Network Working Group                                        J. Peterson
Internet-Draft                                                   NeuStar
Intended status: Standards Track                             C. Jennings
Expires: February 25, 2017                                         Cisco
                                                             E. Rescorla
                                                              RTFM, Inc.
                                                                C. Wendt
                                                                 Comcast
                                                         August 24, 2016

  Authenticated Identity Management in the Session Initiation Protocol
                                 (SIP)
                   draft-ietf-stir-rfc4474bis-11.txt

Abstract

   The baseline security mechanisms in the Session Initiation Protocol
   (SIP) are inadequate for cryptographically assuring the identity of
   the end users that originate SIP requests, especially in an
   interdomain context.  This document defines a mechanism for securely
   identifying originators of SIP requests.  It does so by defining a
   SIP header field for conveying a signature used for validating the
   identity, and for conveying a reference to the credentials of the
   signer.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 25, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Architectural Overview
   4.  Identity Header Field Syntax
     4.1.  PASSporT Construction
       4.1.1.  'canon' and PASSporT
   5.  Example of Operations
     5.1.  Example Identity Header Construction
   6.  Signature Generation and Validation
     6.1.  Authentication Service Behavior
     6.2.  Verifier Behavior
       6.2.1.  Authorization of Requests
       6.2.2.  Response Codes Sent by a Verification Service
       6.2.3.  Handling 'canon' parameters
   7.  Credentials
     7.1.  Credential Use by the Authentication Service
     7.2.  Credential Use by the Verification Service
     7.3.  'info' parameter URIs
     7.4.  Credential System Requirements
   8.  Identity Types
     8.1.  Differentiating Telephone Numbers from URIs
     8.2.  Authority for Telephone Numbers
     8.3.  Telephone Number Canonicalization Procedures
     8.4.  Authority for Domain Names
     8.5.  URI Normalization
   9.  Extensibility
   10. Backwards Compatibility with RFC4474
   11. Privacy Considerations
   12. Security Considerations
     12.1.  Protected Request Fields
       12.1.1.  Protection of the To Header and Retargeting
     12.2.  Unprotected Request Fields
     12.3.  Malicious Removal of Identity Headers
     12.4.  Securing the Connection to the Authentication Service
     12.5.  Authorization and Transitional Strategies
     12.6.  Display-Names and Identity
   13. IANA Considerations
     13.1.  SIP Header Fields
     13.2.  SIP Response Codes
     13.3.  Identity-Info Parameters
     13.4.  Identity-Info Algorithm Parameter Values
   14. Acknowledgments
   15. Changes from RFC4474
   16. References
     16.1.  Normative References
     16.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document provides enhancements to the existing mechanisms for
   authenticated identity management in the Session Initiation Protocol
   (SIP, [RFC3261]).  An identity, for the purposes of this document, is
   defined as either a canonical address-of-record (AoR) SIP URI
   employed to reach a user (such as 'sip:alice@atlanta.example.com'),
   or a telephone number, which commonly appears in either a TEL URI
   [RFC3966] or as the user portion of a SIP URI.

   [RFC3261] specifies several places within a SIP request where users
   can express an identity for themselves, most prominently the user-
   populated From header field.  However, the recipient of a SIP request
   has no way to verify that the From header field has been populated
   appropriately, in the absence of some sort of cryptographic
   authentication mechanism.  This leaves SIP vulnerable to a category
   of abuses, including impersonation attacks that enable robocalling,
   voicemail hacking, swatting, and related problems as described in
   [RFC7340].  Ideally, a cryptographic approach to identity can provide
   a much stronger and less spoofable assurance of identity than the
   Caller ID services that the telephone network provides today.

   [RFC3261] encourages user agents (UAs) to implement a number of
   potential authentication mechanisms, including Digest authentication,
   Transport Layer Security (TLS), and S/MIME (implementations may
   support other security schemes as well).  However, few SIP user
   agents today support the end-user certificates necessary to
   authenticate themselves (via S/MIME, for example), and for its part
   Digest authentication is limited by the fact that the originator and
   destination must share a prearranged secret.  Practically speaking,
   originating user agents need to be able to securely communicate their
   users' identity to destinations with which they have no previous
   association.

   As an initial attempt to address this gap, [RFC4474] specified a
   means of signing portions of SIP requests in order to provide an
   identity assurance.  However, RFC4474 was in several ways misaligned
   with deployment realities (see [I-D.rosenberg-sip-rfc4474-concerns]).
   Most significantly, RFC4474 did not deal well with telephone numbers
   as identifiers, despite their enduring use in SIP deployments.
   RFC4474 also provided a signature over material that intermediaries
   in existing deployments commonly altered.  This specification
   therefore deprecates the RFC4474 syntax and behavior, reconsidering
   the problem space in light of the threat model in [RFC7375] and
   aligning the signature format with PASSporT [I-D.ietf-stir-passport].

2.  Terminology

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
   RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as
   described in [RFC2119].

   In addition, this document uses three terms specific to the
   mechanism:

      Identity: An identifier for the user of a communications service;
      for the purposes of SIP, either a SIP URI or a telephone number.
      Identities are extracted from an "identity field" in a SIP request
      such as the From header field.

      Authentication Service: A logical role played by a SIP entity that
      adds Identity headers to SIP requests.

      Verification Service (or "Verifier"): A logical role played by a
      SIP entity that validates Identity headers in a SIP request.

3.  Architectural Overview

   Per [RFC7340], problems such as robocalling, voicemail hacking, and
   swatting are enabled by an attacker's ability to impersonate someone
   else.  The secure operation of most SIP applications and services
   depends on authorizing the source of communications as it is
   represented in a SIP request.  Such authorization policies can be
   automated or be a part of human operation of SIP devices.  An example
   of the former would be a voicemail service that compares the identity
   of the caller to a whitelist before determining whether it should
   allow the caller access to recorded messages.  An example of the
   latter would be an Internet telephone application that displays the
   calling party number (and/or Caller-ID) of a caller, which a human
   may review to make a policy decision before answering a call.  In
   both of these cases, attackers might attempt to circumvent these
   authorization policies through impersonation.  Since the primary
   identifier of the sender of a SIP request, the From header field, can
   be populated arbitrarily by the controller of a user agent,
   impersonation is very simple today in many environments.  The
   mechanism described in this document provides a strong identity
   system for detecting attempted impersonation in SIP requests.

   The identity architecture for SIP defined in this specification
   depends on a logical "authentication service" which validates
   outgoing requests.  An authentication service may be implemented
   either as part of a user agent or as a proxy server; typically, it is
   a component of a network intermediary like a proxy to which
   originating user agents send unsigned requests.  Once the originator
   of the message has been authenticated, through means entirely up to
   the authentication service, the authentication service then creates
   and adds an Identity header field to the request.  This requires
   computing cryptographic information, including a digital signature
   over some components of messages, that lets other SIP entities verify
   that the sending user has been authenticated and its claim of a
   particular identity has been authorized.  These "verification
   services" validate the signature and enable policy decisions to be
   made based on the results of the validation.

   Policy decisions made after validation depend heavily on the
   verification service's trust for the credentials that the
   authentication service uses to sign requests.  As robocalling,
   voicemail hacking, and swatting usually involve impersonation of
   telephone numbers, credentials that will be trusted by relying
   parties to sign for telephone numbers are a key component of the
   architecture.  Authority over telephone numbers is however, not so
   easy to establish on the Internet as authority over traditional
   domain names.  This document assumes the existence of credentials for
   establishing authority over telephone numbers, for cases where the
   telephone number is the identity of the user, but this document does
   not mandate or specify a credential system.
   [I-D.ietf-stir-certificates] describes a credential system compatible
   with this architecture.

   Although addressing the vulnerabilities in the STIR problem statement
   and threat model mostly requires dealing with telephone numbers as
   identities, SIP must also handle signing for SIP URIs as identities.
   This is typically easier to deal with, as these identities are issued
   to users by authorities over Internet domains.  When a new user
   becomes associated with example.com, for example, the administrator
   of the SIP service for that domain can issue them an identity in that
   namespace, such as sip:alice@example.com.  Alice may then send
   REGISTER requests to example.com that make her user agents eligible
   to receive requests for sip:alice@example.com.  In other cases, Alice
   may be the owner of her own domain, and may issue herself
   identities as she chooses.  But ultimately, it is the controller of
   the SIP service at example.com that must be responsible for
   authorizing the use of names in the example.com domain.  Therefore,
   for the purposes of baseline SIP, the necessary credentials needed to
   prove a user is authorized to use a particular From header field must
   ultimately derive from the domain owner: either a user agent gives
   requests to the domain name owner in order for them to be signed by
   the domain owner's credentials, or the user agent must possess
   credentials that prove in some fashion that the domain owner has
   given the user agent the right to a name.

   The situation is however more complicated for telephone numbers.
   Authority over telephone numbers does not correspond directly to
   Internet domains.  While a user could register at a SIP domain with a
   username that corresponds to a telephone number, any
   connection between the administrator of that domain and the
   assignment of telephone numbers is not currently reflected on the
   Internet.  Telephone numbers do not share the domain-scope property
   described above, as they are dialed without any domain component.
   This document thus assumes the existence of a separate means of
   establishing authority over telephone numbers, for cases where the
   telephone number is the identity of the user.  As with SIP URIs, the
   necessary credentials to prove authority for a name might reside
   either in the endpoint or at some intermediary.

   This document specifies a means of sharing a cryptographic assurance
   of end-user SIP identity in an interdomain or intradomain context.
   In order to do so, an authentication service constructs tokens based
   on the PASSporT [I-D.ietf-stir-passport] format, a JSON [RFC7159]
   object comprising values copied from certain header field values in
   the SIP request.  The authentication service then computes a
   signature over those JSON elements as PASSporT specifies.  That
   signature is then placed in the SIP Identity header field.  In order
   to assist in the validation of the Identity header field, this
   specification also describes a parameter of the Identity header field
   that can be used by the recipient of a request to recover the
   credentials of the signer.

   Note that the scope of this document is limited to providing an
   identity assurance for SIP requests; solving this problem for SIP
   responses is outside the scope of this work (see [RFC4916]).  Future
   work might specify ways that a SIP implementation could gateway
   PASSporT objects to other protocols.

4.  Identity Header Field Syntax

   The Identity and Identity-Info header fields that were previously
   defined in RFC4474 are here deprecated.  This revised specification allows either a user agent or a proxy server to
   provide
   collapses the authentication service function and/or grammar of Identity-Info into the verification
   service function.  To maximize end-to-end security, it Identity header field
   via the "info" parameter.  Note that unlike the prior specification
   in RFC4474, the Identity header field is obviously
   preferable for end-users now allowed to acquire their own credentials; if they
   do, their user agents can act as authentication services.  However, appear more
   than one time in a SIP request.  The revised grammar for some deployments, end-user credentials may be neither practical
   nor affordable, given the potentially large number of SIP user agents
   (phones, PCs, laptops, PDAs, gaming devices) that may be employed by
   a single user.  In such environments, synchronizing keying material
   across multiple devices may be prohibitively complex and require
   quite a good deal of additional endpoint behavior.  Managing several
   credentials for the various devices could also be burdensome.  In
   these cases, implementation the authentication service at an
   intermediary may be more practical.  This trade-off needs to be
   understood by implementers of this specification.

4.  Overview of Operations

   This section provides an informative (non-normative) high-level
   overview of the mechanisms described in this document.

   Imagine a case where Alice, who has the home proxy of example.com and
   the address-of-record sip:alice@example.com, wants to communicate
   with Bob at sip:bob@example.org.  They have no prior relationship,
   and Bob implements best practices to prevent impersonation attacks.

   Alice generates an INVITE and places her identity, in this case her
   address-of-record, in the From header field of the request.  She then
   sends an INVITE over TLS to an authentication service proxy for the
   example.com domain.

   The proxy authenticates Alice (possibly by sending a Digest
   authentication challenge), and validates that she is authorized to
   assert the identity that she populated in the From header field.
   This value could be Alice's AoR, but in other cases it could be some
   different value that the authentication service has authority over,
   such as a telephone number.  The proxy authentication service then
   constructs a PASSporT object which contains a JSON representations of
   headers and claims which mirror certain parts of the SIP request,
   including the identity in the From header field.  As a part of
   generating the PASSporT object, the authentication service signs a
   hash of those headers and claims with the appropriate credential for
   the identity (in this case, the certificate for example.com, which
   covers the identity sip:alice@example.com), and the signature is
   inserted by the proxy server into the Identity header field value of
   the request.  Optionally, the JSON headers and claims themselves may
   also be included in the object, encoded in the "canon" parameter of
   the Identity header.

   The proxy, as the holder of the private key for the example.com
   domain, is asserting that the originator of this request has been
   authenticated and that she is authorized to claim the identity that
   appears in the From header field.  The proxy inserts an "info"
   parameter into the Identity header that tells Bob how to acquire
   keying material necessary to validate its credentials (a public key),
   in case he doesn't already have it.

   When Bob's domain receives the request, it verifies the signature
   provided in the Identity header, and thus can validate that the
   authority over the identity in the From header field authenticated
   the user, and permitted the user to assert that From header field
   value.  This same validation operation may be performed by Bob's user
   agent server (UAS).  As the request has been validated, it is
   rendered to Bob. If the validation was unsuccessful, some other
   treatment would be applied by the receiving domain.

5.  Signature Generation and Validation

5.1.  Authentication Service Behavior

   This document specifies a role for SIP entities called an
   authentication service.  The authentication service role can be
   instantiated, for example, by an intermediary such as a proxy server
   or by a user agent.  Any entity that instantiates the authentication
   service role MUST possess the private key of one or more credentials
   that can be used to sign for a domain or a telephone number (see
   Section 6.1).  Intermediaries that instantiate this role MUST be
   capable of authenticating one or more SIP users who can register for
   that identity.  Commonly, this role will be instantiated by a proxy
   server, since these entities are more likely to have a static
   hostname, hold corresponding credentials, and have access to SIP
   registrar capabilities that allow them to authenticate users.  It is
   also possible that the authentication service role might be
   instantiated by an entity that acts as a redirect server, but that is
   left as a topic for future work.

   An authentication service adds the Identity
   header to SIP requests.
   The procedures below define field builds on the steps that must be taken when each an
   header is added.  More than one may appear ABNF [RFC4234] in a single request, and
   an authentication service may add an RFC 3261 [RFC3261]
   Section 25.  It is as follows:

   Identity header = "Identity" HCOLON signed-identity-digest SEMI ident-info \
       *( SEMI ident-info-params )
   signed-identity-digest = LDQUOT *base64-char RDQUOT
   ident-info = "info" EQUAL ident-info-uri
   ident-info-uri = LAQUOT absoluteURI RAQUOT
   ident-info-params = ident-info-alg / ident-type / canonical-str /   \
        ident-info-extension
   ident-info-alg = "alg" EQUAL token
   ident-type = "ppt" EQUAL token
   canonical-str = "canon" EQUAL LDQUOT *base64-char RDQUOT
   ident-info-extension = generic-param

   base64-char = ALPHA / DIGIT / "/" / "+"

   In addition to a request
   that already contains one or more Identity headers.  If the Identity
   header added follows extended signing procedures beyond "info" parameter, and the baseline
   given "alg" parameter
   previously defined in Section 8, then it differentiates RFC4474, this specification defines the header with a
   optional "canon" and "ppt"
   parameter per the fourth step below.

   Entities instantiating the authentication service role perform the
   following steps, in order, to generate an Identity header for parameters.  The 'absoluteURI' portion of
   ident-info-uri MUST contain a SIP
   request:

   Step 1:

   First, the authentication service must determine whether it URI; see Section 7.3 for more on
   choosing how to advertise credentials through this parameter.

   The signed-identity-digest is
   authoritative for the identity PASSporT signature component of a
   PASSporT object [I-D.ietf-stir-passport], a signature which PASSporT
   generates over the sender JSON objects contain headers and claims; some
   header and claim values will mirror elements of the SIP request.  In
   ordinary operations, the authentication service decides this by
   inspecting the URI value from the addr-spec component of From header
   field; this URI will be referred
   order to here as the 'identity field'.  If
   the identity field contains generate that signature, an implementation must construct a
   complete PASSporT object.

4.1.  PASSporT Construction

   For SIP or SIP Secure (SIPS) URI, and implementations to populate the
   user portion is not PASSporT header JSON object
   with fields from a telephone number, SIP request, the authentication service following elements message MUST extract the hostname portion of
   be placed as the identity field and compare
   it values corresponding to the domain(s) for which it is responsible (following the
   procedures in RFC 3261 [RFC3261], Section 16.4).  If the identity
   field uses the TEL URI scheme [RFC3966], or the identity field is a
   SIP or SIPS URI with a telephone number in the user portion, designated JSON keys:

      First, per baseline [I-D.ietf-stir-passport], the
   authentication service determines whether or not it is responsible
   for this telephone number; see Section 7.1 for more information.  An
   authentication service proceeding with a signature over a telephone
   number JSON key "typ"
      key MUST then follow the canonicalization procedures described in
   Section 7.2.  If have the authentication service is not authoritative for value "passport".

      Second, the identity in question, it SHOULD process and forward JSON key "alg" MUST mirror the request
   normally unless value of the local policy is to block such requests.  The
   authentication service MUST NOT add an optional
      "alg" parameter in the SIP Identity header field.  Note if the
   authentication service does not have the authority to make the claim
   it asserts.

   Step 2:

   The authentication service MUST then determine whether or not
      "alg" parameter is absent from the
   sender of Identity header, the request default
      value is authorized "ES256".

      Third, the JSON key "x5u" MUST have a value equivalent to claim the identity given
      quoted URI in the identity field.  In order to do so, "info" parameter.

      Fourth, the authentication service optional JSON key "ppt", if present, MUST authenticate have a value
      equivalent to the sender quoted value of the message.  Some possible ways in
   which this authentication might be performed include: "ppt" parameter of the
      Identity header field.  If the authentication service "ppt" parameter is instantiated by a SIP
      intermediary (proxy server), it may authenticate absent from the request with
      header field, the authentication scheme used for registration "ppt" key MUST NOT not appear in its domain
      (e.g., Digest authentication).

      If the authentication service is instantiated by JSON header
      object.

   For example:

   { "typ":"passport",
     "alg":"ES256",
     "x5u":"https://www.example.com/cert.pkx" }

   To populate the PASSporT claims JSON object from a SIP user agent,
      a user agent may authenticate its own user through any system-
      specific means, perhaps simply by virtue of having physical access request, the
   following elements MUST be placed as values corresponding to the user agent.

   Authorization of
   designated JSON keys:

      First, the use of JSON "orig" array MUST be populated.  If the
      originating identity is a particular username or telephone number
   in the user part of number, then the From header field is array MUST be
      populated with a matter "tn" claim with a value set to the value of local policy
   for the authentication service; see
      quoted originating identity, a canonicalized telephone number (see
      Section 6.1 for more information.

   Note that this check is performed only on 8.3).  Otherwise, the addr-spec in array MUST be populated with a "uri"
      claim, set to the
   identity field (e.g., value of the URI AoR of the sender, like
   'sip:alice@atlanta.example.com'); it does not convert UA sending the display-
   name portion message
      as taken from addr-spec of the From header field (e.g., 'Alice Atlanta').  For
   more information, see field, per the
      procedures in Section 12.6.

   Step 3:

   An authentication service MUST add a Date header field to SIP
   requests that do not have one.  The authentication service 8.5.

      Second, the JSON "dest" array MUST
   ensure that any preexisting Date header in be populated.  If the request
      destination identity is accurate.
   Local policy can dictate precisely how accurate the Date must be; a
   RECOMMENDED maximum discrepancy of sixty seconds will ensure that telephone number, then the
   request is unlikely array MUST be
      populated with a "tn" claim with a value set to upset any verifiers.  If the Date header
   contains value of the
      quoted destination identity, a time different by more than one minute from canonicalized telephone number (see
      Section 8.3).  Otherwise, the current
   time noted by array MUST be populated with a "uri"
      claim, set to the authentication service, value of the authentication service
   SHOULD reject addr-spec component of the request.  This behavior To
      header field, which is not mandatory because a
   user agent client (UAC) could only exploit the Date header in order
   to cause a request AoR to fail verification; which the Identity header request is not
   intended being sent,
      per the procedures in Section 8.5.

      Third, the JSON key "iat" MUST appear, set to provide a source the value of non-repudiation or a perfect record
      quoted encoding of when messages are processed.  Finally, the authentication service
   MUST verify that both value of the SIP Date header field as a
      JSON NumericDate (as UNIX time, per [RFC7519] Section 2).

      Fourth, if the request contains an SDP message body, and if that
      SDP contains one or more "a=fingerprint" attributes, then the current time fall
   within JSON
      key "mky" MUST appear with the validity period algorithm(s) and value(s) of its credential.

   See the
      fingerprint attributes (if they differ), following the format
      given in [I-D.ietf-stir-passport] Section 12 for 3.2.2.2.

   For example:

   { "orig":{"tn":"12155551212"},
     "dest":{"tn":"12155551213"},
     "iat":"1443208345" }

   For information on the security properties of these SIP message
   elements, and why their inclusion mitigates replay attacks, see
   Section 12.  Note that future extensions to the PASSporT object could
   introduce new claims, and that further SIP procedures could be
   required to extract information from the SIP request headers to
   populate the values of those claims; see Section 9.

   The "orig" and "dest" arrays may contain identifiers of heterogeneous
   type; for example, the "orig" array might contain a "tn" claim, while
   the "dest" contains a "uri" claim.  Also note that in some cases, the
   "orig" and "dest" arrays might be populated with more than one value.
   This could for example occur when multiple "dest" identities are
   specified in a meshed conference.  Defining how a SIP implementation
   would provision multiple originating or destination identities is
   left as a subject for future specification.

   After these two JSON objects, the header and claims, have been
   constructed and base64-encoded, they must each be hashed per
   [I-D.ietf-stir-passport] Section 3.3.  The signed value of those
   concatenated hashes then becomes the signed-identity-digest of the
   Identity header field.  The hashing and signing algorithm is
   specified by the 'alg' parameter of the Identity header field and the
   mirrored "alg" parameter of PASSporT.  This specification inherits
   from the PASSporT specification one value for the 'alg' parameter:
   'ES256', as defined in [RFC7519], which connotes an ECDSA P-256
   digital signature.  All implementations of this specification MUST
   support the required signing algorithms of PASSporT.

   The PASSporT signature that serves as the signed-identity-digest for
   the SIP Identity header field constitutes only the base64 encoded
   signed hash, omitting the leading '.' of JWS.

   The complete form of the Identity header field will therefore look
   like the following example:

   Identity: "sv5CTo05KqpSmtHt3dcEiO/1CWTSZtnG3iV+1nmurLXV/Hmty \
    NS7Ltrg9dlxkWzoeU7d7OV8HweTTDobV3itTmgPwCFjaEmMyEI3d7SyN21y \
    NDo2ER/Ovgtw0Lu5csIppPqOg1uXndzHbG7mR6Rl9BnUhHufVRbp51Mn3w0 \
    gfUs=";info=<https://biloxi.example.org/biloxi.cer>;alg=ES256

4.1.1.  'canon' and PASSporT

   As Appendix F of the JWS specification [RFC7515] notes, there are
   cases where "it is useful to integrity-protect content that is not
   itself contained in a JWS."  Since the fields that make up the
   majority of the PASSporT header and claims have values replicated in
   the SIP request, the SIP usage of PASSporT may exclude the base64
   encoded version of the header and claims JSON objects from the
   Identity header field and instead present a detached signature.  Only
   the signature component of the PASSporT object is REQUIRED for SIP,
   as it forms the contents of the signed-identity-digest field.
   Optionally, as a debugging measure or optimization, the
   base64-encoded concatenation of the JSON header and the claims MAY be
   included as a value of a "canon" parameter of the Identity header
   field.  Note however that the use of some future extensions could
   require "canon" (see Section 9).

   When the "canon" parameter is present, it is populated per the
   [I-D.ietf-stir-passport] Section 3.2 payload of PASSporT.  However,
   no trailing '.' is included: the string consists solely of the base64
   encoded JSON header object, followed by a '.', followed by the base64
   encoded claims JSON object, as follows:

   Identity: "rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpj \
    lk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w"; \
    info=<https://biloxi.example.org/biloxi.c>;alg=ES256;canon= \
    "eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cH \
    M6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJkZXN0Ijp7 \
    InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdCI6IjE0NDM \
    yMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0"

   Note that the presence of the "canon" parameter adds considerably to
   the length of the Identity header field value.

5.  Example of Operations

   This section provides an informative (non-normative) high-level
   example of the operation of the mechanisms described in this
   document.

   Imagine a case where Bob, who has the home proxy of example.com and
   the address-of-record sip:12155551212@example.com, wants to
   communicate with Alice at sip:alice@example.org.  They have no prior
   relationship, and Alice implements best practices to prevent
   impersonation attacks.

   Bob's user agent generates an INVITE and places his address-of-record
   in the From header field of the request.  He then sends an INVITE to
   an authentication service proxy for his domain.

   ............................          ..............................
   .                          .          .                            .
   .                +-------+ .          . +-------+                  .
   .     Signs for  |       | .  Signed  . |       |                  .
   .     12125551xxx| Auth  |------------> | Verif |                  .
   .                |  Svc  | .  INVITE  . |  Svc  |                  .
   .                | Proxy | .          . | Proxy |                  .
   .              > +-------+ .          . +-------+ \                .
   .             /       |    .          ->           \               .
   .            /        |    .        --.             \              .
   .           /         |    .      --  .              \             .
   .          /          |    .    --    .               \            .
   .         /       +-------+.  --      .                \           .
   .        /        |       |.<-        .                 \          .
   .       /         | Cert  |.          .                  >         .
   .   +-------+     | Store |.          .                +-------+   .
   .   |       |     |       |.          .                |       |   .
   .   | Bob   |     +-------+.          .                | Alice |   .
   .   | UA    |              .          .                | UA    |   .
   .   |       |              .          .                |       |   .
   .   +-------+              .          .                +-------+   .
   .              Domain A    .          .   Domain B                 .
   ............................          ..............................

   The proxy authenticates Bob, and validates that he is authorized to
   assert the identity that he populated in the From header field.  The
   proxy authentication service then constructs a PASSporT object which
   contains a JSON representation of headers and claims which mirror
   certain parts of the SIP request, including the identity in the From
   header field value.  As a part of generating the PASSporT object, the
   authentication service signs a hash of those JSON headers and claims
   with the private key associated with the appropriate credential for
   the identity (in this example, a certificate with authority to sign
   for numbers in a range from 12155551000 to 121555519999), and the
   signature is inserted by the proxy server into the Identity header
   field value of the request.  Optionally, the JSON headers and claims
   themselves may also be included in the object, encoded in the "canon"
   parameter of the Identity header field.

   The proxy authentication service, as the holder of a private key with
   authority over Bob's telephone number, is asserting that the
   originator of this request has been authenticated and that he is
   authorized to claim the identity that appears in the From header
   field.  The proxy inserts an "info" parameter into the Identity
   header field that tells Alice how to acquire keying material
   necessary to validate its credentials (a public key), in case she
   doesn't already have it.

   When Alice's domain receives the request, a proxy verification
   service validates the signature provided in the Identity header
   field, and then determines that the authentication service
   credentials demonstrate authority over the identity in the From
   header field.  This same validation operation might be performed by a
   verification service in Alice's user agent server.  Ultimately, this
   valid request is rendered to Alice.  If the validation were
   unsuccessful, some other treatment could be applied by the receiving
   domain or Alice's user agent.

5.1.  Example Identity Header Construction

   For the following SIP request:

    INVITE sip:bob@biloxi.example.org SIP/2.0
    Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
    To: Alice <sip:alice@example.com>
    From: Bob <sip:12155551212@example.com>;tag=1928301774
    Call-ID: a84b4c76e66710
    CSeq: 314159 INVITE
    Max-Forwards: 70
    Date: Fri, 25 Sep 2015 19:12:25 GMT
    Contact: <sip:12155551212@gateway.example.com>
    Content-Type: application/sdp
    Content-Length: 147

    v=0
    o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
    s=Session SDP
    c=IN IP4 pc33.atlanta.example.com
    t=0 0
    m=audio 49172 RTP/AVP 0
    a=rtpmap:0 PCMU/8000

   An authentication service will create a corresponding PASSporT
   object.  The properly-serialized PASSporT header and claims JSON
   objects would look as follows.  For the header, the values chosen by
   the authentication service at "example.org" might read:

   {"alg":"ES256","typ":"passport","x5u":"https://cert.example.org/
      passport.cer"}

   The serialized claims will derive from the SIP request (the From, To,
   and Date header field values) as follows:

   {"dest":{"uri":["sip:alice@example.com"]},"iat":"1443208345",
     "orig":{"tn":"12155551212"}}

   The authentication service would then generate the signature over the
   object following the procedures in [I-D.ietf-stir-passport]
   Section 3.3.  That signature would look as follows:

   rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \
    ojNCpTzO3QfPOlckGaS6hEck7w

   An authentication service signing this request would thus generate
   and add to the request an Identity header field of the following
   form:

   Identity: "rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpj \
    lk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w"; \
    info=<https://biloxi.example.org/biloxi.c>

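   To make the construction in Sections 4.1, 4.1.1 and 5.1 concrete, the
   following is an added Python example; it is not code from this draft
   or from any STIR implementation.  It derives the PASSporT header and
   claims from the request above, produces the "canon" parameter value,
   and performs the consistency checks that "canon" makes possible on the
   verification side: whether the signer's "orig" and "dest" match the
   verifier's own canonicalization of the From and To header fields,
   whether the signer's "iat" agrees with the Date header field, and
   whether the Date lies within the sixty-second freshness window the
   authentication service is told to expect.  Assumptions: the
   digits-only rule in identity_claim stands in for the Section 8.3
   canonicalization; the ES256 signature itself is neither computed nor
   checked, since that requires an ECDSA library and the signer's key;
   the sample request is the Section 5.1 request with its body omitted,
   as the baseline claims do not cover it.

```python
import base64
import json
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the Section 5.1 request's header block, body omitted.
SAMPLE_REQUEST = """\
INVITE sip:bob@biloxi.example.org SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
To: Alice <sip:alice@example.com>
From: Bob <sip:12155551212@example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Date: Fri, 25 Sep 2015 19:12:25 GMT
Contact: <sip:12155551212@gateway.example.com>
Content-Type: application/sdp
Content-Length: 147

"""

# The "canon" value shown in Section 4.1.1, continuation lines joined.
DRAFT_CANON = (
    "eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cH"
    "M6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJkZXN0Ijp7"
    "InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdCI6IjE0NDM"
    "yMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0"
)
# The Section 4.1.1 Identity header field value, continuation lines joined.
DRAFT_IDENTITY = (
    '"rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs'
    'ojNCpTzO3QfPOlckGaS6hEck7w";info=<https://biloxi.example.org/biloxi.c>;'
    'alg=ES256;canon="' + DRAFT_CANON + '"'
)


def b64url(data: bytes) -> str:
    """base64url without padding, the JWS encoding PASSporT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> str:
    """Lexicographically ordered keys, no whitespace: the serialization
    that reproduces the draft's example strings byte for byte."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sip_headers(msg: str) -> dict:
    """Minimal header parser: lower-cased name -> value of first occurrence."""
    hdrs = {}
    for line in msg.split("\n")[1:]:        # skip the request line
        if not line.strip():
            break                           # end of the header block
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())
    return hdrs


ADDR_SPEC = re.compile(r"<([^>]+)>")


def identity_claim(header_value: str):
    """Map a From/To addr-spec to a ("tn", number) or ("uri", addr-spec) claim.
    Assumption: a user part made only of digits is a telephone number; the
    Section 8.3 canonicalization handles far more than this."""
    m = ADDR_SPEC.search(header_value)
    addr_spec = m.group(1) if m else header_value.split(";")[0].strip()
    user = addr_spec.split(":", 1)[1].split("@", 1)[0]
    return ("tn", user) if user.isdigit() else ("uri", addr_spec)


def date_to_iat(date_value: str) -> int:
    """SIP Date header field value -> UNIX time (JSON NumericDate)."""
    return int(parsedate_to_datetime(date_value).timestamp())


def build_claims(msg: str) -> dict:
    """Section 4.1 baseline claims ("orig", "dest", "iat") from the request."""
    h = sip_headers(msg)
    okind, ovalue = identity_claim(h["from"])
    dkind, dvalue = identity_claim(h["to"])
    return {
        "orig": {okind: ovalue},
        # The draft's examples carry a "uri" destination as a JSON array
        # and a "tn" as a plain string; mirror that.
        "dest": {dkind: [dvalue] if dkind == "uri" else dvalue},
        "iat": str(date_to_iat(h["date"])),   # quoted, as in the draft's examples
    }


def passport_header(x5u: str) -> dict:
    return {"alg": "ES256", "typ": "passport", "x5u": x5u}


def canon_parameter(header: dict, claims: dict) -> str:
    """Section 4.1.1: base64url(header) '.' base64url(claims), no trailing '.'."""
    return b64url(compact_json(header).encode()) + "." + b64url(compact_json(claims).encode())


def parse_identity_header(value: str) -> dict:
    """Split an Identity header field value into its signature and parameters."""
    sig, _, params = value.partition(";")
    out = {"signature": sig.strip().strip('"')}
    for p in params.split(";"):
        k, _, v = p.partition("=")
        out[k.strip()] = v.strip().strip('"').strip("<>")
    return out


def check_canon(msg: str, identity_value: str, now: int, max_skew: int = 60) -> dict:
    """Verifier-side checks that "canon" enables before any signature work."""
    params = parse_identity_header(identity_value)
    hdr_b64, _, claims_b64 = params["canon"].partition(".")
    signer_header = json.loads(b64url_decode(hdr_b64))
    signer_claims = json.loads(b64url_decode(claims_b64))
    own = build_claims(msg)
    date_iat, signer_iat = int(own["iat"]), int(signer_claims["iat"])
    return {
        "alg_matches": signer_header.get("alg") == params.get("alg"),
        "identities_agree": signer_claims.get("orig") == own["orig"]
                            and signer_claims.get("dest") == own["dest"],
        "iat_matches_date": signer_iat == date_iat,     # Date altered in transit?
        "date_fresh": abs(now - date_iat) <= max_skew,
        "signer_iat_fresh": abs(now - signer_iat) <= max_skew,
    }
```

   A "date_fresh" but not "iat_matches_date" result is the situation the
   438 retry text in Section 6.1 Step 5 describes: an intermediary has
   rewritten the Date header field, and without "canon" the verifier
   would have no way to tell that from a forged request.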
6.  Signature Generation and Validation

   SIP entities that instantiate the authentication service and
   verification service roles will, respectively, generate and validate
   the Identity header and the signature it contains.

6.1.  Authentication Service Behavior

   Any entity that instantiates the authentication service role MUST
   possess the private key of one or more credentials that can be used
   to sign for a domain or a telephone number (see Section 7.1).  The
   authentication service role can be instantiated, for example, by an
   intermediary such as a proxy server or by a user agent.
   Intermediaries that instantiate this role MUST be capable of
   authenticating one or more SIP users who can register for that
   identity.  Commonly, this role will be instantiated by a proxy
   server, since proxy servers are more likely to have a static
   hostname, hold corresponding credentials, and have access to SIP
   registrar capabilities that allow them to authenticate users.  It is
   also possible that the authentication service role might be
   instantiated by an entity that acts as a redirect server, but that is
   left as a topic for future work.

   An authentication service adds the Identity header field to SIP
   requests.  The procedures below define the steps that must be taken
   when each Identity header field is added.  More than one Identity
   header field may appear in a single request, and an authentication
   service may add an Identity header field to a request that already
   contains one or more Identity header fields.

   Entities instantiating the authentication service role perform the
   following steps, in order, to generate an Identity header field for a
   SIP request:

   Step 1: Check Authority for the Identity

   First, the authentication service must determine whether it is
   authoritative for the identity of the originator of the request.  The
   authentication service extracts the identity from the URI value from
   the "identity field"; in ordinary operations, that is the addr-spec
   component of the From header field.  In order to determine whether
   the signature for the identity field should be over the entire
   identity field URI or just a telephone number, the authentication
   service MUST follow the process described in Section 8.1.  That
   section will either lead to the telephone number canonicalization
   procedures in Section 8.3 for telephone numbers, or to the URI
   normalization procedures described in Section 8.5 for domain names.
   Whichever the result, if the authentication service is not
   authoritative for the identity in question, it SHOULD process and
   forward the request normally unless the local policy is to block such
   requests.  The authentication service MUST NOT add an Identity header
   field if the authentication service does not have the authority to
   make the claim it asserts.

   Step 2: Authenticate the Originator

   The authentication service MUST then determine whether or not the
   originator of the request is authorized to claim the identity given
   in the identity field.  In order to do so, the authentication service
   MUST authenticate the originator of the message.  Some possible ways
   in which this authentication might be performed include:

      If the authentication service is instantiated by a SIP
      intermediary (proxy server), it may authenticate the request with
      the authentication scheme used for registration in its domain
      (e.g., Digest authentication).

      If the authentication service is instantiated by a SIP user agent,
      a user agent may authenticate its own user through any system-
      specific means, perhaps simply by virtue of having physical access
      to the user agent.

   Authorization of the use of a particular username or telephone number
   in the user part of the From header field is a matter of local policy
   for the authentication service; see Section 7.1 for more information.

   Note that this check is performed only on the addr-spec in the
   identity field (e.g., the URI of the originator, like
   'sip:alice@atlanta.example.com'); it does not cover the display-name
   portion of the From header field (e.g., 'Alice Atlanta').  For more
   information, see Section 12.6.

   Step 3: Verify Date is Present and Valid

   An authentication service MUST add a Date header field to SIP
   requests that do not have one.  The authentication service MUST
   ensure that any preexisting Date header field in the request is
   accurate.  Local policy can dictate precisely how accurate the Date
   must be; a RECOMMENDED maximum discrepancy of sixty seconds will
   ensure that the request is unlikely to upset any verifiers.  If the
   Date header field value contains a time different by more than one
   minute from the current time noted by the authentication service, the
   authentication service SHOULD reject the request.  This behavior is
   not mandatory because a user agent client (UAC) could only exploit
   the Date header field in order to cause a request to fail
   verification; the Identity header field is not intended to provide a
   perfect record of when messages are processed.  Finally, the
   authentication service MUST verify that both the Date header field
   and the current time fall within the validity period of its
   credential.

   See Section 12.1 for information on how the Date header field assists
   verifiers.

   Step 4: Populate and Add the Identity Header

   Subsequently, the authentication service MUST form a PASSporT object
   and add a corresponding Identity header field to the request
   containing this signature.  For the baseline PASSporT header (headers
   containing no "ppt" parameter), this follows the procedures in
   Section 4; if the authentication service is using an alternative
   "ppt" format, it MUST add an appropriate "ppt" parameter and follow
   the procedures associated with that extension (see Section 9).  After
   the Identity header field has been added to the request, the
   authentication service MUST also add an "info" parameter to the
   Identity header field.  The "info" parameter contains a URI from
   which the authentication service's credential can be acquired; see
   Section 7.3 for more on credential acquisition.

   Step 5: Add "canon", if Needed

   An authentication service MAY add a "canon" parameter to the Identity
   header field.  The presence of "canon" is OPTIONAL because the
   information carried in the baseline PASSporT object's headers and
   claims is usually redundant with information already carried
   elsewhere in the SIP request.  Omitting "canon" can significantly
   reduce SIP message size, especially when the PASSporT object contains
   media keys.  The syntax of "canon" is given in Section 4.1.1;
   essentially, it contains a base64 encoding of the JSON header and
   claims in the PASSporT object.

   When however an authentication service creates a PASSporT object that
   uses extension claims beyond the baseline PASSporT object, including
   "canon" is REQUIRED in order for the verification service to be
   capable of validating the signature.  See Section 9.

   Also, in some cases, a request signed by an authentication service
   will be rejected by the verification service on the receiving side,
   and the authentication service will receive a SIP 4xx status code in
   the backwards direction, such as a 438 indicating a verification
   failure.  If the authentication service did not originally send the
   Identity header field with the "canon" parameter, it SHOULD retry a
   request once after receiving a 438 response, this time including the
   "canon".  The information in "canon" is useful on the verification
   side for debugging errors, and there are some known causes of
   verification failures (such as the Date header field value changing
   in transit, see Section 12.1 for more information) that can be
   resolved by the inclusion of "canon".

   Finally, the authentication service forwards the message normally.

6.2.  Verifier Behavior

   This document specifies a logical role for SIP entities called a
   verification service, or verifier.  When a verifier receives a SIP
   message containing one or more Identity header fields, it inspects
   the signature(s) to verify the identity of the originator of the
   message.  The results of a verification are provided as input to an
   authorization process that is outside the scope of this document.

   A SIP request may contain zero, one, or more Identity header fields.
   A verification service performs the steps below on each Identity
   header field that appears in a request.  If the verifier does not
   support an Identity header field "ppt" parameter that is present, or
   if no Identity header field is present at all, and the presence of an
   Identity header field is required by local policy (for example, based
   on a per-sending-domain policy, or a per-sending-user policy), then a
   428 'Use Identity Header' response MUST be sent in the backwards
   direction.  For more on this and other verifier responses, see
   Section 6.2.2.

   In order to verify an Identity header field in a message, an entity
   acting as a verifier MUST perform the following steps, in the order
   here specified.  Note that when an Identity header field contains the
   optional "canon" parameter, the verifier MUST follow the additional
   procedures in Section 6.2.3.

   Step 1: Check for an Unsupported "ppt"

   The verifier MUST inspect any optional "ppt" parameter appearing in
   the Identity request.  If no "ppt" parameter is present, then the
   verifier proceeds normally below.  If a "ppt" parameter value is
   present, and the verifier does not support it, it MUST ignore the
   Identity header field.  If a supported "ppt" parameter value is given in
   [I-D.ietf-stir-certificates], but this specification can work
   present, the verifier proceeds with
   other credential systems; for example, using Step 2, and will ultimately
   follow the DNS was proposed "ppt" variations described in
   [I-D.kaplan-stir-cider]. Step 5.

   Step 2: Determine the Originator's Identity

   In order to determine whether the signature for the identity field
   should be over the entire identity field URI or just a credential system to work with this mechanism, its
   specification must detail:

      which URIs schemes telephone
   number, the credential will use verification service MUST follow the process described in
   Section 8.1.  That section will either lead to the "info"
      parameter, and any special telephone number
   canonicalization procedures required in Section 8.3 for telephone numbers, or
   to dereference the
      URIs

      how the URI normalization procedures described in Section 8.5 for
   domain names.

   Step 3: Identify Credential for Validation

   The verifier can learn the scope of must ensure that it possesses the credential

      any special procedures required to extract proper keying material from
   to validate the resources designated by signature in the Identity header field, which usually
   involves dereferencing a URI

      any algorithms required to validate in the credentials (e.g. "info" parameter of the Identity
   header field.  See Section 7.2 for
      certificates, any algorithms used by certificate authorities to
      sign certificates themselves)

   It is furthermore required that all credential specifications
   describe how more information on these
   procedures.  If the associated credentials will verifier does not support the mandatory
   signing algorithm(s) required by PASSporT [I-D.ietf-stir-passport].

   SIP entities cannot reliably predict where SIP requests will
   terminate.  When choosing a credential scheme
   described in the "info" parameter, then it treats the credential for deployments of
   this
   specification, it is therefore essential that header field as unsupported.

   Step 4: Check the trust anchor(s) for
   credentials be widely trusted, or Freshness of Date

   The verifier furthermore ensures that deployments restrict the use value of this mechanism to environments where the reliance on particular
   trust anchors Date header
   field of the request meets local policy for freshness (sixty seconds
   is assured by business arrangements or similar
   constraints.

   Note RECOMMENDED) and that it falls within the validity period of the
   credential systems must address key lifecycle management
   concerns: were a domain used to change sign the credential available at Identity header field.  For more on the
   Identity-Info URI before a verifier evaluates a request signed by an
   authentication service,
   attacks this would cause obvious prevents, see Section 12.1.  If the "canon" parameter is
   present, the verifier failures.
   When a rollover occurs, authentication services SHOULD thus provide
   new Identity-Info URIs for each new credential, and SHOULD continue
   to make older key acquisition URIs available for a duration longer
   than the plausible lifetime of a SIP transaction (a minute would most
   likely suffice).

7.  Identity Types

   This specification focuses primarily on cases where compare the called and
   calling parties identified "iat" value in the To and From "canon"
   to the Date header field values use
   telephone numbers, as this remains the dominant use case value in the
   deployment of SIP.  However, this specification also works with
   "greenfield" identifiers (of request.  If the form "sip:user@host"), two are
   different, and
   potentially other identifiers when SIP interworks with another
   protocol.

   The guidance in this section also applies to extracting the URI
   containing "iat" value is later but within verification
   service policy for freshness, the verification service SHOULD perform
   the originator's identity from computation required by Step 5 using the P-Asserted-Identity
   header field "iat" value instead of
   the From Date header field value.  In some
   environments,

   Step 5: Validate the P-Asserted-Identity Signature

   The verifier MUST validate the signature in the Identity header field is used in lieu of
   over the From PASSporT object.  For baseline PASSporT objects (with no
   Identity header field to convey "ppt" parameter) the address-of-record or telephone
   number of verifier MUST follow the sender of a request; while it is not envisioned that
   many of those networks would or should make use of
   procedures for generating the Identity
   mechanism signature over a PASSporT object
   described in this specification, where they do, local
   policy might therefore dictate that Section 4.  If a "ppt" parameter is present (and per
   Step 1, is supported), the canonical identity derive
   from verifier follows the P-Asserted-Identity header field rather than procedures for that
   "ppt" (see Section 9).  If a verifier determines that the From.

   Ultimately, in any case where local policy canonicalizes that the idenity
   into a form different from how it appears
   signature in the From header field,
   the use of Identity does not correspond to the "canon" parameter by authentication services is
   RECOMMENDED, but because "canon" itself could reconstructed
   signed-identity-digest, then divulge
   information about users or networks, implementers the Identity header field should be mindful
   considered invalid.

6.2.1.  Authorization of Requests

   The verification of an Identity header field does not entail any
   particular treatment of the request.  The handling of the message
   after the verification process depends on how the verification
   service is implemented and on local policy.  This specification does
   not propose any authorization policy for user agents or proxy servers
   to follow based on the presence of a valid Identity header field, the
   presence of an invalid Identity header field, or the absence of an
   Identity header field, or a stale Date header field value, but it is
   anticipated that local policies could involve making different
   forwarding decisions in intermediary implementations, or changing how
   the user is alerted, or how identity is rendered, in user agent
   implementations.

   The presence of multiple Identity header fields within a message
   raises the prospect that a verification service could receive a
   message containing some valid and some invalid Identity header
   fields.  As a guideline, this specification recommends that only if a
   verifier determines all Identity header fields within a message are
   invalid should the request be considered to have an invalid identity.

6.2.2.  Response Codes Sent by a Verification Service

   RFC4474 originally defined four response codes for failure conditions
   specific to the Identity header field and its original mechanism.
   These status codes are retained in this specification, with some
   slight modifications.  Also, this specification details responding
   with 403 when a stale Date header field value is received.

   A 428 response will be sent (per Section 6.2) when an Identity header
   field is required, but no Identity header field without a "ppt"
   parameter, or with a supported "ppt" value, has been received.  In
   the case where one or more Identity header fields with unsupported
   "ppt" values have been received, then a verification service may send
   a 428 with the special reason phrase "Use Supported PASSporT Format".
   Note however that this specification gives no guidance on how a
   verification service might decide to require an Identity header field
   for a particular SIP request.  Such authorization policies are
   outside the scope of this specification.

   The 436 'Bad Identity Info' response code indicates an inability to
   acquire the credentials needed by the verification service for
   validating the signature in an Identity header field.  Again, given
   the potential presence of multiple Identity header fields, this
   response code should only be sent when the verification service is
   unable to dereference and/or acquire the credentials associated with
   all Identity header fields in the request.  This failure code could
   be repairable if the authentication service resends the request with
   an 'info' parameter pointing to a credential that the verification
   service can access.

   The 437 'Unsupported Credential' is sent when a verification service
   can acquire, or already holds, the credential represented by the
   'info' parameter of at least one Identity header field in the
   request, but does not support said credential(s), for reasons such as
   failing to trust the issuing CA, or failing to support the algorithm
   with which the credential was signed.

   The 438 'Invalid Identity Header' response indicates that of the set
   of Identity header fields in a request, no header field with a valid
   and supported PASSporT object has been received.  Like the 428
   response, this is sent by a verification service when its local
   policy dictates that a broken signature in an Identity header field
   is grounds for rejecting a request.  Note that in some cases, an
   Identity header field may be broken for other reasons than that an
   originator is attempting to spoof an identity: for example, when a
   transit network alters the Date header field of the request.  Relying
   on the full PASSporT object presented through the "canon" parameter
   can repair some of these conditions (see Section 6.2.3), so the
   recommended way to attempt to repair this failure is to retry the
   request with "canon".

   Finally, a 403 with the reason phrase 'Stale Date' response may be
   sent when the verification service receives a request with a Date
   header field value that is older than the local policy for freshness
   permits.  The same response may be used when the "iat" in the "canon"
   parameter of a request has a value older than the local policy for
   freshness permits.

6.2.3.  Handling 'canon' parameters

   If the optional "canon" parameter of the Identity header field is
   present, it contains a base64 encoding of the header and claim
   component of the PASSporT object constructed by the authentication
   service (see Section 4.1.1).  The verification service can thus
   extract from it the canonical telephone number created by the
   authentication service, as well as an "iat" claim corresponding to
   the Date header field that the authentication service used.  These
   may be used to debug canonicalization problems, or to avoid
   unnecessary signature breakage caused by intermediaries that alter
   the Date header field value in transit.

   As an optimization, when "canon" is present, the verification service
   MAY compute its own canonicalization of an originating telephone
   number and compare it to the values in the "canon" parameter before
   performing any cryptographic functions in order to ascertain whether
   or not the two ends agree on the canonical form.
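
   Steps 1 and 4 of the verifier procedure above together with the "canon" handling of Section 6.2.3, as an added Python example that is not part of this draft: it parses one Identity header field, ignores a header field with an unsupported "ppt", and selects either the Date value or the "iat" value for the Step 5 computation, or flags the request as stale. It assumes an Identity header field value of a quoted digest followed by ";"-separated parameters (per this document's ABNF), a "canon" value laid out as base64url(PASSporT header) "." base64url(PASSporT claims), and constructed sample values.

```python
"""Verifier checks from Section 6.2 (Steps 1 and 4) and Section 6.2.3.
Added example, not code from the draft.  Assumed: an Identity header field
value is the quoted digest followed by ";"-separated parameters (per the
ABNF), and "canon" is base64url(PASSporT header) "." base64url(claims)."""
import base64
import json
from email.utils import parsedate_to_datetime

FRESHNESS_SECONDS = 60       # "sixty seconds is RECOMMENDED" (Step 4)
SUPPORTED_PPT = frozenset()  # baseline verifier: no PASSporT extensions

def _split_params(value):
    """Split on ';' except inside "..." or <...> (an "info" URI may hold ';')."""
    out, buf, quoted, bracket = [], [], False, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in "<>" and not quoted:
            bracket = ch == "<"
        if ch == ";" and not quoted and not bracket:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf))
    return [p.strip() for p in out]

def parse_identity(value):
    """Return (signed-identity-digest, {name: value}); the "info" value loses
    its angle brackets and parameter names are lower-cased."""
    parts = _split_params(value)
    params = {}
    for part in parts[1:]:
        name, _, val = part.partition("=")
        params[name.strip().lower()] = val.strip().strip("<>")
    return parts[0].strip('"'), params

def ppt_supported(params):
    """Step 1: a header field carrying an unsupported "ppt" is ignored."""
    return params.get("ppt") is None or params["ppt"] in SUPPORTED_PPT

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s):
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def make_canon(header, claims):
    """Build a "canon" value in the assumed layout (used for sample input)."""
    return _b64url_encode(header) + "." + _b64url_encode(claims)

def decode_canon(canon):
    """Section 6.2.3: recover the PASSporT header and claims from "canon"."""
    hdr, _, claims = canon.partition(".")
    return _b64url_decode(hdr), _b64url_decode(claims)

def date_to_epoch(date_header):
    """SIP Date header field value (RFC 1123 form) -> Unix seconds."""
    return int(parsedate_to_datetime(date_header).timestamp())

def select_timestamp(date_header, params, now, freshness=FRESHNESS_SECONDS):
    """Step 4 plus the "canon" rule: the epoch second that Step 5 should use
    when rebuilding the PASSporT, or None when the request is stale (403)."""
    def fresh(ts):
        return now - ts <= freshness   # only age is policed here

    date_ts = date_to_epoch(date_header)
    if "canon" in params:
        iat = int(decode_canon(params["canon"])[1]["iat"])
        # Date and "iat" differ, "iat" is later and fresh: SHOULD use "iat"
        if iat != date_ts and iat > date_ts and fresh(iat):
            return iat
    return date_ts if fresh(date_ts) else None

def verify_request(identity_value, date_header, now):
    """Steps 1 and 4 for one Identity header field; the Step 5 signature
    check is not modelled.  Returns ("ignore"|"stale"|"verify", timestamp)."""
    _, params = parse_identity(identity_value)
    if not ppt_supported(params):
        return ("ignore", None)
    ts = select_timestamp(date_header, params, now)
    return ("verify", ts) if ts is not None else ("stale", None)

# Constructed sample input (not from the draft); the digest is a placeholder.
SAMPLE_DATE = "Wed, 24 Aug 2016 20:00:00 GMT"
SAMPLE_HEADER = {"alg": "ES256", "typ": "passport",
                 "x5u": "https://cert.example.org/passport.cer"}
SAMPLE_CLAIMS = {"orig": {"tn": "17005551008"}, "dest": {"tn": ["17005551009"]},
                 "iat": str(date_to_epoch(SAMPLE_DATE) + 90)}
SAMPLE_IDENTITY = ('"PLACEHOLDERDIGEST=="; info=<https://biloxi.example.org/cert.pem>;'
                   ' alg=ES256; canon=' + make_canon(SAMPLE_HEADER, SAMPLE_CLAIMS))

if __name__ == "__main__":
    base = date_to_epoch(SAMPLE_DATE)
    # Date is 120 s old (stale) but "iat" is only 30 s old: verify using "iat"
    print(verify_request(SAMPLE_IDENTITY, SAMPLE_DATE, base + 120))
```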

7.  Credentials

   This section gives general guidance on the use of credential systems
   by authentication and verification services, as well as requirements
   that must be met by credential systems that conform with this
   architecture.  It does not mandate any specific credential system.

   Furthermore, this specification allows either a user agent or a proxy
   server to provide the authentication service function and/or the
   verification service function.  For the purposes of end-to-end
   security, it is obviously preferable for end systems to acquire their
   own credentials; in this case user agents can act as authentication
   services.  However, for some deployments, end-user credentials may be
   neither practical nor affordable, given the potentially large number
   of SIP user agents (phones, PCs, laptops, PDAs, gaming devices) that
   may be employed by a single user.  Synchronizing keying material
   across multiple devices may be prohibitively complex and require
   quite a good deal of additional endpoint behavior.  Managing several
   credentials for the various devices could also be burdensome.  Thus,
   for reasons of credential management alone, implementing the
   authentication service at an intermediary may be more practical.
   This trade-off needs to be understood by implementers of this
   specification.

7.1.  Credential Use by the Authentication Service

   In order to act as an authentication service, a SIP entity must have
   access to the private keying material of one or more credentials that
   cover domain names or telephone numbers.  These credentials may
   represent authority over one domain (such as example.com) or a set of
   domains enumerated by the credential.  Similarly, a credential may
   represent authority over a single telephone number or a range of
   telephone numbers.  The way that the scope of a credential's
   authority is expressed is specific to the credential mechanism.

   Authorization of the use of a particular username or telephone number
   in the From header field value is a matter of local policy for the
   authentication service, one that depends greatly on the manner in
   which authentication is performed.  For non-telephone number user
   parts, one policy might be as follows: the username given in the
   'username' parameter of the Proxy-Authorization header field MUST
   correspond exactly to the username in the From header field of the
   SIP message.  However, there are many cases in which this is too
   limiting or inappropriate; a realm might use 'username' parameters in
   the Proxy-Authorization header field that do not correspond to the
   user-portion of From header fields, or a user might manage multiple
   accounts in the same administrative domain.  In this latter case, a
   domain might maintain a mapping between the values in the 'username'
   parameter of the Proxy-Authorization header field and a set of one or
   more SIP URIs that might legitimately be asserted for that
   'username'.  For example, the username can correspond to the 'private
   identity' as defined in Third Generation Partnership Project (3GPP),
   in which case the From header field can contain any one of the public
   identities associated with this private identity.  In this instance,
   another policy might be as follows: the URI in the From header field
   MUST correspond exactly to one of the mapped URIs associated with the
   'username' given in the Proxy-Authorization header field.  This is a
   suitable approach for telephone numbers in particular.

   This specification could also be used with credentials that cover a
   single name or URI, such as alice@example.com or
   sip:alice@example.com.  This would require a modification to
   authentication service behavior to operate on a whole URI rather than
   a domain name.  Because this is not believed to be a pressing use
   case, this is deferred to future work, but implementers should note
   this as a possible future direction.

   Exceptions to such authentication service policies arise for cases
   like anonymity; if the AoR asserted in the From header field uses a
   form like 'sip:anonymous@example.com' (see [RFC3323]), then the
   'example.com' proxy might authenticate only that the user is a valid
   user in the domain and insert the signature over the From header
   field as usual.

7.2.  Credential Use by the Verification Service

   In order to act as a verification service, a SIP entity must have a
   way to acquire and retain credentials for authorities over particular
   domain names, telephone numbers and/or number ranges.  Dereferencing
   the URI found in the "info" parameter of the Identity header field
   (as described in Section 7.3) MUST be supported by all verification
   service implementations to create a baseline means of credential
   acquisition.  Provided that the credential used to sign a message is
   not previously known to the verifier, SIP entities SHOULD discover
   this credential by dereferencing the "info" parameter, unless they
   have some implementation-specific way of acquiring the needed keying
   material, such as an offline store of periodically-updated
   credentials.  The 436 'Bad Identity Info' response exists for cases
   where the verification service cannot dereference the URI in the
   "info" parameter.

   This specification does not propose any particular policy for a
   verification service to determine whether or not the holder of a
   credential is the appropriate party to sign for a given SIP identity.
   Guidance on this is deferred to credential mechanism specifications.

   Verification service implementations supporting this specification
   may wish to have some means of retaining credentials (in accordance
   with normal practices for credential lifetimes and revocation) in
   order to prevent themselves from needlessly downloading the same
   credential every time a request from the same identity is received.
   Credentials cached in this manner may be indexed in accordance with
   local policy: for example, by their scope of authority, or the URI
   given in the "info" parameter value.  Further consideration of how to
   cache credentials is deferred to the credential mechanism
   specifications.

7.3.  'info' parameter URIs

   An "info" parameter MUST contain a URI which dereferences to a
   resource that contains the public key components of the credential
   used by the authentication service to sign a request.  It is
   essential that a URI in the "info" parameter be dereferencable by any
   entity that could plausibly receive the request.  For common cases,
   this means that the URI SHOULD be dereferencable by any entity on the
   public Internet.  In constrained deployment environments, a service
   private to the environment MAY be used instead.

   Beyond providing a means of accessing credentials for an identity,
   the "info" parameter further serves as a means of differentiating
   which particular credential was used to sign a request, when there
   are potentially multiple authorities eligible to sign.  For example,
   imagine a case where a domain implements the authentication service
   role for a range of telephone numbers and a user agent belonging to
   Alice has acquired a credential for a single telephone number within
   that range.  Either would be eligible to sign a SIP request for the
   number in question.  Verification services however need a means to
   differentiate which one performed the signature.  The "info"
   parameter performs that function.

7.4.  Credential System Requirements

   This document makes no recommendation for the use of any specific
   credential system.  Today, there are two primary credential systems
   in place for proving ownership of domain names: certificates (e.g.,
   X.509 v3, see [RFC5280]) and the domain name system itself (e.g.,
   DANE, see [RFC6698]).  It is envisioned that either could be used in
   the SIP identity context: an "info" parameter could for example give
   an HTTP URL of the Content-Type 'application/pkix-cert' pointing to a
   certificate (following the conventions of [RFC2585]).  The "info"
   parameter might use the DNS URL scheme (see [RFC4501]) to designate
   keys in the DNS.

   While no comparable public credentials exist for telephone numbers,
   either approach could be applied to telephone numbers.  A credential
   system based on certificates is given in
   [I-D.ietf-stir-certificates], but this specification can work with
   other credential systems; for example, using the DNS was proposed in
   [I-D.kaplan-stir-cider].

   In order for a credential system to work with this mechanism, its
   specification must detail:

      which URI schemes the credential will use in the "info"
      parameter, and any special procedures required to dereference the
      URIs

      how the verifier can learn the scope of the credential

      any special procedures required to extract keying material from
      the resources designated by the URI

      any algorithms required to validate the credentials (e.g. for
      certificates, any algorithms used by certificate authorities to
      sign certificates themselves), and

      how the associated credentials will support the mandatory signing
      algorithm(s) required by PASSporT [I-D.ietf-stir-passport].

   SIP entities cannot reliably predict where SIP requests will
   terminate.  When choosing a credential scheme for deployments of this parameter.

   The signed-identity-digest
   specification, it is therefore essential that the signed hash component trust anchor(s) for
   credentials be widely trusted, or that deployments restrict the use
   of this mechanism to environments where the reliance on particular
   trust anchors is assured by business arrangements or similar
   constraints.

   Note that credential systems must address key lifecycle management
   concerns: were a PASSporT
   object [I-D.ietf-stir-passport], a signature which PASSporT generates
   over a pair of JSON objects.  The first PASSporT object contains
   header information, and domain to change the second contains claims, following credential available at the
   conventions of JWT [RFC7519]; some
   Identity header and claim values will
   mirror elements of the SIP request.  Once these two JSON objects have
   been generated, they will be encoded, then hashed with field "info" parameter URI before a SHA-256
   hash.  Those two hashes are then concatenated (header then claims)
   into verifier
   evaluates a string separated request signed by an authentication service, this would
   cause obvious verifier failures.  When a single "." per baseline PASSporT.
   Finally, that string is signed rollover occurs,
   authentication services SHOULD thus provide new "info" URIs for each
   new credential, and SHOULD continue to generate make older key acquisition
   URIs available for a duration longer than the signed-identity-digest
   value plausible lifetime of the Identity header.

   For SIP implementations to populate the PASSporT header object from a
   SIP request, transaction (a minute would most likely suffice).

8.  Identity Types

   The problem statement of STIR [RFC7340] focuses primarily on cases
   where the called and calling parties identified in the To and From
   header field values use telephone numbers, as this remains the
   dominant use case in the deployment of SIP.  However, the Identity
   header mechanism also works with SIP URIs without telephone numbers
   (of the form "sip:user@host"), and potentially other identifiers when
   SIP interworks with other protocols.

   Authentication services vet the identity of the originator of a call,
   which is typically found in the From header field value.  The
   guidance in this specification also applies to extracting the
   originator's identity from the P-Asserted-Identity header field value
   instead of the From header field value.  In some environments, the
   P-Asserted-Identity header field is used in lieu of the From header
   field to convey the address-of-record or telephone number of the
   originator of a request; where it does, local policy might therefore
   dictate that the canonical identity derive from the
   P-Asserted-Identity header field rather than the From header field.

   Ultimately, in any case where local policy canonicalizes the identity
   into a form different from how it appears in the From header field,
   the use of the "canon" parameter by authentication services is
   RECOMMENDED, but because "canon" itself could then divulge
   information about users or networks, implementers should be mindful
   of the guidelines in Section 11.

8.1.  Differentiating Telephone Numbers from URIs

   It may not be trivial to tell if a given URI contains a telephone
   number.  In order to determine whether or not the user portion of a
   SIP URI is a telephone number, authentication services and
   verification services MUST perform the following procedure on any SIP
   URI they inspect which contains a numeric user part.  Note that the
   same procedures are followed for creating the canonical form of URIs
   found in the From header field as they are in the To header field or
   the P-Asserted-Identity header field.

   First, implementations must look for obvious indications that the
   user-portion of the URI constitutes a telephone number.  Telephone
   numbers most commonly appear in SIP header field values in the
   username portion of a SIP URI (e.g.,
   'sip:+17005551008@chicago.example.com;user=phone').  The user part of
   that URI conforms to the syntax of the TEL URI scheme (RFC 3966
   [RFC3966]).  It is also possible for a TEL URI to appear in the SIP
   To or From header field outside the context of a SIP or SIPS URI
   (e.g., 'tel:+17005551008').  Thus, in some environments, numbers will
   be explicitly labeled by the use of TEL URIs or the 'user=phone'
   parameter, or implicitly by the presence of the '+' indicator at the
   start of the user-portion.  Absent these indications, if there are
   numbers present in the user-portion, implementations may also detect
   that the user-portion of the URI contains a telephone number by
   determining whether or not those numbers would be dialable or
   routable in the local environment -- bearing in mind that the
   telephone number may be a valid [E.164] number, a nationally-specific
   number, or even a private branch exchange number.  Once a telephone
   number has been detected, implementations should follow the
   procedures in Section 8.3.

   If the URI field does not contain a telephone number, URI
   normalization procedures are invoked to canonicalize the URI before
   it is included in a PASSporT object in, for example, an "uri" claim.
   See Section 8.5 for that behavior.

8.2.  Authority for Telephone Numbers

   In order for telephone numbers to be used with the mechanism
   described in this document, authentication services must receive
   credentials from an authority for telephone numbers or telephone
   number ranges, and verification services must trust the authority
   employed by the authentication service that signs a request.  Per
   Section 7.4, enrollment procedures and credential management are
   outside the scope of this document; approaches to credential
   management for telephone numbers are discussed in
   [I-D.ietf-stir-certificates].

8.3.  Telephone Number Canonicalization Procedures

   Once an implementation has identified a telephone number in the URI,
   it must construct a number string.  That requires performing the
   following steps:

      Implementations MUST drop any "+"s, any internal dashes,
      parentheses or other non-numeric characters, excepting only the
      leading "#" or "*" keys used in some special service numbers
      (typically, these will appear only in the To header field value).
      This MUST result in an ASCII string limited to "#", "*" and digits
      without whitespace or visual separators.

      Next, an implementation must assess if the number string is a
      valid, globally-routable number with a leading country code.  If
      not, implementations SHOULD convert the number into E.164 format,
      adding a country code if necessary; this may involve transforming
      the number from a dial string (see [RFC3966]), removing any
      national or international dialing prefixes or performing similar
      procedures.  It is only in the case that an implementation cannot
      determine how to convert the number to a globally-routable format
      that this step may be skipped.  This will be the case, for
      example, for nationally-specific service numbers (e.g., 911, 112);
      however, the routing procedures associated with those numbers will
      likely make sure that the verification service understands the
      context of their use.

      Other transformations during canonicalization MAY be made in
      accordance with specific policies used within a local domain.  For
      example, one domain may only use local number formatting and need
      to convert all To/From header field user portions to E.164 by
      prepending country-code and region code digits; another domain
      might have prefixed usernames with trunk-routing codes, in which
      case canonicalization will need to remove the prefix.  This
      specification cannot anticipate all of the potential
      transformations that might be useful.

      The resulting canonical number string will be used as input to the
      hash calculation during signing and verifying processes.

   The ABNF of this number string is:

             tn-spec = [ "#" / "*" ] 1*DIGIT

   If the result of this procedure forms a full E.164 telephone number,
   that number is used for the purpose of creating the signed-identity-
   string by both the authentication service and verification service.
   Practically, entities that perform the authentication service role
   will sometimes alter the telephone numbers that appear in the To and
   From header field values, converting them to this format (though note
   this is not a function that [RFC3261] permits proxy servers to
   perform).  The result of the canonicalization process of the From
   header field value may also be recorded through the use of the
   "canon" parameter of the Identity header field (see Section 4).

   If the result of canonicalization of the From header field value
   does not form a valid E.164 telephone number, the authentication
   service and/or verification service SHOULD treat the entire URI as a
   SIP URI, and apply the procedures in Section 8.5.

8.4.  Authority for Domain Names

   To use a SIP URI as an identity in this mechanism requires
   authentication and verification systems to support standard
   mechanisms for proving authority over a domain name: that is, the
   domain name in the host portion of the SIP URI.

   A verifier MUST evaluate the correspondence between the user's
   identity and the signing credential by following the procedures
   defined in [RFC5922], Section 7.2.  While [RFC5922] deals with the
   use of TLS and is specific to certificates, the procedures described
   are applicable to verifying identity if one substitutes the "hostname
   of the server" for the domain portion of the user's identity in the
   From header field of a SIP request with an Identity header field.

   This process is complicated by two deployment realities.  In the
   first place, credentials have varying ways of describing their
   subjects, and may indeed have multiple subjects, especially in
   'virtual hosting' cases where multiple domains are managed by a
   single application (see [RFC5922] Section 7.8).  Secondly, some SIP
   services may delegate SIP functions to a subordinate domain and
   utilize the procedures in [RFC3263] that allow requests for, say,
   'example.com' to be routed to 'sip.example.com'.  As a result, a user
   with the AoR 'sip:alice@example.com' may process requests through a
   host like 'sip.example.com', and it may be that latter host that acts
   as an authentication service.

   To address the second of these problems, a domain that deploys an
   authentication service on a subordinate host MUST be willing to
   supply that host with the private keying material associated with a
   credential whose subject is a domain name that corresponds to the
   domain portion of the AoRs that the domain distributes to users.
   Note that this corresponds to the comparable case of routing inbound
   SIP requests to a domain.  When the NAPTR and SRV procedures of RFC
   3263 are used to direct requests to a domain name other than the
   domain in the original Request-URI (e.g., for
   'sip:alice@example.com', the corresponding SRV records point to
   'sip1.example.org'), the client expects that the certificate passed
   back in any TLS exchange with that host will correspond exactly with
   the domain of the original Request-URI, not the domain name of the
   host.  Consequently, in order to make inbound routing to such SIP
   services work, a domain administrator must similarly be willing to
   share the domain's private key with the service.  This design
   decision was made to compensate for the insecurity of the DNS, and
   it makes certain potential approaches to DNS-based 'virtual hosting'
   unsecurable for SIP in environments where domain administrators are
   unwilling to share keys with hosting services.
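
   The delegation case above is easy to get wrong in a verifier: the
   host that signs (sip.example.com) is not the identity being asserted
   (example.com).  The following Python is an added example, not code
   from this draft or from any STIR implementation, of the
   correspondence check a verifier performs between the From domain and
   the names carried in the signing credential.  The Credential class
   is a stand-in for the identities that RFC 5922 Section 7.1 extracts
   from an X.509 certificate (subjectAltName sip: URIs and dNSNames,
   with the subject CN consulted only when no subjectAltName exists);
   real code would take them from the certificate fetched through the
   "info" URI.

```python
"""Verifier check for Section 8.4: does the credential that signed the Identity
header field cover the domain portion of the From AoR?  Added example, not draft
text.  Credential stands in for the identities RFC 5922 Section 7.1 extracts from
an X.509 certificate (assumption: subjectAltName sip: URIs and dNSNames, with the
subject CN consulted only when no subjectAltName is present); real code would
take them from the certificate fetched through the "info" URI."""
import re
from dataclasses import dataclass, field


@dataclass
class Credential:
    uri_sans: list = field(default_factory=list)   # subjectAltName URI entries, e.g. "sip:example.com"
    dns_sans: list = field(default_factory=list)   # subjectAltName dNSName entries
    common_name: str = ""                          # subject CN, a fallback only


def sip_identities(cred):
    """Candidate domains, lowercased.  Wildcard names are dropped: RFC 5922
    Section 7.2 does not permit wildcard matching of SIP domain identities."""
    names = [u[4:].rpartition("@")[2] for u in cred.uri_sans if u.lower().startswith("sip:")]
    names += cred.dns_sans
    if not names and cred.common_name:
        names = [cred.common_name]
    return [n.lower() for n in names if "*" not in n]


def from_domain(addr_spec):
    """Domain portion of a SIP/SIPS addr-spec taken from From (or
    P-Asserted-Identity): host only, without userinfo, port, uri-parameters
    or headers.  Bracketed IP literals are not domain names and are rejected."""
    m = re.match(r"^(?:sips?):(?:[^@]*@)?([^;?]+)", addr_spec.strip(), re.I)
    if not m or m.group(1).startswith("["):
        raise ValueError("not a SIP/SIPS URI with a domain name: " + addr_spec)
    return m.group(1).partition(":")[0].lower()


def credential_covers(cred, addr_spec):
    """The reference identity is the From domain itself, compared exactly and
    case-insensitively.  RFC 3263 delegation (example.com served by
    sip.example.com) does not change it: a credential naming only
    sip.example.com does not cover sip:alice@example.com."""
    return from_domain(addr_spec) in sip_identities(cred)
```

   A credential whose only name is sip.example.com fails for
   sip:alice@example.com, which is exactly why the text above requires
   the domain to hand its subordinate host a credential for example.com
   itself; a multi-subject certificate covers each domain it lists, and
   wildcard names are never matched.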

8.5.  URI Normalization

   Just as telephone numbers may undergo a number of syntactic
   transformations during transit, the same can happen to SIP and SIPS
   URIs without telephone numbers as they traverse certain
   intermediaries.  Therefore, when generating a PASSporT object based
   on a SIP request, any SIP and SIPS URIs must be transformed into a
   canonical form which captures the address-of-record represented by
   the URI before they are provisioned in PASSporT claims such as "uri".
   The URI normalization procedures required are as follows.

   Following the ABNF of RFC3261, the SIP or SIPS URI in question MUST
   discard all elements after the "hostport" of the URI, including all
   uri-parameters and escaped headers, from its syntax.  Of the userinfo
   component of the SIP URI, only the user element will be retained: any
   password (and any leading ":" before the password) MUST be removed,
   and since this userinfo necessarily does not contain a telephone-
   subscriber component, no further parameters can appear in the user
   portion.

   The hostport portion of the SIP or SIPS URI MUST similarly be
   stripped of any trailing port along with the ":" that precedes the
   port, leaving only the host.

   The ABNF of this canonical URI form (following the syntax defined in
   RFC3261) is:

             canon-uri =  ( "sip" / "sips" ) ":" user "@" host

   Finally, the URI will be subject to syntax-based URI normalization
   procedures of [RFC3986] Section 6.2.2, especially to perform case
   normalization and percent-encoding normalization.  However, note that
   normalization procedures face known challenges in some
   internationalized environments (see [I-D.ietf-iri-comparison]) and
   that perfect normalization of URIs may not be possible in those
   environments.

   For future PASSporT applications, it may be desirable to provide an
   identifier without an attached protocol scheme.  Future
   specifications that define PASSporT claims for SIP as a using
   protocol could use these basic procedures, but eliminate the scheme
   component.  A more exact definition is left to future specifications.
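
   The procedures of Sections 8.1, 8.3 and 8.5 together determine what
   an authentication service places in a PASSporT "tn" or "uri" claim,
   and what a verification service must recompute from the same header
   fields.  The following Python is an added example, not code from
   this draft or from any STIR implementation: it detects a telephone
   number in a SIP, SIPS or TEL URI, builds the tn-spec string,
   converts it to E.164 where a hypothetical local dialing plan allows,
   and otherwise normalizes the URI to canon-uri form.  The
   NumberingPolicy values, the service-number list and the E.164
   plausibility test are assumptions standing in for deployment
   knowledge that the text above leaves to local policy.

```python
"""Canonical identities for PASSporT claims (Sections 8.1, 8.3 and 8.5).
Added example, not draft text; NumberingPolicy defaults, the service-number
list and the E.164 plausibility test are assumptions standing in for the
local dialing-plan knowledge the draft leaves to each deployment."""
import re
from dataclasses import dataclass

TN_SPEC = re.compile(r"^[#*]?[0-9]+$")     # tn-spec = [ "#" / "*" ] 1*DIGIT
E164 = re.compile(r"^[1-9][0-9]{7,14}$")   # assumption: 8-15 digits, no leading zero
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

@dataclass(frozen=True)
class NumberingPolicy:
    """Assumed local dialing plan; the defaults model the NANP."""
    country_code: str = "1"
    national_prefix: str = "1"     # trunk prefix dialed before a national number
    national_length: int = 10      # digits in a national significant number
    service_numbers: frozenset = frozenset({"911", "112"})
    min_dialable_digits: int = 7   # heuristic for bare digit strings (no '+', tel: or user=phone)

@dataclass
class ParsedUri:
    scheme: str
    user: str      # tel: subscriber, or SIP user without any ':password'
    host: str      # SIP host without any ':port'
    params: dict   # uri-parameters; escaped ?headers are discarded

def parse_uri(raw):
    """Minimal sip:/sips:/tel: parser that already drops what Section 8.5 discards."""
    scheme, _, rest = raw.strip().partition(":")
    scheme = scheme.lower()
    if scheme == "tel":
        userinfo, _, params = rest.partition(";")
        hostport = ""
    elif scheme in ("sip", "sips"):
        userinfo, at, hostpart = rest.partition("?")[0].partition("@")
        if not at:
            userinfo, hostpart = "", userinfo
        hostport, _, params = hostpart.partition(";")
    else:
        raise ValueError("unsupported scheme: " + scheme)
    user = userinfo.partition(":")[0]                          # strip ':password'
    host = hostport.partition("]")[0] + "]" if hostport.startswith("[") else hostport.partition(":")[0]
    pdict = dict(p.partition("=")[::2] for p in filter(None, params.split(";")))
    return ParsedUri(scheme, user, host, {k.lower(): v for k, v in pdict.items()})

def is_telephone_number(uri, policy):
    """Section 8.1: explicit markers first (tel:, user=phone, leading '+'),
    then the 'would these digits be dialable here' heuristic."""
    if uri.scheme == "tel" or uri.params.get("user") == "phone" or uri.user.startswith("+"):
        return True
    digits = re.sub(r"[-.() ]", "", uri.user)
    return digits.isdigit() and len(digits) >= policy.min_dialable_digits

def canonicalize_tn(user, policy):
    """Section 8.3: keep digits plus a leading '#' or '*', then convert to
    E.164 where the local plan permits; otherwise leave the digits alone."""
    lead = user[0] if user and user[0] in "#*" else ""
    number = lead + re.sub(r"[^0-9]", "", user)
    if not TN_SPEC.match(number):
        raise ValueError("no digits in user part %r" % user)
    if user.startswith("+") or lead or number in policy.service_numbers:
        return number                   # E.164 as given, or a number we must not rewrite
    if number.startswith(policy.country_code) and \
            len(number) == len(policy.country_code) + policy.national_length:
        return number                   # already carries the country code
    national = number
    if policy.national_prefix and number.startswith(policy.national_prefix):
        national = number[len(policy.national_prefix):]
    if len(national) == policy.national_length:
        return policy.country_code + national
    return number                       # cannot determine a global form: step skipped

def _normalize_pct(s):
    """RFC 3986 6.2.2.2: decode %XX for unreserved characters, uppercase the rest."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)

def normalize_uri(uri):
    """Section 8.5: canon-uri = ( "sip" / "sips" ) ":" user "@" host, then RFC 3986
    case and percent-encoding normalization (the SIP user part is case-sensitive)."""
    if uri.scheme not in ("sip", "sips") or not uri.user:
        raise ValueError("canon-uri needs a SIP/SIPS URI with a user part")
    return "%s:%s@%s" % (uri.scheme, _normalize_pct(uri.user), _normalize_pct(uri.host).lower())

def canonical_claim(raw_uri, policy, from_header=True):
    """Value for a PASSporT identity claim: {"tn": ...} or {"uri": ...}.  For the
    From header field a number that did not become E.164 falls back to URI
    treatment (Section 8.3, last paragraph); for To it stays a "tn" (e.g. 911)."""
    uri = parse_uri(raw_uri)
    if is_telephone_number(uri, policy):
        tn = canonicalize_tn(uri.user, policy)
        if uri.scheme == "tel" or not from_header or E164.match(tn):
            return {"tn": tn}
    return {"uri": normalize_uri(uri)}
```

   The from_header fallback in canonical_claim is the last paragraph of
   Section 8.3: a From number that cannot be made globally routable (a
   PBX extension, say) is signed as a canon-uri rather than as a bare
   digit string, while a To service number such as 911 is kept as a
   "tn" claim.  Both sides of the signature must run the same policy;
   a verifier with a different national_prefix or country_code will
   recompute a different claim and the signature will not validate.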

9.  Extensibility

   As future requirements may warrant increasing the scope of the
   Identity mechanism, this specification specifies an optional "ppt"
   parameter of the Identity header field, which mirrors the "ppt"
   header in PASSporT.  The "ppt" parameter value MUST consist of a
   token containing an extension specification, which denotes an
   extended set of one or more signed claims per the type extensibility
   mechanism specified in [I-D.ietf-stir-passport] Section 4.

   The potential for extensions is one of the primary motivations for
   allowing the presence of multiple Identity header fields in the same
   SIP request.  It is envisioned that future extensions might allow for
   alternate information to be signed, or to explicitly allow different
   parties to provide the signatures than the authorities envisioned by
   baseline STIR.  A request might, for example, have one Identity added
   by an authentication service at the originating administrative
   domain, and then another Identity header field added by some further
   intermediary using a PASSporT extension.  While this specification
   does not define any such specific purpose for multiple Identity
   header fields, implementations MUST support receiving multiple header
   fields for future compatibility reasons.

   An authentication service cannot assume that verifiers will
   understand any given extension.  Verifiers that do support an
   extension may then trigger appropriate application-level behavior in
   the presence of an extension; authors of extensions should provide
   appropriate extension-specific guidance to application developers on
   this point.

   If any claim in an extension contains a JSON value that does not
   correspond to a field of the SIP request, and the extension does not
   otherwise explain how a verification service could derive or acquire
   that value, then the optional "canon" parameter MUST be used for the
   Identity header field containing that extension.

10.  Backwards Compatibility with RFC4474

   This specification introduces several significant changes from the
   RFC4474 version of the Identity header field.  However, due to the
   problems enumerated in [I-D.rosenberg-sip-rfc4474-concerns], it is
   not believed that the original Identity header field has seen any
   deployment, or even implementation in deployed products.

   As such, this mechanism contains no provisions for signatures
   generated with this specification to work with RFC4474-compliant
   implementations, nor any related backwards-compatibility provisions.
   Hypothetically, were an RFC4474-compliant implementation to receive
   messages containing this revised version of the Identity header
   field, it would likely fail the request due to the absence of an
   Identity-Info header field with a 436 response code.  Implementations
   of this specification, for debugging purposes, might interpret a 436
   with the reason phrase of "Bad Identity-Info" as an indication that
   the request has failed because it reached a (hypothetical)
   RFC4474-compliant verification service.

11.  Privacy Considerations

   The purpose of this mechanism is to provide a reliable identification
   of the originator of a SIP request, specifically a cryptographic
   assurance that an authority asserts the originator can claim the URI
   identity stipulated in the request.  This URI may contain or imply a
   variety of personally identifying information, including the name of
   a human being, their place of work or service provider, and possibly
   further details.  The intrinsic privacy risks associated with that
   URI are, however, no different from those of baseline SIP.  Per the
   guidance in [RFC6973], implementers should make users aware of the
   privacy trade-off of providing secure identity.

   The identity mechanism presented in this document is compatible with
   the standard SIP practices for privacy described in [RFC3323].  A SIP
   proxy server can act both as an RFC3323 privacy service and as an
   authentication service.  Since a user agent can provide any From
   header field value that the authentication service is willing to
   authorize, there is no reason why private SIP URIs that contain
   legitimate domains (e.g., sip:anonymous@example.com) cannot be signed
   by an authentication service.  The construction of the Identity
   header field is the same for private URIs as it is for any other sort
   of URI.  Similar practices could be used to support opportunistic
   signing of SIP requests for UA-integrated authentication services
   with self-signed certificates, though that is outside the scope of
   this specification and is left as a matter for future investigation.

   Note, however, that even when using anonymous URIs, an
   authentication service must possess a certificate corresponding to
   the host portion of the addr-spec of the From header field of the
   request; accordingly, domains like 'anonymous.invalid' will not be
   usable by privacy services that simultaneously act as authentication
   services.  The assurance offered by the usage of anonymous URIs with
   a valid domain portion is "this is a known user in my domain that I
   have authenticated, but I am keeping its identity private".

   It is worth noting two features of this more anonymous form of
   identity.  One can eliminate any identifying information in a domain
   through the use of the domain 'anonymous.invalid', but we must then
   acknowledge that it is difficult for a domain to be both anonymous
   and authenticated.  The use of the 'anonymous.invalid' domain entails
   that no corresponding authority for the domain can exist, and as a
   consequence, authentication service functions for that domain are
   meaningless.  The second feature is more germane to the threats this
   document mitigates [RFC7375].  None of the relevant attacks, all of
   which rely on the attacker taking on the identity of a victim or
   hiding their identity using someone else's identity, are enabled by
   an anonymous identity.  As such, the inability to assert an authority
   over an anonymous domain is irrelevant to our threat model.

   [RFC3325] defines the "id" priv-value token, which is specific to the
   P-Asserted-Identity header field.  The sort of assertion provided by
   the P-Asserted-Identity header field is very different from the
   Identity header field presented in this document.  It contains
   additional information about the originator of a message that may go
   beyond what appears in the From header field; P-Asserted-Identity
   holds a definitive identity for the originator that is somehow known
   to a closed network of intermediaries.  Presumably, that network will
   use this identity for billing or security purposes.  The danger of
   this network-specific information leaking outside of the closed
   network motivated the "id" priv-value token.  The "id" priv-value
   token has no implications for the Identity header field, and privacy
   services MUST NOT remove the Identity header field when a priv-value
   of "id" appears in a Privacy header field.

   The optional "canon" parameter of the Identity header field specified
   in this document provides the complete JSON objects used to generate
   the signed-identity-digest of the Identity header field value,
   including the canonicalized form of the telephone number of the
   originator of a call, if the signature is over a telephone number.
   In some contexts, local policy may require a canonicalization which
   differs substantially from the original From header field.  Depending
   on those policies, the "canon" parameter might divulge information
   about the originating network or user that does not appear elsewhere
   in the SIP request.  Were it to be used to reflect the contents of
   the P-Asserted-Identity header field, for example, then "canon" would
   need to be removed when the P-Asserted-Identity header field is
   removed to avoid any such leakage outside of a trust domain.  Since,
   in those contexts, the canonical form of the originator's identity
   could not be reassembled by a verifier, and thus the Identity
   signature validation process would fail, using P-Asserted-Identity
   with the Identity "canon" parameter in this fashion is NOT
   RECOMMENDED outside of environments where SIP requests will never
   leave the trust domain.  As a side note, history shows that closed
   networks never stay closed, and one should design an implementation
   assuming connectivity to the broader Internet.

   Finally, note that unlike [RFC3325], the mechanism described in this
   specification adds no information to SIP requests that has privacy
   implications, apart from disclosing that an authentication service
   is willing to sign for an originator.

12.  Security Considerations

   This document describes a mechanism that provides a signature over
   the Date header field of SIP requests, parts of the To and From
   header fields, and when present any media keying material in the
   message body.  In general, the considerations related to the security
   of these header fields are the same as those given in [RFC3261] for
   including header fields in tunneled 'message/sip' MIME bodies (see
   Section 23 of RFC3261 in particular).  The following section details
   the individual security properties obtained by including each of
   these header fields within the signature; collectively, this set of
   header fields provides the necessary properties to prevent
   impersonation.  It addresses the solution-specific attacks against
   in-band solutions enumerated in [RFC7375] Section 4.1.

12.1.  Protected Request Fields

   The From header field value (in ordinary operations) indicates the
   identity of the originator of the message.  The SIP address-of-record
   URI, or an embedded telephone number, in the From header field is the
   identity of a SIP user, for the purposes of this document.  Note that
   in some deployments the identity of the originator may reside in
   P-Asserted-Identity instead.  The originator's identity is the key
   piece of information that this mechanism secures; the remainder of
   the signed parts of a SIP request are present to provide reference
   integrity and to prevent certain types of cut-and-paste attacks.

   The Date header field value protects against cut-and-paste attacks,
   as described in [RFC3261], Section 23.4.2.  That specification
   recommends that implementations notify the user of a potential
   security issue if the signed Date header field value is stale by an
   hour or more.  To prevent cut-and-paste of recently-observed
   messages, this specification instead RECOMMENDS a shorter interval of
   sixty seconds.  Implementations of this specification MUST NOT deem
   valid a request with an outdated Date header field.  Note that per
   [RFC3893] Section 10 behavior, servers can keep state of recently
   received requests, and thus if an Identity header field is replayed
   by an attacker within the Date interval, verifiers can detect that it
   is spoofed because a message with an identical Date from the same
   source had recently been received.

   It has been observed in the wild that some networks change the Date
   header field value of SIP requests in transit, and that alternative
   behavior might be necessary to accommodate that use case.
   Verification services that observe a signature validation failure MAY
   therefore reconstruct the Date header field component of the
   signature from the "iat" carried in PASSporT via the "canon"
   parameter: provided that the time recorded by "iat" falls within the
   local policy for freshness that would ordinarily apply to the Date
   header field, the verification service MAY treat the signature as
   valid, provided it keeps adequate state to detect recent replays.
   Note that this will require the inclusion of the "canon" parameter by
   authentication services in networks where such failures are observed.

   The To header field value provides the identity of the SIP user that
   this request originally targeted.  Covering the identity in the To
   header field with the Identity signature serves two purposes.  First,
   it prevents cut-and-paste attacks in which an Identity header field
   from a legitimate request for one user is cut-and-pasted into a
   request for a different user.  Second, it preserves the starting URI
   scheme of the request, which helps prevent downgrade attacks against
   the use of SIPS.  The To identity offers additional protection
   against cut-and-paste attacks beyond the Date header field.  For
   example, without a signature over the To identity, an attacker who
   receives a call from a target could immediately cut-and-paste the
   Identity and From header field values from that INVITE into a new
   request to the target's voicemail service within the Date interval,
   and the voicemail service would have no way of knowing that the
   Identity header field it received had been originally signed for a
   call intended for a different number.  However, note the caveats
   below in Section 12.1.1.
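   The Date, replay and To checks described in the preceding paragraphs,
   as an added example that is not part of this draft: a verifier that
   enforces the sixty-second freshness window, keeps the per-source
   replay state the text describes, falls back to the PASSporT "iat"
   carried in "canon" when the Date has been rewritten in transit, and
   rejects an Identity header field whose "canon" binds a different From
   or To than the request it arrived in.  Assumptions, not taken from
   the draft: the "canon" value is base64url(header).base64url(payload)
   with "orig", "dest" and "iat" claims and the Identity signature is
   computed over that string; the Identity parameter layout
   (";info=...;alg=...;canon=...") is illustrative; HMAC-SHA256 with a
   shared key stands in for the ES256 signature so the code runs without
   an ECDSA library; every telephone number, address and Date value is
   constructed.

```python
# Added example, not part of the draft: verifier-side checks on the Date, To and
# From bindings of an Identity header field.  Assumptions (see lead-in): "canon"
# carries base64url(header).base64url(payload); HMAC-SHA256 stands in for ES256;
# the Identity parameter layout and all identities below are constructed.
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

FRESHNESS_SECONDS = 60  # the interval this specification RECOMMENDS


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sip_date_to_epoch(value: str) -> int:
    # SIP-date is the RFC 1123 form with a literal GMT zone (RFC 3261 Section 20.17)
    dt = datetime.strptime(value, "%a, %d %b %Y %H:%M:%S GMT")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def tn_from_uri(uri: str) -> str:
    # Minimal canonicalization: the digits of the user part of a sip:/tel: URI
    m = re.search(r"(?:sip:|tel:)\+?([0-9.()-]+)", uri)
    return re.sub(r"\D", "", m.group(1)) if m else ""


def passport_signing_input(orig_tn: str, dest_tn: str, iat: int) -> str:
    # header.payload, the string the signature is computed over (assumed layout)
    header = {"typ": "passport", "alg": "ES256"}
    payload = {"orig": {"tn": orig_tn}, "dest": {"tn": [dest_tn]}, "iat": iat}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    return enc(header) + "." + enc(payload)


def sign(signing_input: str, key: bytes) -> str:
    # HMAC-SHA256 with a shared key stands in for the ES256 signature (assumption)
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def authentication_service(headers: dict, key: bytes, with_canon: bool) -> dict:
    """Return the request with an Identity header field added (parameter layout assumed)."""
    s = passport_signing_input(tn_from_uri(headers["From"]), tn_from_uri(headers["To"]),
                               sip_date_to_epoch(headers["Date"]))
    value = sign(s, key) + ";info=<https://cert.example.net/auth.cer>;alg=ES256"
    if with_canon:
        value += ";canon=" + s
    return {**headers, "Identity": value}


class Verifier:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # (source, Date value) -> receipt time: replay state as in RFC3893 s.10

    def verify(self, headers: dict, source: str, now: int) -> tuple:
        date_epoch = sip_date_to_epoch(headers["Date"])
        if abs(now - date_epoch) > FRESHNESS_SECONDS:
            return False, "stale Date: MUST NOT be deemed valid"
        self.seen = {k: t for k, t in self.seen.items() if now - t <= FRESHNESS_SECONDS}
        replay_key = (source, headers["Date"])
        if replay_key in self.seen:
            return False, "replay: identical Date from the same source within the interval"
        sig, _, rest = headers["Identity"].partition(";")
        params = dict(p.split("=", 1) for p in rest.split(";") if "=" in p)
        orig, dest = tn_from_uri(headers["From"]), tn_from_uri(headers["To"])
        # Ordinary path: rebuild the signed material from this request's From, To and Date
        expected = sign(passport_signing_input(orig, dest, date_epoch), self.key)
        if hmac.compare_digest(sig, expected):
            self.seen[replay_key] = now
            return True, "signature valid over From, To and Date"
        canon = params.get("canon")
        if canon is None:
            return False, "signature invalid and no canon parameter to fall back on"
        # Fallback path: Date may have been rewritten in transit, so take iat from canon,
        # but only after checking that canon binds this request's own From and To
        payload = json.loads(b64url_decode(canon.split(".")[1]))
        if payload["orig"]["tn"] != orig or dest not in payload["dest"]["tn"]:
            return False, "canon binds a different From/To: cut-and-paste suspected"
        if abs(now - int(payload["iat"])) > FRESHNESS_SECONDS:
            return False, "iat in canon is outside the freshness window"
        if not hmac.compare_digest(sig, sign(canon, self.key)):
            return False, "signature invalid over canon"
        self.seen[replay_key] = now
        return True, "Date reconstructed from iat; signature valid"


KEY = b"constructed-shared-key"  # stand-in for the authentication service's private key
NOW = sip_date_to_epoch("Thu, 21 Feb 2002 13:02:03 GMT")


def demo() -> dict:
    request = {"From": "<sip:12155551212@example.com>",
               "To": "<sip:12155551213@example.net>",
               "Date": "Thu, 21 Feb 2002 13:02:03 GMT"}
    signed = authentication_service(request, KEY, with_canon=True)
    verifier = Verifier(KEY)
    results = {"fresh": verifier.verify(signed, "198.51.100.7", NOW + 5),
               "replay": verifier.verify(signed, "198.51.100.7", NOW + 20)}
    rewritten = {**signed, "Date": "Thu, 21 Feb 2002 13:02:40 GMT"}  # Date changed in transit
    results["iat_fallback"] = Verifier(KEY).verify(rewritten, "198.51.100.7", NOW + 45)
    pasted = {**signed, "To": "<sip:12155550000@example.net>"}  # Identity+From pasted toward voicemail
    results["cut_and_paste"] = Verifier(KEY).verify(pasted, "203.0.113.9", NOW + 10)
    results["stale"] = Verifier(KEY).verify(signed, "198.51.100.7", NOW + 3600)
    return results
```

   The To mismatch in the pasted case is reported as suspected
   cut-and-paste, but Section 12.1.1 explains why a verifier cannot
   treat that signal as conclusive: a legitimately retargeted request
   shows the same symptom, so the result should feed local policy rather
   than unconditional rejection.  The replay cache is keyed on the
   source as well as the Date, which is why the pasted request from a
   different host is caught by the binding check and not by the cache.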

   When signing a request that contains a fingerprint of keying material
   in SDP for DTLS-SRTP [RFC5763], this mechanism always provides a
   signature over that fingerprint.  This signature prevents certain
   classes of impersonation attacks in which an attacker forwards or
   cut-and-pastes a legitimate request.  Although the target of the
   attack may accept the request, the attacker will be unable to
   exchange media with the target as they will not possess a key
   corresponding to the fingerprint.  For example, there are some
   baiting attacks, launched with the REFER method or through social
   engineering, where the attacker receives a request from the target
   and reoriginates it to a third party.  These might not be prevented
   by only a signature over the From, To and Date, but could be
   prevented by securing a fingerprint for DTLS-SRTP.  While this is a
   different form of impersonation than is commonly used for
   robocalling, ultimately there is little purpose in establishing the
   identity of the user that originated a SIP request if this assurance
   is not coupled with a comparable assurance over the contents of the
   subsequent media communication.  This signature also, per [RFC7258],
   reduces the potential for passive monitoring attacks against the SIP
   media.  In environments where DTLS-SRTP is unsupported, however, no
   fingerprint is signed and no such protections are provided.
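   The media-layer half of that argument, as an added example that is
   not from the draft: the callee's DTLS endpoint checks the certificate
   presented in the DTLS-SRTP handshake against the a=fingerprint
   attribute (the RFC 4572 syntax) in the SDP that the Identity
   signature covered.  A party that cut-and-pasted or reoriginated the
   signed request does not hold the private key of the certificate whose
   fingerprint was signed, so its handshake fails this check.  The
   "certificates" are constructed byte strings standing in for DER, and
   the SDP offer is constructed.

```python
# Added example, not part of the draft: matching a DTLS peer certificate against
# the a=fingerprint attribute(s) in signed SDP.  Certificates and SDP below are
# constructed stand-ins.
import hashlib
import hmac
import re

# Hash function names as written in a=fingerprint (RFC 4572) mapped to hashlib names
HASH_FUNCS = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

_FP_LINE = re.compile(r"^a=fingerprint:(\S+)\s+((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*$")


def cert_fingerprint(cert_der: bytes, hash_func: str) -> str:
    """Upper-case, colon-separated hex digest of the DER certificate, as carried in SDP."""
    digest = hashlib.new(HASH_FUNCS[hash_func], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def sdp_fingerprints(sdp: str) -> list:
    """Return [(hash_func, fingerprint)] for every well-formed a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        m = _FP_LINE.match(line.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2).upper()))
    return found


def peer_cert_matches_sdp(sdp: str, peer_cert_der: bytes) -> bool:
    """Media-layer binding check run by the receiving DTLS endpoint.

    Every fingerprint whose hash function we can evaluate must match the
    presented certificate; if the SDP carries none we can evaluate, the media
    session has no binding to the signed request and the check fails closed.
    """
    evaluated = False
    for hash_func, expected in sdp_fingerprints(sdp):
        if hash_func not in HASH_FUNCS:
            continue  # unknown hash function: nothing to compare against
        evaluated = True
        if not hmac.compare_digest(cert_fingerprint(peer_cert_der, hash_func), expected):
            return False
    return evaluated


def sdp_offer(cert_der: bytes, hash_funcs=("sha-256",)) -> str:
    """Constructed minimal DTLS-SRTP offer carrying the fingerprint(s) of cert_der."""
    lines = ["v=0", "o=- 1 1 IN IP4 198.51.100.7", "s=-", "c=IN IP4 198.51.100.7",
             "t=0 0", "m=audio 49170 UDP/TLS/RTP/SAVP 0", "a=setup:actpass"]
    lines += [f"a=fingerprint:{h} {cert_fingerprint(cert_der, h)}" for h in hash_funcs]
    return "\r\n".join(lines) + "\r\n"


# Constructed stand-ins for DER certificates; opaque bytes suffice for a digest
CALLER_CERT = b"\x30\x82\x01\x2a" + b"caller-certificate-der-bytes"
ATTACKER_CERT = b"\x30\x82\x01\x2a" + b"attacker-certificate-der-bytes"


def demo() -> dict:
    signed_sdp = sdp_offer(CALLER_CERT, ("sha-256", "sha-1"))
    return {
        # the caller's own DTLS certificate matches the signed SDP
        "caller": peer_cert_matches_sdp(signed_sdp, CALLER_CERT),
        # a reoriginated request: the attacker's handshake presents a different certificate
        "reoriginated": peer_cert_matches_sdp(signed_sdp, ATTACKER_CERT),
        # only a hash function we cannot evaluate: fail closed
        "unsupported_only": peer_cert_matches_sdp("a=fingerprint:md2 AA:BB\r\n", CALLER_CERT),
        # no DTLS-SRTP fingerprint at all: no media binding was signed
        "no_fingerprint": peer_cert_matches_sdp("v=0\r\n", CALLER_CERT),
    }
```

   The same parser supplies the value an authentication service would
   include under the signature.  The last two cases are the situation
   the text describes for environments without DTLS-SRTP: nothing binds
   the media session to the signed request, so it is a matter of local
   policy whether such a session is accepted, and this function only
   reports that no binding was verified.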

12.1.1.  Protection of the To Header and Retargeting

   Armed with the original value of the To header field, the recipient
   of a request may be tempted to compare it to their own identity in
   order to determine whether or not the identity information in this
   call might have been replayed.  However, any request may be
   legitimately retargeted as well, and as a result legitimate requests
   may reach a SIP endpoint whose user is not identified by the URI
   designated in the To header field value.  It is therefore difficult
   for any verifier to decide whether or not some prior retargeting was
   "legitimate."  Retargeting can also cause confusion when identity
   information is provided for requests sent in the backwards direction
   in a dialog, as the dialog identifiers may not match credentials held
   by the ultimate target of the dialog.  For further information on the
   problems of response identity see [I-D.peterson-sipping-retarget].

   Any means for authentication services or verifiers to anticipate
   retargeting is outside the scope of this document, and likely to have
   equal applicability to response identity as it does to requests in
   the backwards direction within a dialog.  Consequently, no special
   guidance is given for implementers here regarding the 'connected
   party' problem (see [RFC4916]); authentication service behavior is
   unchanged if retargeting has occurred for a dialog-forming request.
   Ultimately, the authentication service provides an Identity header
   field for requests in the dialog only when the user is authorized to
   assert the identity given in the From header field, and if they are
   not, an Identity header field is not provided.  And per the threat
   model of [RFC7375], resolving problems with 'connected' identity has
   little bearing on detecting robocalling or related impersonation
   attacks.

12.2.  Unprotected Request Fields

   RFC4474 originally had protections for the Contact, Call-ID and CSeq.
   These are removed from RFC4474bis.  The absence of these header field
   values creates some opportunities for determined attackers to
   impersonate based on cut-and-paste attacks; however, the absence of
   these header field values does not seem impactful to preventing the
   simple unauthorized claiming of an identity for the purposes of
   robocalling, voicemail hacking, or swatting, which is the primary
   scope of the current document.

   It might seem attractive to provide a signature over some of the
   information present in the Via header field value(s).  For example,
   without a signature over the sent-by field of the topmost Via header
   field, an attacker could remove that Via header field and insert its
   own in a cut-and-paste attack, which would cause all responses to the
   request to be routed to a host of the attacker's choosing.  However,
   a signature over the topmost Via header field does not prevent
   attacks of this nature, since the attacker could leave the topmost
   Via intact and merely insert a new Via header field directly after
   it, which would cause responses to be routed to the attacker's host
   "on their way" to the valid host, which has exactly the same end
   result.  Although it is possible that an intermediary-based
   authentication service could guarantee that no Via hops are inserted
   between the sending user agent and the authentication service, it
   could not prevent an attacker from adding a Via hop after the
   authentication service, and thereby preempting responses.  It is
   necessary for the proper operation of SIP for subsequent
   intermediaries to be capable of inserting such Via header fields, and
   thus it cannot be prevented.  As such, though it is desirable,
   securing Via is not possible through the sort of identity mechanism
   described in this document; the best known practice for securing Via
   is the use of SIPS.

12.3.  Malicious Removal of Identity Headers

   In the end analysis, the Identity header field cannot protect itself.
   Any attacker could remove the header field from a SIP request, and
   modify the request arbitrarily afterwards.  However, this mechanism
   is not intended to protect requests from men-in-the-middle who
   interfere with SIP messages; it is intended only to provide a way
   that the originators of SIP requests can prove that they are who they
   claim to be.  At best, by stripping identity information from a
   request, a man-in-the-middle could make it impossible to distinguish
   any illegitimate messages he would like to send from those messages
   sent by an authorized user.  However, it requires a considerably
   greater amount of energy to mount such an attack than it does to
   mount trivial impersonations by just copying someone else's From
   header field.  This mechanism provides a way that an authorized user
   can provide a definitive assurance of his identity that an
   unauthorized user, an impersonator, cannot.

12.4.  Securing the Connection to the Authentication Service

   In the absence of user agent-based authentication services, the
   assurance provided by this mechanism is strongest when a user agent
   forms a direct connection, preferably one secured by TLS, to an
   intermediary-based authentication service.  The reasons for this are
   twofold:

      If a user does not receive a certificate from the authentication
      service over the TLS connection that corresponds to the expected
      domain (especially when the user receives a challenge via a
      mechanism such as Digest), then it is possible that a rogue server
      is attempting to pose as an authentication service for a domain
      or telephone number that it does not control, possibly in an
      attempt to collect shared secrets for that domain.  A similar
      practice could be used for telephone numbers, though the
      application of certificates for telephone numbers to TLS is left
      as a matter for future study.

      Without TLS, the various header field values and the body of the
      request will not have integrity protection when the request
      arrives at an authentication service.  Accordingly, a prior
      legitimate or illegitimate intermediary could modify the message
      arbitrarily.

   Of these two concerns, the first is most material to the intended
   scope of this mechanism.  This mechanism is intended to prevent
   impersonation attacks, not man-in-the-middle attacks; integrity over
   parts of the header and body is provided by this mechanism only to
   prevent replay attacks.  However, it is possible that applications
   relying on the presence of the Identity header field could leverage
   this integrity protection for services other than replay protection.

   Accordingly, direct TLS connections SHOULD be used between the UAC
   and the authentication service whenever possible.  The opportunistic
   nature of this mechanism, however, makes it very difficult to
   constrain UAC behavior, and moreover there will be some deployment
   architectures where a direct connection is simply infeasible and the
   UAC cannot act as an authentication service itself.  Accordingly,
   when a direct connection and TLS are not possible, a UAC should use
   the SIPS mechanism, Digest 'auth-int' for body integrity, or both
   when it can.  The ultimate decision to add an Identity header field
   to a request lies with the authentication service, of course; domain
   policy must identify those cases where the UAC's security association
   with the authentication service is too weak.

12.5.  Authorization and Transitional Strategies

   Ultimately, the worth of an assurance provided by an Identity header
   field is limited by the security practices of the authentication
   service that issues the assurance.  Relying on an Identity header
   field generated by a remote administrative domain assumes that the
   issuing domain uses recommended administrative practices to
   authenticate its users.  However, it is possible that some
   authentication services will implement policies that effectively make
   users unaccountable (e.g., ones that accept unauthenticated
   registrations from arbitrary users).  The value of an Identity header
   field from such authentication services is questionable.  While there
   is no magic way for a verifier to distinguish "good" from "bad"
   signers by inspecting a SIP request, it is expected that further work
   in authorization practices could be built on top of this identity
   solution; without such an identity solution, many promising
   approaches to authorization policy are impossible.  That much said,
   it is RECOMMENDED that authentication services based on proxy servers
   employ strong authentication practices.

   One cannot expect the Identity header field to be supported by every
   SIP entity overnight.  This leaves the verifier in a compromising
   position; when it receives a request from a given SIP user, how can
   it know whether or not the sender's domain supports Identity?  In the
   absence of ubiquitous support for identity, some transitional
   strategies are necessary.

      A verifier could remember when it receives a request from a domain
      or telephone number that uses Identity, and in the future, view
      messages received from that source without Identity header fields
      with skepticism.  A verifier could consult some sort of directory
      that indicates whether a given caller should have a signed
      identity.  There are a number of potential ways in which this
      could be implemented.  This is left as a subject for future work.

   In the long term, some sort of identity mechanism, either the one
   documented in this specification or a successor, must become
   mandatory-to-use for the SIP protocol; that is the only way to
   guarantee that this protection can always be expected by verifiers.

   Finally, it is worth noting that the presence or absence of Identity
   header fields cannot be the sole factor in making an authorization
   decision.  Permissions might be granted to a message on the basis of
   the specific verified Identity or really on any other aspect of a SIP
   request.  Authorization policies are outside the scope of this
   specification, but this specification advises any future
   authorization work not to assume that messages with valid Identity
   header fields are always good.

12.6.  Display-Names and Identity

   As a matter of interface design, SIP user agents might render the
   display-name portion of the From header field of a caller as the
   identity of the caller; there is a significant precedent in email
   user interfaces for this practice.  Securing the display-name
   component of the From header field value is outside the scope of this
   document, but may be the subject of future work, such as through the
   "ppt" name mechanism.

   In the absence of signing the display-name, authentication services
   might check and validate it, and compare it to a list of acceptable
   display-names that may be used by the sender; if the display-name
   does not meet policy constraints, the authentication service could
   return a 403 response code.  In this case, the reason phrase should
   indicate the nature of the problem; for example, "Inappropriate
   Display Name".  However, the display-name
   signers by inspecting a SIP request, it is not always present, and expected that further work
   in authorization practices could be built on top of this identity
   solution; without such an identity solution, many environments the requisite operational procedures for
   display-name validation may not exist, so no normative guidance is
   given here.

13.  IANA Considerations

   This document relies promising
   approaches to authorization policy are impossible.  That much said,
   it is RECOMMENDED that authentication services based on proxy servers
   employ strong authentication practices.

   One cannot expect the headers and response codes defined in RFC
   4474.  It also retains the requirements for the specification of new
   algorithms or headers related Identity header field to be supported by every
   SIP entity overnight.  This leaves the mechanisms described verifier in that
   document.

13.1.  Identity-Info Parameters

   The IANA has already created a registry for Identity-Info parameters.
   This specification defines compromising
   position; when it receives a new value called "canon" as defined in
   Section 6.3.  Note however that unlike in RFC4474, Identity-Info
   parameters now appear in the Identity header.

13.2.  Identity-Info Algorithm Parameter Values

   The IANA has already created request from a registry for Identity-Info "alg"
   parameter values.  Note that now, the "alg" parameter appears in the
   Identity header rather than given SIP user, how can
   it know whether or not the deprecated Identity-Info header.
   Since originator's domain supports Identity?  In
   the algorithms absence of ubiquitous support for signing PASSporT objects identity, some transitional
   strategies are defined in
   PASSporT rather than in this specification, there is no longer necessary.

      A verifier could remember when it receives a need
   for an algorithm parameter registry for the Identity header.  This
   registry is therefore deprecated.

13.3.  Response Codes defined request from a domain
      or telephone number that uses Identity, and in RFC4474

   RFC4474 defined four response codes for failure conditions specific
   to the future, view
      messages received from that source without an Identity header and its original mechanism.  These status
   codes
      field with skepticism.

      A verifier could consult some sort of directory that indicates
      whether a given caller should have a signed identity.  There are retained a
      number of potential ways in which this specification, with could be implemented.  This
      is left as a subject for future work.

   In the long term, some modifications.

   The semantics sort of identity mechanism, either the 428 'Use Identity Header' response code are
   slightly altered one
   documented in this specification or a successor, must become
   mandatory-to-use for the SIP protocol; that is the only way to
   guarantee that this protection can always be expected by verifiers.

   Finally, it is worth noting that the potential presence or absence of the "ppt" parameter.
   Now, a 428 response MUST be sent when an Identity header is required,
   but no
   Identity header without a "ppt" parameter, or with fields cannot be the sole factor in making an
   authorization decision.  Permissions might be granted to a supported
   "ppt" value, has been received.  In message on
   the case where one or more basis of the specific verified Identity headers with unsupported "ppt" values have been received,
   then a verification service SHOULD send or really on any other
   aspect of a 428 with SIP request.  Authorization policies are outside the reason phrase
   "Use Supported PASSporT Format".  Note however that
   scope of this specification, but this specification gives no guidance on how a verification service might
   decide advises any
   future authorization work not to require an assume that messages with valid
   Identity header for fields are always good.

12.6.  Display-Names and Identity

   As a particular matter of interface design, SIP request.
   Such authorization policies are user agents might render the
   display-name portion of the From header field of a caller as the
   identity of the caller; there is a significant precedent in email
   user interfaces for this practice.  Securing the display-name
   component of the From header field value is outside the scope of this
   specification.

   For 436 'Bad Identity-Info' response,
   document, but may be the default reason phrase is
   now renamed 'Bad Identity info', subject of future work, such as through the
   "ppt" name mechanism.

   In the deprecation absence of signing the Identity-
   Info header has made 'info' display-name, authentication services
   might check and validate it, and compare it to a parameter list of acceptable
   display-names that may be used by the Identity header.
   Again, given originator; if the potential presence of multiple Identity headers,
   this response code is sent when display-name
   does not meet policy constraints, the verification authentication service is unable to
   deference could
   return a 403 response code.  In this case, the URIs and/or acquire reason phrase should
   indicate the credentials associated with all
   Identity headers in nature of the request.  This failure code could be
   repairable if problem; for example, "Inappropriate
   Display Name".  However, the authentication service resends display-name is not always present, and
   in many environments the request with an
   'info' parameter pointing to requisite operational procedures for
   display-name validation may not exist, so no normative guidance is
   given here.
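   As an added example (not code from the draft), the following Python
   sketch shows a verifier applying the two transitional strategies of
   Section 12.5 and an authentication service applying the display-name
   policy of Section 12.6 to constructed SIP requests; the minimal header
   parser, the directory of sources expected to sign, the allowed-name
   list and the placeholder Identity value are all assumptions of the
   example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Added example, not code from the draft: a verifier's transitional policy
# (Section 12.5) and an authentication service's display-name check (12.6).

NAME_ADDR_RE = re.compile(r'^\s*(?:"(?P<q>[^"]*)"|(?P<t>[^<"]*?))\s*<(?P<uri>[^>]+)>')
ADDR_SPEC_RE = re.compile(r'^\s*(?P<uri>(?:sips?|tel):[^;\s]+)', re.I)

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header field names to their values; request line skipped."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break                       # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def originator(headers: Dict[str, List[str]]) -> Tuple[Optional[str], str, str]:
    """Return (display-name or None, From URI, source key: sip host or tel number)."""
    value = headers.get("from", [""])[0]
    m = NAME_ADDR_RE.match(value)
    if m:
        dn = m.group("q") if m.group("q") is not None else m.group("t").strip() or None
        uri = m.group("uri")
    else:
        m = ADDR_SPEC_RE.match(value)
        if not m:
            raise ValueError("unparseable From header field")
        dn, uri = None, m.group("uri")
    scheme, _, rest = uri.split(";")[0].partition(":")   # drop URI parameters
    key = rest if scheme.lower() == "tel" else rest.split("@")[-1].split(":")[0]
    return dn, uri, key.lower()

class TransitionalVerifier:
    """Section 12.5: remember sources seen with Identity (and optionally consult a
    directory of sources that should sign); unsigned requests from them are suspect."""
    def __init__(self, directory: Optional[Set[str]] = None) -> None:
        self.signed_sources: Set[str] = set()
        self.directory: Set[str] = directory or set()   # constructed "should sign" list

    def classify(self, raw: str) -> str:
        headers = parse_headers(raw)
        _, _, source = originator(headers)
        if "identity" in headers:
            self.signed_sources.add(source)
            return "signed"             # hand off to PASSporT verification
        if source in self.signed_sources or source in self.directory:
            return "suspicious"         # expected to sign, but did not
        return "unsigned"               # no basis for skepticism yet

def display_name_policy(raw: str, allowed: Dict[str, Set[str]]) -> Optional[Tuple[int, str]]:
    """Section 12.6: (403, reason) when the display-name is not on the originator's
    list; None means proceed (an absent display-name is not checked)."""
    dn, uri, _ = originator(parse_headers(raw))
    if dn is None or dn in allowed.get(uri, set()):
        return None
    return 403, "Inappropriate Display Name"

INVITE = ("INVITE sip:bob@biloxi.example.com SIP/2.0\r\nFrom: {}\r\n"   # constructed template
          "To: <sip:bob@biloxi.example.com>\r\nCSeq: 1 INVITE\r\n{}\r\n")
IDENTITY_LINE = "Identity: PLACEHOLDER.PASSPORT.SIGNATURE;info=<https://atlanta.example.com/cert>;alg=ES256\r\n"
SIGNED = INVITE.format('"Alice" <sip:alice@atlanta.example.com>;tag=1928301774', IDENTITY_LINE)
UNSIGNED_SAME = INVITE.format("Alice <sip:alice@atlanta.example.com>;tag=a1", "")
UNSIGNED_OTHER = INVITE.format("<sip:carol@chicago.example.com>;tag=b2", "")
UNSIGNED_TEL = INVITE.format("tel:+12155551212;tag=c3", "")
OTHER_NAME = INVITE.format('"Alicia" <sip:alice@atlanta.example.com>;tag=d4', "")
ALLOWED_NAMES = {"sip:alice@atlanta.example.com": {"Alice", "Alice Atlanta"}}
```

   A "suspicious" result is only an input to the verifier's local policy,
   matching the draft's point that the absence of an Identity header
   field cannot by itself decide authorization.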

13.  IANA Considerations

   This document contains a number of actions for IANA.

13.1.  SIP Header Fields

   The Identity-Info header in the SIP Header Fields registry should be
   marked as deprecated by [RFCThis].

13.2.  SIP Response Codes

   The Reason phrase for the 436 response should be changed from "Bad
   Identity-Info" to "Bad Identity Info" in the SIP Response Code
   registry.

   The 437 "Unsupported Certificate" default reason phrase should be
   changed to "Unsupported Credential".

13.3.  Identity-Info Parameters

   The IANA manages a registry for Identity-Info parameters.  This
   specification asks the IANA to change the name of this registry to
   "Identity Parameters".

   This specification defines two new values for the registry: "canon"
   as defined in this specification in Section 4.1.1; and "info" as
   defined in this specification in Section 7.3.

13.4.  Identity-Info Algorithm Parameter Values

   The IANA manages an Identity-Info Algorithm Parameter Values
   registry which this specification deprecates.  Since the algorithms
   for signing PASSporT objects are defined in PASSporT rather than in
   this specification, there is no longer a need for an algorithm
   parameter registry for the Identity header field.

14.  Acknowledgments

   The authors would like to thank Olle Jacobson, Dave Frankel, Robert
   Sparks, Dave Crocker, Stephen Kent, Brian Rosen, Alex Bobotek, Paul
   Kyzviat, Jonathan Lennox, Richard Shockey, Martin Dolly, Andrew
   Allen, Hadriel Kaplan, Sanjay Mishra, Anton Baskov, Pierce Gorman,
   David Schwartz, Eric Burger, Alan Ford, Christer Holmberg, Philippe
   Fouquart, Michael Hamer, Henning Schulzrinne, and Richard Barnes for
   their comments.

15.  Changes from RFC4474

   The following are salient changes from the original RFC 4474:

      Generalized the credential mechanism; credential enrollment,
      acquisition and trust is now outside the scope of this document

      Reduced the scope of the Identity signature to remove CSeq, Call-
      ID, Contact, and the message body

      Deprecated the Identity-Info header field and relocated its
      components into parameters of the Identity header field (which
      obsoletes the previous version of the header field)

      The Identity header field can now appear multiple times in one
      request

      Replaced previous signed-identity-digest format with PASSporT
      (signing algorithms now defined there)

      Revised status code descriptions

16.  References

16.1.  Normative References

   [E.164]    ITU-T, "The international public telecommunication
              numbering plan", E 164, February 2005,
              <https://www.itu.int/rec/T-REC-E.164/en>.

   [I-D.ietf-stir-passport]
              Wendt, C. and J. Peterson, "Persona Assertion Token",
              draft-ietf-stir-passport-06 (work in progress), August
              2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818,
              DOI 10.17487/RFC2818, May 2000,
              <http://www.rfc-editor.org/info/rfc2818>.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002,
              <http://www.rfc-editor.org/info/rfc3261>.

   [RFC3263]  Rosenberg, J. and H. Schulzrinne, "Session Initiation
              Protocol (SIP): Locating SIP Servers", RFC 3263,
              DOI 10.17487/RFC3263, June 2002,
              <http://www.rfc-editor.org/info/rfc3263>.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              DOI 10.17487/RFC3280, April 2002,
              <http://www.rfc-editor.org/info/rfc3280>.

   [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
              Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002,
              <http://www.rfc-editor.org/info/rfc3370>.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers",
              RFC 3966, DOI 10.17487/RFC3966, December 2004,
              <http://www.rfc-editor.org/info/rfc3966>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <http://www.rfc-editor.org/info/rfc5280>.

   [RFC5922]  Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain
              Certificates in the Session Initiation Protocol (SIP)",
              RFC 5922, DOI 10.17487/RFC5922, June 2010,
              <http://www.rfc-editor.org/info/rfc5922>.

   [RFC6919]  Barnes, R., Kent, S., and E. Rescorla, "Further Key Words
              for Use in RFCs to Indicate Requirement Levels", RFC 6919,
              DOI 10.17487/RFC6919, April 2013,
              <http://www.rfc-editor.org/info/rfc6919>.

16.2.  Informative References

   [I-D.ietf-iri-comparison]
              Masinter, L. and M. Dürst, "Comparison, Equivalence and
              Canonicalization of Internationalized Resource
              Identifiers", draft-ietf-iri-comparison-02 (work in
              progress), October 2012.

   [I-D.ietf-stir-certificates]
              Peterson, J. and S. Turner, "Secure Telephone Identity
              Credentials: Certificates", draft-ietf-stir-
              certificates-07 (work in progress), July 2016.

   [I-D.kaplan-stir-cider]
              Kaplan, H., "A proposal for Caller Identity in a DNS-based
              Entrusted Registry (CIDER)", draft-kaplan-stir-cider-00
              (work in progress), July 2013.

   [I-D.peterson-sipping-retarget]
              Peterson, J., "Retargeting and Security in SIP: A
              Framework and Requirements", draft-peterson-sipping-
              retarget-00 (work in progress), February 2005.

   [I-D.rosenberg-sip-rfc4474-concerns]
              Rosenberg, J., "Concerns around the Applicability of RFC
              4474", draft-rosenberg-sip-rfc4474-concerns-00 (work in
              progress), February 2008.

   [RFC2585]  Housley, R. and P. Hoffman, "Internet X.509 Public Key
              Infrastructure Operational Protocols: FTP and HTTP",
              RFC 2585, DOI 10.17487/RFC2585, May 1999,
              <http://www.rfc-editor.org/info/rfc2585>.

   [RFC3323]  Peterson, J., "A Privacy Mechanism for the Session
              Initiation Protocol (SIP)", RFC 3323,
              DOI 10.17487/RFC3323, November 2002,
              <http://www.rfc-editor.org/info/rfc3323>.

   [RFC3325]  Jennings, C., Peterson, J., and M. Watson, "Private
              Extensions to the Session Initiation Protocol (SIP) for
              Asserted Identity within Trusted Networks", RFC 3325,
              DOI 10.17487/RFC3325, November 2002,
              <http://www.rfc-editor.org/info/rfc3325>.

   [RFC3548]  Josefsson, S., Ed., "The Base16, Base32, and Base64 Data
              Encodings", RFC 3548, DOI 10.17487/RFC3548, July 2003,
              <http://www.rfc-editor.org/info/rfc3548>.

   [RFC3893]  Peterson, J., "Session Initiation Protocol (SIP)
              Authenticated Identity Body (AIB) Format", RFC 3893,
              DOI 10.17487/RFC3893, September 2004,
              <http://www.rfc-editor.org/info/rfc3893>.

   [RFC4234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, DOI 10.17487/RFC4234,
              October 2005, <http://www.rfc-editor.org/info/rfc4234>.

   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 4474,
              DOI 10.17487/RFC4474, August 2006,
              <http://www.rfc-editor.org/info/rfc4474>.

   [RFC4501]  Josefsson, S., "Domain Name System Uniform Resource
              Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006,
              <http://www.rfc-editor.org/info/rfc4501>.

   [RFC4916]  Elwell, J., "Connected Identity in the Session Initiation
              Protocol (SIP)", RFC 4916, DOI 10.17487/RFC4916, June
              2007, <http://www.rfc-editor.org/info/rfc4916>.

   [RFC5763]  Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
              for Establishing a Secure Real-time Transport Protocol
              (SRTP) Security Context Using Datagram Transport Layer
              Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
              2010, <http://www.rfc-editor.org/info/rfc5763>.

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August
              2012, <http://www.rfc-editor.org/info/rfc6698>.

   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973,
              DOI 10.17487/RFC6973, July 2013,
              <http://www.rfc-editor.org/info/rfc6973>.

   [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <http://www.rfc-editor.org/info/rfc7159>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <http://www.rfc-editor.org/info/rfc7258>.

   [RFC7340]  Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
              Telephone Identity Problem Statement and Requirements",
              RFC 7340, DOI 10.17487/RFC7340, September 2014,
              <http://www.rfc-editor.org/info/rfc7340>.

   [RFC7375]  Peterson, J., "Secure Telephone Identity Threat Model",
              RFC 7375, DOI 10.17487/RFC7375, October 2014,
              <http://www.rfc-editor.org/info/rfc7375>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <http://www.rfc-editor.org/info/rfc7515>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <http://www.rfc-editor.org/info/rfc7519>.

Authors' Addresses

   Jon Peterson
   Neustar, Inc.
   1800 Sutter St Suite 570
   Concord, CA  94520
   US

   Email: jon.peterson@neustar.biz

   Cullen Jennings
   Cisco
   400 3rd Avenue SW, Suite 350
   Calgary, AB  T2P 4H2
   Canada

   Email: fluffy@iii.ca

   Eric Rescorla
   RTFM, Inc.
   2064 Edgewood Drive
   Palo Alto, CA  94303
   USA

   Email: ekr@rtfm.com

   Chris Wendt
   Comcast
   One Comcast Center
   Philadelphia, PA  19103
   USA

   Email: chris-ietf@chriswendt.net