Secure Telephone Identity Revisited
charter-ietf-stir-00-07

The information below is for an older proposed charter.

Document: Proposed charter Secure Telephone Identity Revisited WG (stir) Snapshot
Title: Secure Telephone Identity Revisited
Last updated: 2013-08-30
State: IESG Review (Charter for Approval, Selected by Secretariat) Rechartering
WG State: Proposed
IESG Responsible AD: Orie Steele
Charter edit AD: Richard Barnes
Send notices to: (None)

The STIR working group will specify Internet-based mechanisms that allow
verification of the calling party's authorization to use a particular
telephone number for an incoming call. Since it has become fairly easy
to present an incorrect source telephone number, a growing set of
problems has emerged over the last decade. As with email, the claimed
source identity of a SIP request is not verified, permitting
unauthorized use of the source identity as part of deceptive and
coercive activities, such as robocalling (bulk unsolicited commercial
communications), vishing (voicemail hacking, and impersonating banks)
and swatting (impersonating callers to emergency services to stimulate
unwarranted large scale law enforcement deployments). In addition, use
of an incorrect source telephone number facilitates wire fraud or can
lead to a return call at premium rates.

SIP is one of the main VoIP technologies used by parties that want to
present an incorrect origin, in this context an origin telephone number.
Several previous efforts have tried to secure the origins of SIP
communications, including RFC 3325, RFC 4474, and the VIPR working
group. To date, however, true validation of the source of SIP calls has
not seen any appreciable deployment. Several factors contributed to
this lack of success, including: failure of the problem to be seen as
critical at the time; lack of any technical means of producing a proof
of authorization to use telephone numbers; misalignment of the
mechanisms proposed by RFC 4474 with the complex deployment environment
that has emerged for SIP; lack of end-to-end SIP session establishment;
and inherent operational problems with a transitive trust model. To
make deployment of this solution more likely, consideration must be
given to latency, real-time performance, computational overhead, and
administrative overhead for the legitimate call source and all
verifiers.

As its priority mechanism work item, the working group will specify a
SIP header-based mechanism for verification that the originator of a SIP
session is authorized to use the claimed source telephone number, where
the session is established with SIP end to end. This is called an
in-band mechanism. The mechanism will use a canonical telephone number
representation specified by the working group, including any mappings
that might be needed between the SIP header fields and the canonical
telephone number representation. The working group will consider
choices for protecting identity information and credentials used. This
protection will likely be based on a digital signature mechanism that
covers a set of information in the SIP header fields, and verification
will employ a credential that contains the public key that is associated
with one or more telephone numbers. Credentials used with this
mechanism will be derived from existing telephone number assignment and
delegation models. That is, when a telephone number or range of
telephone numbers is delegated to an entity, relevant credentials will
be generated (or modified) to reflect such delegation. The mechanism
must allow a telephone number holder to further delegate and revoke use
of a telephone number without compromising the global delegation scheme.

In addition to its priority mechanism work item, the working group will
consider a mechanism for verification of the originator during session
establishment in an environment with one or more non-SIP hops, most
likely requiring an out-of-band authorization mechanism. However, the
in-band and the out-of-band mechanisms should share as much in common as
possible, especially the credentials. The in-band mechanism must be
sent to the IESG for approval and publication prior to the out-of-band
mechanism.

The work of this group is limited to developing a solution for telephone
numbers. Expansion of the authorization mechanism to identities using the
user@domain or other name forms is out of scope.

The working group will coordinate with the Security Area on credential
management and signature mechanics.

The working group will coordinate with other working groups in the RAI
Area regarding signaling through existing deployments.

The working group welcomes input from potential implementors or
operators of technologies developed by this working group. For example,
national numbering authorities might consider acting as credential
authorities for telephone numbers within their purview.

It is important to note that while the main focus of this working group
is telephone numbers, the STIR working group will not develop any
mechanisms that require changes to circuit-switched technologies.

Authentication and authorization of identity is closely linked to
privacy, and these security features sometimes come at the cost of
privacy. Anonymous calls are already defined in SIP standards, and this
working group will not propose changes to these standards. In order to
support anonymity, the working group will provide a solution in which
the called party receives an indication that the source telephone number
is unavailable. This working group, to the extent feasible, will
specify privacy-friendly mechanisms that do not reveal any more
information to user agents or third parties than a call that does not
make use of secure telephone identification mechanisms.

Input to working group discussions shall include:

The working group will deliver the following:

  • A problem statement detailing the deployment environment and
    situations that motivate work on secure telephone identity

  • A threat model for the secure telephone identity mechanisms

  • A privacy analysis of the secure telephone identity mechanisms

  • A document describing the SIP in-band mechanism for telephone
    number-based identities during call setup

  • A document describing the credentials required to support
    telephone number identity authentication

  • A document describing the out-of-band mechanism for telephone
    number-based identities during call setup