identity (i.e., the originating telephone number) and destination identities (i.e., the terminating telephone numbers). Follows RFC8224, no new mandates regarding date check 5.3.3 Use of the Full Form of PASSporT Draft-ietf-stir-rfc4474bis supports the use of both full and compact forms of the PASSporT token in the Identity header. The full form of the PASSporT token shall be used to avoid any potential SIP network element interaction with headers, in particular the Date header field, which could lead to large numbers of 438 (‘Invalid Identity Header’) errors being generated. Use of full form mandated

Download ppt "RFC PASSporT Construction 6.2 Verifier Behavior"

Similar presentations

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.

Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.
Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.

Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.
STIR Charter (discussion) STIR BoF Berlin, DE 7/30/2013.

STIR Charter (discussion) STIR BoF Berlin, DE 7/30/2013.
Certificate Credentials STIR WG IETF 91 (Honolulu) Sean Jon.

Certificate Credentials STIR WG IETF 91 (Honolulu) Sean Jon.
All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Alec Brusilovsky, Zhibi Wang Alcatel-Lucent, July 24, 2007.

All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Alec Brusilovsky, Zhibi Wang Alcatel-Lucent, July 24, 2007.
Use of the IPv6 Flow Label as a Transport-Layer Nonce draft-blake-ipv6-flow-nonce-02 Steven Blake IETF 76 November 2009.

Use of the IPv6 Flow Label as a Transport-Layer Nonce draft-blake-ipv6-flow-nonce-02 Steven Blake IETF 76 November 2009.
Rfc4474bis-01 IETF 90 (Toronto) STIR WG Jon. First principles (yet again) Separating the work into two buckets: 1) Signaling – What fields are signed,

Rfc4474bis-01 IETF 90 (Toronto) STIR WG Jon. First principles (yet again) Separating the work into two buckets: 1) Signaling – What fields are signed,
1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3.

1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3.
Andrew Allen Communication Service Identifier.

Andrew Allen Communication Service Identifier.
All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Zhibi Wang January, 2007.

All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Zhibi Wang January, 2007.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)

1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
Stir-cnam STIR WG / IETF 95 Buenos Aires, Apr 2016 Jon.

Stir-cnam STIR WG / IETF 95 Buenos Aires, Apr 2016 Jon.
Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.

Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.
TAG Presentation 18th May 2004 Paul Butler

TAG Presentation 18th May 2004 Paul Butler
Authenticated Identity

Authenticated Identity
draft-rescorla-fallback-01

draft-rescorla-fallback-01
STI Interworking with SIP-PBXs

STI Interworking with SIP-PBXs
TN Proof-of-Possession and Number Portability

TN Proof-of-Possession and Number Portability
OGSA-WG Basic Profile Session #1 Security

OGSA-WG Basic Profile Session #1 Security

Similar presentations

Ads by Google