Presentation is loading. Please wait.

Presentation is loading. Please wait.

Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner

Published byCharlene Chapman Modified over 9 years ago

Similar presentations

Presentation on theme: "Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner"— Presentation transcript:

1 Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner (turners@ieca.com)

2 The Path Forward Signaling protocol is coming along – But for credentials, we have big choices Two concrete proposals to date: – draft-kaplan-stir-cider – draft-peterson-stir-certificates – Both -00s. Read either? (show of hands) Are going to choose between them? – Possible to proceed with both – Signing mechanism designed to be agnostic However, that would require compatible keying

3 draft-peterson-stir-certificates-00 Attempt to provide a certificate-based STIR credential system – Still a lot to fill in, but this is the high-level idea Defines attributes for telephones numbers and number ranges Defines ways of acquiring the certs – Largely follows the Identity-Info paradigm Sketches techniques for real-time cert validation

4 draft-kaplan-stir-cider-00 (trying to characterize this fairly, not mine) DNS based approach – Creates an ENUM-like tree – Designed for ease of discovery, lightweight retrieval – Also reuses existing ENUM stacks Some modifications required Keys for each number – Potentially multiple keys per number

5 How to choose? There is basis for comparison – Key uniqueness (multiple keys per TN?) – Enrollment mechanisms (“golden root”?) – Credential acquisition (which protocol(s)?) – Rollover, expiry (easier with one or the other?) – Public or private credentials (requirement?) – Delegation (including partial delegation) Other important considerations? Do these give us enough to make a decision?

6 Choices or Hums Do we have consensus to do one, or both? – Or do we need another choice? Possible to skin either of these cats differently If not, what’s our path to get there? (detailed issues follow, time permitting)

7 DETAILED ISSUES

8 Which credentials do verifiers need? Can we uniquely identify the needed credential based on TN alone? – Depends on how many authorities there are How many authorities and delegates per number? – Some kind of hint needed to disambiguate Identity-Info CIDER “public key index value”

9 Enrollment Document assumes a threefold method – Direct assignment From numbering authorities, regulators, etc. – Delegation from above From other number holders – Proof of possession Last time here, we had “no opposition” to going forward with that Is there a “golden root”

10 Verifier Credential Acquisition Different methods of acquiring certs – Push (e.g., credential arrives with a SIP request) MIME multipart body – Pull (e.g., verifier acquires credential on receipt of request) Either dereferencing Identity-Info URI DNS: or creating a fetch based on the originating number – For certs, current recommendation is to use EST (RFC7030) – Prefetch (verifier gets top 500 keys) with pull SIP SUBSCRIBE/NOTIFY mentioned in the text – Others? Probably – no need to choose one (but MTI?) DANE? If you there’s a DNS tree…

11 Expiry, Revocation and Rollover All credentials will have a lifetime – Ordinary rollover Sometimes keys will be compromised before their expiry – But telephone numbers change owners, get ported, transfer normally Some sort of real-time checking required – DNS gets this for free (presuming no caching) – For certs, pull method could encompass this check As could the prefetch – OCSP checks, but adds some overhead More investigation to be done here

12 Open Issue: Handling Ranges But some entities will have authority over multiple numbers – Administrative domains could control millions of numbers In non-continuous ranges – Includes service providers, enterprises, resellers, etc. Ideally, a service provider should not have to have one credential per number – The draft contains new syntax for number ranges

13 Open Issue: Partial Delegation Authority over numbers conflates many powers Should it be possible to delegate authority over services? – e.g., my SMS provider can sign my texts (MESSAGE), but my voice provider signs my INVITEs Yes, example is kind of contrived Can I give my SMS provider a text-specific cert that would not enable to them to sign voice calls? Too complex? Do we need this?

14 Open Issue: Private Key Provisioning How do signers acquire and manage private keys? – Self-generated and provisioned at the authority? – Generated by the authority and downloaded to devices? Intermediaries and enterprises – Provision keys for number blocks, sign on behalf of calls/texts passing by – May possess many keys What’s the right tool to accomplish this?

15 Open Issue: Public or Confidential Credentials? How much information are we willing to make public? – Should credentials advertise a subject (e.g., “AT&T”) Okay when a call is received to know the originating carrier? – Receiving user vs. receiving carrier may be different More seriously, can an attacker mine a public database to reveal who owns all numbers? – Will we introduce VIPR-like privacy leaks? Can we restrict access to the credentials? – Identity-Info, say, could have short lived, unguessable URLs – How important is endpoint verification? Does trust become transitive if endpoints rely on intermediary verifiers?

Download ppt "Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner"

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Access Control Methodologies

Access Control Methodologies
STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.

STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.

Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
Location Hiding: Problem Statement, Requirements, (and Solutions?) Richard Barnes IETF 71, Philadelphia, PA, USA.

Location Hiding: Problem Statement, Requirements, (and Solutions?) Richard Barnes IETF 71, Philadelphia, PA, USA.
1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

Similar presentations

Ads by Google