From nobody Wed May 3 10:20:03 2017 Return-Path: X-Original-To: stir@ietfa.amsl.com Delivered-To: stir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD9B8128B91 for ; Wed, 3 May 2017 10:20:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.819 X-Spam-Level: X-Spam-Status: No, score=0.819 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DKKZd6V8Bih for ; Wed, 3 May 2017 10:19:59 -0700 (PDT) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 357E9129457 for ; Wed, 3 May 2017 10:17:51 -0700 (PDT) Received: from unescapeable.local ([47.186.26.91]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v43HHo2G018837 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Wed, 3 May 2017 12:17:50 -0500 (CDT) (envelope-from rjsparks@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host [47.186.26.91] claimed to be unescapeable.local To: stir@ietf.org References: <8b4e6872-7078-5a6f-cf8a-da37e40b8c79@nostrum.com> From: Robert Sparks Message-ID: <6bf3e0bd-fef4-5e70-489b-03b27c9014ff@nostrum.com> Date: Wed, 3 May 2017 12:17:50 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <8b4e6872-7078-5a6f-cf8a-da37e40b8c79@nostrum.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [stir] Potential dates for a STIR virtual interim X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 May 2017 17:20:02 -0000 Reminder - please add yourself to this doodle as soon as you can. I hope to pick a time next Monday. RjS On 4/28/17 11:12 AM, Robert Sparks wrote: > We are planning to hold a STIR virtual interim before we get to IETF99 > to move the out-of-band, certificate freshness, and passport > extensions work forward. > > The candidate dates are May 25 (noon eastern US), May 26 (noon or 1400 > eastern US), and June 16 (1400 eastern US) > > If you plan to participate, please use the doodle poll at > https://doodle.com/poll/y7p6uif344rxguem to indicate your availability. > > RjS > > > _______________________________________________ > stir mailing list > stir@ietf.org > https://www.ietf.org/mailman/listinfo/stir From nobody Tue May 9 05:40:50 2017 Return-Path: X-Original-To: stir@ietf.org Delivered-To: stir@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 90325127137; Tue, 9 May 2017 05:40:41 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: stir@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.50.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <149433364154.31731.3963330256296760966@ietfa.amsl.com> Date: Tue, 09 May 2017 05:40:41 -0700 Archived-At: Subject: [stir] I-D Action: draft-ietf-stir-certificates-14.txt X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2017 12:40:42 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Telephone Identity Revisited of the IETF. Title : Secure Telephone Identity Credentials: Certificates Authors : Jon Peterson Sean Turner Filename : draft-ietf-stir-certificates-14.txt Pages : 20 Date : 2017-05-09 Abstract: In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-stir-certificates-14 https://datatracker.ietf.org/doc/html/draft-ietf-stir-certificates-14 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-stir-certificates-14 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Tue May 9 05:42:53 2017 Return-Path: X-Original-To: stir@ietfa.amsl.com Delivered-To: stir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D084127137 for ; Tue, 9 May 2017 05:42:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GaoyRup4c57 for ; Tue, 9 May 2017 05:42:50 -0700 (PDT) Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25401129C4D for ; Tue, 9 May 2017 05:42:50 -0700 (PDT) Received: by mail-qt0-x236.google.com with SMTP id t26so59870455qtg.0 for ; Tue, 09 May 2017 05:42:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:content-transfer-encoding:mime-version:subject:date:references :to:in-reply-to:message-id; bh=Nzp9bsxx0o4BbG6OailzJcsmq1f1oAg1IeoiK3FucFA=; b=D93C7ryNBHgNxDT4N6iaTjZTMTTpPWvZZ+KRGCKx1cEqD/yS80KJsoAyH8FDem13yO Wh3yxrUv/U2A8ynEXxWbryVI8jIt/5FOwzvHT4UFiSDitV8U60sFflneqDQ2o/W0sOGG sdkwWnFLfyuVrsjqhZ7rep7vyL1BLI/GwOCrE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=Nzp9bsxx0o4BbG6OailzJcsmq1f1oAg1IeoiK3FucFA=; b=m8u19VQfaO2Hhim9xoV08DilfgYFTFCC2PCcuMfkk3oVtGmbU8DejgGowzy41w1lTZ 4+yXTCwJHwBg3J4XEja59073Lnc7MB3Tj+31WaHuRqG+5ebNlNo+6MK1ZJL47BK7st9k lusxypXtSIbArYGXLcc/dKDXlqI1Q0gJat/QSvTyyBjuZkL4IpxxOTi7bWszvj1g5L7Q 8kE2VvWOMVmtBMcGAMqh/qcUkv+KMUYVBceUpSWzusQbjfqUWT4MZRUrWW3IbqzDxo01 19K+yoMxCfFcnCzedkXmu5hLNd2gWcRphdD0H6laYmaWKADchk+sb6CwdNtD/TyeUshU wong== X-Gm-Message-State: AODbwcBxhJgLFH7zNBsIgXBXYYDdu2IxEdG/WjJ9A4ZYJ+TvWQbHuwNu WF04CjlOiBVoA/nkxkE= X-Received: by 10.200.54.199 with SMTP id b7mr15791410qtc.145.1494333769038; Tue, 09 May 2017 05:42:49 -0700 (PDT) Received: from [172.16.0.18] ([96.231.219.90]) by smtp.gmail.com with ESMTPSA id c21sm1147184qtd.60.2017.05.09.05.42.47 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 May 2017 05:42:48 -0700 (PDT) From: Sean Turner Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Date: Tue, 9 May 2017 08:42:46 -0400 References: <149433364154.31731.3963330256296760966@ietfa.amsl.com> To: IETF STIR Mail List In-Reply-To: <149433364154.31731.3963330256296760966@ietfa.amsl.com> Message-Id: X-Mailer: Apple Mail (2.3273) Archived-At: Subject: Re: [stir] I-D Action: draft-ietf-stir-certificates-14.txt X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2017 12:42:51 -0000 This change incorporates the 4 changes I noted on the list last month. = I also believe this address all known outstanding comments from the = Chicago meeting. spt > On May 9, 2017, at 08:40, internet-drafts@ietf.org wrote: >=20 >=20 > A New Internet-Draft is available from the on-line Internet-Drafts = directories. > This draft is a work item of the Secure Telephone Identity Revisited = of the IETF. >=20 > Title : Secure Telephone Identity Credentials: = Certificates > Authors : Jon Peterson > Sean Turner > Filename : draft-ietf-stir-certificates-14.txt > Pages : 20 > Date : 2017-05-09 >=20 > Abstract: > In order to prevent the impersonation of telephone numbers on the > Internet, some kind of credential system needs to exist that > cryptographically asserts authority over telephone numbers. This > document describes the use of certificates in establishing authority > over telephone numbers, as a component of a broader architecture for > managing telephone numbers as identities in protocols like SIP. >=20 >=20 > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/ >=20 > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-stir-certificates-14 > https://datatracker.ietf.org/doc/html/draft-ietf-stir-certificates-14 >=20 > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-stir-certificates-14 >=20 >=20 > Please note that it may take a couple of minutes from the time of = submission > until the htmlized version and diff are available at tools.ietf.org. >=20 > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ >=20 > _______________________________________________ > I-D-Announce mailing list > I-D-Announce@ietf.org > https://www.ietf.org/mailman/listinfo/i-d-announce > Internet-Draft directories: http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt From nobody Tue May 9 09:09:55 2017 Return-Path: X-Original-To: stir@ietfa.amsl.com Delivered-To: stir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 787AA129461 for ; Tue, 9 May 2017 09:09:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.819 X-Spam-Level: X-Spam-Status: No, score=0.819 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0Q88yJcxpBn for ; Tue, 9 May 2017 09:09:53 -0700 (PDT) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5407D12420B for ; Tue, 9 May 2017 09:09:45 -0700 (PDT) Received: from unescapeable.local ([47.186.26.91]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v49G9heb047800 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Tue, 9 May 2017 11:09:44 -0500 (CDT) (envelope-from rjsparks@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host [47.186.26.91] claimed to be unescapeable.local To: stir@ietf.org References: <8b4e6872-7078-5a6f-cf8a-da37e40b8c79@nostrum.com> From: Robert Sparks Message-ID: <42392d09-4e40-5271-8f85-b48443368e33@nostrum.com> Date: Tue, 9 May 2017 11:09:43 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <8b4e6872-7078-5a6f-cf8a-da37e40b8c79@nostrum.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Subject: [stir] STIR Virtual Interim: June 16 (was Re: Potential dates for a STIR virtual interim) X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2017 16:09:54 -0000 We will hold this virtual interim meeting on June 16 at 1400 eastern US. Entries for it in the datatracker will appear soon, RjS On 4/28/17 11:12 AM, Robert Sparks wrote: > We are planning to hold a STIR virtual interim before we get to IETF99 > to move the out-of-band, certificate freshness, and passport > extensions work forward. > > The candidate dates are May 25 (noon eastern US), May 26 (noon or 1400 > eastern US), and June 16 (1400 eastern US) > > If you plan to participate, please use the doodle poll at > https://doodle.com/poll/y7p6uif344rxguem to indicate your availability. > > RjS > > > _______________________________________________ > stir mailing list > stir@ietf.org > https://www.ietf.org/mailman/listinfo/stir From nobody Fri May 12 06:34:16 2017 Return-Path: X-Original-To: stir@ietf.org Delivered-To: stir@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8851112EB53; Fri, 12 May 2017 06:34:08 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: IESG Secretary To: "IETF-Announce" Cc: stir@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.50.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <149459604825.13523.4250742326648347738@ietfa.amsl.com> Date: Fri, 12 May 2017 06:34:08 -0700 Archived-At: Subject: [stir] Secure Telephone Identity Revisited (stir) WG Virtual Meeting: 2017-06-16 X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2017 13:34:09 -0000 The Secure Telephone Identity Revisited (stir) Working Group will hold a virtual interim meeting on 2017-06-16 from 13:00 to 14:30 America/Chicago. Agenda: This interim is to move the out-of-band, certificate freshness, and passport extensions work forward. A more specific agenda will be available before the call. Information about remote participation: https://ietf.webex.com/ietf/j.php?MTID=m6f6300057f2ed3a84c61c03bc6fd74db From nobody Fri May 26 07:14:17 2017 Return-Path: X-Original-To: stir@ietf.org Delivered-To: stir@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 77D03129A8D; Fri, 26 May 2017 07:13:57 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: The IESG To: "IETF-Announce" X-Test-IDTracker: no X-IETF-IDTracker: 6.51.0 Auto-Submitted: auto-generated Precedence: bulk Cc: The IESG , draft-ietf-stir-rfc4474bis@ietf.org, rfc-editor@rfc-editor.org, stir@ietf.org, Robert Sparks , aroach@mozilla.com, stir-chairs@ietf.org, rjsparks@nostrum.com MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-ID: <149580803748.8672.12204736246246860485.idtracker@ietfa.amsl.com> Date: Fri, 26 May 2017 07:13:57 -0700 Archived-At: Subject: [stir] Protocol Action: 'Authenticated Identity Management in the Session Initiation Protocol (SIP)' to Proposed Standard (draft-ietf-stir-rfc4474bis-16.txt) X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2017 14:13:58 -0000 The IESG has approved the following document: - 'Authenticated Identity Management in the Session Initiation Protocol (SIP)' (draft-ietf-stir-rfc4474bis-16.txt) as Proposed Standard This document is the product of the Secure Telephone Identity Revisited Working Group. The IESG contact persons are Adam Roach, Alexey Melnikov and Ben Campbell. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-stir-rfc4474bis/ Technical Summary The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity, and for conveying a reference to the credentials of the signer. The changes from RFC4474 are significant, and detailed in the document. The syntax defined in this document is not backwards compatible with RFC4474 (and this is discussed explicitly in the document). There are no known deployed implementations of RFC4474. Working Group Summary This document has undergone heavy review. The syntax and expressivity of the protocol changed significantly during its development, particularly when reconciling early tension with the SHAKEN effort. The feedback from that effort led to the use of the passport concepts defined in draft-ietf-stir-passport. Recent versions of this document were implemented and tested at the SIP Forum SIPit test event in September. Feedback from that event informed improvements to both the protocol and the prose in the document. Those implementations are tracking the changes made in the latest versions. The document suite has been through three working group last calls, the third of which was abbreviated to one week. The first last call stimulated significant discussion, some of which was heated. Dave Crocker, in particular, provided a large amount of feedback during the first last call, indicating disagreement with the overall approach the working group has taken. Working through the comments led to improvements in the documents. Document Quality This document is a component of a toolset for combating robocalling. In the US, the FCC is applying significant pressure to the industry to deter robocalling (with deadlines in the last part of 2016). An industry-led strike force is moving towards deployment of a solution that uses that toolset. The ATIS/SIP Forum IPNNI Task Force's SHAKEN solution relies on the toolset defined by STIR and profiles it for deployment in the North American market. Personnel The document shepherd is Robert Sparks. The responsible AD is Adam Roach. RFC Editor Note Please fix the following editorial nits introduced in this version: Introduction; old text: identity can provide a much stronger and assurance of identity than New text: identity can provide a much stronger assurance of identity than Section 6.1.1; old text: would retry such a request as a ssequential for, by re-processing the New text: would retry such a request as a sequential fork, by re-processing the (note two typos fixed: the spelling of "sequential", and the change from "for" to "fork"). From nobody Fri May 26 07:18:21 2017 Return-Path: X-Original-To: stir@ietf.org Delivered-To: stir@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A06F7129C20; Fri, 26 May 2017 07:18:07 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: The IESG To: "IETF-Announce" X-Test-IDTracker: no X-IETF-IDTracker: 6.51.0 Auto-Submitted: auto-generated Precedence: bulk Cc: The IESG , draft-ietf-stir-passport@ietf.org, rfc-editor@rfc-editor.org, stir@ietf.org, Robert Sparks , aroach@mozilla.com, stir-chairs@ietf.org, rjsparks@nostrum.com MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-ID: <149580828765.8616.4630097449338981159.idtracker@ietfa.amsl.com> Date: Fri, 26 May 2017 07:18:07 -0700 Archived-At: Subject: [stir] Protocol Action: 'Personal Assertion Token (PASSporT)' to Proposed Standard (draft-ietf-stir-passport-11.txt) X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 May 2017 14:18:08 -0000 The IESG has approved the following document: - 'Personal Assertion Token (PASSporT)' (draft-ietf-stir-passport-11.txt) as Proposed Standard This document is the product of the Secure Telephone Identity Revisited Working Group. The IESG contact persons are Adam Roach, Alexey Melnikov and Ben Campbell. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-stir-passport/ Technical Summary This document defines a method for creating and validating a token that cryptographically verifies an originating identity, or more generally a URI or telephone number representing the originator of personal communications. The PASSporT token is cryptographically signed to protect the integrity of the identity the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship. Working Group Summary This document has undergone heavy review. It was introduced into the suite of STIR documents as part of aligning with the SHAKEN effort. Recent versions of this document were implemented and tested at the SIP Forum SIPit test event in September. Feedback from that event informed significant improvements to both the protocol and the prose in the document. Those implementations are tracking the changes made in the latest versions. The document suite has been through three working group last calls, the third of which was abbreviated to one week. The first last call stimulated significant discussion, some of which was heated. Document Quality This document is a component of a toolset for combating robocalling. In the US, the FCC is applying significant pressure to the industry to deter robocalling (with deadlines in the last part of 2016). An industry-led strike force is moving towards deployment of a solution that uses that toolset. The ATIS/SIP Forum IPNNI Task Force's SHAKEN solution relies on the toolset defined by STIR and profiles it for deployment in the North American market. Personnel The document shepherd is Robert Sparks. The responsible AD is Adam Roach. RFC Editor Note Several trivial editorial issues were raised during IESG evaluation. Abstract; old text: the identity the originator New text: the identity of the originator Section 5.1.1; old text: As defined the "iat" should be set to the date and time of issuance of the JWT and MUST the origination of the personal communications. The time value should be of the format defined in [RFC7519] Section 2 NumericDate. New text: As defined the "iat" should be set to the date and time of issuance of the JWT and MUST indicate the date and time of the origination of the personal communications. The time value should be of the format defined in [RFC7519] Section 2 NumericDate. Section 5.2.2; old text: 2. Sort the lines based on the UTF8 encoding New text: 2. Sort the lines based on the UTF8 [RFC3629] encoding (and add RFC3629 as a normative reference) From nobody Tue May 30 14:58:22 2017 Return-Path: X-Original-To: stir@ietf.org Delivered-To: stir@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BE3A1129467; Tue, 30 May 2017 14:58:20 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: The IESG To: "IETF-Announce" X-Test-IDTracker: no X-IETF-IDTracker: 6.52.0 Auto-Submitted: auto-generated Precedence: bulk Cc: The IESG , rfc-editor@rfc-editor.org, stir@ietf.org, Robert Sparks , draft-ietf-stir-certificates@ietf.org, aroach@mozilla.com, stir-chairs@ietf.org, rjsparks@nostrum.com MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-ID: <149618150077.19785.10242528706695406413.idtracker@ietfa.amsl.com> Date: Tue, 30 May 2017 14:58:20 -0700 Archived-At: Subject: [stir] Protocol Action: 'Secure Telephone Identity Credentials: Certificates' to Proposed Standard (draft-ietf-stir-certificates-14.txt) X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 May 2017 21:58:21 -0000 The IESG has approved the following document: - 'Secure Telephone Identity Credentials: Certificates' (draft-ietf-stir-certificates-14.txt) as Proposed Standard This document is the product of the Secure Telephone Identity Revisited Working Group. The IESG contact persons are Adam Roach, Alexey Melnikov and Ben Campbell. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/ Technical Summary In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP. Working Group Summary This document has undergone heavy review. Interoperability testing at the SIPit in September identified issues leading to the introduction of the JWT Claim Constraints, shifting where LOA assertions are made. The document suite has been through three working group last calls, the third of which was abbreviated to one week. The first last call stimulated significant discussion, some of which was heated. Document Quality This document is a component of a toolset for combating robocalling. In the US, the FCC is applying significant pressure to the industry to deter robocalling (with deadlines in the last part of 2016). An industry-led strike force is moving towards deployment of a solution that uses that toolset. The ATIS/SIP Forum IPNNI Task Force's SHAKEN solution relies on the toolset defined by STIR and profiles it for deployment in the North American market. Personnel The document shepherd is Robert Sparks. The responsible AD is Adam Roach. RFC Editor Note This document contains several IANA-registered values in formal ASN.1 definitions. The definitions speculatively assumed values prior to official assignment, and two of these presumed values have subsequently been assigned. As a consequence, the final published ASN.1 syntax will need to be modified to match actually assigned values. The areas to take note of are listed below. These two definitions, which each appear _twice_ in the document, will need to be updated to match the assigned entries in https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1 (these are known to need adjustment, as id-pe 25 has been assigned for another purpose) id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 } id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 } This definition, which appears _twice_ in the document, should match the assigned value in https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.48 (as the codepoint 14 remains unallocated, this may not need adjustment) id-ad-stirTNList OBJECT IDENTIFIER ::= { id-ad 14 } Finally, the (88) in the following definition from Appendix A needs to be replaced with the actually assigned value from https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.0 (the current value of 88 has already been assigned for another purpose, so this will require adjustment): TN-Module-2016 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-tn-module(88) } From nobody Wed May 31 11:25:47 2017 Return-Path: X-Original-To: stir@ietfa.amsl.com Delivered-To: stir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DCD3127337 for ; Wed, 31 May 2017 11:25:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.3 X-Spam-Level: X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sZdldrAKNs4i for ; Wed, 31 May 2017 11:25:44 -0700 (PDT) Received: from p3plsmtpout003.prod.phx3.secureserver.net (p3plsmtpout003.prod.phx3.secureserver.net [208.109.80.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 522961286B1 for ; Wed, 31 May 2017 11:25:44 -0700 (PDT) Received: from ip-208-109-238-122.ip.secureserver.net ([208.109.238.122]) by : HOSTING RELAY : with SMTP id G8IVdO7Y1Rf1vG8IVdd1sY; Wed, 31 May 2017 11:24:43 -0700 x-originating-ip: 208.109.238.122 Received: (qmail 28963 invoked by uid 2); 31 May 2017 11:24:43 -0700 To: , , MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_6813036402f30b945ab23a56cf72c78a" Date: Wed, 31 May 2017 13:24:43 -0500 From: "Brian C. Wiles" Message-ID: <01be31dd33c2c3dc576e8c73f0393b37@poldon.com> X-Sender: brian@poldon.com User-Agent: RoundCube Webmail/0.5.1 X-CMAE-Envelope: MS4wfKW18VhVxsYzUSJdpiO2kddpt/o1GX0BDOMbXfD6SzZHYG6maSZeEu8mZqsF622eDiTzsKfNa0nST7xJ6rBM0vJNdGUqd7lC1Jb3b+TErP6OHc/4TBCk hmxevHAPPqBvPa3/19lPU6t4qSp1pJeqb8ZK+Y0Da3kzKszawzvTVgmpw+UwR3yeV0AZhKKlFAo1ijg0Xweq6DtHIOm945t03ts= Archived-At: Subject: [stir] SIP PASSporT and Registrations X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 May 2017 18:25:45 -0000 --=_6813036402f30b945ab23a56cf72c78a Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=UTF-8 Hi, Jon and Chris, I have been searching for a way to use JSON Web Tokens in SIP, and it looks like PASSporT is close to what I need. However, I see a couple of issues that would need to be addressed in order for me to be able to use it. I was hoping we could get some changes before it becomes a final RFC because I think they are big issues for some uses of SIP, but it sounds like I'm a bit too late. The main issue is that PASSporT is only designed for INVITEs. There is no method for handling REGISTER events in the context of a PASSporT. For example, I have clients that need to authenticate with a SIP gateway to receive calls, and I'm trying to use JWT tokens so that my SIP gateway doesn't have to contact an external database or web service to verify the credentials. The other issue is that I don't want to have to specify the destination in my PASSporT token. I realize there are some security implications there, but using expirations via the "exp" claim and other methods, I can protect against replay attacks, etc. My architecture has its own security protocols to prevent unauthorized use, and I don't really care how many calls are made since they are only to other clients who have registered. My current implementation is close to PASSporT but using the Authorization header like most other JWT implementations use. I'm fine with using PASSporT if we can at least make the "dest" claim optional and specify that it can be used with REGISTERs as well. Let me know what you think. I'd like to get something drafted soon before I publish my open source module. Thanks. -Brian --=_6813036402f30b945ab23a56cf72c78a Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8

Hi, Jon and Chris,


  I have been searching for a way to use JSON Web Tokens in S= IP, and it looks like PASSporT is close to what I need.  How= ever, I see a couple of issues that would need to be addressed in order for= me to be able to use it.  I was hoping we could get some changes befo= re it becomes a final RFC because I think they are big issues for some uses= of SIP, but it sounds like I'm a bit too late.

 

  The main issue is that PASSporT is only designed for INVITEs. &nb= sp;There is no method for handling REGISTER events in the context of a PASS= porT.  For example, I have clients that need to authenticate with a SI= P gateway to receive calls, and I'm trying to use JWT tokens so that my SIP= gateway doesn't have to contact an external database or web service to ver= ify the credentials.

 

  The other issue is that I don't want to have to specify the desti= nation in my PASSporT token.  I realize there are some security i= mplications there, but using expirations via the "exp" claim and other meth= ods, I can protect against replay attacks, etc.  My architecture has i= ts own security protocols to prevent unauthorized use, and I don't really c= are how many calls are made since they are only to other clients who have r= egistered.

 

  My current implementation is close to PASSporT but using the= Authorization header like most other JWT implementations use.  I'm fi= ne with using PASSporT if we can at least make the "dest" claim option= al and specify that it can be used with REGISTERs as well.  Let me kno= w what you think.  I'd like to get something drafted soon before I pub= lish my open source module.  Thanks.

 

-Brian

 

--=_6813036402f30b945ab23a56cf72c78a-- From nobody Wed May 31 21:15:58 2017 Return-Path: X-Original-To: stir@ietfa.amsl.com Delivered-To: stir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A759E127775 for ; Wed, 31 May 2017 21:15:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.898 X-Spam-Level: X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oGGXcXcVMUHc for ; Wed, 31 May 2017 21:15:55 -0700 (PDT) Received: from mail-qt0-x241.google.com (mail-qt0-x241.google.com [IPv6:2607:f8b0:400d:c0d::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA561127078 for ; Wed, 31 May 2017 21:15:55 -0700 (PDT) Received: by mail-qt0-x241.google.com with SMTP id l39so4391316qtb.1 for ; Wed, 31 May 2017 21:15:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=8wLgvwu1dOTx5rCV6KXgEN9SfgnFAypfoS1ucBbfdK0=; b=YltMlqobzSkc9NNDMNJ3XEPnmm9XYCNwPWcXKYaoYXWnDf5EXVs/nq/3N4Swsdebpy Yja0XwVhYA8W6ggTkFkr/sXP/tJGo2yoVmNrZDX0imlgUy3+vmEWyC0wGJpcgZ6iueoV K96mM7EfhNGaMyz+eJiNDLHU4knGXZdEhDrTq46rOuT4jdgkDbvkwcp9NWjlQ0Q9wepu VBd8GFgjAQcZ/lyXTMdzIMnXuD4DixBL+1y1Z06FupsztFlmBVc/Ye0zRToOyITHrJc8 VQW9K78qeVOJwq1CdKjThyvM9LDzgxJGOwb45gSIpnbuUM1GipZlz3+UA7QETc80wTCI 3F+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=8wLgvwu1dOTx5rCV6KXgEN9SfgnFAypfoS1ucBbfdK0=; b=SbYHLWM6cbYZWpfp/8KUsxVdxooL7beQFmkXlQlr4LDi4pq4QV9GgihJ5xEOmH2pYv uw/5dzD3nq33ThXUUKQsquPeZ78CILGa6QimN38nmuOm1MMMNCyN69/AULDxmQsLHzTs ztISzqbeIBLEx4h2JOKi73NQ3Spa/vayjPyXGD9ibMI75I1ftXVYif1a0l/vNK439HwQ 3vuMpNG57a1S5C7paBuI3V/ZzKcSkpZanAskLjx476ORkND/N+E0tdj8ARZmwXkciX+h xRXDRl0Kbeq/MU79Rui6OLb3usJVGTvJbp4EDTxLkxO/7OLnwbLOHAKZPvUo6quURwuf rl+A== X-Gm-Message-State: AODbwcDvtjUWrBNu5Wvo0SYnG21TycF0+Cc+78NwRmz4t91chDGZZupI OcQ2bB4uh/l39P0+ X-Received: by 10.200.51.27 with SMTP id t27mr36265535qta.10.1496290554923; Wed, 31 May 2017 21:15:54 -0700 (PDT) Received: from ?IPv6:2601:41:c102:3d1e:9420:2913:b54f:e2d3? ([2601:41:c102:3d1e:9420:2913:b54f:e2d3]) by smtp.gmail.com with ESMTPSA id c5sm11832636qkf.14.2017.05.31.21.15.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 May 2017 21:15:54 -0700 (PDT) From: Chris Wendt Message-Id: Content-Type: multipart/alternative; boundary="Apple-Mail=_E46E4631-9EDD-4439-9116-39013D57D816" Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Date: Thu, 1 Jun 2017 00:15:52 -0400 In-Reply-To: <01be31dd33c2c3dc576e8c73f0393b37@poldon.com> Cc: stir@ietf.org, jon.peterson@neustar.biz To: "Brian C. Wiles" References: <01be31dd33c2c3dc576e8c73f0393b37@poldon.com> X-Mailer: Apple Mail (2.3273) Archived-At: Subject: Re: [stir] SIP PASSporT and Registrations X-BeenThere: stir@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Secure Telephone Identity Revisited List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Jun 2017 04:15:58 -0000 --Apple-Mail=_E46E4631-9EDD-4439-9116-39013D57D816 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Hi Brian, What you are really looking for is not Passport but specifically an = authentication mechanism. Passport is not for authentication and is = very specific to proving an originator to a destination party. Thus the = explicit dependency on orig and dest as claims in the JWT. There was some recent work on using OAuth 2.0 with SIP, and as you say = there is other authentication mechanisms exist outside of SIP both using = JWT and not. But unfortunately, Passport is not going to be the right = answer for REGISTER. -Chris > On May 31, 2017, at 2:24 PM, Brian C. Wiles wrote: >=20 > Hi, Jon and Chris, >=20 >=20 > I have been searching for a way to use JSON Web Tokens in SIP, and = it looks like PASSporT is close to what I need. However, I see a couple = of issues that would need to be addressed in order for me to be able to = use it. I was hoping we could get some changes before it becomes a = final RFC because I think they are big issues for some uses of SIP, but = it sounds like I'm a bit too late. >=20 > =20 > The main issue is that PASSporT is only designed for INVITEs. There = is no method for handling REGISTER events in the context of a PASSporT. = For example, I have clients that need to authenticate with a SIP gateway = to receive calls, and I'm trying to use JWT tokens so that my SIP = gateway doesn't have to contact an external database or web service to = verify the credentials. >=20 > =20 > The other issue is that I don't want to have to specify the = destination in my PASSporT token. I realize there are some security = implications there, but using expirations via the "exp" claim and other = methods, I can protect against replay attacks, etc. My architecture has = its own security protocols to prevent unauthorized use, and I don't = really care how many calls are made since they are only to other clients = who have registered. >=20 > =20 > My current implementation is close to PASSporT but using the = Authorization header like most other JWT implementations use. I'm fine = with using PASSporT if we can at least make the "dest" claim optional = and specify that it can be used with REGISTERs as well. Let me know = what you think. I'd like to get something drafted soon before I publish = my open source module. Thanks. >=20 > =20 > -Brian >=20 > =20 --Apple-Mail=_E46E4631-9EDD-4439-9116-39013D57D816 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii Hi Brian,

What you are really looking for is not Passport but = specifically an authentication mechanism.  Passport is not for = authentication and is very specific to proving an originator to a = destination party.  Thus the explicit dependency on orig and dest = as claims in the JWT.

There was some recent work on using OAuth 2.0 with SIP, and = as you say there is other authentication mechanisms exist outside of SIP = both using JWT and not.  But unfortunately, Passport is not going = to be the right answer for REGISTER.

-Chris


On May 31, 2017, at 2:24 PM, = Brian C. Wiles <brian@poldon.com> wrote:

Hi, Jon and Chris,


  I have been searching for a way to use JSON Web Tokens = in SIP, and it looks like PASSporT is close to what I need. =  However, I see a couple of issues that would need to be addressed = in order for me to be able to use it.  I was hoping we could get = some changes before it becomes a final RFC because I think they are big = issues for some uses of SIP, but it sounds like I'm a bit too = late.

 

  The main = issue is that PASSporT is only designed for INVITEs.  There is no = method for handling REGISTER events in the context of a PASSporT. =  For example, I have clients that need to authenticate with a SIP = gateway to receive calls, and I'm trying to use JWT tokens so that my = SIP gateway doesn't have to contact an external database or web service = to verify the credentials.

 

  The other = issue is that I don't want to have to specify the destination in = my PASSporT token.  I realize there are some security = implications there, but using expirations via the "exp" claim and other = methods, I can protect against replay attacks, etc.  My = architecture has its own security protocols to prevent unauthorized use, = and I don't really care how many calls are made since they are only to = other clients who have registered.

 

  My current = implementation is close to PASSporT but using the Authorization = header like most other JWT implementations use.  I'm fine with = using PASSporT if we can at least make the "dest" claim optional = and specify that it can be used with REGISTERs as well.  Let me = know what you think.  I'd like to get something drafted soon before = I publish my open source module.  Thanks.

 

-Brian

 

= --Apple-Mail=_E46E4631-9EDD-4439-9116-39013D57D816--