rfc4474bis passport certs
play

rfc4474bis + PASSporT + certs IETF 98 (Chicago) STIR WG The good - PowerPoint PPT Presentation

Jun 25, 2023 •189 likes •426 views

rfc4474bis + PASSporT + certs IETF 98 (Chicago) STIR WG The good news Were done, pretuy much Past IESG review, ballot cleared (!) Stjll a litule cleanup to do, mostly on certs Last minute fjxes Synchronizatjon across drafus

  1. rfc4474bis + PASSporT + certs IETF 98 (Chicago) STIR WG

  2. The good news • We’re done, pretuy much • Past IESG review, ballot cleared (!) – Stjll a litule cleanup to do, mostly on certs

  3. Last minute fjxes • Synchronizatjon across drafus – E.g. stjll twiddling whether TNs include “#” or “*” – Gettjng the right syntax for claims • ASCII or UTF*? • Honed the text about how we handle Date in PASSporT vs. the SIP header • Relaxed some of the reason phrase text in rfc4474bis

  4. JWT Claim Constraints • Kind of a last minute thing to begin with – Subsumed “Levels of Assurance” into this • Idea that a cert can limit which PASSporT claims the cert is authorized to provide – i.e. this cert cannot provide “cnam” – If no Claim Constraints are present, anything is allowed • A blacklist or a whitelist? – Originally allowed both – Ultjmately a blacklist doesn’t make much sense, so we dropped the “exclude” semantjcs • Is it right yet? Let’s talk about it…

  5. Crossover to SIPBRANDY • On the SIPBRANDY mailing list, Adam raised an issue – Regarding connected identjty (RFC4916) and any problems we’ve created with the Identjty changes • This led to some fjxes to the text about retransmissions – Retries already kind of a hack – Now rfc4474bis is clearer about where UAS behavior might trip on this • Basically, we advise to override a SHOULD in RFC3261 intended to compensate for certain spiraly things in sequentjal forking

  6. STIR certjfjcates IETF 98 (Chicago) STIR WG

  7. Final Hurdles • This document got some atuentjon in IESG review – Blocking points now resolved • Yes, we need to fjx EKR’s thing about TN range arithmetjc boundaries – Have text, will either put in a -14 or AUTH48

  8. Service Provider Codes • OCNs? SPIDs? AltSPIDs? LastAltSPIDs? – All very natjonally specifjc, defjnitjons slippery • Replaced now with the concept of an SPC – A simple ASCII string, identjfjes a service provider – Profjles of STIR (like SHAKEN) can further specify what these mean • For current North America deployments, it’s an OCN • Coordinatjng this with ATIS, hopefully we’re in sync

  9. The Cost of Freshness • Stephen’s DISCUSS on stjr-certs focused on privacy – Doing OCSP potentjally reveals to eavesdroppers metadata about calls in progress • Worse, the way we defjned the OCSP extension passes around the TNs over the interface – There’s some text on OCSP about confjdentjality, but not much • We can (and should) do betuer

  10. So… • Freshness is now punted from stjr-certs • We kept in some general discussion about approaches to freshness – Stephen had asked why nothing was MTI • I don’t think we’re ready to bless any One True Way to approach this – Need some further elaboratjon and implementatjon experience • Leaving in the approach of providing a TN Auth List by reference – URL in the AIA

  11. drafu-ietg-stjr-certjfjcates-ocsp drafu-peterson-stjr-certjfjcates-shortlived IETF 98 (Chicago) STIR WG

  12. Two paths • We aren’t seriously going to propose using CRLs or SCVP for this • That leaves OCSP and short-lived certs – They have very difgerent privacy propertjes, potentjally • Basically, I propose we explore both paths a bit and see what the discussion yields

  13. Who Cares about Freshness? • Freshness is difgerent for STIR certs than regular PKI certs – This is due to TN Auth List • Not for SPCs, really, just for TNs – The problem is the inherent dynamism of number assignment • Relying partjes want to know if a cert is stjll valid for a number right now • So if I don’t care about TN Auth List for TNs in certs, can I not care about freshness? – Let me try to convince you that you should

  14. Real-tjme Credentjal Validatjon Logical Logical Authority Authority Credentjal Credentjal Provisioning Validatjon (very rare) PBX PBX (ocsp) Endpoint Endpoint Signed Unsigned Requests Inter- Requests Inter- Inter- Inter- (rfc4474bis + Mediary Mediary Mediary Mediary User User PASSporT) Endpoint PBX Endpoint PBX Endpoint Endpoint User User Same architecture with User User Endpoint Endpoint Endpoint Endpoint either approach User User User User Endpoint Endpoint Endpoint Endpoint

  15. The OCSP Path • Two ways: either terminatjng side or stapled – Terminatjng side is where much of the privacy leak occurs • Probably, we would recommend stapling – We would defjne a SIP header for carrying a staple • Probably a general SIP feature, actually, not just for STIR – Staple basically says “the cert is valid for this number right now” • The propertjes of stapling and short-lived certs start to look real, real similar

  16. Stapled Validatjon Logical Logical Credentjal Authority Authority Stapling (shortlived) PBX PBX Endpoint Endpoint Signed Unsigned Requests Inter- Requests Inter- Inter- Inter- (rfc4474bis + Mediary Mediary Mediary Mediary User User PASSporT) Endpoint PBX Endpoint PBX Endpoint Endpoint User User Same architecture with User User Endpoint Endpoint Endpoint Endpoint either approach User User User User Endpoint Endpoint Endpoint Endpoint

  17. Short-lived Credentjals Logical Logical Credentjal Authority Authority Provisioning (shortlived) PBX PBX Endpoint Endpoint Signed Unsigned Requests Inter- Requests Inter- Inter- Inter- (rfc4474bis + Mediary Mediary Mediary Mediary User User PASSporT) Endpoint PBX Endpoint PBX Endpoint Endpoint User User Same architecture with User User Endpoint Endpoint Endpoint Endpoint either approach User User User User Endpoint Endpoint Endpoint Endpoint

  18. Short-lived • Issuing certs for individual TNs that expire soon – Basically says, “this cert is valid for this number right now” • Also obviates the need for relying partjes to talk to the CA – Though not necessarily to individual people! • What does short-lived mean? – Hours? Days? Not months or years anyway. – Part of our job to decide what is appropriate • The hard part is gettjng the new cert… but...

  19. ACME makes short-lived easy Proof Proof Certjfjcate Certjfjcate Authority Authority Proofjng Validate Certjfjcate Provisioning ACME Relying ACME Relying Client Party Client Party Communicatjon

  20. Individual TN certs not just for users • ACME allows CSPs that control large number blocks to use disposable, single-number certs – Relying partjes only know that the cert atuests a number – doesn’t reveal the SPC unless you want to – Might be useful for some SHAKEN-like environments • Similar mechanisms could work for enterprises • Solves privacy concerns without requiring new protocol work for OCSP, new staple header, etc.

  21. So what to do? • Let’s explore both a bit, see which story is betuer • Not much harm in kicking the tjres on both approaches out there in implementatjon

  22. drafu-peterson-passport-diversion drafu-peterson-stjr-cercnam IETF 98 (Chicago) STIR WG

  23. Don’t Forget • I keep hearing that people need these things • CNAM just defjned a PASSporT claim to carry a caller name – Works in a fjrst or third-party mode • Divert leverages multjple Identjty headers to allow chaining of Identjtjes when call forwarding occurs • If we need these things, let’s adopt/fjnish them

Recommend

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future

Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future

Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future Horizons Making Sense Of The Industry Tea Leaves ! The Economy ! ! ! ! ! ! ! Fab Capacity ! Unit Demand !

174 views • 15 slides
The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member,

The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member,

The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member, everyone in our organization can have access to Expeditions Leading Quality Improvement: Essentials for Managers Passport Members-Only

234 views • 10 slides
Selective Logs Log all the certs! A log server indicates which CAs it supports

Selective Logs Log all the certs! A log server indicates which CAs it supports

Selective Logs Log all the certs! A log server indicates which CAs it supports Implied that (almost) all certs from those CAs are logged not all Its not required What should we do, if anything?

328 views • 3 slides
CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs

CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs

CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs approach to Peace Education. It is a practical guide to what we do and why we do it, and can be used as a handbook for CISV training. We hope you enjoy

1.06k views • 26 slides
Asia Region Funds Passport Summary Context Comparison with other regional initiatives

Asia Region Funds Passport Summary Context Comparison with other regional initiatives

Introducing the framework for Asia Region Funds Passport Summary Context Comparison with other regional initiatives What is the Passport? Objectives Who regulates what? Other host economy laws and regulations Passport

149 views • 10 slides
OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant

OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant

OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant Neurology Department Boston Childrens Hospital OMS MEDICAL PASSPORT The purpose of a medical passport is to allow adolescents/young adults/adults

652 views • 24 slides
SIRIOS the Framework for CERTs Thomas Klingmller Federal Office for Information Security (BSI)

SIRIOS the Framework for CERTs Thomas Klingmller Federal Office for Information Security (BSI)

SIRIOS the Framework for CERTs Thomas Klingmller Federal Office for Information Security (BSI) Germany 17th FIRST Conference 2005 - Singapore June 26 July 1, 2005 Abstract SIRIOS Framework for CERTs BSI and CERT-Bund J SIRIOS

661 views • 18 slides
Automated Reliability Reports (ARR) CERTS I ndustry Leaders Council Meeting By: Mahmood

Automated Reliability Reports (ARR) CERTS I ndustry Leaders Council Meeting By: Mahmood

Automated Reliability Reports (ARR) CERTS I ndustry Leaders Council Meeting By: Mahmood Mirheidar - FERC Carlos Martinez CERTS/EPG Washington D. C. May 13, 2009 Automated Reliability Reports (ARR) Presentation Overview Automated

161 views • 15 slides
Overview of CCA & EV Resources Peter Lindstrom, Clean Energy Resource Teams (CERTs)

Overview of CCA & EV Resources Peter Lindstrom, Clean Energy Resource Teams (CERTs)

Overview of CCA & EV Resources Peter Lindstrom, Clean Energy Resource Teams (CERTs) Diana McKeown, Great Plains Institute/CERTs About Cities Charging Ahead (CCA) About Cities Charging Ahead! Peer cohort of 28 cities working together

331 views • 20 slides
WeClimbUK Passport Presentation & discussion by the Project Board 27 th July 2019 Session

WeClimbUK Passport Presentation & discussion by the Project Board 27 th July 2019 Session

WeClimbUK Passport Presentation & discussion by the Project Board 27 th July 2019 Session objectives 1. Brief you on progress with the Passport The business case for such a scheme Our vision for the Passport Progress to

406 views • 28 slides
The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for

The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for

The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for Medical Assistance May 23, 2019 1 Passport Health Plan: A Leader in Medicaid for 20+ Years 21 YEARS 318K Provider- Non-profit and Nationally

473 views • 22 slides
Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call

Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call

November 14, 2016 www.IHI.org/Passport Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call 2 WebEx Quick Reference Welcome to todays session! Raise your hand Please use chat to All

545 views • 29 slides
the different continents of the world. Each passport has a series of steps based on recall of

the different continents of the world. Each passport has a series of steps based on recall of

Every child has been given a passport for the different continents of the world. Each passport has a series of steps based on recall of mental maths number facts. These steps are taken from the current National Curriculum and are the key

508 views • 15 slides
CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun Jiwasurat Division Director, Office of Security, ETDA 1 ThaiCERT: A Quick Glance A government funded unit, established in 2000 The first and

654 views • 22 slides
MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport &

MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport &

MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport & visa Passport & visa Yellow fever vaccination paper Vaccinations Ticket / boarding pass Student ID ~$500 USD for exchanging** Drivers

408 views • 18 slides
(USPVS) Nalini Rangaraju Electronic application to verify Passport information Developed

(USPVS) Nalini Rangaraju Electronic application to verify Passport information Developed

US Passport Verification Service (USPVS) Nalini Rangaraju Electronic application to verify Passport information Developed in 2010 with funding from DHS to support REAL ID 17 jurisdictions in production (6 additional jurisdictions

454 views • 12 slides
E-Passport Survey Serge Vaudenay and Martin Vuagnoux COLE POLYTECHNIQUE FDRALE DE LAUSANNE

E-Passport Survey Serge Vaudenay and Martin Vuagnoux COLE POLYTECHNIQUE FDRALE DE LAUSANNE

E-Passport Survey Serge Vaudenay and Martin Vuagnoux COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasecwww.epfl.ch/ SV 2007 e-passport survey Eurocrypt 2007 1 / 13 Machine-Readable Travel Document (MRTD) History 1968: ICAO starts

474 views • 13 slides
Passport to Health & Wellbeing Excellence Launch Event Lynn Neville Staff Developer

Passport to Health & Wellbeing Excellence Launch Event Lynn Neville Staff Developer

Passport to Health & Wellbeing Excellence Launch Event Lynn Neville Staff Developer Objectives Introduce the new passport programme Explain the 6Ws: Why What Who When Where How Give you enough information

490 views • 24 slides
THE FUTURE OF THE TRANSIT INDUSTRY Mobile Payments and BLE Based Payment Validation PASSPORT

THE FUTURE OF THE TRANSIT INDUSTRY Mobile Payments and BLE Based Payment Validation PASSPORT

THE FUTURE OF THE TRANSIT INDUSTRY Mobile Payments and BLE Based Payment Validation PASSPORT SNAPSHOT Mobile Payment Expertise SunGO Transit COMET Transit (PILOT) Tucson, AZ Columbia, SC Passport founded in 2010 Leader in mobile

614 views • 16 slides
SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist

SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist

SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist for many languages Can be used for many encryption needs Generating keys Signing certs Validating certs We'll use OpenSSL in the

287 views • 6 slides
1 Certificates /etc/ssl/certs $ cat GlobalSign_Root_CA.pem -----BEGIN TRUSTED CERTIFICATE-----

1 Certificates /etc/ssl/certs $ cat GlobalSign_Root_CA.pem -----BEGIN TRUSTED CERTIFICATE-----

1 Certificates /etc/ssl/certs $ cat GlobalSign_Root_CA.pem -----BEGIN TRUSTED CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv

213 views • 7 slides
Welcome, International S tudents! Presentation by: Karla David Nha Le Passport HOLDS :

Welcome, International S tudents! Presentation by: Karla David Nha Le Passport HOLDS :

Welcome, International S tudents! Presentation by: Karla David Nha Le Passport HOLDS : International S tudent Hold S ee OIE to have this hold removed Health Insurance Pay for health insurance fee on Passport S pring 2020 New

227 views • 8 slides
passport.lausd.net P arent A ccess S upport S ystem port al The LAUSD PASSport provides the

passport.lausd.net P arent A ccess S upport S ystem port al The LAUSD PASSport provides the

P arent A ccess S upport S ystem port al Parent Presentation P arent A ccess S upport S ystem port al The LAUSD Parent Access Support System portal (LAUSD PASSport), is a one-stop online system available 24/7 that securely connects

813 views • 21 slides

More recommend