Secure Telephone Identity Revisited
charter-ietf-stir-01

Document: Charter, Secure Telephone Identity Revisited WG (stir)
Title: Secure Telephone Identity Revisited
Last updated: 2018-01-30
State: Approved
WG State: Active
IESG Responsible AD: Adam Roach
Charter Edit AD: Adam Roach
Send notices to: (None)

Charter

The STIR working group will specify Internet-based mechanisms that allow 
verification of the calling party's authorization to use a particular 
telephone number for an incoming call.  Since it has become fairly easy
to present an incorrect source telephone number, a growing set of
problems has emerged over the last decade.  As with email, the claimed
source identity of a SIP request is not verified, permitting 
unauthorized use of the source identity as part of deceptive and 
coercive activities, such as robocalling (bulk unsolicited commercial 
communications), vishing (voicemail hacking, and impersonating banks) 
and swatting (impersonating callers to emergency services to stimulate 
unwarranted large scale law enforcement deployments).  In addition, use 
of an incorrect source telephone number facilitates wire fraud or can 
lead to a return call at premium rates.  

SIP is one of the main VoIP technologies used by parties that want to
present an incorrect origin, in this context an origin telephone number.
Several previous efforts have tried to secure the origins of SIP
communications, including RFC 3325, RFC 4474, and the VIPR working 
group.  To date, however, true validation of the source of SIP calls has 
not seen any appreciable deployment.  Several factors contributed to 
this lack of success, including: failure of the problem to be seen as 
critical at the time; lack of any technical means of producing a proof 
of authorization to use telephone numbers; misalignment of the 
mechanisms proposed by RFC 4474 with the complex deployment environment 
that has emerged for SIP; lack of end-to-end SIP session establishment; 
and inherent operational problems with a transitive trust model.  To 
make deployment of this solution more likely, consideration must be 
given to latency, real-time performance, computational overhead, and 
administrative overhead for the legitimate call source and all 
verifiers.

As its priority mechanism work item, the working group will specify a 
SIP header-based mechanism for verification that the originator of a SIP 
session is authorized to use the claimed source telephone number, where 
the session is established with SIP end to end.  This is called an
in-band mechanism.  The mechanism will use a canonical telephone number
representation specified by the working group, including any mappings
that might be needed between the SIP header fields and the canonical
telephone number representation.  The working group will consider
choices for protecting identity information and credentials used.  This 
protection will likely be based on a digital signature mechanism that 
covers a set of information in the SIP header fields, and verification 
will employ a credential that contains the public key that is associated 
with the one or more telephone numbers.  Credentials used with this 
mechanism will be derived from existing telephone number assignment and 
delegation models.  That is, when a telephone number or range of 
telephone numbers is delegated to an entity, relevant credentials will 
be generated (or modified) to reflect such delegation.  The mechanism 
must allow a telephone number holder to further delegate and revoke use 
of a telephone number without compromising the global delegation scheme.

In addition to its priority mechanism work item, the working group will
consider a mechanism for verification of the originator during session
establishment in an environment with one or more non-SIP hops, most
likely requiring an out-of-band authorization mechanism.  However, the
in-band and the out-of-band mechanisms should share as much in common as
possible, especially the credentials.  The in-band mechanism must be 
sent to the IESG for approval and publication prior to the out-of-band
mechanism.

The work of this group is limited to developing a solution for telephone 
numbers. Expansion of the authorization mechanism to identities using the 
user@domain or other name forms is out of scope.

The working group will coordinate with the Security Area on credential 
management and signature mechanics.

The working group will coordinate with other working groups in the RAI
Area regarding signaling through existing deployments.

The working group welcomes input from potential implementors or 
operators of technologies developed by this working group.  For example, 
national numbering authorities might consider acting as credential 
authorities for telephone numbers within their purview.

It is important to note that while the main focus of this working group
is telephone numbers, the STIR working group will not develop any
mechanisms that require changes to circuit-switched technologies.

Authentication and authorization of identity is closely linked to
privacy, and these security features sometimes come at the cost of
privacy.  Anonymous calls are already defined in SIP standards, and this
working group will not propose changes to these standards.  In order to
support anonymity, the working group will provide a solution in which 
the called party receives an indication that the source telephone number 
is unavailable.  This working group, to the extent feasible, will 
specify privacy-friendly mechanisms that do not reveal any more 
information to user agents or third parties than a call that does not 
make use of secure telephone identification mechanisms.

Input to working group discussions shall include:

  - Private Extensions to the Session Initiation Protocol (SIP)
    for Asserted Identity within Trusted Networks
    [RFC 3325]

  - Enhancements for Authenticated Identity Management in the
    Session Initiation Protocol (SIP)
    [RFC 4474]

  - Secure Call Origin Identification
    [draft-cooper-iab-secure-origin-00]

  - Secure Origin Identification: Problem Statement, Requirements,
    and Roadmap
    [draft-peterson-secure-origin-ps-00]

  - Authenticated Identity Management in the Session Initiation
    Protocol (SIP)
    [draft-jennings-dispatch-rfc4474bis-00]

The working group will deliver the following:

  - A problem statement detailing the deployment environment and
    situations that motivate work on secure telephone identity

  - A threat model for the secure telephone identity mechanisms

  - A privacy analysis of the secure telephone identity mechanisms

  - A document describing the SIP in-band mechanism for telephone
    number-based identities during call setup

  - A document describing the credentials required to support
    telephone number identity authentication

  - A document describing the out-of-band mechanism for telephone
    number-based identities during call setup