Secure Telephone Identity Revisited
charter-ietf-stir-00-03

The information below is for an older proposed charter
Document: Proposed charter Secure Telephone Identity Revisited WG (stir) (Snapshot)
Title: Secure Telephone Identity Revisited
Last updated: 2013-08-19
State: Start Chartering/Rechartering (Internal Steering Group/IAB Review), Rechartering
WG State: Proposed
IESG Responsible AD: Orie Steele
Charter edit AD: Richard Barnes
Send notices to: (None)

Name: Secure Telephone Identity Revisited (stir)
Area: RAI

Chairs: TBD
Area Advisor: Richard Barnes

Mailing list: stir@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/stir

The STIR working group will specify Internet-based mechanisms for the
validation of the source telephone number for an incoming call. Since it
has become fairly easy to present an incorrect source telephone number,
a growing set of problems has emerged over the last decade. As with
email, the claimed source identity of a SIP request is not verified,
permitting unauthorized use of the source identity as part of deceptive
and coercive activities, such as robocalling (bulk unsolicited commercial
communications), vishing (voicemail hacking, and impersonating banks) and
swatting (impersonating callers to emergency services to stimulate
unwarranted large scale law enforcement deployments). In addition, use
of an incorrect source telephone number facilitates wire fraud or can
lead to a return call at premium rates. This working group will define
mechanisms that allow verification of the calling party's authorization
to use a particular telephone number.

SIP is one of the main VoIP technologies used by parties that want to
present an incorrect origin, in this context an origin telephone number.
Several previous efforts have tried to secure the origins of SIP
communications, including RFC 3325, RFC 4474, and the VIPR working group.
To date, however, true validation of the source of SIP calls has not seen
any appreciable deployment. Several factors contributed to this lack of
success, including: failure of the problem to be seen as critical at the
time; lack of any technical means of producing a proof of authorization to
use telephone numbers; misalignment of the mechanisms proposed by RFC 4474
with the complex deployment environment that has emerged for SIP; lack of
end-to-end SIP session establishment; and inherent operational problems
with a transitive trust model. To make deployment of this solution more
likely, consideration must be given to latency, real-time performance,
computational overhead, and administrative overhead for the legitimate
call source and all verifiers.

As its priority mechanism work item, the working group will specify a SIP
header-based mechanism for verification that the originator of a SIP
session is authorized to use the claimed source telephone number, where
the session is established with SIP end to end. This is called an in-band
mechanism. The mechanism will use a canonical telephone number
representation specified by the working group, including any mappings that
might be needed between the SIP header fields and the canonical telephone
number representation. The working group will consider choices for
protecting identity information and credentials used. This protection
will likely be based on a digital signature mechanism that covers a set
of information in the SIP header fields, and verification will employ a
credential that contains the public key that is associated with the one
or more telephone numbers. Credentials used with this mechanism will be
derived from existing telephone number assignment and delegation models.
That is, when a telephone number or range of telephone numbers is
delegated to an entity, relevant credentials will be generated (or
modified) to reflect such delegation. The mechanism must allow a
telephone number holder to further delegate and revoke use of a telephone
number without compromising the global delegation scheme.

In addition to its priority mechanism work item, the working group will
consider a mechanism for verification of the originator during session
establishment in an environment with one or more non-SIP hops, most
likely requiring an out-of-band authorization mechanism. However, the
in-band and the out-of-band mechanisms should share as much in common as
possible, especially the credentials. The in-band mechanism must be sent
to the IESG for approval and publication prior to the out-of-band
mechanism.

Expansion of the authorization mechanism to identities using the
user@domain form is deferred since the main focus of the working group
is to develop a solution for telephone numbers.

The working group will coordinate with the Security Area on credential
management.

The working group will coordinate with other working groups in the RAI
Area regarding signaling through existing deployments.

The working group welcomes input from potential implementors or operators
of parts of the STIR system. For example, national numbering authorities
might consider acting as credential authorities for telephone numbers
within their purview.

It is important to note that while the main focus of this working group
is telephone numbers, the STIR working group will not develop any
technologies based on the PSTN.

Authentication and authorization of identity is closely linked to
privacy, and these security features sometimes come at the cost of
privacy. Anonymous calls are already defined in SIP standards, and this
working group will not propose changes to these standards. In order to
support anonymity, the working group will provide a solution in which the
called party receives an indication that the source telephone number is
unavailable. This working group, to the extent feasible, will specify
privacy-friendly mechanisms that do not reveal any more information to
user agents or third parties than a call that does not make use of secure
telephone identification mechanisms.

Input to working group discussions shall include:

The working group will deliver the following:

  • A problem statement detailing the deployment environment and
    situations that motivate work on secure telephone identity

  • A threat model for the secure telephone identity mechanisms

  • A privacy analysis of the secure telephone identity mechanisms

  • A document describing the SIP in-band mechanism for telephone
    number-based identities during call setup

  • A document describing the credentials required to support
    telephone number identity authentication

  • A document describing the out-of-band mechanism for telephone
    number-based identities during call setup

Milestones

Sep 2013 Submit problem statement for Informational
Nov 2013 Submit threat model for Informational
Nov 2013 Submit in-band mechanism for Proposed Standard
Feb 2014 Submit credential specification for Proposed Standard
Apr 2014 Submit Privacy analysis for Informational
Jun 2014 Submit out-of-band mechanism for Proposed Standard