draft-ietf-stir-rfc4474bis-10.txt   draft-ietf-stir-rfc4474bis-11.txt 
Network Working Group J. Peterson Network Working Group J. Peterson
Internet-Draft NeuStar Internet-Draft NeuStar
Intended status: Standards Track C. Jennings Intended status: Standards Track C. Jennings
Expires: January 8, 2017 Cisco Expires: February 25, 2017 Cisco
E. Rescorla E. Rescorla
RTFM, Inc. RTFM, Inc.
C. Wendt C. Wendt
Comcast Comcast
July 7, 2016 August 24, 2016
Authenticated Identity Management in the Session Initiation Protocol Authenticated Identity Management in the Session Initiation Protocol
(SIP) (SIP)
draft-ietf-stir-rfc4474bis-10.txt draft-ietf-stir-rfc4474bis-11.txt
Abstract Abstract
The baseline security mechanisms in the Session Initiation Protocol The baseline security mechanisms in the Session Initiation Protocol
(SIP) are inadequate for cryptographically assuring the identity of (SIP) are inadequate for cryptographically assuring the identity of
the end users that originate SIP requests, especially in an the end users that originate SIP requests, especially in an
interdomain context. This document defines a mechanism for securely interdomain context. This document defines a mechanism for securely
identifying originators of SIP requests. It does so by defining a identifying originators of SIP requests. It does so by defining a
SIP header field for conveying a signature used for validating the SIP header field for conveying a signature used for validating the
identity, and for conveying a reference to the credentials of the identity, and for conveying a reference to the credentials of the
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 8, 2017. This Internet-Draft will expire on February 25, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Architectural Overview . . . . . . . . . . . . . . . . . . . 4
4. Overview of Operations . . . . . . . . . . . . . . . . . . . 6 4. Identity Header Field Syntax . . . . . . . . . . . . . . . . 6
5. Signature Generation and Validation . . . . . . . . . . . . . 7 4.1. PASSporT Construction . . . . . . . . . . . . . . . . . . 7
5.1. Authentication Service Behavior . . . . . . . . . . . . . 7 4.1.1. 'canon' and PASSporT . . . . . . . . . . . . . . . . 9
5.2. Verifier Behavior . . . . . . . . . . . . . . . . . . . . 10 5. Example of Operations . . . . . . . . . . . . . . . . . . . . 10
5.2.1. Handling 'canon' parameters . . . . . . . . . . . . . 12 5.1. Example Identity Header Construction . . . . . . . . . . 11
6. Credentials . . . . . . . . . . . . . . . . . . . . . . . . . 13 6. Signature Generation and Validation . . . . . . . . . . . . . 13
6.1. Credential Use by the Authentication Service . . . . . . 13 6.1. Authentication Service Behavior . . . . . . . . . . . . . 13
6.2. Credential Use by the Verification Service . . . . . . . 14 6.2. Verifier Behavior . . . . . . . . . . . . . . . . . . . . 16
6.3. Handling 'info' parameter URIs . . . . . . . . . . . . . 15 6.2.1. Authorization of Requests . . . . . . . . . . . . . . 17
6.4. Credential System Requirements . . . . . . . . . . . . . 15 6.2.2. Response Codes Sent by a Verification Service . . . . 18
7. Identity Types . . . . . . . . . . . . . . . . . . . . . . . 16 6.2.3. Handling 'canon' parameters . . . . . . . . . . . . . 19
7.1. Authority for Telephone Numbers . . . . . . . . . . . . . 18 7. Credentials . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.2. Telephone Number Canonicalization Procedures . . . . . . 18 7.1. Credential Use by the Authentication Service . . . . . . 20
7.3. Authority for Domain Names . . . . . . . . . . . . . . . 19 7.2. Credential Use by the Verification Service . . . . . . . 21
7.4. URI Normalization . . . . . . . . . . . . . . . . . . . . 20 7.3. 'info' parameter URIs . . . . . . . . . . . . . . . . . . 22
8. Header Syntax . . . . . . . . . . . . . . . . . . . . . . . . 21 7.4. Credential System Requirements . . . . . . . . . . . . . 22
9. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 24 8. Identity Types . . . . . . . . . . . . . . . . . . . . . . . 24
10. Backwards Compatibililty with RFC4474 . . . . . . . . . . . . 25 8.1. Differentiating Telephone Numbers from URIs . . . . . . . 24
11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25 8.2. Authority for Telephone Numbers . . . . . . . . . . . . . 25
12. Security Considerations . . . . . . . . . . . . . . . . . . . 27 8.3. Telephone Number Canonicalization Procedures . . . . . . 25
12.1. Protected Request Fields . . . . . . . . . . . . . . . . 27 8.4. Authority for Domain Names . . . . . . . . . . . . . . . 26
12.1.1. Protection of the To Header and Retargeting . . . . 29 8.5. URI Normalization . . . . . . . . . . . . . . . . . . . . 27
12.2. Unprotected Request Fields . . . . . . . . . . . . . . . 30 9. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 28
12.3. Malicious Removal of Identity Headers . . . . . . . . . 30 10. Backwards Compatibililty with RFC4474 . . . . . . . . . . . . 29
12.4. Securing the Connection to the Authentication Service . 31 11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 30
12.5. Authorization and Transitional Strategies . . . . . . . 32 12. Security Considerations . . . . . . . . . . . . . . . . . . . 32
12.6. Display-Names and Identity . . . . . . . . . . . . . . . 33 12.1. Protected Request Fields . . . . . . . . . . . . . . . . 32
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 12.1.1. Protection of the To Header and Retargeting . . . . 34
13.1. Identity-Info Parameters . . . . . . . . . . . . . . . . 33 12.2. Unprotected Request Fields . . . . . . . . . . . . . . . 34
13.2. Identity-Info Algorithm Parameter Values . . . . . . . . 34 12.3. Malicious Removal of Identity Headers . . . . . . . . . 35
13.3. Response Codes defined in RFC4474 . . . . . . . . . . . 34 12.4. Securing the Connection to the Authentication Service . 35
14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35 12.5. Authorization and Transitional Strategies . . . . . . . 36
15. Changes from RFC4474 . . . . . . . . . . . . . . . . . . . . 35 12.6. Display-Names and Identity . . . . . . . . . . . . . . . 37
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
16.1. Normative References . . . . . . . . . . . . . . . . . . 36 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
16.2. Informative References . . . . . . . . . . . . . . . . . 37 13.1. SIP Header Fields . . . . . . . . . . . . . . . . . . . 38
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 13.2. SIP Response Codes . . . . . . . . . . . . . . . . . . . 38
13.3. Identity-Info Parameters . . . . . . . . . . . . . . . . 38
13.4. Identity-Info Algorithm Parameter Values . . . . . . . . 38
14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 39
15. Changes from RFC4474 . . . . . . . . . . . . . . . . . . . . 39
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 39
16.1. Normative References . . . . . . . . . . . . . . . . . . 39
16.2. Informative References . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 43
1. Introduction 1. Introduction
This document provides enhancements to the existing mechanisms for This document provides enhancements to the existing mechanisms for
authenticated identity management in the Session Initiation Protocol authenticated identity management in the Session Initiation Protocol
(SIP, [RFC3261]). An identity, for the purposes of this document, is (SIP, [RFC3261]). An identity, for the purposes of this document, is
defined as either a SIP URI, commonly a canonical address-of-record defined as either a canonical address-of-record (AoR) SIP URI
(AoR) employed to reach a user (such as employed to reach a user (such as 'sip:alice@atlanta.example.com'),
'sip:alice@atlanta.example.com'), or a telephone number, which can be or a telephone number, which commonly appears in either a TEL URI
represented as either a TEL URI [RFC3966] or as the user portion of a [RFC3966] or as the user portion of a SIP URI.
SIP URI.
[RFC3261] specifies several places within a SIP request where users [RFC3261] specifies several places within a SIP request where users
can express an identity for themselves, most prominently the user- can express an identity for themselves, most prominently the user-
populated From header field. However, the recipient of a SIP request populated From header field. However, the recipient of a SIP request
has no way to verify that the From header field has been populated has no way to verify that the From header field has been populated
appropriately, in the absence of some sort of cryptographic appropriately, in the absence of some sort of cryptographic
authentication mechanism. This leaves SIP vulnerable to a category authentication mechanism. This leaves SIP vulnerable to a category
of abuses, including impersonation attacks that enable robocalling of abuses, including impersonation attacks that facilitate or enable
and related problems as described in [RFC7340]. Ideally, a robocalling, voicemail hacking, swatting, and related problems as
cryptographic approach to identity can provide a much stronger and described in [RFC7340]. Ideally, a cryptographic approach to
less spoofable assurance of identity than the Caller ID services that identity can provide a much stronger and less spoofable assurance of
the telephone network provides today. identity than the Caller ID services that the telephone network
provides today.
[RFC3261] encourages user agents (UAs) to implement a number of [RFC3261] encourages user agents (UAs) to implement a number of
potential authentication mechanisms, including Digest authentication, potential authentication mechanisms, including Digest authentication,
Transport Layer Security (TLS), and S/MIME (implementations may Transport Layer Security (TLS), and S/MIME (implementations may
support other security schemes as well). However, few SIP user support other security schemes as well). However, few SIP user
agents today support the end-user certificates necessary to agents today support the end-user certificates necessary to
authenticate themselves (via S/MIME, for example), and for its part authenticate themselves (via S/MIME, for example), and for its part
Digest authentication is limited by the fact that the originator and Digest authentication is limited by the fact that the originator and
destination must share a prearranged secret. Practically speaking, destination must share a prearranged secret. Practically speaking,
originating user agents need to be able to securely communicate their originating user agents need to be able to securely communicate their
users' identity to destinations with which they have no previous users' identity to destinations with which they have no previous
association. association.
As an initial attempt to address this gap, [RFC4474] specified a As an initial attempt to address this gap, [RFC4474] specified a
means of signing portions of SIP requests in order to provide an means of signing portions of SIP requests in order to provide an
identity assurance. However, RFC 4474 was in several ways misaligned identity assurance. However, RFC4474 was in several ways misaligned
with deployment realities (see [I-D.rosenberg-sip-rfc4474-concerns]). with deployment realities (see [I-D.rosenberg-sip-rfc4474-concerns]).
Most significantly, RFC 4474 did not deal well with telephone numbers Most significantly, RFC4474 did not deal well with telephone numbers
as identifiers, despite their enduring use in SIP deployments. RFC as identifiers, despite their enduring use in SIP deployments.
4474 also provided a signature over material that intermediaries in RFC4474 also provided a signature over material that intermediaries
existing deployments commonly altered. This specification therefore in existing deployments commonly altered. This specification
revises RFC 4474 in light of recent reconsideration of the problem therefore deprecates the RFC4474 syntax and behavior, reconsidering
space to align with the threat model in [RFC7375], and aligns the the problem space in light of the threat model in [RFC7375] and
signature format with PASSporT [I-D.ietf-stir-passport]. aligning the signature format with PASSporT [I-D.ietf-stir-passport].
2. Terminology 2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED", In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as
described in RFC 2119 [RFC2119] and RFC 6919 [RFC6919]. described in RFC 2119 [RFC2119].
3. Background In addition, this document uses three terms specific to the
mechanism:
Per [RFC7340], problems such as robocalling, voicemail hacking, and Identity: An identifier for the user of a communications service;
swatting are enabled by an attacker's ability to impersonate someone for the purposes of SIP, either a SIP URI or a telephone number.
else. The secure operation of most SIP applications and services Identities are extracted from an "identity field" a SIP request
depends on authorizing the source of communications as it is such as the From header field.
represented in a SIP request. Such authorization policies can be
automated or be a part of human operation of SIP devices. An example
of the former would be a voicemail service that compares the identity
of the caller to a whitelist before determining whether it should
allow the caller access to recorded messages. An example of the
latter would be an Internet telephone application that displays the
calling party number (and/or Caller-ID) of a caller, which a human
may review to make a policy decision before answering a call. In
both of these cases, attackers might attempt to circumvent these
authorization policies through impersonation. Since the primary
identifier of the sender of a SIP request, the From header field, can
be populated arbitrarily by the controller of a user agent,
impersonation is very simple today in many environments. The
mechanism described in this document provides a strong identity
system for detecting attempted impersonation in SIP requests.
This identity architecture for SIP depends on a logical Authentication Service: A logical role played by a SIP entity that
"authentication service" which validates outgoing requests. An adds Identity headers to SIP requests.
authentication service may be implemented either as part of a user
agent or as a proxy server; typically, it is a component of a network
intermediary like a proxy to which originating user agents send
unsigned requests. Once the sender of the message has been
authenticated, the authentication service then computes and adds
cryptographic information (including a digital signature over some
components of messages) to requests to communicate to other SIP
entities that the sending user has been authenticated and its claim
of a particular identity has been authorized. A "verification
service" on the receiving end then validates this signature and
enables policy decisions to be made based on the results of the
verification.
Identities are issued to users by authorities. When a new user Verification Service (or "Verifier"): A logical role played by a
becomes associated with example.com, the administrator of the SIP SIP entity that validates Identity headers in a SIP request.
service for that domain can issue them an identity in that namespace,
such as alice@example.com. Alice may then send REGISTER requests to
example.com that make her user agents eligible to receive requests
for sip:alice@example.com. In some cases, Alice may be the owner of
the domain herself, and may issue herself identities as she chooses.
But ultimately, it is the controller of the SIP service at
example.com that must be responsible for authorizing the use of names
in the example.com domain. Therefore, for the purposes of baseline
SIP, the credentials needed to prove a user is authorized to use a
particular From header field must ultimately derive from the domain
owner: either a user agent gives requests to the domain name owner in
order for them to be signed by the domain owner's credentials, or the
user agent must possess credentials that prove in some fashion that
the domain owner has given the user agent the right to a name.
The situation is however more complicated for telephone numbers, 3. Architectural Overview
however. Authority over telephone numbers does not correspond
directly to Internet domains. While a user could register at a SIP The identity architecture for SIP defined in this specification
domain with a username that corresponds to a telephone number, any depends on a logical "authentication service" which validates
connection between the administrator of that domain and the outgoing requests. An authentication service may be implemented
assignment of telephone numbers is not currently reflected on the either as part of a user agent or as a proxy server; typically, it is
Internet. Telephone numbers do not share the domain-scope property a component of a network intermediary like a proxy to which
described above, as they are dialed without any domain component. originating user agents send unsigned requests. Once the originator
This document thus assumes the existence of a separate means of of the message has been authenticated, through means entirely up to
the authentication service, the authentication service then creates
and adds an Identity header field to the request. This requires
computing cryptographic information, including a digital signature
over some components of messages, that lets other SIP entities verify
that the sending user has been authenticated and its claim of a
particular identity has been authorized. These "verification
services" validate the signature and enable policy decisions to be
made based on the results of the validation.
Policy decisions made after validation depend heavily on the
verification service's trust for the credentials that the
authentication service uses to sign requests. As robocalling,
voicemail hacking, and swatting usually involve impersonation of
telephone numbers, credentials that will be trusted by relying
parties to sign for telephone numbers are a key component of the
architecture. Authority over telephone numbers is however, not so
easy to establish on the Internet as authority over traditional
domain names. This document assumes the existence of credentials for
establishing authority over telephone numbers, for cases where the establishing authority over telephone numbers, for cases where the
telephone number is the identity of the user. As with SIP URIs, the telephone number is the identity of the user, but this document does
necessary credentials to prove authority for a name might reside not mandate or specify a credential system.
either in the endpoint or at some intermediary. [I-D.ietf-stir-certificates] describes a credential system compatible
with this architecture.
This document specifies a means of sharing a cryptographic assurance Although addressing the vulnerabilities in the STIR problem statement
of end-user SIP identity in an interdomain or intradomain context. and threat model mostly requires dealing with telephone number as
It relies on the authentication service constructing tokens based on identities, SIP must also handle signing for SIP URIs as identities.
the PASSporT [I-D.ietf-stir-passport] format, a JSON [RFC7159] object This is typically easier to deal with, as these identities are issued
comprising values copied from certain header field values in the SIP to users by authorities over Internet domains. When a new user
request. The authentication service then computes a signature over becomes associated with example.com, for example, the administrator
those JSON object in a manner following PASSporT. That signature is of the SIP service for that domain can issue them an identity in that
then placed in a SIP Identity header. In order to assist in the namespace, such as sip:alice@example.com. Alice may then send
validation of the Identity header, this specification also describes REGISTER requests to example.com that make her user agents eligible
some metadata fields associated with the header that can be used by to receive requests for sip:alice@example.com. In other cases, Alice
the recipient of a request to recover the credentials of the signer. may herself be the owner of her own domain, and may issue herself
Note that the scope of this document is limited to providing this identities as she chooses. But ultimately, it is the controller of
the SIP service at example.com that must be responsible for
authorizing the use of names in the example.com domain. Therefore,
for the purposes of baseline SIP, the necessary credentials needed to
prove a user is authorized to use a particular From header field must
ultimately derive from the domain owner: either a user agent gives
requests to the domain name owner in order for them to be signed by
the domain owner's credentials, or the user agent must possess
credentials that prove in some fashion that the domain owner has
given the user agent the right to a name.
In order to share a cryptographic assurance of end-user SIP identity
in an interdomain or intradomain context, an authentication service
constructs tokens based on the PASSporT [I-D.ietf-stir-passport]
format, a JSON [RFC7159] object comprising values copied from certain
header field values in the SIP request. The authentication service
computes a signature over those JSON elements as PASSporT specifies.
That signature is then placed in the SIP Identity header field. In
order to assist in the validation of the Identity header field, this
specification also describes a parameter of the Identity header field
that can be used by the recipient of a request to recover the
credentials of the signer.
Note that the scope of this document is limited to providing an
identity assurance for SIP requests; solving this problem for SIP identity assurance for SIP requests; solving this problem for SIP
responses is outside the scope of this work (see [RFC4916]). Future responses is outside the scope of this work (see [RFC4916]). Future
work might specify ways that a SIP implementation could gateway work might specify ways that a SIP implementation could gateway
PASSporT objects to other protocols. PASSporT objects to other protocols.
This specification allows either a user agent or a proxy server to 4. Identity Header Field Syntax
provide the authentication service function and/or the verification
service function. To maximize end-to-end security, it is obviously
preferable for end-users to acquire their own credentials; if they
do, their user agents can act as authentication services. However,
for some deployments, end-user credentials may be neither practical
nor affordable, given the potentially large number of SIP user agents
(phones, PCs, laptops, PDAs, gaming devices) that may be employed by
a single user. In such environments, synchronizing keying material
across multiple devices may be prohibitively complex and require
quite a good deal of additional endpoint behavior. Managing several
credentials for the various devices could also be burdensome. In
these cases, implementation the authentication service at an
intermediary may be more practical. This trade-off needs to be
understood by implementers of this specification.
4. Overview of Operations The Identity and Identity-Info header fields that were previously
defined in RFC4474 are here deprecated. This revised specification
collapses the grammar of Identity-Info into the Identity header field
via the "info" parameter. Note that unlike the prior specification
in RFC4474, the Identity header field is now allowed to appear more
than one time in a SIP request. The revised grammar for the Identity
header field builds on the ABNF [RFC4234] in RFC 3261 [RFC3261]
Section 25. It is as follows:
Identity = "Identity" HCOLON signed-identity-digest SEMI ident-info \
*( SEMI ident-info-params )
signed-identity-digest = LDQUOT *base64-char RDQUOT
ident-info = "info" EQUAL ident-info-uri
ident-info-uri = LAQUOT absoluteURI RAQUOT
ident-info-params = ident-info-alg / ident-type / canonical-str / \
ident-info-extension
ident-info-alg = "alg" EQUAL token
ident-type = "ppt" EQUAL token
canonical-str = "canon" EQUAL LDQUOT *base64-char RDQUOT
ident-info-extension = generic-param
base64-char = ALPHA / DIGIT / "/" / "+"
In addition to the "info" parameter, and the "alg" parameter
previously defined in RFC4474, this specification defines the
optional "canon" and "ppt" parameters. The 'absoluteURI' portion of
ident-info-uri MUST contain a URI; see Section 7.3 for more on
choosing how to advertise credentials through this parameter.
The signed-identity-digest is the PASSporT signature component of a
PASSporT object [I-D.ietf-stir-passport], a signature which PASSporT
generates over the JSON objects contain headers and claims; some
header and claim values will mirror elements of the SIP request. In
order to generate that signature, an implementation must construct a
complete PASSporT object.
4.1. PASSporT Construction
For SIP implementations to populate the PASSporT header JSON object
with fields from a SIP request, the following elements message MUST
be placed as the values corresponding to the designated JSON keys:
First, per baseline [I-D.ietf-stir-passport], the JSON key "typ"
key MUST have the value "passport".
Second, the JSON key "alg" MUST mirror the value of the optional
"alg" parameter in the SIP Identity header field. Note if the
"alg" parameter is absent from the Identity header, the default
value is "ES256".
Third, the JSON key "x5u" MUST have a value equivalent to the
quoted URI in the "info" parameter.
Fourth, the optional JSON key "ppt", if present, MUST have a value
equivalent to the quoted value of the "ppt" parameter of the
Identity header field. If the "ppt" parameter is absent from the
header field, the "ppt" key MUST NOT not appear in the JSON header
object.
For example:
{ "typ":"passport",
"alg":"ES256",
"x5u":"https://www.example.com/cert.pkx" }
To populate the PASSporT claims JSON object from a SIP request, the
following elements MUST be placed as values corresponding to the
designated JSON keys:
First, the JSON "orig" array MUST be populated. If the
originating identity is a telephone number, then the array MUST be
populated with a "tn" claim with a value set to the value of the
quoted originating identity, a canonicalized telephone number (see
Section 8.3). Otherwise, the array MUST be populated with a "uri"
claim, set to the value of the AoR of the UA sending the message
as taken from addr-spec of the From header field, per the
procedures in Section 8.5.
Second, the JSON "dest" array MUST be populated. If the
destination identity is a telephone number, then the array MUST be
populated with a "tn" claim with a value set to the value of the
quoted destination identity, a canonicalized telephone number (see
Section 8.3). Otherwise, the array MUST be populated with a "uri"
claim, set to the value of the addr-spec component of the To
header field, which is the AoR to which the request is being sent,
per the procedures in Section 8.5.
Third, the JSON key "iat" MUST appear, set to the value of a
quoted encoding of the value of the SIP Date header field as a
JSON NumericDate (as UNIX time, per [RFC7519] Section 2).
Fourth, if the request contains an SDP message body, and if that
SDP contains one or more "a=fingerprint" attributes, then the JSON
key "mky" MUST appear with the algorithm(s) and value(s) of the
fingerprint attributes (if they differ), following the format
given in [I-D.ietf-stir-passport] Section 3.2.2.2.
For example:
{ "orig":{"tn":"12155551212"},
"dest":{"tn":"12155551213"},
"iat":"1443208345" }
For information on the security properties of these SIP message
elements, and why their inclusion mitigates replay attacks, see
Section 12. Note that future extensions to the PASSporT object could
introduce new claims, and that further SIP procedures could be
required to extract information from the SIP request to populate the
values of those claims; see Section 9.
The "orig" and "dest" arrays may contain identifiers of heterogeneous
type; for example, the "orig" array might contain a "tn" claim, while
the "dest" contains a "uri" claim. Also note that in some cases, the
"orig" and "dest" arrays might be populated with more than one value.
This could for example occur when multiple "dest" identities are
specified in a meshed conference. Defining how a SIP implementation
would provision multiple originating or destination identities is
left as a subject for future specification.
After these two JSON objects, the header and the claims, have been
constructed and base64-encoded, they must each be hashed per
[I-D.ietf-stir-passport] Section 3.3. The signed value of those
concatenated hashes then becomes the signed-identity-string of the
Identity header field. The hashing and signing algorithm is
specified by the 'alg' parameter of the Identity header field and the
mirrored "alg" parameter of PASSporT. This specification inherits
from the PASSporT specification one value for the 'alg' parameter:
'ES256', as defined in [RFC7519], which connotes an ECDSA P-256
digital signature. All implementations of this specification MUST
support the required signing algorithms of PASSporT.
The PASSporT signature that serves as the signed-identity-digest for
the SIP Identity header field constitutes only the base64 encoded
signed hash, omitting the leading '.' of JWS.
The complete form of the Identity header field will therefore look
like the following example:
Identity: "sv5CTo05KqpSmtHt3dcEiO/1CWTSZtnG3iV+1nmurLXV/Hmty \
NS7Ltrg9dlxkWzoeU7d7OV8HweTTDobV3itTmgPwCFjaEmMyEI3d7SyN21y \
NDo2ER/Ovgtw0Lu5csIppPqOg1uXndzHbG7mR6Rl9BnUhHufVRbp51Mn3w0 \
gfUs=";info=<https://biloxi.example.org/biloxi.cer>;alg=ES256
4.1.1. 'canon' and PASSporT
As Appendix F of the JWS specification [RFC7515] notes, there are
cases where "it is useful to integrity-protect content that is not
itself contained in a JWS." Since the fields that make up the
majority of the PASSporT header and claims have values replicated in
the SIP request, the SIP usage of PASSporT may exclude the base64
encoded version of the header and claims JSON objects from the
Identity header field and instead present a detached signature. Only
the signature component of the PASSporT is REQUIRED in SIP, as it
forms the contents of the signed-identity-digest field. Optionally,
as a debugging measure or optimization, the base64-encoded
concatenation of the JSON header and claims MAY be included as the
value of a "canon" parameter of the Identity header field. Note
however that the use of some future extensions could require "canon"
(see Section 9).
When the "canon" parameter is present, it is populated per the
[I-D.ietf-stir-passport] Section 3.2 payload of PASSporT. However,
no trailing '.' is included: the string consists solely of the base64
encoded JSON header object, followed by a '.', followed by the base64
encoded claims JSON object, as follows:
Identity: "rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpj \
lk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w"; \
info=<https://biloxi.example.org/biloxi.c>;alg=ES256;canon= \
"eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cH \
M6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJkZXN0Ijp7 \
InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdCI6IjE0NDM \
yMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0"
Note that the presence of the "canon" parameter adds considerably to
the length of the Identity header field value.
5. Example of Operations
This section provides an informative (non-normative) high-level This section provides an informative (non-normative) high-level
overview of the mechanisms described in this document. example of the operation of the mechanisms described in this
document.
Imagine a case where Alice, who has the home proxy of example.com and Imagine a case where Bob, who has the home proxy of example.com and
the address-of-record sip:alice@example.com, wants to communicate the address-of-record sip:12155551212@example.com, wants to
with Bob at sip:bob@example.org. They have no prior relationship, communicate with Alice at sip:alice@example.org. They have no prior
and Bob implements best practices to prevent impersonation attacks. relationship, and Alice implements best practices to prevent
impersonation attacks.
Alice generates an INVITE and places her identity, in this case her Bob's user agent generates an INVITE and places his address-of-record
address-of-record, in the From header field of the request. She then in the From header field of the request. He then sends an INVITE to
sends an INVITE over TLS to an authentication service proxy for the an authentication service proxy for his domain.
example.com domain.
The proxy authenticates Alice (possibly by sending a Digest ............................ ..............................
authentication challenge), and validates that she is authorized to . . . .
assert the identity that she populated in the From header field. . +-------+ . . +-------+ .
This value could be Alice's AoR, but in other cases it could be some . Signs for | | . Signed . | | .
different value that the authentication service has authority over, . 12125551xxx| Auth |------------> | Verif | .
such as a telephone number. The proxy authentication service then . | Svc | . INVITE . | Svc | .
constructs a PASSporT object which contains a JSON representations of . | Proxy | . . | Proxy | .
headers and claims which mirror certain parts of the SIP request, . > +-------+ . . +-------+ \ .
including the identity in the From header field. As a part of . / | . -> \ .
generating the PASSporT object, the authentication service signs a . / | . --. \ .
hash of those headers and claims with the appropriate credential for . / | . -- . \ .
the identity (in this case, the certificate for example.com, which . / | . -- . \ .
covers the identity sip:alice@example.com), and the signature is . / +-------+. -- . \ .
inserted by the proxy server into the Identity header field value of . / | |.<- . \ .
the request. Optionally, the JSON headers and claims themselves may . / | Cert |. . > .
also be included in the object, encoded in the "canon" parameter of . +-------+ | Store |. . +-------+ .
the Identity header. . | | | |. . | | .
. | Bob | +-------+. . | Alice | .
. | UA | . . | UA | .
. | | . . | | .
. +-------+ . . +-------+ .
. Domain A . . Domain B .
............................ ..............................
The proxy, as the holder of the private key for the example.com The proxy authenticates Bob, and validates that he is authorized to
domain, is asserting that the originator of this request has been assert the identity that he populated in the From header field. The
authenticated and that she is authorized to claim the identity that proxy authentication service then constructs a PASSporT object which
appears in the From header field. The proxy inserts an "info" contains a JSON representation of headers and claims which mirror
parameter into the Identity header that tells Bob how to acquire certain parts of the SIP request, including the identity in the From
keying material necessary to validate its credentials (a public key), header field value. As a part of generating the PASSporT object, the
in case he doesn't already have it. authentication service signs a hash of those JSON headers and claims
with the private key associated with the appropriate credential for
the identity (in this example, a certificate with authority to sign
for numbers in a range from 12155551000 to 121555519999), and the
signature is inserted by the proxy server into the Identity header
field value of the request. Optionally, the JSON headers and claims
themselves may also be included in the object, encoded in the "canon"
parameter of the Identity header field.
When Bob's domain receives the request, it verifies the signature The proxy authentication service, as the holder of a private key with
provided in the Identity header, and thus can validate that the authority over Bob's telephone number, is asserting that the
authority over the identity in the From header field authenticated originator of this request has been authenticated and that he is
the user, and permitted the user to assert that From header field authorized to claim the identity that appears in the From header
value. This same validation operation may be performed by Bob's user field. The proxy inserts an "info" parameter into the Identity
agent server (UAS). As the request has been validated, it is header field that tells Alice how to acquire keying material
rendered to Bob. If the validation was unsuccessful, some other necessary to validate its credentials (a public key), in case she
treatment would be applied by the receiving domain. doesn't already have it.
5. Signature Generation and Validation When Alice's domain receives the request, a proxy verification
service validates the signature provided in the Identity header
field, and then determines that the authentication service
credentials demonstrate authority over the identity in the From
header field. This same validation operation might be performed by a
verification service in Alice's user agent server. Ultimately, this
valid request is rendered to Alice. If the validation were
unsuccessful, some other treatment could be applied by the receiving
domain or Alice's user agent.
5.1. Authentication Service Behavior 5.1. Example Identity Header Construction
This document specifies a role for SIP entities called an For the following SIP request:
authentication service. The authentication service role can be
instantiated, for example, by an intermediary such as a proxy server INVITE sip:bob@biloxi.example.org SIP/2.0
or by a user agent. Any entity that instantiates the authentication Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
service role MUST possess the private key of one or more credentials To: Alice <sip:alice@example.com>
that can be used to sign for a domain or a telephone number (see From: Bob <sip:12155551212@example.com>;tag=1928301774>
Section 6.1). Intermediaries that instantiate this role MUST be Call-ID: a84b4c76e66710
capable of authenticating one or more SIP users who can register for CSeq: 314159 INVITE
that identity. Commonly, this role will be instantiated by a proxy Max-Forwards: 70
server, since these entities are more likely to have a static Date: Fri, 25 Sep 2015 19:12:25 GMT
Contact: <sip:12155551212gateway.example.com>
Content-Type: application/sdp
Content-Length: 147
v=0
o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
An authentication service will create a corresponding PASSporT
object. The properly-serialized PASSporT header and claims JSON
objects would look as follows. For the header, the values chosen by
the authentication service at "example.org" might read:
{"alg":"ES256","typ":"passport","x5u":"https://cert.example.org/
passport.cer"}
The serialized claims will derive from the SIP request (the From, To,
and Date header field values) as follows:
{"dest":{"uri":["sip:alice@example.com"]},"iat":"1443208345",
"orig":{"tn":"12155551212"}}
The authentication service would then generate the signature over the
object following the procedures in [I-D.ietf-stir-passport]
Section 3.3. That signature would look as follows:
rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \
ojNCpTzO3QfPOlckGaS6hEck7w
An authentication service signing this request would thus generate
and add to the request an Identity header field of the following
form:
Identity: "rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpj \
lk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w"; \
info=<https://biloxi.example.org/biloxi.c>
6. Signature Generation and Validation
SIP entities that instantiate the authentication service and
verification service roles will, respectively, generate and validate
the Identity header and the signature it contains.
6.1. Authentication Service Behavior
Any entity that instantiates the authentication service role MUST
possess the private key of one or more credentials that can be used
to sign for a domain or a telephone number (see Section 7.1). The
authentication service role can be instantiated, for example, by an
intermediary such as a proxy server or by a user agent.
Intermediaries that instantiate this role MUST be capable of
authenticating one or more SIP users who can register for that
identity. Commonly, this role will be instantiated by a proxy
server, since proxy servers are more likely to have a static
hostname, hold corresponding credentials, and have access to SIP hostname, hold corresponding credentials, and have access to SIP
registrar capabilities that allow them to authenticate users. It is registrar capabilities that allow them to authenticate users. It is
also possible that the authentication service role might be also possible that the authentication service role might be
instantiated by an entity that acts as a redirect server, but that is instantiated by an entity that acts as a redirect server, but that is
left as a topic for future work. left as a topic for future work.
An authentication service adds the Identity header to SIP requests. An authentication service adds the Identity header field to SIP
The procedures below define the steps that must be taken when each an requests. The procedures below define the steps that must be taken
header is added. More than one may appear in a single request, and when each Identity header field is added. More than one Identity
an authentication service may add an Identity header to a request header field may appear in a single request, and an authentication
that already contains one or more Identity headers. If the Identity service may add an Identity header field to a request that already
header added follows extended signing procedures beyond the baseline contains one or more Identity header fields.
given in Section 8, then it differentiates the header with a "ppt"
parameter per the fourth step below.
Entities instantiating the authentication service role perform the Entities instantiating the authentication service role perform the
following steps, in order, to generate an Identity header for a SIP following steps, in order, to generate an Identity header field for a
request: SIP request:
Step 1: Step 1: Check Authority for the Identity
First, the authentication service must determine whether it is First, the authentication service must determine whether it is
authoritative for the identity of the sender of the request. In authoritative for the identity of the originator of the request. The
ordinary operations, the authentication service decides this by authentication service extracts the identity from the URI value from
inspecting the URI value from the addr-spec component of From header the "identity field"; in ordinary operations, that is the addr-spec
field; this URI will be referred to here as the 'identity field'. If component of From header field. In order to determine whether the
the identity field contains a SIP or SIP Secure (SIPS) URI, and the signature for the identity field should be over the entire identity
user portion is not a telephone number, the authentication service field URI or just a telephone number, the authentication service MUST
MUST extract the hostname portion of the identity field and compare follow the process described in Section 8.1. That section will
it to the domain(s) for which it is responsible (following the either lead to the telephone number canonicalization procedures in
procedures in RFC 3261 [RFC3261], Section 16.4). If the identity Section 8.3 for telephone numbers, or to the URI normalization
field uses the TEL URI scheme [RFC3966], or the identity field is a procedures described in Section 8.5 for domain names. Whichever the
SIP or SIPS URI with a telephone number in the user portion, the result, if the authentication service is not authoritative for the
authentication service determines whether or not it is responsible identity in question, it SHOULD process and forward the request
for this telephone number; see Section 7.1 for more information. An
authentication service proceeding with a signature over a telephone
number MUST then follow the canonicalization procedures described in
Section 7.2. If the authentication service is not authoritative for
the identity in question, it SHOULD process and forward the request
normally unless the local policy is to block such requests. The normally unless the local policy is to block such requests. The
authentication service MUST NOT add an Identity header if the authentication service MUST NOT add an Identity header field if the
authentication service does not have the authority to make the claim authentication service does not have the authority to make the claim
it asserts. it asserts.
Step 2: Step 2: Authenticate the Originator
The authentication service MUST then determine whether or not the The authentication service MUST then determine whether or not the
sender of the request is authorized to claim the identity given in originator of the request is authorized to claim the identity given
the identity field. In order to do so, the authentication service in the identity field. In order to do so, the authentication service
MUST authenticate the sender of the message. Some possible ways in MUST authenticate the originator of the message. Some possible ways
which this authentication might be performed include: in which this authentication might be performed include:
If the authentication service is instantiated by a SIP If the authentication service is instantiated by a SIP
intermediary (proxy server), it may authenticate the request with intermediary (proxy server), it may authenticate the request with
the authentication scheme used for registration in its domain the authentication scheme used for registration in its domain
(e.g., Digest authentication). (e.g., Digest authentication).
If the authentication service is instantiated by a SIP user agent, If the authentication service is instantiated by a SIP user agent,
a user agent may authenticate its own user through any system- a user agent may authenticate its own user through any system-
specific means, perhaps simply by virtue of having physical access specific means, perhaps simply by virtue of having physical access
to the user agent. to the user agent.
Authorization of the use of a particular username or telephone number Authorization of the use of a particular username or telephone number
in the user part of the From header field is a matter of local policy in the user part of the From header field is a matter of local policy
for the authentication service; see Section 6.1 for more information. for the authentication service; see Section 7.1 for more information.
Note that this check is performed only on the addr-spec in the Note that this check is performed only on the addr-spec in the
identity field (e.g., the URI of the sender, like identity field (e.g., the URI of the originator, like
'sip:alice@atlanta.example.com'); it does not convert the display- 'sip:alice@atlanta.example.com'); it does not cover the display-name
name portion of the From header field (e.g., 'Alice Atlanta'). For portion of the From header field (e.g., 'Alice Atlanta'). For more
more information, see Section 12.6. information, see Section 12.6.
Step 3: Step 3: Verify Date is Present and Valid
An authentication service MUST add a Date header field to SIP An authentication service MUST add a Date header field to SIP
requests that do not have one. The authentication service MUST requests that do not have one. The authentication service MUST
ensure that any preexisting Date header in the request is accurate. ensure that any preexisting Date header field in the request is
Local policy can dictate precisely how accurate the Date must be; a accurate. Local policy can dictate precisely how accurate the Date
RECOMMENDED maximum discrepancy of sixty seconds will ensure that the must be; a RECOMMENDED maximum discrepancy of sixty seconds will
request is unlikely to upset any verifiers. If the Date header ensure that the request is unlikely to upset any verifiers. If the
contains a time different by more than one minute from the current Date header field value contains a time different by more than one
time noted by the authentication service, the authentication service minute from the current time noted by the authentication service, the
SHOULD reject the request. This behavior is not mandatory because a authentication service SHOULD reject the request. This behavior is
user agent client (UAC) could only exploit the Date header in order not mandatory because a user agent client (UAC) could only exploit
to cause a request to fail verification; the Identity header is not the Date header field in order to cause a request to fail
intended to provide a source of non-repudiation or a perfect record verification; the Identity header field is not intended to provide a
of when messages are processed. Finally, the authentication service perfect record of when messages are processed. Finally, the
MUST verify that both the Date header and the current time fall authentication service MUST verify that both the Date header field
within the validity period of its credential. and the current time fall within the validity period of its
credential.
See Section 12 for information on how the Date header field assists See Section 12.1 for information on how the Date header field assists
verifiers. verifiers.
Step 4: Step 4: Populate and Add the Identity Header
Subsequently, the authentication service MUST form a PASSporT object Subsequently, the authentication service MUST form a PASSporT object
and add a corresponding an Identity header to the request containing and add a corresponding Identity header field to the request
this signature. For baseline PASSporT objects headers (without an containing this signature. For the baseline PASSporT header (headers
Identity header "ppt" parameter), this follows the procedures in containing no "ppt" parameter), this follows the procedures in
Section 8; if the authentication service is using an alternative Section 4; if the authentication service is using an alternative
"ppt" format, it MUST add an appropriate "ppt" parameter and follow "ppt" format, it MUST add an appropriate "ppt" parameter and follow
the procedures associated with that extension (see Section 9). After the procedures associated with that extension (see Section 9). After
the Identity header has been added to the request, the authentication the Identity header field has been added to the request, the
service MUST also add a "info" parameter to the Identity header. The authentication service MUST also add a "info" parameter to the
"info" parameter contains a URI from which the authentication Identity header field. The "info" parameter contains a URI from
service's credential can be acquired; see Section 6.3 for more on which the authentication service's credential can be acquired; see
credential acquisition. Section 7.3 for more on credential acquisition.
Step 5: Step 5: Add "canon", if Needed
In the circumstances described below, an authentication service will An authentication service MAY add a "canon" parameter to the Identity
add a "canon" parameter to the Identity header. The syntax of header field. The presence of "canon" is OPTIONAL because the
"canon" is given in Section 8; essentially, it contains a base64 information carried in the baseline PASSporT object's headers and
encoding of the JSON header and claims in the PASSporT object. The claims is usually redundant with information already carried
presence of "canon" is OPTIONAL baseline PASSporT objects in SIP as a elsewhere in the SIP request. Omitting "canon" can significantly
because the information carried in the baseline PASSporT object's reduce SIP message size, especially when the PASSporT object contains
headers and claims is usually redundant with information already media keys. The syntax of "canon" is given in Section 4.1.1;
carried elsewhere in the SIP request. Omitting "canon" can essentially, it contains a base64 encoding of the JSON header and
significantly reduce SIP message size, especially when the PASSporT claims in the PASSporT object.
object contains media keys.
When however an authentication service creates a PASSporT that uses When however an authentication service creates a PASSporT object that
extension claims beyond the baseline PASSporT object, including uses extension claims beyond the baseline PASSporT object, including
"canon" is REQUIRED in order for the verification service to be "canon" is REQUIRED in order for the verification service to be
capable of validating the signature. See Section 9. capable of validating the signature. See Section 9.
Also, in some cases, a request signed by an authentication service Also, in some cases, a request signed by an authentication service
will be rejected by the verification service on the receiving side, will be rejected by the verification service on the receiving side,
and the authentication service will receive a SIP 4xx status code in and the authentication service will receive a SIP 4xx status code in
the backwards direction, such as a 438 indicating a verification the backwards direction, such as a 438 indicating a verification
failure. If the authentication service did not originally send the failure. If the authentication service did not originally send the
Identity header with the "canon" parameter, it SHOULD retry a request Identity header field with the "canon" parameter, it SHOULD retry a
once after receiving a 438 response, this time including the "canon". request once after receiving a 438 response, this time including the
The information in "canon" is useful on the verification side for "canon". The information in "canon" is useful on the verification
debugging errors, and there are some known causes of verification side for debugging errors, and there are some known causes of
failures (such as the Date header changing in transit, see verification failures (such as the Date header field value changing
Section 12.1 for more information) that can be resolved by the in transit, see Section 12.1 for more information) that can be
inclusion of "canon". resolved by the inclusion of "canon".
Finally, the authentication service MUST forward the message Finally, the authentication service forwards the message normally.
normally.
5.2. Verifier Behavior 6.2. Verifier Behavior
This document specifies a logical role for SIP entities called a This document specifies a logical role for SIP entities called a
verification service, or verifier. When a verifier receives a SIP verification service, or verifier. When a verifier receives a SIP
message containing one or more Identity headers, it inspects the message containing one or more Identity header fields, it inspects
signature(s) to verify the identity of the sender of the message. the signature(s) to verify the identity of the originator of the
The results of a verification are provided as input to an message. The results of a verification are provided as input to an
authorization process that is outside the scope of this document. authorization process that is outside the scope of this document.
A SIP request may contain zero, one, or more Identity headers. A A SIP request may contain zero, one, or more Identity header fields.
verification service performs the procedures above on each Identity A verification service performs the steps below on each Identity
header that appears in a request. If the verifier does not support header field that appears in a request. If the verifier does not
an Identity header present in a request due to the presence of an support an Identity header field "ppt" parameter which is present, or
unsupported "ppt" parameter, or if no Identity header is present, and if no Identity header field is present at all, and the presence of an
the presence of an Identity header is required by local policy (for Identity header field is required by local policy (for example, based
example, based on a per-sending-domain policy, or a per-sending-user on a per-sending-domain policy, or a per-sending-user policy), then a
policy), then a 428 'Use Identity Header' response MUST be sent in 428 'Use Identity Header' response MUST be sent in the backwards
the backwards direction. For more on this and other failure direction. For more on this and other verifier responses, see
responses, see Section 13.3. Section 6.2.2.
In order to verify an Identity header in a message, an entity acting In order to verify an Identity header field in a message, an entity
as a verifier MUST perform the following steps, in the order here acting as a verifier MUST perform the following steps, in the order
specified. Note that when an Identity header contains the optional here specified. Note that when an Identity header field contains the
"canon" parameter, the verifier MUST follow the additional procedures optional "canon" parameter, the verifier MUST follow the additional
in Section 5.2.1. procedures in Section 6.2.3.
Step 1: Step 1: Check for an Unsupported "ppt"
The verifier MUST inspect any optional "ppt" parameter appearing the The verifier MUST inspect any optional "ppt" parameter appearing in
Identity request. If no "ppt" parameter is present, then the the Identity request. If no "ppt" parameter is present, then the
verifier proceeds normally below. If a "ppt" parameter value is verifier proceeds normally below. If a "ppt" parameter value is
present, and the verifier does not support it, it MUST ignore the present, and the verifier does not support it, it MUST ignore the
Identity header. If a supported "ppt" parameter value is present, Identity header field. If a supported "ppt" parameter value is
the verifier follows the procedures below, including the variations present, the verifier proceeds with Step 2, and will ultimately
described in Step 5. follow the "ppt" variations described in Step 5.
Step 2: Step 2: Determine the Originator's Identity
In order to determine whether the signature for the identity field In order to determine whether the signature for the identity field
should be over the entire identity field URI or just a canonicalized should be over the entire identity field URI or just a telephone
telephone number, the verification service MUST follow the number, the verification service MUST follow the process described in
canonicalization process described in Section 7.2. That section also Section 8.1. That section will either lead to the telephone number
describes the procedures the verification service MUST follow to canonicalization procedures in Section 8.3 for telephone numbers, or
determine if the signer is authoritative for a telephone number. For to the URI normalization procedures described in Section 8.5 for
domains, the verifier MUST follow the process described in domain names.
Section 7.3 to determine if the signer is authoritative for the
identity field.
Step 3: Step 3: Identify Credential for Validation
The verifier must first ensure that it possesses the proper keying The verifier must ensure that it possesses the proper keying material
material to validate the signature in the Identity header field, to validate the signature in the Identity header field, which usually
which usually involves dereferencing a URI in the "info" parameter of involves dereferencing a URI in the "info" parameter of the Identity
the Identity header. See Section 6.2 for more information on these header field. See Section 7.2 for more information on these
procedures. If the verifier does not support the credential procedures. If the verifier does not support the credential
described in the "info" parameter, then it should consider the described in the "info" parameter, then it treats the credential for
credential for this header unsupported. If a SIP request contains no this header field as unsupported.
Identity headers with a supported credential, then the verifier MUST
return a 437 "Unsupported Credential" response.
Step 4: Step 4: Check the Freshness of Date
The verifier MUST furthermore ensure that the value of the Date The verifier furthermore ensures that the value of the Date header
header of the request meets local policy for freshness (usually, field of the request meets local policy for freshness (sixty seconds
within sixty seconds) and that it falls within the validity period of is RECOMMENDED) and that it falls within the validity period of the
the credential used to sign the Identity header. For more on the credential used to sign the Identity header field. For more on the
attacks this prevents, see Section 12.1. If the "canon" parameter is attacks this prevents, see Section 12.1. If the "canon" parameter is
present, the verifier should follow the Date-related behavior in present, the verifier SHOULD compare the "iat" value in the "canon"
Section 5.2.1. to the Date header field value in the request. If the two are
different, and the "iat" value is later but within verification
service policy for freshness, the verification service SHOULD perform
the computation required by Step 5 using the "iat" value instead of
the Date header field value.
Step 5: Step 5: Validate the Signature
The verifier MUST validate the signature in the Identity header field The verifier MUST validate the signature in the Identity header field
over the PASSporT object. For baseline PASSporT objects (with no over the PASSporT object. For baseline PASSporT objects (with no
Identity header "ppt" parameter) the verifier MUST follow the Identity header field "ppt" parameter) the verifier MUST follow the
procedures for generating the signature over a PASSporT object procedures for generating the signature over a PASSporT object
described in Section 8. If a "ppt" parameter is present (and per described in Section 4. If a "ppt" parameter is present (and per
Step 1, is understood), the verifier follows the procedures for that Step 1, is supported), the verifier follows the procedures for that
"ppt" (see Section 9). If a verifier determines that the that the "ppt" (see Section 9). If a verifier determines that the that the
signature in the Identity does not correspond to the reconstructed signature in the Identity does not correspond to the reconstructed
signed-identity-digest, then the Identity header should be considered signed-identity-digest, then the Identity header field should be
invalid. considered invalid.
The presence of multiple Identity headers within a message raises the 6.2.1. Authorization of Requests
prospect that a verification services could receive a message
containing some valid and some invalid Identity headers. If the
verifier determines all Identity headers within a message are
invalid, then a 438 'Invalid Identity Header' response MUST be
returned.
The verification of an Identity header does not entail any particular The verification of an Identity header field does not entail any
treatment of the request. The handling of the message after the particular treatment of the request. The handling of the message
verification process depends on how the implementation service is after the verification process depends on how the verification
implemented and on local policy. This specification does not propose service is implemented and on local policy. This specification does
any authorization policy for user agents or proxy servers to follow not propose any authorization policy for user agents or proxy servers
based on the presence of a valid Identity header, the presence of an to follow based on the presence of a valid Identity header field, the
invalid Identity header, or the absence of an Identity header, but it presence of an invalid Identity header field, or the absence of an
is anticipated that local policies could involve making different Identity header field, or a stale Date header field value, but it is
anticipated that local policies could involve making different
forwarding decisions in intermediary implementations, or changing how forwarding decisions in intermediary implementations, or changing how
the user is alerted, or how identity is rendered, in user agent the user is alerted, or how identity is rendered, in user agent
implementations. implementations.
5.2.1. Handling 'canon' parameters The presence of multiple Identity header fields within a message
raises the prospect that a verification services could receive a
message containing some valid and some invalid Identity header
fields. As a guideline, this specification recommends that only if a
verifier determines all Identity header fields within a message are
invalid should the request be considered to have an invalid identity.
If the optional "canon" parameter of the Identity header is present, 6.2.2. Response Codes Sent by a Verification Service
it contains a base64 encoding of the header and claim component of
the PASSporT object constructed by the authentication service, and
this it conveys any canonical telephone number formats created by the
authentication service (see Section 7.2), as well as an "iat" claim
corresponding to the Date header that the authentication service
used. The "canon" is provided purely as an optimization and
debugging mechanism for the verification service.
When "canon" is present, the verification service MAY compute its own RFC4474 originally defined four response codes for failure conditions
canonicalization of the numbers and compare them to the values in the specific to the Identity header field and its original mechanism.
"canon" parameter before performing any cryptographic functions in These status codes are retained in this specification, with some
order to ascertain whether or not the two ends agree on the canonical slight modifications. Also, this specification details responding
number form. Also, when "canon" is present, during Step 4 the with 403 when a stale Date header field value is received.
verification service SHOULD compare the "iat" value in the "canon" to
its Date header field value. If the two are different, and the "iat"
value is later but within verification service policy for freshness,
the verification service SHOULD perform the computation required by
Step 5 using the "iat" value instead of the Date value. As some
deployments in the field have been observed to change the Date header
in transit, this procedure will prevent some unnecessary verification
failures.
6. Credentials A 428 response will be sent (per Section 6.2) when an Identity header
field is required, but no Identity header field without a "ppt"
parameter, or with a supported "ppt" value, has been received. In
the case where one or more Identity header fields with unsupported
"ppt" values have been received, then a verification service may send
a 428 with the special reason phrase "Use Supported PASSporT Format".
Note however that this specification gives no guidance on how a
verification service might decide to require an Identity header field
for a particular SIP request. Such authorization policies are
outside the scope of this specification.
6.1. Credential Use by the Authentication Service The 436 'Bad Identity Info' response code indicates an inability to
acquire the credentials needed by the verification service for
validating the signature in an Identity header field. Again, given
the potential presence of multiple Identity header fields, this
response code should only be sent when the verification service is
unable to deference the URIs and/or acquire the credentials
associated with all Identity header fields in the request. This
failure code could be repairable if the authentication service
resends the request with an 'info' parameter pointing to a credential
that the verification service can access.
The 437 'Unsupported Credential' is sent when a verification service
can acquire, or already holds, the credential represented by the
'info' parameter of at least one Identity header field in the
request, but does not support said credential(s), for reasons such as
failing to trust the issuing CA, or failing to support the algorithm
with which the credential was signed.
The 438 'Invalid Identity Header' response indicates that of the set
of Identity header fields in a request, no header field with a valid
and supported PASSporT object has been received. Like the 428
response, this is sent by a verification service when its local
policy dictates that a broken signature in an Identity header field
is grounds for rejecting a request. Note that in some cases, an
Identity header field may be broken for other reasons than that an
originator is attempting to spoof an identity: for example, when a
transit network alters the Date header field of the request. Relying
on the full PASSporT object presented through the "canon" parameter
can repair some of these conditions (see Section 6.2.3), so the
recommended way to attempt to repair this failure is to retry the
request with "canon".
Finally, a 403 with the special reason phase 'Stale Date" response
may be sent when the verification service receives a request with a
Date header field value that is older than the local policy for
freshness permits. The same response may be used when the "iat" in
the "canon" parameter of a request has a value older than the local
policy for freshness permits.
6.2.3. Handling 'canon' parameters
If the optional "canon" parameter of the Identity header field is
present, it contains a base64 encoding of the header and claim
component of the PASSporT object constructed by the authentication
service (see Section 4.1.1). The verification service can thus
extract from it the canonical telephone number created by the
authentication service, as well as an "iat" claim corresponding to
the Date header field that the authentication service used. These
may be used to debug canonicalization problems, or to avoid
unnecessary signature breakage caused by intermediaries that alter
the Date header field value in transit.
As an optimization, when "canon" is present, the verification service
MAY compute its own canonicalization of an originating telephone
number and compare it to the values in the "canon" parameter before
performing any cryptographic functions in order to ascertain whether
or not the two ends agree on the canonical number form.
7. Credentials
This section gives general guidance on the use of credential systems
by authentication and verification services, as well as requirements
that must be met by credential systems that conform with this
architecture. It does not mandate any specific credential system.
Furthermore, this specification allows either a user agent or a proxy
server to provide the authentication service function and/or the
verification service function. For the purposes of end-to-end
security, it is obviously preferable for end systems to acquire their
own credentials; in this case user agents can act as authentication
services. However, for some deployments, end-user credentials may be
neither practical nor affordable, given the potentially large number
of SIP user agents (phones, PCs, laptops, PDAs, gaming devices) that
may be employed by a single user. Synchronizing keying material
across multiple devices may be prohibitively complex and require
quite a good deal of additional endpoint behavior. Managing several
credentials for the various devices could also be burdensome. Thus,
for reasons of credential management alone, implementing the
authentication service at an intermediary may be more practical.
This trade-off needs to be understood by implementers of this
specification.
7.1. Credential Use by the Authentication Service
In order to act as an authentication service, a SIP entity must have In order to act as an authentication service, a SIP entity must have
access to the private keying material of one or more credentials that access to the private keying material of one or more credentials that
cover domain names or telephone numbers. These credentials may cover domain names or telephone numbers. These credentials may
represent authority over an entire domain (such as example.com) or represent authority over one domain (such as example.com) or a set of
potentially a set of domains enumerated by the credential. domains enumerated by the credential. Similarly, a credential may
Similarly, a credential may represent authority over a single represent authority over a single telephone number or a range of
telephone number or a range of telephone numbers. The way that the telephone numbers. The way that the scope of a credential's
scope of a credential is expressed is specific to the credential authority is expressed is specific to the credential mechanism.
mechanism.
Authorization of the use of a particular username or telephone number Authorization of the use of a particular username or telephone number
in the identity field is a matter of local policy for the in the From header field value is a matter of local policy for the
authentication service, one that depends greatly on the manner in authentication service, one that depends greatly on the manner in
which authentication is performed. For non-telephone number user which authentication is performed. For non-telephone number user
parts, one policy might be as follows: the username given in the parts, one policy might be as follows: the username given in the
'username' parameter of the Proxy-Authorization header MUST 'username' parameter of the Proxy-Authorization header field MUST
correspond exactly to the username in the From header field of the correspond exactly to the username in the From header field of the
SIP message. However, there are many cases in which this is too SIP message. However, there are many cases in which this is too
limiting or inappropriate; a realm might use 'username' parameters in limiting or inappropriate; a realm might use 'username' parameters in
Proxy-Authorization that do not correspond to the user-portion of SIP Proxy-Authorization header field that do not correspond to the user-
From headers, or a user might manage multiple accounts in the same portion of From header fields, or a user might manage multiple
administrative domain. In this latter case, a domain might maintain accounts in the same administrative domain. In this latter case, a
a mapping between the values in the 'username' parameter of Proxy- domain might maintain a mapping between the values in the 'username'
Authorization and a set of one or more SIP URIs that might parameter of the Proxy-Authorization header field and a set of one or
legitimately be asserted for that 'username'. For example, the more SIP URIs that might legitimately be asserted for that
username can correspond to the 'private identity' as defined in Third 'username'. For example, the username can correspond to the 'private
Generation Partnership Project (3GPP), in which case the From header identity' as defined in Third Generation Partnership Project (3GPP),
field can contain any one of the public identities associated with in which case the From header field can contain any one of the public
this private identity. In this instance, another policy might be as identities associated with this private identity. In this instance,
follows: the URI in the From header field MUST correspond exactly to another policy might be as follows: the URI in the From header field
one of the mapped URIs associated with the 'username' given in the MUST correspond exactly to one of the mapped URIs associated with the
Proxy-Authorization header. This is a suitable approach for 'username' given in the Proxy-Authorization header field. This is a
telephone numbers in particular. suitable approach for telephone numbers in particular.
This specification could also be used with credentials that cover a This specification could also be used with credentials that cover a
single name or URI, such as alice@example.com or single name or URI, such as alice@example.com or
sip:alice@example.com. This would require a modification to sip:alice@example.com. This would require a modification to
authentication service behavior to operate on a whole URI rather than authentication service behavior to operate on a whole URI rather than
a domain name. Because this is not believed to be a pressing use a domain name. Because this is not believed to be a pressing use
case, this is deferred to future work, but implementers should note case, this is deferred to future work, but implementers should note
this as a possible future direction. this as a possible future direction.
Exceptions to such authentication service policies arise for cases Exceptions to such authentication service policies arise for cases
like anonymity; if the AoR asserted in the From header field uses a like anonymity; if the AoR asserted in the From header field uses a
form like 'sip:anonymous@example.com' (see [RFC3323]), then the form like 'sip:anonymous@example.com' (see [RFC3323]), then the
'example.com' proxy might authenticate only that the user is a valid 'example.com' proxy might authenticate only that the user is a valid
user in the domain and insert the signature over the From header user in the domain and insert the signature over the From header
field as usual. field as usual.
6.2. Credential Use by the Verification Service 7.2. Credential Use by the Verification Service
In order to act as a verification service, a SIP entity must have a In order to act as a verification service, a SIP entity must have a
way to acquire and retain credentials for authorities over particular way to acquire and retain credentials for authorities over particular
domain names and/or telephone numbers or number ranges. domain names, telephone numbers and/or number ranges. Dereferencing
Dereferencing the URI found in the "info" parameter of the Identity the URI found in the "info" parameter of the Identity header field
header (as described in the next section) MUST be supported by all (as described Section 7.3) MUST be supported by all verification
verification service implementations to create a baseline means of service implementations to create a baseline means of credential
credential acquisition. Provided that the credential used to sign a acquisition. Provided that the credential used to sign a message is
message is not previously known to the verifier, SIP entities SHOULD not previously known to the verifier, SIP entities SHOULD discover
discover this credential by dereferencing the "info" parameter, this credential by dereferencing the "info" parameter, unless they
unless they have some more other implementation-specific way of have some implementation-specific way of acquiring the needed keying
acquiring the needed keying material, such as an offline store of material, such as an offline store of periodically-updated
periodically-updated credentials. If the URI in the "info" parameter credentials. The 436 'Bad Identity Info' response exists for cases
cannot be dereferenced, then a 436 'Bad Identity-Info' response MUST where the verification service cannot deference the URI in the "info"
be returned. parameter.
This specification does not propose any particular policy for a This specification does not propose any particular policy for a
verification service to determine whether or not the holder of a verification service to determine whether or not the holder of a
credential is the appropriate party to sign for a given SIP identity. credential is the appropriate party to sign for a given SIP identity.
Guidance on this is deferred to the credential mechanism Guidance on this is deferred to credential mechanism specifications.
specifications, which must meet the requirements in Section 6.4.
Verification service implementations supporting this specification Verification service implementations supporting this specification
may wish to have some means of retaining credentials (in accordance may wish to have some means of retaining credentials (in accordance
with normal practices for credential lifetimes and revocation) in with normal practices for credential lifetimes and revocation) in
order to prevent themselves from needlessly downloading the same order to prevent themselves from needlessly downloading the same
credential every time a request from the same identity is received. credential every time a request from the same identity is received.
Credentials cached in this manner may be indexed in accordance with Credentials cached in this manner may be indexed in accordance with
local policy: for example, by their scope, or the URI given in the local policy: for example, by their scope of authority, or the URI
"info" parameter value. Further consideration of how to cache given in the "info" parameter value. Further consideration of how to
credentials is deferred to the credential mechanism specifications. cache credentials is deferred to the credential mechanism
specifications.
6.3. Handling 'info' parameter URIs 7.3. 'info' parameter URIs
An "info" parameter MUST contain a URI which dereferences to a An "info" parameter MUST contain a URI which dereferences to a
resource that contains the public key components of the credential resource that contains the public key components of the credential
used by the authentication service to sign a request. It is used by the authentication service to sign a request. It is
essential that a URI in the "info parameter" be dereferencable by any essential that a URI in the "info" parameter be dereferencable by any
entity that could plausibly receive the request. For common cases, entity that could plausibly receive the request. For common cases,
this means that the URI must be dereferencable by any entity on the this means that the URI SHOULD be dereferencable by any entity on the
public Internet. In constrained deployment environments, a service public Internet. In constrained deployment environments, a service
private to the environment might be used instead. private to the environment MAY be used instead.
Beyond providing a means of accessing credentials for an identity, Beyond providing a means of accessing credentials for an identity,
the "info" parameter further serves as a means of differentiating the "info" parameter further serves as a means of differentiating
which particular credential was used to sign a request, when there which particular credential was used to sign a request, when there
are potentially multiple authorities eligible to sign. For example, are potentially multiple authorities eligible to sign. For example,
imagine a case where a domain implements the authentication service imagine a case where a domain implements the authentication service
role for a range of telephone and a user agent belonging to Alice has role for a range of telephone numbers and a user agent belonging to
acquired a credential for a single telephone number within that Alice has acquired a credential for a single telephone number within
range. Either would be eligible to sign a SIP request for the number that range. Either would be eligible to sign a SIP request for the
in question. Verification services however need a means to number in question. Verification services however need a means to
differentiate which one performed the signature. The "info" differentiate which one performed the signature. The "info"
parameter performs that function. parameter performs that function.
6.4. Credential System Requirements 7.4. Credential System Requirements
This document makes no recommendation for the use of any specific This document makes no recommendation for the use of any specific
credential system. Today, there are two primary credential systems credential system. Today, there are two primary credential systems
in place for proving ownership of domain names: certificates (e.g., in place for proving ownership of domain names: certificates (e.g.,
X.509 v3, see [RFC5280]) and the domain name system itself (e.g., X.509 v3, see [RFC5280]) and the domain name system itself (e.g.,
DANE, see [RFC6698]). It is envisioned that either could be used in DANE, see [RFC6698]). It is envisioned that either could be used in
the SIP identity context: an "info" parameter could for example give the SIP identity context: an "info" parameter could for example give
an HTTP URL of the Content-Type 'application/pkix-cert' pointing to a an HTTP URL of the Content-Type 'application/pkix-cert' pointing to a
certificate (following the conventions of [RFC2585]). The "info" certificate (following the conventions of [RFC2585]). The "info"
parameter may use the DNS URL scheme (see [RFC4501]) to designate parameter might use the DNS URL scheme (see [RFC4501]) to designate
keys in the DNS. keys in the DNS.
While no comparable public credentials exist for telephone numbers, While no comparable public credentials exist for telephone numbers,
either approach could be applied to telephone numbers. A credential either approach could be applied to telephone numbers. A credential
system based on certificates is given in system based on certificates is given in
[I-D.ietf-stir-certificates], but this specification can work with [I-D.ietf-stir-certificates], but this specification can work with
other credential systems; for example, using the DNS was proposed in other credential systems; for example, using the DNS was proposed in
[I-D.kaplan-stir-cider]. [I-D.kaplan-stir-cider].
In order for a credential system to work with this mechanism, its In order for a credential system to work with this mechanism, its
skipping to change at page 16, line 19 skipping to change at page 23, line 26
parameter, and any special procedures required to dereference the parameter, and any special procedures required to dereference the
URIs URIs
how the verifier can learn the scope of the credential how the verifier can learn the scope of the credential
any special procedures required to extract keying material from any special procedures required to extract keying material from
the resources designated by the URI the resources designated by the URI
any algorithms required to validate the credentials (e.g. for any algorithms required to validate the credentials (e.g. for
certificates, any algorithms used by certificate authorities to certificates, any algorithms used by certificate authorities to
sign certificates themselves) sign certificates themselves), and
It is furthermore required that all credential specifications how the associated credentials will support the mandatory signing
describe how the associated credentials will support the mandatory algorithm(s) required by PASSporT [I-D.ietf-stir-passport].
signing algorithm(s) required by PASSporT [I-D.ietf-stir-passport].
SIP entities cannot reliably predict where SIP requests will SIP entities cannot reliably predict where SIP requests will
terminate. When choosing a credential scheme for deployments of this terminate. When choosing a credential scheme for deployments of this
specification, it is therefore essential that the trust anchor(s) for specification, it is therefore essential that the trust anchor(s) for
credentials be widely trusted, or that deployments restrict the use credentials be widely trusted, or that deployments restrict the use
of this mechanism to environments where the reliance on particular of this mechanism to environments where the reliance on particular
trust anchors is assured by business arrangements or similar trust anchors is assured by business arrangements or similar
constraints. constraints.
Note that credential systems must address key lifecycle management Note that credential systems must address key lifecycle management
concerns: were a domain to change the credential available at the concerns: were a domain to change the credential available at the
Identity-Info URI before a verifier evaluates a request signed by an Identity header field "info" parameter URI before a verifier
authentication service, this would cause obvious verifier failures. evaluates a request signed by an authentication service, this would
When a rollover occurs, authentication services SHOULD thus provide cause obvious verifier failures. When a rollover occurs,
new Identity-Info URIs for each new credential, and SHOULD continue authentication services SHOULD thus provide new "info" URIs for each
to make older key acquisition URIs available for a duration longer new credential, and SHOULD continue to make older key acquisition
than the plausible lifetime of a SIP transaction (a minute would most URIs available for a duration longer than the plausible lifetime of a
likely suffice). SIP transaction (a minute would most likely suffice).
7. Identity Types 8. Identity Types
This specification focuses primarily on cases where the called and The problem statement of STIR [RFC7340] focuses primarily on cases
calling parties identified in the To and From header field values use where the called and calling parties identified in the To and From
telephone numbers, as this remains the dominant use case in the header field values use telephone numbers, as this remains the
deployment of SIP. However, this specification also works with dominant use case in the deployment of SIP. However, the Identity
"greenfield" identifiers (of the form "sip:user@host"), and header mechanism also works with SIP URIs without telephone numbers
potentially other identifiers when SIP interworks with another (of the form "sip:user@host"), and potentially other identifiers when
protocol. SIP interworks with other protocols.
The guidance in this section also applies to extracting the URI Authentication services vet the identity of the originator of a call,
which is typically found in the From header field value. The
guidance in this specification also applies to extracting the URI
containing the originator's identity from the P-Asserted-Identity containing the originator's identity from the P-Asserted-Identity
header field value instead of the From header field value. In some header field value instead of the From header field value. In some
environments, the P-Asserted-Identity header field is used in lieu of environments, the P-Asserted-Identity header field is used in lieu of
the From header field to convey the address-of-record or telephone the From header field to convey the address-of-record or telephone
number of the sender of a request; while it is not envisioned that number of the originator of a request; where it does, local policy
many of those networks would or should make use of the Identity might therefore dictate that the canonical identity derive from the
mechanism described in this specification, where they do, local P-Asserted-Identity header field rather than the From header field.
policy might therefore dictate that the canonical identity derive
from the P-Asserted-Identity header field rather than the From.
Ultimately, in any case where local policy canonicalizes the idenity Ultimately, in any case where local policy canonicalizes the identity
into a form different from how it appears in the From header field, into a form different from how it appears in the From header field,
the use of the "canon" parameter by authentication services is the use of the "canon" parameter by authentication services is
RECOMMENDED, but because "canon" itself could then divulge RECOMMENDED, but because "canon" itself could then divulge
information about users or networks, implementers should be mindful information about users or networks, implementers should be mindful
of the guidelines in Section 11. of the guidelines in Section 11.
8.1. Differentiating Telephone Numbers from URIs
It may not be trivial to tell if a given URI contains a telephone It may not be trivial to tell if a given URI contains a telephone
number. In order to determine whether or not the user portion of a number. In order to determine whether or not the user portion of a
SIP URI is a telephone number, authentication services and SIP URI is a telephone number, authentication services and
verification services MUST perform the following procedure on any SIP verification services MUST perform the following procedure on any SIP
URI they inspect which contains a numeric user part. Note that the URI they inspect which contains a numeric user part. Note that the
same procedures are followed for creating the canonical form of URIs same procedures are followed for creating the canonical form of URIs
found in the From header field as they are in the To header field or found in the From header field as they are in the To header field or
the P-Asserted-Identity header field. the P-Asserted-Identity header field.
First, implementations must look for obvious indications that the First, implementations must look for obvious indications that the
skipping to change at page 17, line 48 skipping to change at page 25, line 11
[RFC3966]). It is also possible for a TEL URI to appear in the SIP [RFC3966]). It is also possible for a TEL URI to appear in the SIP
To or From header field outside the context of a SIP or SIPS URI To or From header field outside the context of a SIP or SIPS URI
(e.g., 'tel:+17005551008'). Thus, in some environments, numbers will (e.g., 'tel:+17005551008'). Thus, in some environments, numbers will
be explicitly labeled by the use of TEL URIs or the 'user=phone' be explicitly labeled by the use of TEL URIs or the 'user=phone'
parameter, or implicitly by the presence of the '+' indicator at the parameter, or implicitly by the presence of the '+' indicator at the
start of the user-portion. Absent these indications, if there are start of the user-portion. Absent these indications, if there are
numbers present in the user-portion, implementations may also detect numbers present in the user-portion, implementations may also detect
that the user-portion of the URI contains a telephone number by that the user-portion of the URI contains a telephone number by
determining whether or not those numbers would be dialable or determining whether or not those numbers would be dialable or
routable in the local environment -- bearing in mind that the routable in the local environment -- bearing in mind that the
telephone number may be a valid E.164 number, a nationally-specific telephone number may be a valid [E.164] number, a nationally-specific
number, or even a private branch exchange number. Once a telephone number, or even a private branch exchange number. Once a telephone
number has been detected, implementations should follow the number has been detected, implementations should follow the
procedures in Section 7.2. procedures in Section 8.3.
If the URI field does not contain a telephone number, URI If the URI field does not contain a telephone number, URI
normalization procedures are invoked to canonicalize the URI before normalization procedures are invoked to canonicalize the URI before
it is included in a PASSporT object in, for example, an "uri" claim. it is included in a PASSporT object in, for example, an "uri" claim.
See Section 7.4 for that behavior. See Section 8.5 for that behavior.
7.1. Authority for Telephone Numbers 8.2. Authority for Telephone Numbers
In order for telephone numbers to be used with the mechanism In order for telephone numbers to be used with the mechanism
described in this document, authentication services must enroll with described in this document, authentication services must receive
an authority that issues credentials authoritative for telephone credentials from an authority for telephone numbers or telephone
numbers or telephone number ranges, and verification services must number ranges, and verification services must trust the authority
trust the authority employed by the authentication service that signs employed by the authentication service that signs a request. Per
a request. Per Section 6.4, enrollment procedures and credential Section 7.4, enrollment procedures and credential management are
management are outside the scope of this document; approaches to outside the scope of this document; approaches to credential
credential management for telephone numbers are discussed in management for telephone numbers are discussed in
[I-D.ietf-stir-certificates]. [I-D.ietf-stir-certificates].
7.2. Telephone Number Canonicalization Procedures 8.3. Telephone Number Canonicalization Procedures
Once an implementation has identified a telephone number in the URI, Once an implementation has identified a telephone number in the URI,
it must construct a number string. That requires performing the it must construct a number string. That requires performing the
following steps: following steps:
Implementations MUST drop any leading +'s, any internal dashes, Implementations MUST drop any "+"s, any internal dashes,
parentheses or other non-numeric characters, excepting only the parentheses or other non-numeric characters, excepting only the
leading "#" or "*" keys used in some special service numbers leading "#" or "*" keys used in some special service numbers
(typically, these will appear only in the To header field value). (typically, these will appear only in the To header field value).
This MUST result in an ASCII string limited to "#", "*" and digits This MUST result in an ASCII string limited to "#", "*" and digits
without whitespace or visual separators. without whitespace or visual separators.
Next, an implementation must assess if the number string is a Next, an implementation must assess if the number string is a
valid, globally-routable number with a leading country code. If valid, globally-routable number with a leading country code. If
not, implementations SHOULD convert the number into E.164 format, not, implementations SHOULD convert the number into E.164 format,
adding a country code if necessary; this may involve transforming adding a country code if necessary; this may involve transforming
skipping to change at page 18, line 52 skipping to change at page 26, line 15
determine how to convert the number to a globally-routable format determine how to convert the number to a globally-routable format
that this step may be skipped. This will be the case, for that this step may be skipped. This will be the case, for
example, for nationally-specific service numbers (e.g. 911, 112); example, for nationally-specific service numbers (e.g. 911, 112);
however, the routing procedures associated with those numbers will however, the routing procedures associated with those numbers will
likely make sure that the verification service understands the likely make sure that the verification service understands the
context of their use. context of their use.
Other transformations during canonicalization MAY be made in Other transformations during canonicalization MAY be made in
accordance with specific policies used within a local domain. For accordance with specific policies used within a local domain. For
example, one domain may only use local number formatting and need example, one domain may only use local number formatting and need
to convert all To/From user portions to E.164 by prepending to convert all To/From header field user portions to E.164 by
country-code and region code digits; another domain might prefix prepending country-code and region code digits; another domain
usernames with trunk-routing codes and need to remove the prefix. might haved prefixed usernames with trunk-routing codes, in which
This specification cannot anticipate all of the potential case the canonicalization will need to remove the prefix. This
specification cannot anticipate all of the potential
transformations that might be useful. transformations that might be useful.
The resulting canonical number string will be used as input to the The resulting canonical number string will be used as input to the
hash calculation during signing and verifying processes. hash calculation during signing and verifying processes.
The ABNF of this number string is: The ABNF of this number string is:
tn-spec = [ "#" / "*" ] 1*DIGIT tn-spec = [ "#" / "*" ] 1*DIGIT
If the result of this procedure forms a complete telephone number, If the result of this procedure forms a full E.164 telephone number,
that number is used for the purpose of creating and signing the that number is used for the purpose of creating the signed-identity-
signed-identity-string by both the authentication service and string by both the authentication service and verification service.
verification service. Practically, entities that perform the Practically, entities that perform the authentication service role
authentication service role will sometimes alter the telephone will sometimes alter the telephone numbers that appear in the To and
numbers that appear in the To and From header field values, From header field values, converting them to this format (though note
converting them to this format (though note this is not a function this is not a function that [RFC3261] permits proxy servers to
that [RFC3261] permits proxy servers to perform). The result of the perform). The result of the canonicalization process of the From
canonicalization process of the From header field value may also be header field value may also be recorded through the use of the
recorded through the use of the "canon" parameter of the Identity(see "canon" parameter of the Identity (see Section 4).
Section 8).
If the result of the canonicalization of the From header field value If the result of the canonicalization of the From header field value
does not form a complete and valid telephone number, the does not form a valid E.164 telephone number, the authentication
authentication service and/or verification service SHOULD treat the service and/or verification service SHOULD treat the entire URI as a
entire URI as a SIP URI, and apply the procedures in Section 7.4. SIP URI, and apply the procedures in Section 8.5.
7.3. Authority for Domain Names 8.4. Authority for Domain Names
When a verifier processes a request containing an Identity-Info To use a SIP URI as an identity in this mechanism requires
header with a domain signature, it must compare the domain portion of authentication and verification systems to support standard
the URI in the From header field of the request with the domain name mechanisms for proving authority over a domain name: that is, the
that is the subject of the credential acquired from the "info" domain name in the host portion of the SIP URI.
parameter. While it might seem that this should be a straightforward
process, it is complicated by two deployment realities. In the first
place, credentials have varying ways of describing their subjects,
and may indeed have multiple subjects, especially in 'virtual
hosting' cases where multiple domains are managed by a single
application. Secondly, some SIP services may delegate SIP functions
to a subordinate domain and utilize the procedures in RFC 3263
[RFC3263] that allow requests for, say, 'example.com' to be routed to
'sip.example.com'. As a result, a user with the AoR
'sip:jon@example.com' may process requests through a host like
'sip.example.com', and it may be that latter host that acts as an
authentication service.
To meet the second of these problems, a domain that deploys an A verifier MUST evaluate the correspondence between the user's
identity and the signing credential by following the procedures
defined in [RFC5922], Section 7.2. While [RFC5922] deals with the
use of TLS and is specific to certificates, the procedures described
are applicable to verifying identity if one substitutes the "hostname
of the server" for the domain portion of the user's identity in the
From header field of a SIP request with an Identity header field.
This process is complicated by two deployment realities. In the
first place, credentials have varying ways of describing their
subjects, and may indeed have multiple subjects, especially in
'virtual hosting' cases where multiple domains are managed by a
single application (see [RFC5922] Section 7.8). Secondly, some SIP
services may delegate SIP functions to a subordinate domain and
utilize the procedures in [RFC3263] that allow requests for, say,
'example.com' to be routed to 'sip.example.com'. As a result, a user
with the AoR 'sip:alice@example.com' may process requests through a
host like 'sip.example.com', and it may be that latter host that acts
as an authentication service.
To address the second of these problems, a domain that deploys an
authentication service on a subordinate host MUST be willing to authentication service on a subordinate host MUST be willing to
supply that host with the private keying material associated with a supply that host with the private keying material associated with a
credential whose subject is a domain name that corresponds to the credential whose subject is a domain name that corresponds to the
domain portion of the AoRs that the domain distributes to users. domain portion of the AoRs that the domain distributes to users.
Note that this corresponds to the comparable case of routing inbound Note that this corresponds to the comparable case of routing inbound
SIP requests to a domain. When the NAPTR and SRV procedures of RFC SIP requests to a domain. When the NAPTR and SRV procedures of RFC
3263 are used to direct requests to a domain name other than the 3263 are used to direct requests to a domain name other than the
domain in the original Request-URI (e.g., for 'sip:jon@example.com', domain in the original Request-URI (e.g., for
the corresponding SRV records point to the service 'sip:alice@example.com', the corresponding SRV records point to the
'sip1.example.org'), the client expects that the certificate passed service 'sip1.example.org'), the client expects that the certificate
back in any TLS exchange with that host will correspond exactly with passed back in any TLS exchange with that host will correspond
the domain of the original Request-URI, not the domain name of the exactly with the domain of the original Request-URI, not the domain
host. Consequently, in order to make inbound routing to such SIP name of the host. Consequently, in order to make inbound routing to
services work, a domain administrator must similarly be willing to such SIP services work, a domain administrator must similarly be
share the domain's private key with the service. This design willing to share the domain's private key with the service. This
decision was made to compensate for the insecurity of the DNS, and it design decision was made to compensate for the insecurity of the DNS,
makes certain potential approaches to DNS-based 'virtual hosting' and it makes certain potential approaches to DNS-based 'virtual
unsecurable for SIP in environments where domain administrators are hosting' unsecurable for SIP in environments where domain
unwilling to share keys with hosting services. administrators are unwilling to share keys with hosting services.
A verifier MUST evaluate the correspondence between the user's
identity and the signing credential by following the procedures
defined in RFC 2818 [RFC2818], Section 3.1. While RFC 2818 [RFC2818]
deals with the use of HTTP in TLS and is specific to certificates,
the procedures described are applicable to verifying identity if one
substitutes the "hostname of the server" in HTTP for the domain
portion of the user's identity in the From header field of a SIP
request with an Identity header.
7.4. URI Normalization 8.5. URI Normalization
Just as telephone numbers may undergo a number of syntactic Just as telephone numbers may undergo a number of syntactic
transformation during transit, the same can happen to SIP and SIPS transformations during transit, the same can happen to SIP and SIPS
URIs without telephone numbers as they traverse certain URIs without telephone numbers as they traverse certain
intermediaries. Therefore, when generating a PASSporT object based intermediaries. Therefore, when generating a PASSporT object based
on a SIP request, any SIP and SIPS URIs must be transformed into a on a SIP request, any SIP and SIPS URIs must be transformed into a
canonical form which captures the address-of-record represented by canonical form which captures the address-of-record represented by
the URI before they are provisioned in PASSporT claims such as "uri". the URI before they are provisioned in PASSporT claims such as "uri".
The URI normalization procedures required are as follows. The URI normalization procedures required are as follows.
Following the ABNF of RFC3261, the SIP or SIPS URI in question MUST Following the ABNF of RFC3261, the SIP or SIPS URI in question MUST
discard all elements after the "hostport" of the URI, including all discard all elements after the "hostport" of the URI, including all
uri-parameters and headers, from its ayntax. Of the userinfo uri-parameters and escaped headers, from its syntax. Of the userinfo
component of the SIP URI, only the user element will be retained: any component of the SIP URI, only the user element will be retained: any
password (and any leading ":" before the password) MUST be removed, password (and any leading ":" before the password) MUST be removed,
and since this userinfo necessarily does not contain a telephone- and since this userinfo necessarily does not contain a telephone-
subscriber component, no further parameters can appear in the user subscriber component, no further parameters can appear in the user
portion. portion.
The hostport portion of the SIP or SIPS URI MUST similarly be The hostport portion of the SIP or SIPS URI MUST similarly be
stripped of any trailing port along with the ":" that proceeds the stripped of any trailing port along with the ":" that proceeds the
port, leaving only the host. port, leaving only the host.
skipping to change at page 21, line 30 skipping to change at page 28, line 40
internationalized environments (see [I-D.ietf-iri-comparison]) and internationalized environments (see [I-D.ietf-iri-comparison]) and
that perfect normalization of URIs may not be possible in those that perfect normalization of URIs may not be possible in those
environments. environments.
For future PASSporT applications, it may be desirable to provide an For future PASSporT applications, it may be desirable to provide an
identifier without an attached protocol scheme. Future identifier without an attached protocol scheme. Future
specifications that define PASSporT claims for SIP as a using specifications that define PASSporT claims for SIP as a using
protocol could use these basic procedures, but eliminate the scheme protocol could use these basic procedures, but eliminate the scheme
component. A more exact definition is left to future specifications. component. A more exact definition is left to future specifications.
8. Header Syntax
The Identity and Identity-Info headers that were previously defined
in RFC4474 are deprecated. This revised specification collapses the
grammar of Identity-Info into the Identity header via the "info"
parameter. Note that unlike the prior specification in RFC4474, the
Identity header is now allowed to appear more than one time in a SIP
request. The revised grammar for the Identity header is (following
the ABNF [RFC4234] in RFC 3261 [RFC3261]):
Identity = "Identity" HCOLON signed-identity-digest SEMI ident-info *( SEMI ident-info-params )
signed-identity-digest = LDQUOT *base64-char RDQUOT
ident-info = "info" EQUAL ident-info-uri
ident-info-uri = LAQUOT absoluteURI RAQUOT
ident-info-params = ident-info-alg / ident-type / canonical-str / ident-info-extension
ident-info-alg = "alg" EQUAL token
ident-type = "ppt" EQUAL token
canonical-str = "canon" EQUAL *base64-char
ident-info-extension = generic-param
base64-char = ALPHA / DIGIT / "/" / "+"
In addition to "info" parameter, and the "alg" parameter previously
defined in RFC4474, this specification includes the optional "canon"
and "ppt" parameters. Note that in RFC4474, the signed-identity-
digest (see ABNF above) was given as quoted 32LHEX, whereas here it
is given as a quoted sequence of base64-char.
The 'absoluteURI' portion of ident-info-uri MUST contain a URI; see
Section 6.3 for more on choosing how to advertise credentials through
this parameter.
The signed-identity-digest is the signed hash component of a PASSporT
object [I-D.ietf-stir-passport], a signature which PASSporT generates
over a pair of JSON objects. The first PASSporT object contains
header information, and the second contains claims, following the
conventions of JWT [RFC7519]; some header and claim values will
mirror elements of the SIP request. Once these two JSON objects have
been generated, they will be encoded, then hashed with a SHA-256
hash. Those two hashes are then concatenated (header then claims)
into a string separated by a single "." per baseline PASSporT.
Finally, that string is signed to generate the signed-identity-digest
value of the Identity header.
For SIP implementations to populate the PASSporT header object from a
SIP request, the following elements message MUST be placed as the
values corresponding to the designated JSON keys:
First, per baseline [I-D.ietf-stir-passport], the JSON key "typ"
key MUST have the value "passport".
Second, the JSON key "alg" MUST mirror the value of the optional
"alg" parameter in the SIP Identity header. Note if the "alg"
parameter is absent, the default value is "ES256".
Third, the JSON key "x5u" MUST have a value equivalent to the
quoted URI in the "info" parameter.
Fourth, the optional JSON key "ppt", if present, MUST have a value
equivalent to the quoted value of the "ppt" parameter of the
Identity header. If the "ppt" parameter is absent from the
header, the "ppt" key MUST NOT not appear in the JSON heaer
object.
For example:
{ "typ":"passport",
"alg":"ES256",
"x5u":"https://www.example.com/cert.pkx" }
To populate the PASSporT claims JSON object from a SIP request, the
following elements MUST be placed as values corresponding to the
designated JSON keys:
First, the JSON "orig" array MUST be populated. If the
originating identity is a telephone number, then the array MUST be
populated with a "tn" claim with a value set to the value of the
quoted originating identity, a canonicalized telephone number (see
Section 7.2). Otherwise, the array MUST be populated with a "uri"
claim, set to the value of the AoR of the UA sending the message
as taken from addr-spec of the From header field, per the
procedures in Section 7.4.
Second, the JSON "dest" array MUST be populated. If the
destination identity is a telephone number, then the array MUST be
populated with a "tn" claim with a value set to the value of the
quoted destination identity, a canonicalized telephone number (see
Section 7.2). Otherwise, the array MUST be populated with a "uri"
claim, set to the value of the addr-spec component of the To
header field, which is the AoR to which the request is being sent,
per the procedures in Section 7.4.
Third, the JSON key "iat" MUST appear, set to the value of a
quoted encoding of the value of the SIP Date header field as a
JSON NumericDate (as UNIX time, per [RFC7519] Section 2).
Fourth, if the request contains an SDP message body, and if that
SDP contains one or more "a=fingerprint" attributes, then the JSON
key "mky" MUST appear with the algorithm(s) and value(s) of the
fingerprint attributes (if they differ), following the format
given in [I-D.ietf-stir-passport] Section 3.2.2.2.
For example:
{ "orig":{"tn":"12155551212"},
"dest":{"tn":"12155551213"},
"iat":"1443208345" }
For more information on the security properties of these SIP message
elements, and why their inclusion mitigates replay attacks, see
Section 12 and [RFC3893]. Note that future extensions to the
PASSporT object could introduce new claims, and that further SIP
procedures could be required to extract further information from the
SIP request to populate the values of those claims; see Section 9.
The "orig" and "dest" arrays may contain identifiers of heterogeneous
type; for example, the "orig" array might contain a "tn" claim, while
the "dest" contains a "uri" claim. Also note that in some cases, the
"orig" and "dest" arrays might be populated with more than one value.
This could for example occur when multiple "dest" identities are
specified in a meshed conference. Defining how a SIP implementation
would provision multiple originating or destination identities is
left as a subject for future specification.
After these two JSON objects, the header and the claims, have been
constructed, they must each be hashed per [I-D.ietf-stir-passport]
Section 3.3. The signed value of those concatenated hashes then
becomes the signed-identity-string of the Identity header. The
hashing and signing algorithm is specified by the 'alg' parameter of
the Identity header and the mirrored "alg" parameter of PASSporT.
This specification inherits from the PASSporT specification one value
for the 'alg' parameter: 'ES256', as defined in [RFC7519], which
connotes an ECDSA P-256 digital signature. All implementations of
this specification MUST support the required signing algorithms of
PASSporT.
The complete form of the Identity header will therefore look like the
following example:
Identity: "sv5CTo05KqpSmtHt3dcEiO/1CWTSZtnG3iV+1nmurLXV/HmtyNS7Ltrg9dlxkWzo
eU7d7OV8HweTTDobV3itTmgPwCFjaEmMyEI3d7SyN21yNDo2ER/Ovgtw0Lu5csIp
pPqOg1uXndzHbG7mR6Rl9BnUhHufVRbp51Mn3w0gfUs="; \
info=<https://biloxi.example.org/biloxi.cer>;alg=ES256
In a departure from JWT practice, the SIP usage of PASSporT MAY NOT
include the base64 encoded version of the JSON objects in the
Identity header: only the signature component of the PASSporT is
REQUIRED. Optionally, as a debugging measure or optimization, the
base64 encoded concatenation of the JSON header and claims may be
included as the value of a "canon" parameter of the Identity header.
Note that this may be lengthy string.
9. Extensibility 9. Extensibility
For the extensibility of baseline PASSporT with now claims, see
[I-D.ietf-stir-passport] Section 4.
As future requirements may warrant increasing the scope of the As future requirements may warrant increasing the scope of the
Identity mechanism, this specification defines an optional "ppt" Identity mechanism, this specification specifies an optional "ppt"
parameter of the Identity header, which mirrors the "ppt" header key parameter of the Identity header field, which mirrors the "ppt"
in PASSporT. The "ppt" parameter value MUST consist of a token header in PASSporT. The "ppt" parameter value MUST consist of a
containing an extension specification, which denotes an extended set token containing an extension specification, which denotes an
of one or more signed claims per the type extensibility mechanism extended set of one or more signed claims per the type extensibility
specified in [I-D.ietf-stir-passport]. mechanism specified in [I-D.ietf-stir-passport] Section 4.
The potential for extensions is one the primary motivations for
allowing the presence of multiple Identity header fields in the same
SIP request. It is envisioned that future extensions might allow for
alternate information to be signed, or to explicitly allow different
parties to provide the signatures than the authorities envisioned by
baseline STIR. A request might, for example, have one Identity added
by an authentication service at the originating administrative
domain, and then another Identity header field added by some further
intermediary using a PASSporT extension. While this specification
does not define any such specific purpose for multiple Identity
header fields, implementations MUST support receiving multiple header
fields for future compatibility reasons.
An authentication service cannot assume that verifiers will An authentication service cannot assume that verifiers will
understand any given extension. Verifiers that do support an understand any given extension. Verifiers that do support an
extension may then trigger appropriate application-level behavior in extension may then trigger appropriate application-level behavior in
the presence of an extension; authors of extensions should provide the presence of an extension; authors of extensions should provide
appropriate extension-specific guidance to application developers on appropriate extension-specific guidance to application developers on
this point. this point.
If any claim in an extension contains a JSON value that does not If any claim in an extension contains a JSON value that does not
correspond to any field of the SIP request, but then the optional correspond to a field of the SIP request, and the extension does not
"canon" parameter MUST be used for the Identity header containing otherwise explain how a verification service could derive or acquire
that extension. that value, then the optional "canon" parameter MUST be used for the
Identity header field containing that extension.
10. Backwards Compatibililty with RFC4474 10. Backwards Compatibililty with RFC4474
This specification introduces several significant changes from the This specification introduces several significant changes from the
RFC4474 version of the Identity header. However, due to the problems RFC4474 version of the Identity header field. However, due to the
enumerated in [I-D.rosenberg-sip-rfc4474-concerns], it is not problems enumerated in [I-D.rosenberg-sip-rfc4474-concerns], it is
believed that the original Identity header has seen any deployment, not believed that the original Identity header field has seen any
or even implementation in deployed products. deployment, or even implementation in deployed products.
As such, this mechanism contains no provisions for signatures As such, this mechanism contains no provisions for signatures
generated with this specification to work with RFC4474-compliant generated with this specification to work with RFC4474-compliant
implementations, nor any related backwards-compatibility provisions. implementations, nor any related backwards-compatibility provisions.
Hypothetically, were an RFC4474-compliant implementation to receive Hypothetically, were an RFC4474-compliant implementation to receive
messages containing this revised version of the Identity header, it messages containing this revised version of the Identity header
would likely fail the request due to the absence of an Identity-Info field, it would likely fail the request due to the absence of an
header with a 436 response code. Implementations of this Identity-Info header field with a 436 response code. Implementations
specification, for debugging purposes, might interpret a 436 with a of this specification, for debugging purposes, might interpret a 436
reason phrase of "Bad Identity-Info" as an indication that the with a reason phrase of "Bad Identity-Info" as an indication that the
request has failed because it reached a (hypothetical) request has failed because it reached a (hypothetical)
RFC4474-compliant verification service. RFC4474-compliant verification service.
11. Privacy Considerations 11. Privacy Considerations
The purpose of this mechanism is to provide a strong identification The purpose of this mechanism is to provide a reliable identification
of the originator of a SIP request, specifically a cryptographic of the originator of a SIP request, specifically a cryptographic
assurance that an authority asserts the originator can claim the URI assurance that an authority asserts the originator can claim the URI
given in the From header field. This URI may contain a variety of the identity stipulated in the request. This URI may contain or
personally identifying information, including the name of a human imply a variety of personally identifying information, including the
being, their place of work or service provider, and possibly further name of a human being, their place of work or service provider, and
details. The intrinsic privacy risks associated with that URI are, possibly further details. The intrinsic privacy risks associated
however, no different from those of baseline SIP. Per the guidance with that URI are, however, no different from those of baseline SIP.
in [RFC6973], implementers should make users aware of the privacy Per the guidance in [RFC6973], implementers should make users aware
trade-off of providing secure identity. of the privacy trade-off of providing secure identity.
The identity mechanism presented in this document is compatible with The identity mechanism presented in this document is compatible with
the standard SIP practices for privacy described in [RFC3323]. A SIP the standard SIP practices for privacy described in [RFC3323]. A SIP
proxy server can act both as a privacy service and as an proxy server can act both as a RFC3323 privacy service and as an
authentication service. Since a user agent can provide any From authentication service. Since a user agent can provide any From
header field value that the authentication service is willing to header field value that the authentication service is willing to
authorize, there is no reason why private SIP URIs that contain authorize, there is no reason why private SIP URIs that contain
legitimate domains (e.g., sip:anonymous@example.com) cannot be signed legitimate domains (e.g., sip:anonymous@example.com) cannot be signed
by an authentication service. The construction of the Identity by an authentication service. The construction of the Identity
header is the same for private URIs as it is for any other sort of header field is the same for private URIs as it is for any other sort
URIs. Similar practices could be used to support opportunistic of URIs. Similar practices could be used to support opportunistic
signing of SIP requests for UA-integrated authentications services signing of SIP requests for UA-integrated authentication services
with self-signed certificates, though that is outside the scope of with self-signed certificates, though that is outside the scope of
this specification and is left as a matter for future investigation. this specification and is left as a matter for future investigation.
Note, however, that even when using anonymous SIP URIs, an Note, however, that even when using anonymous SIP URIs, an
authentication service must possess a certificate corresponding to authentication service must possess a certificate corresponding to
the host portion of the addr-spec of the From header field of the the host portion of the addr-spec of the From header field value of
request; accordingly, using domains like 'anonymous.invalid' will not the request; accordingly, using domains like 'anonymous.invalid' will
be possible for privacy services that also act as authentication not be usable by privacy services that simultaneously act as
services. The assurance offered by the usage of anonymous URIs with authentication services. The assurance offered by the usage of
a valid domain portion is "this is a known user in my domain that I anonymous URIs with a valid domain portion is "this is a known user
have authenticated, but I am keeping its identity private". in my domain that I have authenticated, but I am keeping its identity
private".
It is worth noting two features of this more anonymous form of It is worth noting two features of this more anonymous form of
identity. One can eliminate any identifying information in a domain identity. One can eliminate any identifying information in a domain
through the use of the domain 'anonymous.invalid," but we must then through the use of the domain 'anonymous.invalid," but we must then
acknowledge that it is difficult for a domain to be both anonymous acknowledge that it is difficult for a domain to be both anonymous
and authenticated. The use of the "anonymous.invalid" domain entails and authenticated. The use of the "anonymous.invalid" domain entails
that no corresponding authority for the domain can exist, and as a that no corresponding authority for the domain can exist, and as a
consequence, authentication service functions for that domain are consequence, authentication service functions for that domain are
meaningless. The second feature is more germane to the threats this meaningless. The second feature is more germane to the threats this
document mitigates [RFC7375]. None of the relevant attacks, all of document mitigates [RFC7375]. None of the relevant attacks, all of
which rely on the attacker taking on the identity of a victim or which rely on the attacker taking on the identity of a victim or
hiding their identity using someone else's identity, are enabled by hiding their identity using someone else's identity, are enabled by
an anonymous identity. As such, the inability to assert an authority an anonymous identity. As such, the inability to assert an authority
over an anonymous domain is irrelevant to our threat model. over an anonymous domain is irrelevant to our threat model.
[RFC3325] defines the "id" priv-value token, which is specific to the [RFC3325] defines the "id" priv-value token, which is specific to the
P-Asserted-Identity header. The sort of assertion provided by the P- P-Asserted-Identity header field. The sort of assertion provided by
Asserted-Identity header is very different from the Identity header the P-Asserted-Identity header field is very different from the
presented in this document. It contains additional information about Identity header field presented in this document. It contains
the sender of a message that may go beyond what appears in the From additional information about the originator of a message that may go
header field; P-Asserted-Identity holds a definitive identity for the beyond what appears in the From header field; P-Asserted-Identity
sender that is somehow known to a closed network of intermediaries. holds a definitive identity for the originator that is somehow known
Presumably, that network will use this identity for billing or to a closed network of intermediaries. Presumably, that network will
security purposes. The danger of this network-specific information use this identity for billing or security purposes. The danger of
leaking outside of the closed network motivated the "id" priv-value this network-specific information leaking outside of the closed
token. The "id" priv-value token has no implications for the network motivated the "id" priv-value token. The "id" priv-value
Identity header, and privacy services MUST NOT remove the Identity token has no implications for the Identity header field, and privacy
header when a priv-value of "id" appears in a Privacy header. services MUST NOT remove the Identity header field when a priv-value
of "id" appears in a Privacy header field.
The optional "canon" parameter of the Identity header specified in The optional "canon" parameter of the Identity header field specified
this document provides the complete JSON objects used to generate the in this document provides the complete JSON objects used to generate
signed-identity-digest of the Identity header, including the the signed-identity-digest of the Identity header field value,
canonicalized form of the telephone number of the originator of a including the canonicalized form of the telephone number of the
call, if the signature is over a telephone number. In some contexts, originator of a call, if the signature is over a telephone number.
local policy may require a canonicalization which differs In some contexts, local policy may require a canonicalization which
substantially from the original From header field. Depending on differs substantially from the original From header field. Depending
those policies, potentially the "canon" parameter might divulge on those policies, potentially the "canon" parameter might divulge
information about the originating network or user that might not information about the originating network or user that might not
appear elsewhere in the SIP request. Were it to be used to reflect appear elsewhere in the SIP request. Were it to be used to reflect
the contents of the P-Asserted-Identity header field, for example, the contents of the P-Asserted-Identity header field, for example,
then "canon" would need to be removed when the P-Asserted-Identity then "canon" would need to be removed when the P-Asserted-Identity
header is removed to avoid any such leakage outside of a trust header is removed to avoid any such leakage outside of a trust
domain. Since, in those contexts, the canonical form of the sender's domain. Since, in those contexts, the canonical form of the
identity could not be reassembled by a verifier, and thus the originator's identity could not be reassembled by a verifier, and
Identity signature validation process would fail, using P-Asserted- thus the Identity signature validation process would fail, using P-
Identity with the Identity "canon" parameter in this fashion is NOT Asserted-Identity with the Identity "canon" parameter in this fashion
RECOMMENDED outside of environments where SIP requests will never is NOT RECOMMENDED outside of environments where SIP requests will
leave the trust domain. As a side note, history shows that closed never leave the trust domain. As a side note, history shows that
networks never stay closed and one should design their implementation closed networks never stay closed and one should design their
assuming connectivity to the broader Internet. implementation assuming connectivity to the broader Internet.
Finally, note that unlike [RFC3325], the mechanism described in this Finally, note that unlike [RFC3325], the mechanism described in this
specification adds no information to SIP requests that has privacy specification adds no information to SIP requests that has privacy
implications. implications - apart from disclosing that an authentication service
is willing to sign for an originator.
12. Security Considerations 12. Security Considerations
This document describes a mechanism that provides a signature over This document describes a mechanism that provides a signature over
the Date header field of SIP requests, parts of the To and From the Date header field of SIP requests, parts of the To and From
header fields, and when present any media keying material in the header fields, and when present any media keying material in the
message body. In general, the considerations related to the security message body. In general, the considerations related to the security
of these headers are the same as those given in [RFC3261] for of these header fields are the same as those given in [RFC3261] for
including headers in tunneled 'message/sip' MIME bodies (see including header fields in tunneled 'message/sip' MIME bodies (see
Section 23 of RFC3261 in particular). The following section details Section 23 of RFC3261 in particular). The following section details
the individual security properties obtained by including each of the individual security properties obtained by including each of
these header fields within the signature; collectively, this set of these header fields within the signature; collectively, this set of
header fields provides the necessary properties to prevent header fields provides the necessary properties to prevent
impersonation. It addresses the solution-specific attacks against impersonation. It addresses the solution-specific attacks against
in-band solutions enumerated in [RFC7375] Section 4.1. in-band solutions enumerated in [RFC7375] Section 4.1.
12.1. Protected Request Fields 12.1. Protected Request Fields
The From header field value (in ordinary operations) indicates the The From header field value (in ordinary operations) indicates the
identity of the sender of the message. The SIP address-of-record identity of the originator of the message. The SIP address-of-record
URI, or an embedded telephone number, in the From header field is the URI, or an embedded telephone number, in the From header field is the
identity of a SIP user, for the purposes of this document. Note that identity of a SIP user, for the purposes of this document. Note that
in some deployments the identity of the sender may reside in P- in some deployments the identity of the originator may reside in P-
Asserted-Id instead. The sender's identity is the key piece of Asserted-Id instead. The originator's identity is the key piece of
information that this mechanism secures; the remainder of the signed information that this mechanism secures; the remainder of the signed
parts of a SIP request are present to provide reference integrity and parts of a SIP request are present to provide reference integrity and
to prevent certain types of cut-and-paste attacks. to prevent certain types of cut-and-paste attacks.
The Date header field value protects against cut-and-paste attacks, The Date header field value protects against cut-and-paste attacks,
as described in [RFC3261], Section 23.4.2. Implementations of this as described in [RFC3261], Section 23.4.2. That specification
specification MUST NOT deem valid a request with an outdated Date recommends that implementations notify the user of a potential
header field (the RECOMMENDED interval is that the Date header must security issue if the signed Date header field value is stale by an
indicate a time within 60 seconds of the receipt of a message). Note hour or more. To prevent cut-and-paste of recently-observed
that per baseline [RFC3261] behavior, servers keep state of recently messages, this specification instead RECOMMENDS a shorter interval of
received requests, and thus if an Identity header is replayed by an sixty seconds. Implementations of this specification MUST NOT deem
attacker within the Date interval, verifiers can detect that it is valid a request with an outdated Date header field. Note that per
spoofed because a message with an identical Date from the same source [RFC3893] Section 10 behavior, servers can keep state of recently
had recently been received. received requests, and thus if an Identity header field is replayed
by an attacker within the Date interval, verifiers can detect that it
is spoofed because a message with an identical Date from the same
source had recently been received.
It has been observed in the wild that some networks change the Date It has been observed in the wild that some networks change the Date
header field value of SIP requests in transit, and that alternative header field value of SIP requests in transit, and that alternative
behavior might be necessary to accommodate that use case. behavior might be necessary to accommodate that use case.
Verification services that observe a signature validation failure MAY Verification services that observe a signature validation failure MAY
therefore reconstruct the Date header field component of the therefore reconstruct the Date header field component of the
signature from the "iat" carried in PASSporT via the "canon" signature from the "iat" carried in PASSporT via the "canon"
parameter: provided that time recorded by "iat" falls within the parameter: provided that time recorded by "iat" falls within the
local policy for freshness that would ordinarily apply to the Date local policy for freshness that would ordinarily apply to the Date
header, the verification service MAY treat the signature as valid, header, the verification service MAY treat the signature as valid,
provided it keeps adequate state to detect recent replays. Note that provided it keeps adequate state to detect recent replays. Note that
this will require the inclusion of the "canon" parameter by this will require the inclusion of the "canon" parameter by
authentication services in networks where such failures are observed. authentication services in networks where such failures are observed.
The To header field value provides the identity of the SIP user that The To header field value provides the identity of the SIP user that
this request originally targeted. Covering the identity in the To this request originally targeted. Covering the identity in the To
header field with the Identity signature serves two purposes. First, header field with the Identity signature serves two purposes. First,
it prevents cut-and-paste attacks in which an Identity header from it prevents cut-and-paste attacks in which an Identity header field
legitimate request for one user is cut-and-pasted into a request for from a legitimate request for one user is cut-and-pasted into a
a different user. Second, it preserves the starting URI scheme of request for a different user. Second, it preserves the starting URI
the request, which helps prevent downgrade attacks against the use of scheme of the request, which helps prevent downgrade attacks against
SIPS. The To identity offers additional protection against cut-and- the use of SIPS. The To identity offers additional protection
paste attacks beyond the Date header field. For example, without a against cut-and-paste attacks beyond the Date header field. For
signature over the To identity, an attacker who receives a call from example, without a signature over the To identity, an attacker who
a target could immediately forward the INVITE to the target's receives a call from a target could immediately cut-and-paste the
voicemail service within the Date interval, and the voicemail service Identity and From header field value from that INVITE into a new
would have no way knowing that the Identity header it received had request to the target's voicemail service within the Date interval,
been originally signed for a call intended for a different number. and the voicemail service would have no way knowing that the Identity
However, note the caveats below in Section 12.1.1. header field it received had been originally signed for a call
intended for a different number. However, note the caveats below in
Section 12.1.1.
When signing a request that contains a fingerprint of keying material When signing a request that contains a fingerprint of keying material
in SDP for DTLS-SRTP [RFC5763], this mechanism always provides a in SDP for DTLS-SRTP [RFC5763], this mechanism always provides a
signature over that fingerprint. This signature prevents certain signature over that fingerprint. This signature prevents certain
classes of impersonation attacks in which an attacker forwards or classes of impersonation attacks in which an attacker forwards or
cut-and-pastes a legitimate request. Although the target of the cut-and-pastes a legitimate request. Although the target of the
attack may accept the request, the attacker will be unable to attack may accept the request, the attacker will be unable to
exchange media with the target as they will not possess a key exchange media with the target as they will not possess a key
corresponding to the fingerprint. For example, there are some corresponding to the fingerprint. For example, there are some
baiting attacks, launched with the REFER method or through social baiting attacks, launched with the REFER method or through social
skipping to change at page 29, line 25 skipping to change at page 34, line 7
robocalling, ultimately there is little purpose in establishing the robocalling, ultimately there is little purpose in establishing the
identity of the user that originated a SIP request if this assurance identity of the user that originated a SIP request if this assurance
is not coupled with a comparable assurance over the contents of the is not coupled with a comparable assurance over the contents of the
subsequent media communication. This signature also, per [RFC7258], subsequent media communication. This signature also, per [RFC7258],
reduces the potential for passive monitoring attacks against the SIP reduces the potential for passive monitoring attacks against the SIP
media. In environments where DTLS-SRTP is unsupported, however, no media. In environments where DTLS-SRTP is unsupported, however, no
field is signed and no protections are provided. field is signed and no protections are provided.
12.1.1. Protection of the To Header and Retargeting 12.1.1. Protection of the To Header and Retargeting
The mechanism in this document provides a signature over the identity Armed with the original value of the To header field, the recipient
information in the To header field value of requests. This provides of a request may be tempted compare it to their own identity in order
a means for verifiers to detect replay attacks where a signed request to determine whether or not the identity information in this call
originally sent to one target is modified and then forwarded by an might have been replayed. However, any request may be legitimately
attacker to another, unrelated target. Armed with the original value retargeted as well, and as a result legitimate requests may reach a
of the To header field, the recipient of a request may compare it to SIP endpoint whose user is not identified by the URI designated in
their own identity in order to determine whether or not the identity the To header field value. It is therefore difficult for any
information in this call might have been replayed. However, any verifier to decide whether or not some prior retargeting was
request may be legitimately retargeted as well, and as a result "legitimate." Retargeting can also cause confusion when identity
legitimate requests may reach a SIP endpoint whose user is not information is provided for requests sent in the backwards direction
identified by the URI designated in the To header field value. It is in a dialog, as the dialog identifiers may not match credentials held
therefore difficult for any verifier to decide whether or not some by the ultimate target of the dialog. For further information on the
prior retargeting was "legitimate." Retargeting can also cause problems of response identity see [I-D.peterson-sipping-retarget].
confusion when identity information is provided for requests sent in
the backwards direction in a dialog, as the dialog identifiers may
not match credentials held by the ultimate target of the dialog. For
further information on the problems of response identity see
[I-D.peterson-sipping-retarget].
Any means for authentication services or verifiers to anticipate Any means for authentication services or verifiers to anticipate
retargeting is outside the scope of this document, and likely to have retargeting is outside the scope of this document, and likely to have
equal applicability to response identity as it does to requests in equal applicability to response identity as it does to requests in
the backwards direction within a dialog. Consequently, no special the backwards direction within a dialog. Consequently, no special
guidance is given for implementers here regarding the 'connected guidance is given for implementers here regarding the 'connected
party' problem (see [RFC4916]); authentication service behavior is party' problem (see [RFC4916]); authentication service behavior is
unchanged if retargeting has occurred for a dialog-forming request. unchanged if retargeting has occurred for a dialog-forming request.
Ultimately, the authentication service provides an Identity header Ultimately, the authentication service provides an Identity header
for requests in the backwards dialog when the user is authorized to field for requests in the dialog only when the user is authorized to
assert the identity given in the From header field, and if they are assert the identity given in the From header field, and if they are
not, an Identity header is not provided. And per the threat model of not, an Identity header field is not provided. And per the threat
[RFC7375], resolving problems with 'connected' identity has little model of [RFC7375], resolving problems with 'connected' identity has
bearing on detecting robocalling or related impersonation attacks. little bearing on detecting robocalling or related impersonation
attacks.
12.2. Unprotected Request Fields 12.2. Unprotected Request Fields
RFC4474 originally had protections for the Contact, Call-ID and CSeq. RFC4474 originally had protections for the Contact, Call-ID and CSeq.
These are removed from RFC4474bis. The absence of these header These are removed from RFC4474bis. The absence of these header field
values creates some opportunities for determined attackers to values creates some opportunities for determined attackers to
impersonate based on cut-and-paste attacks; however, the absence of impersonate based on cut-and-paste attacks; however, the absence of
these headers does not seem impactful to preventing the simple these header field values does not seem impactful to preventing the
unauthorized claiming of an identity for the purposes of robocalling, simple unauthorized claiming of an identity for the purposes of
voicemail hacking, or swatting, which is the primary scope of the robocalling, voicemail hacking, or swatting, which is the primary
current document. scope of the current document.
It might seem attractive to provide a signature over some of the It might seem attractive to provide a signature over some of the
information present in the Via header field value(s). For example, information present in the Via header field value(s). For example,
without a signature over the sent-by field of the topmost Via header, without a signature over the sent-by field of the topmost Via header
an attacker could remove that Via header and insert its own in a cut- field, an attacker could remove that Via header field and insert its
and-paste attack, which would cause all responses to the request to own in a cut-and-paste attack, which would cause all responses to the
be routed to a host of the attacker's choosing. However, a signature request to be routed to a host of the attacker's choosing. However,
over the topmost Via header does not prevent attacks of this nature, a signature over the topmost Via header field does not prevent
since the attacker could leave the topmost Via intact and merely attacks of this nature, since the attacker could leave the topmost
insert a new Via header field directly after it, which would cause Via intact and merely insert a new Via header field directly after
responses to be routed to the attacker's host "on their way" to the it, which would cause responses to be routed to the attacker's host
valid host, which has exactly the same end result. Although it is "on their way" to the valid host, which has exactly the same end
possible that an intermediary-based authentication service could result. Although it is possible that an intermediary-based
guarantee that no Via hops are inserted between the sending user authentication service could guarantee that no Via hops are inserted
agent and the authentication service, it could not prevent an between the sending user agent and the authentication service, it
attacker from adding a Via hop after the authentication service, and could not prevent an attacker from adding a Via hop after the
thereby preempting responses. It is necessary for the proper authentication service, and thereby preempting responses. It is
operation of SIP for subsequent intermediaries to be capable of necessary for the proper operation of SIP for subsequent
inserting such Via header fields, and thus it cannot be prevented. intermediaries to be capable of inserting such Via header fields, and
As such, though it is desirable, securing Via is not possible through thus it cannot be prevented. As such, though it is desirable,
the sort of identity mechanism described in this document; the best securing Via is not possible through the sort of identity mechanism
known practice for securing Via is the use of SIPS. described in this document; the best known practice for securing Via
is the use of SIPS.
12.3. Malicious Removal of Identity Headers 12.3. Malicious Removal of Identity Headers
In the end analysis, the Identity header cannot protect itself. Any In the end analysis, the Identity header field cannot protect itself.
attacker could remove the header from a SIP request, and modify the Any attacker could remove the header field from a SIP request, and
request arbitrarily afterwards. However, this mechanism is not modify the request arbitrarily afterwards. However, this mechanism
intended to protect requests from men-in-the-middle who interfere is not intended to protect requests from men-in-the-middle who
with SIP messages; it is intended only to provide a way that the interfere with SIP messages; it is intended only to provide a way
originators of SIP requests can prove that they are who they claim to that the originators of SIP requests can prove that they are who they
be. At best, by stripping identity information from a request, a claim to be. At best, by stripping identity information from a
man-in-the-middle could make it impossible to distinguish any request, a man-in-the-middle could make it impossible to distinguish
illegitimate messages he would like to send from those messages sent any illegitimate messages he would like to send from those messages
by an authorized user. However, it requires a considerably greater sent by an authorized user. However, it requires a considerably
amount of energy to mount such an attack than it does to mount greater amount of energy to mount such an attack than it does to
trivial impersonations by just copying someone else's From header mount trivial impersonations by just copying someone else's From
field. This mechanism provides a way that an authorized user can header field. This mechanism provides a way that an authorized user
provide a definitive assurance of his identity that an unauthorized can provide a definitive assurance of his identity that an
user, an impersonator, cannot. unauthorized user, an impersonator, cannot.
12.4. Securing the Connection to the Authentication Service 12.4. Securing the Connection to the Authentication Service
In the absence of user agent-based authentication services, the In the absence of user agent-based authentication services, the
assurance provided by this mechanism is strongest when a user agent assurance provided by this mechanism is strongest when a user agent
forms a direct connection, preferably one secured by TLS, to an forms a direct connection, preferably one secured by TLS, to an
intermediary-based authentication service. The reasons for this are intermediary-based authentication service. The reasons for this are
twofold: twofold:
If a user does not receive a certificate from the authentication If a user does not receive a certificate from the authentication
skipping to change at page 31, line 40 skipping to change at page 36, line 18
Without TLS, the various header field values and the body of the Without TLS, the various header field values and the body of the
request will not have integrity protection when the request request will not have integrity protection when the request
arrives at an authentication service. Accordingly, a prior arrives at an authentication service. Accordingly, a prior
legitimate or illegitimate intermediary could modify the message legitimate or illegitimate intermediary could modify the message
arbitrarily. arbitrarily.
Of these two concerns, the first is most material to the intended Of these two concerns, the first is most material to the intended
scope of this mechanism. This mechanism is intended to prevent scope of this mechanism. This mechanism is intended to prevent
impersonation attacks, not man-in-the-middle attacks; integrity over impersonation attacks, not man-in-the-middle attacks; integrity over
the header and bodies is provided by this mechanism only to prevent parts of the the header and body is provided by this mechanism only
replay attacks. However, it is possible that applications relying on to prevent replay attacks. However, it is possible that applications
the presence of the Identity header could leverage this integrity relying on the presence of the Identity header field could leverage
protection for services other than replay protection. this integrity protection for services other than replay protection.
Accordingly, direct TLS connections SHOULD be used between the UAC Accordingly, direct TLS connections SHOULD be used between the UAC
and the authentication service whenever possible. The opportunistic and the authentication service whenever possible. The opportunistic
nature of this mechanism, however, makes it very difficult to nature of this mechanism, however, makes it very difficult to
constrain UAC behavior, and moreover there will be some deployment constrain UAC behavior, and moreover there will be some deployment
architectures where a direct connection is simply infeasible and the architectures where a direct connection is simply infeasible and the
UAC cannot act as an authentication service itself. Accordingly, UAC cannot act as an authentication service itself. Accordingly,
when a direct connection and TLS are not possible, a UAC should use when a direct connection and TLS are not possible, a UAC should use
the SIPS mechanism, Digest 'auth-int' for body integrity, or both the SIPS mechanism, Digest 'auth-int' for body integrity, or both
when it can. The ultimate decision to add an Identity header to a when it can. The ultimate decision to add an Identity header field
request lies with the authentication service, of course; domain to a request lies with the authentication service, of course; domain
policy must identify those cases where the UAC's security association policy must identify those cases where the UAC's security association
with the authentication service is too weak. with the authentication service is too weak.
12.5. Authorization and Transitional Strategies 12.5. Authorization and Transitional Strategies
Ultimately, the worth of an assurance provided by an Identity header Ultimately, the worth of an assurance provided by an Identity header
is limited by the security practices of the authentication service field is limited by the security practices of the authentication
that issues the assurance. Relying on an Identity header generated service that issues the assurance. Relying on an Identity header
by a remote administrative domain assumes that the issuing domain field generated by a remote administrative domain assumes that the
uses recommended administrative practices to authenticate its users. issuing domain uses recommended administrative practices to
However, it is possible that some authentication services will authenticate its users. However, it is possible that some
implement policies that effectively make users unaccountable (e.g., authentication services will implement policies that effectively make
ones that accept unauthenticated registrations from arbitrary users). users unaccountable (e.g., ones that accept unauthenticated
The value of an Identity header from such authentication services is registrations from arbitrary users). The value of an Identity header
questionable. While there is no magic way for a verifier to field from such authentication services is questionable. While there
distinguish "good" from "bad" signers by inspecting a SIP request, it is no magic way for a verifier to distinguish "good" from "bad"
is expected that further work in authorization practices could be signers by inspecting a SIP request, it is expected that further work
built on top of this identity solution; without such an identity in authorization practices could be built on top of this identity
solution, many promising approaches to authorization policy are solution; without such an identity solution, many promising
impossible. That much said, it is RECOMMENDED that authentication approaches to authorization policy are impossible. That much said,
services based on proxy servers employ strong authentication it is RECOMMENDED that authentication services based on proxy servers
practices. employ strong authentication practices.
One cannot expect the Identity header to be supported by every SIP One cannot expect the Identity header field to be supported by every
entity overnight. This leaves the verifier in a compromising SIP entity overnight. This leaves the verifier in a compromising
position; when it receives a request from a given SIP user, how can position; when it receives a request from a given SIP user, how can
it know whether or not the sender's domain supports Identity? In the it know whether or not the originator's domain supports Identity? In
absence of ubiquitous support for identity, some transitional the absence of ubiquitous support for identity, some transitional
strategies are necessary. strategies are necessary.
A verifier could remember when it receives a request from a domain A verifier could remember when it receives a request from a domain
or telephone number that uses Identity, and in the future, view or telephone number that uses Identity, and in the future, view
messages received from that sources without Identity headers with messages received from that source without an Identity header
skepticism. field with skepticism.
A verifier could consult some sort of directory that indications A verifier could consult some sort of directory that indicates
whether a given caller should have a signed identity. There are a whether a given caller should have a signed identity. There are a
number of potential ways in which this could be implemented. This number of potential ways in which this could be implemented. This
is left as a subject for future work. is left as a subject for future work.
In the long term, some sort of identity mechanism, either the one In the long term, some sort of identity mechanism, either the one
documented in this specification or a successor, must become documented in this specification or a successor, must become
mandatory-to-use for the SIP protocol; that is the only way to mandatory-to-use for the SIP protocol; that is the only way to
guarantee that this protection can always be expected by verifiers. guarantee that this protection can always be expected by verifiers.
Finally, it is worth noting that the presence or absence of the Finally, it is worth noting that the presence or absence of the
Identity headers cannot be the sole factor in making an authorization Identity header fields cannot be the sole factor in making an
decision. Permissions might be granted to a message on the basis of authorization decision. Permissions might be granted to a message on
the specific verified Identity or really on any other aspect of a SIP the basis of the specific verified Identity or really on any other
request. Authorization policies are outside the scope of this aspect of a SIP request. Authorization policies are outside the
specification, but this specification advises any future scope of this specification, but this specification advises any
authorization work not to assume that messages with valid Identity future authorization work not to assume that messages with valid
headers are always good. Identity header fields are always good.
12.6. Display-Names and Identity 12.6. Display-Names and Identity
As a matter of interface design, SIP user agents might render the As a matter of interface design, SIP user agents might render the
display-name portion of the From header field of a caller as the display-name portion of the From header field of a caller as the
identity of the caller; there is a significant precedent in email identity of the caller; there is a significant precedent in email
user interfaces for this practice. Securing the display-name user interfaces for this practice. Securing the display-name
component of the From header field value is outside the scope of this component of the From header field value is outside the scope of this
document, but may be the subject of future work, such as through the document, but may be the subject of future work, such as through the
"ppt" name mechanism. "ppt" name mechanism.
In the absence of signing the display-name, authentication services In the absence of signing the display-name, authentication services
might check and validate it, and compare it to a list of acceptable might check and validate it, and compare it to a list of acceptable
display-names that may be used by the sender; if the display-name display-names that may be used by the originator; if the display-name
does not meet policy constraints, the authentication service could does not meet policy constraints, the authentication service could
return a 403 response code. In this case, the reason phrase should return a 403 response code. In this case, the reason phrase should
indicate the nature of the problem; for example, "Inappropriate indicate the nature of the problem; for example, "Inappropriate
Display Name". However, the display-name is not always present, and Display Name". However, the display-name is not always present, and
in many environments the requisite operational procedures for in many environments the requisite operational procedures for
display-name validation may not exist, so no normative guidance is display-name validation may not exist, so no normative guidance is
given here. given here.
13. IANA Considerations 13. IANA Considerations
This document relies on the headers and response codes defined in RFC This document contains a number of actions for IANA.
4474. It also retains the requirements for the specification of new
algorithms or headers related to the mechanisms described in that
document.
13.1. Identity-Info Parameters 13.1. SIP Header Fields
The IANA has already created a registry for Identity-Info parameters. The Identity-Info header in the SIP Header Fields registry should be
This specification defines a new value called "canon" as defined in marked as deprecated by [RFCThis].
Section 6.3. Note however that unlike in RFC4474, Identity-Info
parameters now appear in the Identity header.
13.2. Identity-Info Algorithm Parameter Values 13.2. SIP Response Codes
The IANA has already created a registry for Identity-Info "alg" The Reason phrase for the 436 response default reason phrase should
parameter values. Note that now, the "alg" parameter appears in the be changed from "Bad Identity-Info" to "Bad Identity Info" in the SIP
Identity header rather than the deprecated Identity-Info header. Response Code registry.
Since the algorithms for signing PASSporT objects are defined in
PASSporT rather than in this specification, there is no longer a need
for an algorithm parameter registry for the Identity header. This
registry is therefore deprecated.
13.3. Response Codes defined in RFC4474 The 437 "Unsupported Certificate" default reason phrase should be
changed to "Unsupported Credential".
RFC4474 defined four response codes for failure conditions specific 13.3. Identity-Info Parameters
to the Identity header and its original mechanism. These status
codes are retained in this specification, with some modifications.
The semantics of the 428 'Use Identity Header' response code are The IANA manages a registry for Identity-Info parameters. The
slightly altered by the potential presence of the "ppt" parameter. specification asks the IANA to change the name of this registry to
Now, a 428 response MUST be sent when an Identity header is required, "Identity Parameters".
but no Identity header without a "ppt" parameter, or with a supported
"ppt" value, has been received. In the case where one or more
Identity headers with unsupported "ppt" values have been received,
then a verification service SHOULD send a 428 with the reason phrase
"Use Supported PASSporT Format". Note however that this
specification gives no guidance on how a verification service might
decide to require an Identity header for a particular SIP request.
Such authorization policies are outside the scope of this
specification.
For 436 'Bad Identity-Info' response, the default reason phrase is This specification defines two new values for the registry: "canon"
now renamed 'Bad Identity info', as the deprecation of the Identity- as defined in this specification in Section 4.1.1; and "info" as
Info header has made 'info' a parameter of the Identity header. defined in this specification in Section 7.3.
Again, given the potential presence of multiple Identity headers,
this response code is sent when the verification service is unable to
deference the URIs and/or acquire the credentials associated with all
Identity headers in the request. This failure code could be
repairable if the authentication service resends the request with an
'info' parameter pointing to a credential that the verification
service can access.
The 437 'Unsupported Certificate' default reason phrase is now 13.4. Identity-Info Algorithm Parameter Values
changed to 'Unsupported Credential'. This response is sent when a
verification service can acquire, or already holds, the credential
represented by the 'info' parameter of at least one Identity header
in the request, but does not support said credential(s), for reasons
such as failing to trust the issuing CA, or failing to support the
algorithm with which the credential was signed.
Finally, the 438 'Invalid Identity Header' response now indicates This IANA manages an Identity-Info Algorithm Parameter Values
that of the set of Identity headers in a request, no header with a registry which this specification deprecates. Since the algorithms
valid and supported PASSporT object has been received. Like the 428 for signing PASSporT objects are defined in PASSporT rather than in
response, this is sent by a verification service when its local this specification, there is no longer a need for an algorithm
policy dictates that a broken signature in an Identity header is parameter registry for the Identity header field.
grounds for rejecting a request. Note that in some cases, an
Identity header may be broken for other reasons than that an
originator is attempting to spoof an identity: for example, when a
transit network alters the Date header of the request. Relying on
the full PASSporT object presented through the "canon" parameter can
repair some of these conditions (see Section 5.2.1), so the
recommended way to attempt to repair this failure is to retry the
request with "canon".
14. Acknowledgments 14. Acknowledgments
The authors would like to thank Stephen Kent, Brian Rosen, Alex The authors would like to thank Olle Jacobson, Dave Frankel, Robert
Bobotek, Paul Kyzviat, Jonathan Lennox, Richard Shockey, Martin Sparks, Dave Crocker, Stephen Kent, Brian Rosen, Alex Bobotek, Paul
Dolly, Andrew Allen, Hadriel Kaplan, Sanjay Mishra, Anton Baskov, Kyzviat, Jonathan Lennox, Richard Shockey, Martin Dolly, Andrew
Pierce Gorman, David Schwartz, Eric Burger, Alan Ford, Philippe Allen, Hadriel Kaplan, Sanjay Mishra, Anton Baskov, Pierce Gorman,
David Schwartz, Eric Burger, Alan Ford, Christer Holmberg, Philippe
Fouquart, Michael Hamer, Henning Schulzrinne, and Richard Barnes for Fouquart, Michael Hamer, Henning Schulzrinne, and Richard Barnes for
their comments. their comments.
15. Changes from RFC4474 15. Changes from RFC4474
The following are salient changes from the original RFC 4474: The following are salient changes from the original RFC 4474:
Generalized the credential mechanism; credential enrollment, Generalized the credential mechanism; credential enrollment,
acquisition and trust is now outside the scope of this document acquisition and trust is now outside the scope of this document
Reduced the scope of the Identity signature to remove CSeq, Call- Reduced the scope of the Identity signature to remove CSeq, Call-
ID, Contact, and the message body ID, Contact, and the message body
Removed the Identity-Info header and relocated its components into Deprecated the Identity-Info header field and relocated its
parameters of the Identity header components into parameters of the Identity header field (which
obsoletes the previous version of the header field)
The Identity header can now appear multiple times in one request The Identity header field can now appear multiple times in one
request
Replaced previous signed-identity-digest format with PASSporT Replaced previous signed-identity-digest format with PASSporT
(signing algorithms now defined there) (signing algorithms now defined there)
Revised status code descriptions Revised status code descriptions
16. References 16. References
16.1. Normative References 16.1. Normative References
[E.164] ITU-T, "The international public telecommunication
numbering plan", E 164, February 2005,
<https://www.itu.int/rec/T-REC-E.164/en>.
[I-D.ietf-stir-passport] [I-D.ietf-stir-passport]
Wendt, C. and J. Peterson, "Persona Assertion Token", Wendt, C. and J. Peterson, "Persona Assertion Token",
draft-ietf-stir-passport-03 (work in progress), June 2016. draft-ietf-stir-passport-06 (work in progress), August
2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<http://www.rfc-editor.org/info/rfc2818>. <http://www.rfc-editor.org/info/rfc2818>.
skipping to change at page 37, line 11 skipping to change at page 41, line 5
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>. <http://www.rfc-editor.org/info/rfc3986>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>. <http://www.rfc-editor.org/info/rfc5280>.
[RFC5922] Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain
Certificates in the Session Initiation Protocol (SIP)",
RFC 5922, DOI 10.17487/RFC5922, June 2010,
<http://www.rfc-editor.org/info/rfc5922>.
[RFC6919] Barnes, R., Kent, S., and E. Rescorla, "Further Key Words [RFC6919] Barnes, R., Kent, S., and E. Rescorla, "Further Key Words
for Use in RFCs to Indicate Requirement Levels", RFC 6919, for Use in RFCs to Indicate Requirement Levels", RFC 6919,
DOI 10.17487/RFC6919, April 2013, DOI 10.17487/RFC6919, April 2013,
<http://www.rfc-editor.org/info/rfc6919>. <http://www.rfc-editor.org/info/rfc6919>.
16.2. Informative References 16.2. Informative References
[I-D.ietf-iri-comparison] [I-D.ietf-iri-comparison]
Masinter, L. and M. D&#258;&#378;rst, "Comparison, Masinter, L. and M. D&#258;&#378;rst, "Comparison,
Equivalence and Canonicalization of Internationalized Equivalence and Canonicalization of Internationalized
Resource Identifiers", draft-ietf-iri-comparison-02 (work Resource Identifiers", draft-ietf-iri-comparison-02 (work
in progress), October 2012. in progress), October 2012.
[I-D.ietf-stir-certificates] [I-D.ietf-stir-certificates]
Peterson, J. and S. Turner, "Secure Telephone Identity Peterson, J. and S. Turner, "Secure Telephone Identity
Credentials: Certificates", draft-ietf-stir- Credentials: Certificates", draft-ietf-stir-
certificates-06 (work in progress), July 2016. certificates-07 (work in progress), July 2016.
[I-D.kaplan-stir-cider] [I-D.kaplan-stir-cider]
Kaplan, H., "A proposal for Caller Identity in a DNS-based Kaplan, H., "A proposal for Caller Identity in a DNS-based
Entrusted Registry (CIDER)", draft-kaplan-stir-cider-00 Entrusted Registry (CIDER)", draft-kaplan-stir-cider-00
(work in progress), July 2013. (work in progress), July 2013.
[I-D.peterson-sipping-retarget] [I-D.peterson-sipping-retarget]
Peterson, J., "Retargeting and Security in SIP: A Peterson, J., "Retargeting and Security in SIP: A
Framework and Requirements", draft-peterson-sipping- Framework and Requirements", draft-peterson-sipping-
retarget-00 (work in progress), February 2005. retarget-00 (work in progress), February 2005.
skipping to change at page 39, line 28 skipping to change at page 43, line 28
[RFC7340] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure [RFC7340] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
Telephone Identity Problem Statement and Requirements", Telephone Identity Problem Statement and Requirements",
RFC 7340, DOI 10.17487/RFC7340, September 2014, RFC 7340, DOI 10.17487/RFC7340, September 2014,
<http://www.rfc-editor.org/info/rfc7340>. <http://www.rfc-editor.org/info/rfc7340>.
[RFC7375] Peterson, J., "Secure Telephone Identity Threat Model", [RFC7375] Peterson, J., "Secure Telephone Identity Threat Model",
RFC 7375, DOI 10.17487/RFC7375, October 2014, RFC 7375, DOI 10.17487/RFC7375, October 2014,
<http://www.rfc-editor.org/info/rfc7375>. <http://www.rfc-editor.org/info/rfc7375>.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, <http://www.rfc-editor.org/info/rfc7515>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<http://www.rfc-editor.org/info/rfc7519>. <http://www.rfc-editor.org/info/rfc7519>.
Authors' Addresses Authors' Addresses
Jon Peterson Jon Peterson
Neustar, Inc. Neustar, Inc.
1800 Sutter St Suite 570 1800 Sutter St Suite 570
Concord, CA 94520 Concord, CA 94520
 End of changes. 171 change blocks. 
948 lines changed or deleted 1111 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/