Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Published byBrodie Loveman Modified over 10 years ago

Similar presentations

Presentation on theme: "Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen."— Presentation transcript:

1 rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen

2 First principles (again) Separating the work into two buckets: 1) Signaling – What fields are signed, signer/verifier behavior, canonicalization 2) Credentials – How signers enroll, how verifiers acquire credentials, how to determine a credentials authority for identity Last time, we agreed to accept this point of modularity rfc4474bis is now about (1) – But contains guidance for future specifications of (2)

3 Recap Identity Signature over To, From, Method, and Date The mechanism works for TNs, could also work for SIP URIs – Would need to specify credential systems for greenfield IDs Optional Identity-Reliance header – Optional for signer to add, optional for verifier to check if present – This too follows agreement from last meeting, and STRINT Identity-Info now much broader – Acts as a selector if multiple parties can sign for the name – Not just for certificates per RFC4474, more on this later Canonicalization (just a stub now) Keep much of the original RFC4474 apparatus – All the response codes, etc.

4 Credential Systems (5.4) All credential systems must specify: – What URI schemes are permitted in Identity-Info Any special procedures required to dereference those URIs – How the verifier learns the scope of credentials – Procedures required to extract keying material from the resource specified in Identity-Info – Any algorithms other than baseline required by those credentials With the caveat that new algorithms require Standards Action Is this the right list? This creates a point of modularity – We let multiple flowers bloom, or pick one, or something in between

5 Credentials Certificates – Would follow the original RFC4474 model X.509 certs have always contained telephone numbers – Assume a new CA (or set of CAs) issuing certs for this purpose – Ex: draft-peterson-stir-certificates DNS – Make keys (or pointers to keys) available through the DNS – Ex: draft-kaplan-stir-cider – If we were going down this route, more likely wed use DANE? Also, more likely wed use post-ENUM label syntax? Do we really need to choose between these? – DANE and certs are both options for the web, now – problem? – All credential systems need to meet base requirements, thats it

6 Canonicalization So how do we do it? (still just a stub in the draft) – Strip special characters, append a country code if missing (crib from ENUM procedures?) – End up with a format like: +17004561000 (should we include the +?) – What if country code cant be inferred (at either side)? Two possible options: – Guess that its from this nation and append a cc, if the call is international, it fails – Leave it without a country code and dont include a +? – What about special numbers? Especially if were canonicalizing To as well Short codes, emergency codes, many corner cases

7 Open Issues Plenty – Do we want something like a hash in Identity-Info to recognize that credentials have been seen before? – Do we want explicit, always-on integrity protection for keying material in SDP? – Is the signing algorithm right? Do we want to consider EC for smaller keys? – Biggest TBD: canonicalization This was a Frankenstein pass, editing needed

8 Way Forward Technical knobs and buttons now in place – Details may change, but theres a framework here Is roughly this how we want to go forward?

9 Back UP

10 Canonicalization Proposal: Identity is in the From, always – Some discussion about alternate headers (PAI) More to talk about there? – Some services have a reply-to semantic – But, the From header field value is what UAs render Intermediaries may tweak numbers in transit – No bounds on intermediary behavior – Some behaviors might make canonicalization impossible In that case, it just doesnt work If this takes off, hopefully policies will make this easy Both the signer and verifier must canonicalize – Must arrive at the same result, or the verifier will fail it

11 Replacing RFC4474 Use Identity as the name of the header (or not)? We do want people to use the results of STIR rather than RFC4474 – But, we want to keep all the response codes and related apparatus 428 Use Identity – verifier requires signed Identity 436 Bad Identity – verifier couldnt verify it Punt on Identity-Info as part of the credential piece

12 Just TNs, or other URIs? Signers and verifiers must be able to recognize a TN in the From – Potentially non-trivial, we cant depend on user=phone or a + sip:67463@shortcode.com – So, STIR implementations will necessarily be aware of non-TN URIs The proposals so far favor doing both – For the signaling module, what would we do differently, really? How much new work is there for non-TNs? – RFC4474 has a good story about this Once you fix the signature fields, as above – DANE support is the only new wrinkle But the dns: URI could go in Identity-Info…

Download ppt "Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen."

Similar presentations

August 2, 2005SIPPING WG IETF 63 ETSI TISPAN ISDN simulation services Roland Jesske Denis Alexeitsev Miguel Garcia-Martin.

August 2, 2005SIPPING WG IETF 63 ETSI TISPAN ISDN simulation services Roland Jesske Denis Alexeitsev Miguel Garcia-Martin.
Indication of support for keep- alive draft-holmberg-sip-keep-03 Christer Holmberg

Indication of support for keep- alive draft-holmberg-sip-keep-03 Christer Holmberg
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.

STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
1 Creating and Tweaking Data HRP223 – 2010 October 24, 2011 Copyright © 1999-2011 Leland Stanford Junior University. All rights reserved. Warning: This.

1 Creating and Tweaking Data HRP223 – 2010 October 24, 2011 Copyright © Leland Stanford Junior University. All rights reserved. Warning: This.
Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.

Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.
Masud Hasan 03-60-475 Secure Email Project 1. Secure Email It uses Digital Certificate combined with S/MIME capable email clients to digitally sign and.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.

DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.
Doc.: IEEE 802.11-05/1096r0 Submission November 2005 Mike Moreton, STMicroelectronicsSlide 1 Emergency Call Support Notice: This document has been prepared.

Doc.: IEEE /1096r0 Submission November 2005 Mike Moreton, STMicroelectronicsSlide 1 Emergency Call Support Notice: This document has been prepared.
S/MIME Certificates Cullen Jennings

S/MIME Certificates Cullen Jennings
Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner

Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner

Similar presentations

Ads by Google