Internet-Draft | STIR OCSP Stapling | October 2022 |
Peterson | Expires 27 April 2023 | [Page] |
In order to facilitate the use of the Online Certificate Status Protocol (OCSP) with Secure Telephone Identity Revisited (STIR), this specification defines a mechanism for incorporating an OCSP staple into a Personal Assertion Token (PASSporT).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 April 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The STIR problem statement [RFC7340] discusses many attacks on the telephone network that are enabled by impersonation, including various forms of robocalling, voicemail hacking, and swatting. One of the most important components of a system to prevent impersonation is the implementation of credentials which identify the parties who control telephone numbers. The STIR certificates [RFC8226] specification describes a credential system based on [X.509] version 3 certificates in accordance with [RFC5280] for that purpose. Those credentials can then be used by STIR authentication services [RFC8224] to sign PASSporT objects [RFC8225] carried in a SIP [RFC3261] request.¶
[RFC8226] specifies an extension to X.509 that defines a Telephony Number (TN) Authorization List that may be included by certificate authorities in certificates. This extension provides additional information that relying parties can use when validating transactions with the certificate. When a SIP request, for example, arrives at a terminating administrative domain, the calling number attested by the SIP request can be compared to the TN Authorization List of the certificate that signed the request to determine if the caller is authorized to use that calling number in SIP.¶
[I-D.ietf-stir-certificates-ocsp] defines a means to use OCSP to establish that, at the time of STIR verification, a particular telephone number (the calling number) is within the scope of authority of a certificate. This is especially useful with STIR delegate certificates [RFC9060], which typically claim authority over telephone number ranges rather than Service Provider Codes (SPCs) in their TN Authorization List. However, this requires an additional round-trip request and response from the verification service to the OCSP responder, and the telephony applications are delay sensitive. Thus, this document specifies a means to incorporate an OCSP staple into the PASSporT object.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
At a high level, there are a number of potential solutions that could mitigate the round-trip time incurred on the verification service side to perform OCSP validation.¶
A verification service validating a PASSporT acquires the certificate referenced by its "x5u" header element, if that certificate is not cached. Typically, that acquisition happens by derefencing the URI in the value of the "x5u" element. One could design an system where OCSP validation is piggybacked onto that network fetch. This solution is however not optimal for cases where signing certificates are long-lived and cached, so that queries will otherwise be very infrequent. Requiring certificate fetches every time a new telephone number is seen at the verification service would likely incur roughly the same number of round trips as the [I-D.peterson-stir-certificates-shortlived] mechanism.¶
There are also variants of the "x5u" approach that sidestep OCSP entirely, by decorating the "x5u" URI with query parameters that incorporate the calling telephone number. As the authentication service necessarily knows the telephone number from the "orig" field, and controls the contents of "x5u", it has the means to decorate the URI appropriately during PASSporT creation. The certificate repository (i.e. HTTP service) receiving a certificate fetch with a decorated URI could could then verify that the calling number is currently in the scope of the requested certificate - if it is not, the service could then fail to return a certificate, preventing the verification service from validating. However, like the approach above, this would have implications for certificate fetch frequency similar to short-lived certs, as the decorated URIs would be governed by HTTP caching mechanics.¶
Thus, the solution proposed here is that the authentication service instead inserts a new PASSporT payload element, "stpl", which has as its value an OCSP staple compliant with the STIR extension defined in [I-D.ietf-stir-certificates-ocsp]. Such staples can either be pre-generated ([RFC6960] Section 2.5) and published regularly to the authentication service, or the authentication service can query for a staple on a per-call basis. Note that OCSP for STIR does furnish a response concerning only a single telephone number, and thus if a certificate can sign for a large number range, one pre-generated staple would need to be furnished to the authentication service for each telephone number that could potentially originate a call. Generating OCSP staples on the fly may however cause a round-trip time delay of its own, which depending on how the authentication service and the certificate authority are connected, could effectively incur the same delay as an OCSP dip from the verification service.¶
One alternative design would be to carry an OCSP staple at the SIP layer, in a body or header. But the because PASSporT can be used in non-SIP environments, and this OCSP extension is specific to certificates that use the TNAuthList extension, embedding the staple in the PASSporT is a superior choice. While encoding and embedding an OCSP response will increase the size of the PASSporT, that overall increase in SIP message size will ideally be the same as if the response had been placed in a separate header.¶
Finally, it could be argued that the round-trip delay incurred at the verification service is not actually problematic, as there is a fungible delay on the terminating side during which ringing can be played to the caller without commencing alerting on the end-user called device. But [I-D.ietf-stir-certificates-ocsp] also describes the potential privacy implications of revealing to the OCSP responder the verification service that has received a call for a particular calling number. On balance, stapling at the authentication service, especially pre-generated stapling, seems to offer the best all-around solution.¶
This specification requests that the IANA add one new claim to the JSON Web Token Claims registry as defined in [RFC7519].¶
Claim Name: "stpl"¶
Claim Description: OCSP Staple¶
Change Controller: IESG¶
Specification Document(s): [RFCThis]¶
The use of OCSP stapling should largely mitigate the privacy risks noted in [I-D.ietf-stir-certificates-ocsp].¶
This document is entirely about security. For further information on certificate security and practices, see [RFC5280], in particular its Security Considerations. For OCSP-related security considerations see [RFC6960] and [RFC5019].¶
We thank the STIR working group for its input into this document.¶