Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3.

Published byAugusta Brown Modified over 8 years ago

Similar presentations

Presentation on theme: "1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3."— Presentation transcript:

1 1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3

2 2 Separate the work into two buckets: 1) Signaling What fields are signed, signer/verifier behavior, canonicalization 2) Credentials How signers enroll, how verifiers acquire credentials, how to determine a credential’s authority for identity These are separable and modular pieces of work More consensus today on (1) than on (2) ? Could be separate drafts Could have only one approach to (2), or maybe more

3 3

4 4 Signature over a concatenation of To, From and Date From Signer and verifier must be able to recognize a TN If TN, sign only the canonicalized TN (more later) Date (straightforward, replay protection) To Sign TN only if there’s a TN? Does a TN in the To also need a canonicalization pass? Probably Calls may be retargeted/forwarded in transit How can a verifier know that a call is destined for them? Mostly useful for replay protection

5 5 … and one proposal added an optional field to the end RFC4474bis defines a Identity-Reliance header If present, the signature in Identity-Reliance is signed over with the From, To and Date Signer can opt to include it or not Verifier always checks the From/To/Date/I-R signature, but doesn’t have to check the signature in Identity-Reliance itself However, no one can fool the verifier into thinking the signer did not provide I- R if main signature survives

6 6 The motivation here is provide a way to link the identity protection to integrity protection over other parts of the message Won’t be useful in all environments, but might be in some Most of what we want to protect is in the body Protecting keying material fingerprints This is our best story for how to actually secure SIP media MESSAGE-like cases where body is content Ultimately, all we need to decide now is whether to allow this point of extensibility With the opt-in properties on the last slide Identity-Reliance is just an example

7 7 Proposal: Identity is in the From, always Some discussion about alternate headers (PAI) More to talk about there? Some services have a reply-to semantic But, the From header field value is what UAs render Intermediaries may tweak numbers in transit No bounds on intermediary behavior Some behaviors might make canonicalization impossible In that case, it just doesn’t work If this takes off, hopefully policies will make this easy Both the signer and verifier must canonicalize Must arrive at the same result, or the verifier will fail it

8 8 So how do we do it? Strip special characters, append a country code if missing (crib from ENUM procedures?) End up with a format like: +17004561000 (should we include the +) What if country code can’t be inferred (at either side)? Two possible options: Guess that it’s from this nation and append a cc, if the call is international, it fails Leave it without a country code and don’t include a +? What about special numbers? Especially if we’re canonicalizing To as well Short codes, emergency codes, many corner cases

9 9 Signers and verifiers must be able to recognize a TN in the From Potentially non-trivial, we can’t depend on user=phone or a + sip:67463@shortcode.com So, STIR implementations will necessarily be aware of non-TN URIs The proposals so far favor doing both For the signaling module, what would we do differently, really? How much new work is there for non-TNs? RFC4474 has a good story about this Once you fix the signature fields, as above DANE support is the only new wrinkle But the dns: URI could go in Identity-Info…

10 10 Use Identity as the name of the header (or not)? We do want people to use the results of STIR rather than RFC4474 But, we want to keep all the response codes and related apparatus 428 “Use Identity” – verifier requires signed Identity 436 “Bad Identity” – verifier couldn’t verify it Punt on Identity-Info as part of the credential piece

Download ppt "1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3."

Similar presentations

SIP Session-ID draft-kaplan-sip-session-id-02 Hadriel Kaplan.

SIP Session-ID draft-kaplan-sip-session-id-02 Hadriel Kaplan.
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.
STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.

STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
4 August 2005draft-burger-simple-imdn-011 Instant Message Delivery Notification (IMDN) for Presence and Instant Messaging (CPIM) Messages draft-burger-simple-imdn-01.

4 August 2005draft-burger-simple-imdn-011 Instant Message Delivery Notification (IMDN) for Presence and Instant Messaging (CPIM) Messages draft-burger-simple-imdn-01.
Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.

Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.
1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri
Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net

Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net
Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.

Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.
Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.

Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.
S/MIME and CMS Presentation for CSE712 By Yi Wen Instructor: Dr. Aidong Zhang.

S/MIME and CMS Presentation for CSE712 By Yi Wen Instructor: Dr. Aidong Zhang.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
1 A Path Forward on Identity Agreement on a problem space –We all agree that E.164 numbers don’t work well with RFC4474 –Less agreement about the requirements.

1 A Path Forward on Identity Agreement on a problem space –We all agree that E.164 numbers don’t work well with RFC4474 –Less agreement about the requirements.
DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.

DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
STIR Charter (discussion) STIR BoF Berlin, DE 7/30/2013.

STIR Charter (discussion) STIR BoF Berlin, DE 7/30/2013.
Fall 2002CS 395: Computer Security1 Chapter 11: Message Authentication and Hash Functions.

Fall 2002CS 395: Computer Security1 Chapter 11: Message Authentication and Hash Functions.

Similar presentations

Ads by Google