rfc4474bis passport certs
play

rfc4474bis + PASSporT + certs IETF 98 (Chicago) STIR WG The good - PowerPoint PPT Presentation

Jun 25, 2023 •189 likes •426 views

rfc4474bis + PASSporT + certs IETF 98 (Chicago) STIR WG The good news Were done, pretuy much Past IESG review, ballot cleared (!) Stjll a litule cleanup to do, mostly on certs Last minute fjxes Synchronizatjon across drafus

  1. rfc4474bis + PASSporT + certs IETF 98 (Chicago) STIR WG

  2. The good news • We’re done, pretuy much • Past IESG review, ballot cleared (!) – Stjll a litule cleanup to do, mostly on certs

  3. Last minute fjxes • Synchronizatjon across drafus – E.g. stjll twiddling whether TNs include “#” or “*” – Gettjng the right syntax for claims • ASCII or UTF*? • Honed the text about how we handle Date in PASSporT vs. the SIP header • Relaxed some of the reason phrase text in rfc4474bis

  4. JWT Claim Constraints • Kind of a last minute thing to begin with – Subsumed “Levels of Assurance” into this • Idea that a cert can limit which PASSporT claims the cert is authorized to provide – i.e. this cert cannot provide “cnam” – If no Claim Constraints are present, anything is allowed • A blacklist or a whitelist? – Originally allowed both – Ultjmately a blacklist doesn’t make much sense, so we dropped the “exclude” semantjcs • Is it right yet? Let’s talk about it…

  5. Crossover to SIPBRANDY • On the SIPBRANDY mailing list, Adam raised an issue – Regarding connected identjty (RFC4916) and any problems we’ve created with the Identjty changes • This led to some fjxes to the text about retransmissions – Retries already kind of a hack – Now rfc4474bis is clearer about where UAS behavior might trip on this • Basically, we advise to override a SHOULD in RFC3261 intended to compensate for certain spiraly things in sequentjal forking

  6. STIR certjfjcates IETF 98 (Chicago) STIR WG

  7. Final Hurdles • This document got some atuentjon in IESG review – Blocking points now resolved • Yes, we need to fjx EKR’s thing about TN range arithmetjc boundaries – Have text, will either put in a -14 or AUTH48

  8. Service Provider Codes • OCNs? SPIDs? AltSPIDs? LastAltSPIDs? – All very natjonally specifjc, defjnitjons slippery • Replaced now with the concept of an SPC – A simple ASCII string, identjfjes a service provider – Profjles of STIR (like SHAKEN) can further specify what these mean • For current North America deployments, it’s an OCN • Coordinatjng this with ATIS, hopefully we’re in sync

  9. The Cost of Freshness • Stephen’s DISCUSS on stjr-certs focused on privacy – Doing OCSP potentjally reveals to eavesdroppers metadata about calls in progress • Worse, the way we defjned the OCSP extension passes around the TNs over the interface – There’s some text on OCSP about confjdentjality, but not much • We can (and should) do betuer

  10. So… • Freshness is now punted from stjr-certs • We kept in some general discussion about approaches to freshness – Stephen had asked why nothing was MTI • I don’t think we’re ready to bless any One True Way to approach this – Need some further elaboratjon and implementatjon experience • Leaving in the approach of providing a TN Auth List by reference – URL in the AIA

  11. drafu-ietg-stjr-certjfjcates-ocsp drafu-peterson-stjr-certjfjcates-shortlived IETF 98 (Chicago) STIR WG

  12. Two paths • We aren’t seriously going to propose using CRLs or SCVP for this • That leaves OCSP and short-lived certs – They have very difgerent privacy propertjes, potentjally • Basically, I propose we explore both paths a bit and see what the discussion yields

  13. Who Cares about Freshness? • Freshness is difgerent for STIR certs than regular PKI certs – This is due to TN Auth List • Not for SPCs, really, just for TNs – The problem is the inherent dynamism of number assignment • Relying partjes want to know if a cert is stjll valid for a number right now • So if I don’t care about TN Auth List for TNs in certs, can I not care about freshness? – Let me try to convince you that you should

  14. Real-tjme Credentjal Validatjon Logical Logical Authority Authority Credentjal Credentjal Provisioning Validatjon (very rare) PBX PBX (ocsp) Endpoint Endpoint Signed Unsigned Requests Inter- Requests Inter- Inter- Inter- (rfc4474bis + Mediary Mediary Mediary Mediary User User PASSporT) Endpoint PBX Endpoint PBX Endpoint Endpoint User User Same architecture with User User Endpoint Endpoint Endpoint Endpoint either approach User User User User Endpoint Endpoint Endpoint Endpoint

  15. The OCSP Path • Two ways: either terminatjng side or stapled – Terminatjng side is where much of the privacy leak occurs • Probably, we would recommend stapling – We would defjne a SIP header for carrying a staple • Probably a general SIP feature, actually, not just for STIR – Staple basically says “the cert is valid for this number right now” • The propertjes of stapling and short-lived certs start to look real, real similar

  16. Stapled Validatjon Logical Logical Credentjal Authority Authority Stapling (shortlived) PBX PBX Endpoint Endpoint Signed Unsigned Requests Inter- Requests Inter- Inter- Inter- (rfc4474bis + Mediary Mediary Mediary Mediary User User PASSporT) Endpoint PBX Endpoint PBX Endpoint Endpoint User User Same architecture with User User Endpoint Endpoint Endpoint Endpoint either approach User User User User Endpoint Endpoint Endpoint Endpoint

  17. Short-lived Credentjals Logical Logical Credentjal Authority Authority Provisioning (shortlived) PBX PBX Endpoint Endpoint Signed Unsigned Requests Inter- Requests Inter- Inter- Inter- (rfc4474bis + Mediary Mediary Mediary Mediary User User PASSporT) Endpoint PBX Endpoint PBX Endpoint Endpoint User User Same architecture with User User Endpoint Endpoint Endpoint Endpoint either approach User User User User Endpoint Endpoint Endpoint Endpoint

  18. Short-lived • Issuing certs for individual TNs that expire soon – Basically says, “this cert is valid for this number right now” • Also obviates the need for relying partjes to talk to the CA – Though not necessarily to individual people! • What does short-lived mean? – Hours? Days? Not months or years anyway. – Part of our job to decide what is appropriate • The hard part is gettjng the new cert… but...

  19. ACME makes short-lived easy Proof Proof Certjfjcate Certjfjcate Authority Authority Proofjng Validate Certjfjcate Provisioning ACME Relying ACME Relying Client Party Client Party Communicatjon

  20. Individual TN certs not just for users • ACME allows CSPs that control large number blocks to use disposable, single-number certs – Relying partjes only know that the cert atuests a number – doesn’t reveal the SPC unless you want to – Might be useful for some SHAKEN-like environments • Similar mechanisms could work for enterprises • Solves privacy concerns without requiring new protocol work for OCSP, new staple header, etc.

  21. So what to do? • Let’s explore both a bit, see which story is betuer • Not much harm in kicking the tjres on both approaches out there in implementatjon

  22. drafu-peterson-passport-diversion drafu-peterson-stjr-cercnam IETF 98 (Chicago) STIR WG

  23. Don’t Forget • I keep hearing that people need these things • CNAM just defjned a PASSporT claim to carry a caller name – Works in a fjrst or third-party mode • Divert leverages multjple Identjty headers to allow chaining of Identjtjes when call forwarding occurs • If we need these things, let’s adopt/fjnish them

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future

Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future

Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future Horizons Making Sense Of The Industry Tea Leaves ! The Economy ! ! ! ! ! ! ! Fab Capacity ! Unit Demand !

174 views • 15 slides
The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member,

The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member,

The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member, everyone in our organization can have access to Expeditions Leading Quality Improvement: Essentials for Managers Passport Members-Only

234 views • 10 slides
Selective Logs Log all the certs! A log server indicates which CAs it supports

Selective Logs Log all the certs! A log server indicates which CAs it supports

Selective Logs Log all the certs! A log server indicates which CAs it supports Implied that (almost) all certs from those CAs are logged not all Its not required What should we do, if anything?

328 views • 3 slides
CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs

CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs

CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs approach to Peace Education. It is a practical guide to what we do and why we do it, and can be used as a handbook for CISV training. We hope you enjoy

1.06k views • 26 slides
Asia Region Funds Passport Summary Context Comparison with other regional initiatives

Asia Region Funds Passport Summary Context Comparison with other regional initiatives

Introducing the framework for Asia Region Funds Passport Summary Context Comparison with other regional initiatives What is the Passport? Objectives Who regulates what? Other host economy laws and regulations Passport

149 views • 10 slides
OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant

OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant

OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant Neurology Department Boston Childrens Hospital OMS MEDICAL PASSPORT The purpose of a medical passport is to allow adolescents/young adults/adults

652 views • 24 slides
SIRIOS the Framework for CERTs Thomas Klingmller Federal Office for Information Security (BSI)

SIRIOS the Framework for CERTs Thomas Klingmller Federal Office for Information Security (BSI)

SIRIOS the Framework for CERTs Thomas Klingmller Federal Office for Information Security (BSI) Germany 17th FIRST Conference 2005 - Singapore June 26 July 1, 2005 Abstract SIRIOS Framework for CERTs BSI and CERT-Bund J SIRIOS

661 views • 18 slides
Automated Reliability Reports (ARR) CERTS I ndustry Leaders Council Meeting By: Mahmood

Automated Reliability Reports (ARR) CERTS I ndustry Leaders Council Meeting By: Mahmood

Automated Reliability Reports (ARR) CERTS I ndustry Leaders Council Meeting By: Mahmood Mirheidar - FERC Carlos Martinez CERTS/EPG Washington D. C. May 13, 2009 Automated Reliability Reports (ARR) Presentation Overview Automated

161 views • 15 slides
Overview of CCA & EV Resources Peter Lindstrom, Clean Energy Resource Teams (CERTs)

Overview of CCA & EV Resources Peter Lindstrom, Clean Energy Resource Teams (CERTs)

Overview of CCA & EV Resources Peter Lindstrom, Clean Energy Resource Teams (CERTs) Diana McKeown, Great Plains Institute/CERTs About Cities Charging Ahead (CCA) About Cities Charging Ahead! Peer cohort of 28 cities working together

331 views • 20 slides
WeClimbUK Passport Presentation & discussion by the Project Board 27 th July 2019 Session

WeClimbUK Passport Presentation & discussion by the Project Board 27 th July 2019 Session

WeClimbUK Passport Presentation & discussion by the Project Board 27 th July 2019 Session objectives 1. Brief you on progress with the Passport The business case for such a scheme Our vision for the Passport Progress to

406 views • 28 slides
The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for

The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for

The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for Medical Assistance May 23, 2019 1 Passport Health Plan: A Leader in Medicaid for 20+ Years 21 YEARS 318K Provider- Non-profit and Nationally

473 views • 22 slides
Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call

Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call

November 14, 2016 www.IHI.org/Passport Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call 2 WebEx Quick Reference Welcome to todays session! Raise your hand Please use chat to All

545 views • 29 slides
the different continents of the world. Each passport has a series of steps based on recall of

the different continents of the world. Each passport has a series of steps based on recall of

Every child has been given a passport for the different continents of the world. Each passport has a series of steps based on recall of mental maths number facts. These steps are taken from the current National Curriculum and are the key

507 views • 15 slides
CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun Jiwasurat Division Director, Office of Security, ETDA 1 ThaiCERT: A Quick Glance A government funded unit, established in 2000 The first and

654 views • 22 slides
MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport &

MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport &

MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport & visa Passport & visa Yellow fever vaccination paper Vaccinations Ticket / boarding pass Student ID ~$500 USD for exchanging** Drivers

408 views • 18 slides
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara

ASIAN07 A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara Bodei 2 , Pierpaolo Degano 2 , Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University of Denmark 1 Dipartimento di

435 views • 20 slides
OPEN EDITION Diffuser les rsultats de la recherche en sciences humaines et sociales

OPEN EDITION Diffuser les rsultats de la recherche en sciences humaines et sociales

#OSSPARIS1 6 DITION 2016 | 16 & 17 NOVEMBRE UN EVENEMENT EN PARTENARIAT AVEC LE OPEN EDITION Diffuser les rsultats de la recherche en sciences humaines et sociales #OSSPARIS 16 sur le web ouvert #OSSPARIS 16 Limpact de

166 views • 12 slides
DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @ I N G O B E N T E ) B S I D E S M U N I C H 2 0 1 8 Patching Isnt that solved? Nope, its not. R E M E M B E R T H O S E R A N S O M

635 views • 48 slides
MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics:

MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics:

MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics: Mobile application programming (Android) Cloud computing To pass the exam: Individual working and documented application in android

768 views • 42 slides
New approaches for evaluation: correctness and freshness Pablo S anchez Rus M. Mesas

New approaches for evaluation: correctness and freshness Pablo S anchez Rus M. Mesas

New approaches for evaluation: correctness and freshness Pablo S anchez Rus M. Mesas Alejandro Bellog n Universidad Aut onoma de Madrid Escuela Polit ecnica Superior Departamento de Ingenier a Inform atica V Congreso

1.04k views • 75 slides
A Simpler Proof Theory for Nominal Logic James Cheney University of Edinburgh FOSSACS 2005

A Simpler Proof Theory for Nominal Logic James Cheney University of Edinburgh FOSSACS 2005

A Simpler Proof Theory for Nominal Logic James Cheney University of Edinburgh FOSSACS 2005 April 6, 2005 1 Motivation Nominal logic [Pitts 2003]: an extension of sorted first-order logic that formalizes names , name-binding , and

669 views • 42 slides
Motivation Non-Monotonic Snapshot Isolation: Geo-replication for x scalable and strong

Motivation Non-Monotonic Snapshot Isolation: Geo-replication for x scalable and strong

Motivation Non-Monotonic Snapshot Isolation: Geo-replication for x scalable and strong consistency Low latency y for geo-replicated transactional systems Availability x Disaster tolerance y Requirements Masoud Saeida

440 views • 7 slides
Competitive Freshness Algorithms for Wait free Objects Wait-free Objects Peter Damaschke, Phuong

Competitive Freshness Algorithms for Wait free Objects Wait-free Objects Peter Damaschke, Phuong

Competitive Freshness Algorithms for Wait free Objects Wait-free Objects Peter Damaschke, Phuong Ha & Philippas Tsigas Presentation at the Euro-Par 2006 29 th Aug. 1 st Sept. 2006, Dresden, Germany. Introduction Wait-free data objects

365 views • 17 slides

More recommend