STIR BOF Group H. Kaplan
Internet Draft
Intended status: Standards Track July 15, 2013
Expires: January 30, 2013
A proposal for
Caller Identity in a DNS-based Entrusted Registry (CIDER)
draft-kaplan-stir-cider-00
Abstract
This document describes a proposal for providing a database service
for authentication information for Caller-ID E.164 numbers,
nationally-specific number codes, and email-style names used in
communication requests (such as call setup, instant messages). The
model proposed uses a DNS service as a Registry for cryptographic
public-keys. The database service solution is called CIDER.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 15, 2013.
Kaplan Expires January 2014 [Page 1]
Internet-Draft CIDER July 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction..................................................3
2. CIDER Overview................................................4
3. Terminology...................................................6
3.1. New Terminology..........................................6
4. Background Information........................................8
4.1. Benefits and Drawbacks to Using DNS......................8
4.2. Relation to ITU and National Number Authorities..........9
4.3. Open Numbering Plans....................................10
5. Caller-ID vs. DNS Delegation and Authority Models............11
5.1. Email-style Registries..................................12
5.2. E.164 and Number Code Registries........................12
6. Assignee Roles and Actions...................................13
6.1. Key Agents and Third-Party Private Agents...............14
7. Using CIDER for Caller-ID Verification.......................15
7.1. CIDER DNS Client Requirements...........................15
7.2. Information Needed by the Caller-ID Verifier............16
7.3. Generating the CIDER DNS query..........................16
7.3.1 Query for Email-style Identity 16
7.3.2 Query for E.164-based Identity 16
7.3.3 Query for Number Code-based Identity 17
7.4. Processing the DNS Answer...............................17
8. DNS Binding..................................................18
8.1. Subdomain Namespace.....................................18
8.2. Resource Record Type for Key Storage....................18
8.3. TXT Record Format.......................................18
9. Security Considerations......................................19
9.1. Privacy of Assignee.....................................19
10. Open Issues.................................................19
11. IANA Considerations.........................................20
12. Acknowledgments.............................................20
13. References..................................................20
13.1. Normative References...................................20
Kaplan Expires - January 2014 [Page 2]
Internet-Draft CIDER July 2013
13.2. Informative References.................................20
Author's Address.................................................21
Appendix A. Possible Deployment Model...........................21
Appendix B. Requirements for a CAPP Mechanism...................23
1. Introduction
For many years the identity of the calling party (i.e., Caller-ID)
of voice communications has been made available to the callee, and
has been assumed to be generally accurate/reliable. Not only do end
users expect this to be the case, but also applications such as
calling-name (CNAM) services, call-back services, and voice-mail
account access, have depended on the validity of the Caller-ID.
Even some forms of call rate-control and Denial-of-Service (DoS)
attack prevention between service providers depend on valid Caller-
IDs. The ability to spoof Caller-IDs enables numerous fraud and
abuse scenarios.
Unfortunately, this problem already exists and is exacerbated by the
presence of Internet-based calling services. While a small volume
of Caller-ID spoofing has occurred for many years on the PSTN, it
was infrequent enough to handle through manual investigation, and
could be largely ignored as being merely isolated cases. Lately,
however, the frequency has increased to a point that national
regulators are becoming concerned (e.g., [fcc-doc]), the media have
been reporting on it, and service providers themselves have been DoS
attacked using invalid Caller-IDs.
There are several causes for the increase in Caller-ID spoofing: the
decrease in cost for making calls, the large number of inexpensive
products capable of generating spoofed Caller-IDs, and the growing
number of entry points/paths into the trust network upon which
Caller-ID reputability has always depended.
Spoofing a Caller-ID is possible because to-date there has been no
means to validate a Caller-ID; instead the assumption has been that
the received Caller-ID came from trustworthy upstream providers, in
a chain-of-trust based on the PSTN model. Some PBXs are also
allowed to generate whatever Caller-IDs they wish across PRI
circuits, based on the belief that they can be trusted due to the
relative cost, complexity, and physical hurdle of getting a PRI
trunk.
The original assumption of Caller-ID reputability that was based on
the PSTN trust model no longer holds. Therefore, in order to keep
Caller-IDs valid in a less trustworthy interconnection model, a
means of verifying Caller-IDs must be deployed that works with the
Kaplan Expires - January 2014 [Page 3]
Internet-Draft CIDER July 2013
model. Replacing the current PSTN-style interconnection model
itself is not realistic.
One approach for verifying Caller-IDs relies on public-key
cryptography, whereby the originator signs some information in the
call setup message using a private key, and the receiver verifies
the signature using the public key. For example the solutions
described in [RFC4474], [draft-4474bis], and [draft-ikes]. These
approaches are conceptually similar to those employed by [DKIM] and
[DMARC], which have been created to address a similar issue for
email.
Regardless of the solution used, there needs to be a way for:
(1) the originator to have a private/public key pair that is
trusted by everyone else to prove the originator can claim the
Caller-ID
(2) any receiver of the originator's message to be able to
retrieve the public key the originator used, and
(3) the receiver to verify the private key was used to sign for
the given Caller-ID
This document describes a model for achieving those needs. It does
so by using the Domain Name System [DNS], as a database for mapping
source identities to public keys with an authority structure. The
DNS tree nodes have no direct identifying information - they do not
identify the carrier or end-user that was assigned each E.164
number, for example. The general model and architecture is named
"CIDER".
2. CIDER Overview
At a high-level, CIDER provides a database infrastructure using DNS
for storing and retrieving public keys to authenticate source
identities in communication messages, for example SIP or XMPP
requests. Instead of being told by the message originator where the
verifier should get a full certificate and then having the verifier
check that the certificate is signed by a common trusted third-party
for the specific identity being claimed, CIDER retrieves the public
key directly from DNS and relies on the DNS authority model to
control authorization of the public keys for source identities.
CIDER currently covers three types of identities: international
E.164 numbers, nationally-specific number codes, and email-style
names. Each type uses a different anchor to its domain name, and
thus can be deployed in different ways. The DNS infrastructure used
for each may be the public DNS infrastructure, or local private DNS
instances populated with the same data. They can even be used in a
restricted "federation" model, whereby only specific entities have
access to the CIDER data: the public keys and other associated data.
Kaplan Expires - January 2014 [Page 4]
Internet-Draft CIDER July 2013
For domain-based identities, CIDER follows the [DKIM] model of using
each identity domain's DNS zone with a defined node name and key
selector to hold the public key. The DKIM "key selector" is called
a CIDER "key index" in this document, because it is syntactically
different. The subdomain node name prefixed to the source's domain
name is also different ("_cidkey" vs. "_domainkey"), and the TXT
Resource Record format is more constrained than DKIM's.
For E.164 numbers and number codes, CIDER uses a reverse-dotted
notation similar to ENUM for the DNS structure. The top of the
domain tree hierarchy (the anchor) for the E.164 and number code
entries is still TBD - it could be one single root anchor for all
country-codes, or it could be a different anchor per country-code or
geopolitical region or whatever.
In order to simplify discussion and explanation in this document,
the domain 'cid.example.org' is used to describe a common top-level
anchor domain for both E.164-based and number code-based identity
entries. In practice they could be different, with E.164 using
'cid.example.org' and number codes using 'cid.example.net', to have
separate authorities for E.164-based numbering vs. number codes.
The structure of CIDER's DNS hierarchy for the E.164-based and
number-code-based domains follows a reverse-dotted notation of the
E.164 numbering format, so that for example the +1 "country-code"
would be the subdomain '.1.cid.example.org', whereas that for the
+49 German country-code would be '.9.4.cid.example.org'.
Nationally-specific number codes would be prefixed with their
country-code, so that for example "911" in the North American
Numbering Plan country-code 1 would be the domain
"1.1.9.1.example.org".
The public keys in CIDER's DNS tree nodes have no direct identifying
information - they do not identify the carrier or end-user that was
assigned each E.164 number.
The public keys could be unique per E.164 number entry, or they
could be the same public key for all E.164 entries belonging to the
same end entity. This is purely an administrative choice of the
owner. For example a carrier that is assigned millions of E.164
entries might re-use the same public-key in all of them. Or it can
use one public key for every thousand E.164 numbers, or whatever.
It's up to the individual end-entities that were assigned the E.164
numbers to decide what to populate their assignee DNS identity entry
nodes with.
If an organization explicitly desires to make itself known, it can
put its name into some to-be-defined DNS Resource Record for its
Kaplan Expires - January 2014 [Page 5]
Internet-Draft CIDER July 2013
E.164 number identity entry node; such may be the case for corporate
1-800 numbers, for example. The organization can decide, on a
number-by-number basis, whether to make itself known or not for that
E.164 number in the CIDER DNS tree.
It should be noted that although the public key entries installed in
the CIDER DNS tree are unique for every E.164 number (or group of
numbers), they do not need to be maintained/stored by the
organizations that uploaded them. Unlike credentials used with
SSL/TLS, for example, the public keys are not transmitted by their
servers to client hosts using certificates; rather, the keys are
only retrieved by the verifiers when validating the Caller-ID
signatures, and that's done through DNS. The signers themselves
only need to know the private key, to which the public key is paired
to for any given E.164 number. Furthermore, the originators can use
the exactly the same private key for every E.164 number they sign
for, by uploading the same public key into every E.164 node they are
assigned in the CIDER DNS.
3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119. The
terminology in this document conforms to RFC 2828, "Internet
Security Glossary".
It is assumed the reader is already generally familiar with E.164
numbers, Public-key cryptography concepts, Domain Name System (DNS),
and DNS Security (DNSSEC).
This document uses the term "identity" instead of "identifier" with
regards to verifying source identity. The reason for this is that
it is not the syntactic encoding of an E.164 digit string, number
code, or email-style name that are being verified - it's the
canonical E.164 phone-number, number code, or email-style name
that's being verified. In other words CIDER is used for verifying a
logical entity, not a specific representation; and the logical
entity is not a specific human user or SIP agent/device, but rather
a phone-number or number code or email-style name.
3.1. New Terminology
Caller-ID: the identity of the originator of a communications
request; for example the From header field in a SIP INVITE call
setup request or MESSAGE instant message request.
Kaplan Expires - January 2014 [Page 6]
Internet-Draft CIDER July 2013
E.164 number: a phone number in international E.164 format, which is
understood by the originating and receiving entities to represent a
globally unique number. This definition includes numbers that are
not technically "E.164" numbers, such as toll-free 1-800 numbers in
North America.
Number code: a nationally-specific number which is not representable
as an E.164 number. Examples of number codes include two or three
digit emergency service numbers, N11-type numbers in NANP, and
inter-carrier common short codes.
Email-style name: a 'user@domain' format identifier, for which the
user portion is scoped to the domain portion, and the domain portion
is a classic, public domain name; removing or changing the domain
portion would fundamentally change the identity of the user.
Source identity: the E.164 number, number code, or email-style name
used for identifying the originator of a message to the receiving
user; i.e., the identity used for "Caller-ID".
Identity entry: the DNS name entry representing an E.164-based
number, nationally-specific number code, or email-style domain name.
CIDER Registry: an instance of a DNS hierarchy used for storage and
retrieval of public keys for source identities. A CIDER Registry
may be for an entire E.164-based country-code tree, or just for
portions of one, or just for a single domain name.
CIDER Registrar: the organization that owns, manages, and is
authoritative for a CIDER Registry.
CIDER Assignee: the organization/entity that the CIDER Registrar
allows to populate specific identity entries with public key data,
can grant/rescind Key Agents, and permanently transfer ("donate")
the identity entry to another Assignee. This could be a carrier or
service provider for E.164 numbers, for example.
Key Agent: an organization/entity that the CIDER Assignee grants
access to upload public key data only, for one or more of the
Assignee's identity entry nodes. This could be an Enterprise or
service provider customer of a carrier, for example.
Third-Party Private Agent: an organization/entity that can upload
public key data for an identity, but not directly to the Registry -
only via a true CIDER Assignee, and thus the Registrar knows nothing
about the Third-Party Private Agent. This could be an Enterprise or
end-user, for example.
Kaplan Expires - January 2014 [Page 7]
Internet-Draft CIDER July 2013
4. Background Information
4.1. Benefits and Drawbacks to Using DNS
A database model to hold public keys used for caller-id verification
could be accessed using a protocol other than DNS. Examples include
HTTP, LDAP, or even DIAMETER. CIDER uses DNS for the following
reasons:
o The DNS architecture has demonstrated massive intrinsic
scalability, by allowing branches of the database tree to be
run on separate physical servers and separate, independent
adminsitration.
o The DNS protocol is extremely efficient, with no extra round-
trip delays creating connections or resolving hostnames.
o The DNS protocol allows tight control over retransmission
timers and timeout behavior from the application layer, because
it runs on UDP.
o The DNS protocol has well-established practice for highly
effective geographic redundancy techniques, such as through
anycasting because it runs over UDP.
o The DNS protocol has well-established and effective caching in
local servers, and techniques are available to have local
copies of a DNS tree.
o The DNS protocol and architecture provide a seamless, global
service, but have well-established and highly effective
practice for delegation of authority, which is useful for
country-code level separation of authority for E.164 numbers
and nationally-specific number codes.
o The DNS protocol already defines the encoding syntax and
semantics for many of the functions needed.
o DNS is already used very widely by services employing DKIM for
email signing/verification for a similar purpose as would be
needed for email-style domain-based caller-id identities.
o Some service providers already use DNS for Private ENUM for
CNAM, number portability, and communication request routing
purposes.
o Virtually all clients/hosts have DNS querying capabilities
today; and there are many DNS server vendors, including a
widely popular open-source implementation (BIND).
There are some drawbacks to using DNS, however:
o DNS typically uses UDP, so if the query or response are larger
than the MTU size between the client and server, fragmentation
will occur. The base DNS maximum message size is 512 bytes,
but CIDER requires [EDNS0] be used, which allows larger message
sizes; so the real issue is for message sizes over ~1460 bytes.
The current CIDER entries would not typically be that large,
even if DNSSEC is being used.
Kaplan Expires - January 2014 [Page 8]
Internet-Draft CIDER July 2013
o Deploying a private registry using DNS is more complicated
because it runs over UDP and has no defined mechanism to
enforce access control on the queries. Private and federated
DNS has been deployed, but it usually requires using private IP
Addresses and VPN-style access to the servers.
o The DNS query model does not support providing a different
resource record(s) for different querying agents. In other
words, it does not give a different answer depending on who
asks the question. There are widely-used work-around behaviors
for this today, but they are not standardized.
o No changes to the underlying DNS protocol are envisioned.
Should they be needed, some members of the IETF treat the DNS
protocol, architecture, and its instantiation in the public
Internet for domain name resolution, all as one monolithic,
inter-dependent usage. Therefore, any changes required of the
protocol have to also work for the Internet domain name
resolution infrastructure as rooted-in/controlled-by
IANA/ICANN. Even if a DNS extension were created for purely
private use, the IAB has essentially stated they fear the
public domain name infrastructure is so brittle that it would
collapse if the extensions were accidentally sent to a public
DNS server.
[Note: If the STIR Working Group decides future extensions to the
DNS protocol would be needed, there is a way to achieve this: we
could copy the DNS RFCs into new documents, give the protocol a new
name ("NDNS" for "Not DNS"?) and a new default UDP port number other
than 53. Such a concept seems silly, but it would give us the same
benefits without the drawback of having to worry about "The DNS"
collapsing due to a few unexpected bytes in a query packet.]
4.2. Relation to ITU and National Number Authorities
A concern has been raised that using E.164 numbers in a DNS
hierarchy would be problematic because the ITU should be responsible
for delegating E.164 country-codes, and national authorities should
be responsible for managing their country-code numbers. The fear is
that deploying CIDER without the ITU and national authorities
approving and managing it would lead to claims of inappropriate
subverting of the E.164 numbering system; or fears that for CIDER to
work correctly would require such approval and management.
This document section explains why such concerns are either
unfounded, or apply equally to any database model used for caller-id
verification of E.164 numbers, whether it be DNS or otherwise.
With regards to approval, there is already precedent for the IETF to
use names defined by other organizations in DNS: the top-level
Kaplan Expires - January 2014 [Page 9]
Internet-Draft CIDER July 2013
country domain names are based on a list defined by ISO, for
example.
With regards to subverting the E.164 numbering system, this document
makes no claim that a specific CIDER registry, or top domain root
for it, is in fact authoritative for the E.164 number space. In
fact, although this document uses the term "E.164" to describe the
tree structure and assignment model, all that is truly described is
how a DNS domain may create subdomain names with Resource Records
that could be used by others to retrieve public keys. It is up to
the users of the registry/domain to decide whether to believe it
represents E.164 numbers, and to use it for identities in call-
control scenarios. The same CIDER model could be used, for example,
to deploy a public key storage/retrieval mechanism for a private
phone-numbering plan; or even digit-based names that have nothing to
do with phone numbers, such as Autonomous System numbers or
Enterprise OIDs.
The CIDER service described in this document does not dictate who
will be registrars, although existing authorities and operators
might be reasonable candidates. All CIDER needs, however, is for
some organization to manage the domain tree for a given E.164-based
namespace, to decide what entities get to populate the public key
entries for its branch nodes, and for verifiers to use that
organization's domain tree for retrieving the public keys and trust
them to be correct. In other words, any organization can be the
Registrar and create its own CIDER DNS registry with its own domain
as the anchor of the tree, and so long as both signers and verifiers
use that organization's registry and it is accurate, then CIDER
works.
This is no different than what occurs for the web-pki model of
third-party Certificate Authorities (CAs). If you trust a CA, then
you trust that the certificates it signs are for the domain/host
names contained in the certificate, even though CAs are not
authoritative for DNS domain name assignments. The IETF has a
mechanism for tying web-pki certificates to the actual authority of
DNS names: DANE is that mechanism; but without DANE verification,
the web-pki model is purely based on trusting the CAs to be accurate
with regards to domain/host name assignments. Therefore, any
caller-id verification model that is not ultimately controlled by
the numbering authorities for the E.164 number space would have the
same issues as CIDER.
4.3. Open Numbering Plans
The E.164 number model is technically an open numbering plan,
meaning it does not specify a fixed number of digits. In some
countries, the national numbering plan has a fixed number (e.g.,
Kaplan Expires - January 2014 [Page 10]
Internet-Draft CIDER July 2013
North America does), but in others it is left open (e.g., Germany).
For CIDER, this has implications if the source identity could be
more digits than the CIDER Registrar knows about and has granted
upload access to a CIDER Assignee for.
For example, in Germany not only is the numbering plan open, but the
number assignment model is as well: an Enterprise is given a single
phone number, and the Enterprise can then add a variable number of
digits at the end for their specific lines/users. For routing
purposes, the carriers only need to route on the assigned number
portion, and the Enterprise's PBX can route the final leg to the
user based on the whole number.
If the Enterprise can also claim the longer number sequence as a
caller-id, but the CIDER Registrar only has entries for the assigned
portion, then verification will fail.
This document does not specify a solution to this problem, but
leaves it as an open issue to be decided upon. There are at least
two potential solutions we can choose from:
o CIDER could specify that Assignees can upload information to
create subdomains within their assigned E.164 identity entry
node. For example, let the Enterprise notify the carrier of
the extra digits and their public keys, and the carrier in turn
uploads it to the Registry.
o We could require the SIP/XMPP/SS7 message information include
the number of significant digits to use, so that CIDER is only
queried for the assigned number portion; and have the TXT RR
for the assigned number indicate that it's an open number.
5. Caller-ID vs. DNS Delegation and Authority Models
The concept of delegation and authority is somewhat confusing when
referring to CIDER, because the terms are used in two different
ways: one is the delegation and authority model of DNS
subdomains/zones, and the other is delegation and authority model
for caller-id identities and their public keys.
CIDER makes a clear distinction between which entities are allowed
to provision public keys into specific entries in the CIDER
Registry, versus which entities own, control, administer and are
authoritative for the DNS domains/zones in the hierarchy of the
Registry.
In other words, the CIDER Registry is split into two distinct
aspects: the entities that own the Registry and thus the DNS
domains/zones used to access those public keys, and the entities
that are assigned rights to upload public key information for their
Kaplan Expires - January 2014 [Page 11]
Internet-Draft CIDER July 2013
assigned identity entries in the DNS-based Registry. The former are
called "CIDER Registrars", and the latter are "CIDER Assignees".
5.1. Email-style Registries
For email-style domain-based identities, CIDER uses the DKIM model
of storing and retrieving the public keys from the identity domain's
DNS zone. For example, if the source identity is
"alice@example.com", then the DNS zone "example.com" is used, and
thus uses the supplied domain name, to follow the typical DNS
delegation and authority model for its contents. Each domain is
thus it own CIDER Registrar as well as its own CIDER Assignee, and
there is no distinction between the delegation and authority model
for DNS versus the caller-id identities and public keys.
If a domain owner wishes to allow another entity to use its domain
name for caller-id verification, however, the owner can follow the
same model as that defined in the next section for E.164 and number
code registries. For example, if "example.com" wishes to allow a
contracted third-party company to generate calls using
"example.com", it can continue to be the CIDER Registrar for
"example.com" and make the other company a CIDER Assignee for it as
well.
5.2. E.164 and Number Code Registries
For E.164 and number codes, the details for delegation and authority
are separated. There is a CIDER Registrar which is the DNS
authority for domains/zones/nodes, and the Registrar allows CIDER
Assignees to upload public keys into specific identity entry nodes
representing the E.164/number-codes.
While it is tempting to consider using the DNS subdomain delegation
model for delegating DNS zones for specific E.164-based ranges or
specific numbered entries to the carriers or end users to which the
numbers are assigned. CIDER does not depend on such a DNS
delegation model, and in fact it is expected such a DNS delegation
model will not be used in practice; this is due to both the need to
maintain privacy of who the carrier or end-user is for each number,
and because the number portability behavior in some national
numbering plans would make such a model untenable.
For example, from a DNS and DNSSEC perspective, the DNS zone
authority for each of the subdomains within 'cid.example.org' (the
country-code CIDER Registrars) could be the national numbering plan
administrator for each country-code, possibly determined by the ITU
to be authoritative for the anchor 'cid.example.org'.
Kaplan Expires - January 2014 [Page 12]
Internet-Draft CIDER July 2013
Below the country-code level domain, each nation and national number
authority can decide how they choose to delegate DNS zone authority,
or not to. There is no requirement to delegate out DNS zone
authority below the national country-code level whatsoever, nor any
prohibition from doing so; the country-code authority can be the DNS
authority for the entire E.164 number space of DNS domains/nodes
under their country-code level. [Note: for North America, the DNS
delegation could be separated by area-codes; to give Canada's area-
codes a different authority from those in the USA, for example]
In fact, having a single DNS authority might have some advantages:
it prevents people from learning how many numbers each carrier has,
and it reduces the time for caller-id verification because the
DNSSEC authority signing chain is shorter. Since most calls are
national calls, the verifying systems can use a local cache of the
national numbering administrator's certificate to verify the
certificate of most E.164 caller-ids.
The important distinction is that it does not matter who manages the
CIDER DNS registry for a given country-code - what's important is
that the CIDER Registrar allows the entities which are assigned the
E.164 numbers (the CIDER Assignees) to upload their public keys into
their respective E.164-based nodes.
For example the CIDER Registrar can allow a SIP service provider to
be the Assignee for a set of the Registry's E.164 entries, so that
the service provider can upload the public keys it wishes to use for
its caller-ids. From a DNS perspective, however, the Registrar is
still the singular authority of the DNS zones/nodes for those E.164-
based nodes. The domain tree and its zones/nodes "belong" to the
Registrar from a DNS perspective.
6. Assignee Roles and Actions
As explained previously, CIDER creates a distinction between the DNS
authority (the CIDER Registrar) vs. an entity allowed to upload
public keys (the CIDER Assignee).
For every identity entry in the DNS tree (i.e., leaf node), the
Registry has one and only one CIDER Assignee. The Assignee may be
the Registrar itself, as would usually be the case for email-style
domain-based identity CIDER Registries for example. For E.164-based
identities, the Assignee probably is the service provider/carrier
assigned the number by the national numbering authority for the
given country-code.
The Assignee has controlled access to the Registry for performing
the actions it can take. This may be through a web portal, or even
via email or fax; if the STIR Working Group decides to continue with
Kaplan Expires - January 2014 [Page 13]
Internet-Draft CIDER July 2013
CIDER, however, the author strongly recommends that a specific
protocol be defined for this purpose in another document: a CIDER
Assignee Publishing Protocol (CAPP). For example, CAPP could be
either an HTTP/SOAP/XML or HTTP/REST type protocol. CAPP would be
useful for DKIM and DNS in general, and as an alternative for
Dynamic DNS [DDNS]. Requirements for CAPP are given in Appendix B.
An Assignee can add, modify, or remove public key entries from its
identity node(s) in the Registry, and thereby affect the available
TXT RR entries. Depending on how open numbering assignment is
handled (currently an open issue in this document), the Assignee
might be able to add, modify, or remove subdomain/additional-digit
identities below the one the Registrar granted it access to, if the
Registrar allows it.
If the Registrar allows it, an Assignee can permanently transfer
control of its identity node to another Assignee, which is called
"donating" its identity in this document. Such would be the case
for number porting in certain countries, for example.
An Assignee can also grant/rescind access to Key Agents for its
identity entries(s), if the Registrar supports such a model, as
described in the next section.
6.1. Key Agents and Third-Party Private Agents
One of the use-cases a Caller-ID verification mechanism needs to
support is that of enabling a third-party to assert someone else's
Caller-ID for outbound calls/communications. An example of this
need is outsourced call-centers making calls on behalf of a company,
or even a doctor using her personal mobile phone to make calls with
her medical office's number as her Caller-ID.
CIDER supports this in two ways: by either having the CIDER
Registrar support an Assignee and one or more designated Key Agents
for the same identity entry, or by having the Registrar only know
about the CIDER Assignee and having the third-parties upload their
public keys through the Assignee as Third-Party Private Agents.
The difference between a Key Agents and Third-Party Private Agents
is one of involvement with the Registrar and Registry. If a
Registrar supports Key Agents, then the Assignee has to grant this
role, and the Registrar has to know about them, have credentials for
them, etc. With Third-Party Private Agents, however, the Registrar
knows nothing about it - the third-party uploads public keys to the
Assignee directly (e.g., using CAPP), which then uploads them to the
Registry in the same manner as its own public keys (again using
CAPP).
Kaplan Expires - January 2014 [Page 14]
Internet-Draft CIDER July 2013
From a Caller-ID verifier's perspective - from the data it can view
in the retrieved Resource Records - there is no difference between
Assignee, Key Agents or Third-Party Private Agents. In fact the
verifier can't even discern who the Assignee is.
7. Using CIDER for Caller-ID Verification
CIDER specifies a key retrieval mechanism The mechanics of Caller-ID
verification that use the key is left for definition by a separate
document. One example of such a mechanism is defined in [draft-
ikes]. This section defines the information a verifier CIDER client
needs in order to retrieve the appropriate public key for a
verification mechanism, and how the retrieval is performed.
7.1. CIDER DNS Client Requirements
A Caller-ID verifier acting as a CIDER DNS client MUST implement DNS
over UDP using [EDNS0] in order to handle message sizes larger than
512 bytes. The client MUST be prepared to receive DNSSEC responses,
unknown RRs, etc.
If the verifier supports email-style identities, it MUST be able to
query DNS servers which resolve public Internet DNS names.
If the verifier supports E.164-base identities, it is RECOMMENDED
that the client be configurable to use different DNS server(s) for
this purpose, separate from the one(s) used for other identity
types. The client SHOULD also support being configurable for using
a different anchor domain name for this purpose, separately from the
one used for number code identities.
If the verifier supports number code-based identities, it is
RECOMMENDED that the client be configurable to use a different DNS
server(s) for this purpose, separate form the one(s) used for other
identity types. The client SHOULD also support being configurable
for using a different anchor domain name for this purpose,
separately from the one used for E.164-based identities.
The client MAY be a recursive resolver, but it is strongly
RECOMMENDED that it be a stub resolver and allow the DNS servers to
resolve on its behalf. Otherwise, it will be difficult to use such
a client in access-restricted CIDER deployments, such as private or
federated ones. For example if the CIDER Registry is a private one
for one or more nations. (see Appendix A)
Kaplan Expires - January 2014 [Page 15]
Internet-Draft CIDER July 2013
7.2. Information Needed by the Caller-ID Verifier
For CIDER to function properly, a Caller-ID verifier needs to know
the following information:
o The source identity value
o The source identity type: domain-based, E.164-based, or number
code-based
o The public key index value
The public key index value identifies which of several possible
public keys for a given source identity should be used for verifying
the message.
The source identity value need not be the whole source identity as a
URI or 'user@domain' string - it only needs to be the information
used for the CIDER query as defined in the next section.
7.3. Generating the CIDER DNS query
In order to generate a CIDER DNS query, the CIDER verifier performs
slightly different actions depending on the source identity type, as
defined in these sections.
7.3.1 Query for Email-style Identity
For an email-style source identity, the verifier CIDER client takes
the 'user@domain' string and ignores the "user@" portion. The
remaining domain name becomes the base of the DNS query key. The
verifier prepends the CIDER public key index value as a subdomain,
followed by the subdomain "_cidkey", in front of the domain name.
For example, if the source identity being verified is
"alice@example.com" with a public key index value of 3, the DNS
query key becomes "3._cidkey.example.com".
The verifier then issues a DNS query with the above query key to the
public Internet DNS.
7.3.2 Query for E.164-based Identity
For an E.164-based source identity, the verifier CIDER client takes
the international E.164 digit string, removes any leading '+' or
visual separators, puts dots (".") between each digit, and reverses
the order of digits. The verifier then appends the E.164-based
CIDER Registrar domain name to the end, and prepends the CIDER
public key index value as a subdomain, followed by the subdomain
"_cidkey".
Kaplan Expires - January 2014 [Page 16]
Internet-Draft CIDER July 2013
For example, if the source identity being verified is "+16035551010"
with a public key index value of 2, and a CIDER Registrar domain for
the country-code 1 of "1.cid.example.org", then the DNS query key
becomes "2._cidkey.0.1.0.1.5.5.5.3.0.6.1.cid.example.org".
The verifier then issues a DNS query with the above query key to
either the public Internet DNS, or to the DNS server provisioned for
such a purpose.
7.3.3 Query for Number Code-based Identity
For a nationally-specific number code-based source identity, the
verifier CIDER client takes the number code digit string, prepends
the country-code the number code is nationally-specific for, puts
dots (".") between each digit, and reverses the order of digits.
The verifier then appends the Number-code CIDER Registrar domain
name to the end, and prepends the CIDER public key index value as a
subdomain, followed by the subdomain "_cidkey".
For example, if the source identity being verified is "911" for the
country-code 1, with a public key index value of 2, and a Number-
code CIDER Registrar domain of "cid.example.org", then the DNS query
key becomes "2._cidkey.1.1.9.1.cid.example.org".
The verifier then issues a DNS query with the above query key to
either the public Internet DNS, or to the DNS server provisioned for
such a purpose.
7.4. Processing the DNS Answer
Based on the DNS binding format defined in Section 8, a successful
CIDER DNS query will produce a DNS answer with a TXT RR as defined
in Section 8.3. The verifier needs to parse the TXT RR, to verify
the version is "CIDER1", the key-type is "rsa" or some token the
verifier understands, and to base64 decode the public key data.
If the version is not "CIDER1", or the key-type is not one the
verifier understands, or the public key cannot be decoded or is not
of a key size the verifier supports, then the verifier should treat
it as a failure. If the public key is empty, the verifier should
treat it as a failure. If the DNS answer is 'not found', the
verifier should treat it as a failure. If the DNS query times out,
the client should try any alternate servers it is provisioned for;
if there are no more, it should treat it as a failure.
The action to take for a CIDER query failure is dependent on local
policy and not defined in this document.
Kaplan Expires - January 2014 [Page 17]
Internet-Draft CIDER July 2013
8. DNS Binding
A binding using DNS TXT records as a key service is hereby defined.
All implementations MUST support this binding.
8.1. Subdomain Namespace
All CIDER keys are stored in a subdomain named "_cidkey", with a
node name of the key index value. Given an email-style source
identity of "alice@example.com" and a key index of "3", the DNS
query will be for "3._cidkey.example.com". Given an E.164 source
identity of "16035551010" and a key index of "1", the DNS query will
be for "1._cideky.0.1.0.1.5.5.5.3.0.6.1.cid.example.org". Given a
nationally-specific number code for "911" in the North-American
Numbering Plan region (country-code 1), and a key index of "6", the
DNS query will be for "6._cidkey.1.1.9.1.cid.example.org".
8.2. Resource Record Type for Key Storage
The DNS Resource Record type used in this specification is a TXT
Resource Record (RR). A later extension of this standard may define
another RR type.
Strings in a TXT RR MUST be concatenated together before use with no
intervening whitespace. TXT RRs MUST be unique for a particular key
index value; that is, if there are multiple records in an RRset, the
results are undefined.
8.3. TXT Record Format
The TXT RR used for the CIDER key MUST follow the format specified
in this section, in order to provide future extension capability.
No whitespace is allowed in this format, and all values are case-
sensitive. The format is based on the following ABNF:
txt-record = version-param SEMI key-param [ SEMI txt-param ]
version-param = "v=" "CIDER1"
key-param = key-type SEMI key-data
key-type = "k=" ("rsa" / hyphenated-word)
key-data = "p=" DQUOTE [ base64 ] DQUOTE
The version identifies the TXT record content syntax and semantics,
which for this document is defined as "CIDER1".
The key-type identifies the CIDER public key's (the "p=" value)
type, which for this specification uses the "rsa" key type to
indicate that an ASN.1 DER-encoded [ITU.X660.1997] RSAPublicKey
[RFC3447] is being used in the key-data's value. Future
Kaplan Expires - January 2014 [Page 18]
Internet-Draft CIDER July 2013
specifications may define other key types by assigning thi field a
different value, but still using the "CIDER1" version.
The key-data identifies the CIDER public key value, in base64
encoded form. An empty value (the literal string 'p=""'), means the
public key for this index is not usable or has been explicitly
revoked as opposed to simply removed. This might be useful if the
CIDER DNS authority wishes to prevent use of a specific key index
node entry for some time period of time by having an essentially
empty TXT RR, as opposed to deleting the entry and re-using it when
the next public key is uploaded by the assigned party.
9. Security Considerations
The same security considerations as described in [DKIM] apply to
CIDER; in particular Sections 8.2, 8.3, 8.4, 8.6, and 8.7 of [DKIM].
9.1. Privacy of Assignee
For E.164-based CIDER Registries, privacy of assignee is a concern.
The concern stems from the need to keep the assignee of an E.164
number unknown in general - to prevent simple scripts from being
used to walk the CIDER DNS tree and learn what E.164 numbers are
assigned to which carrier, for example. An example of why this
needs to remain private is that using such knowledge one could learn
how many subscribers a publicly-traded mobile provider has gained or
lost in a quarter, and be able to buy or sell stock based on such
knowledge in advance of the provider's quarterly-reported
statements.
Such information could be easily learned if only one a few public
keys are used by a carrier for all of its numbers in the CIDER
Registry. To defend against such abuse, it is strongly RECOMMENDED
that assignees only re-use the same public key for a limited number
of CIDER entries. For example a large assignee might use the same
public key for a thousand or ten thousand of its E.164 numbers.
It should be noted that this security concern is not specific to
using DNS - any open-access database protocol would be vulnerable to
a script querying all entries. Controlled-access databases would be
of less concern, but CIDER can also be used in a controlled-access
model.
10. Open Issues
- How to handle open numbering plan assignment country-codes.
Kaplan Expires - January 2014 [Page 19]
Internet-Draft CIDER July 2013
11. IANA Considerations
This document makes no request of IANA yet.
12. Acknowledgments
The general concept of using DNS in an ENUM model for caller-id
verification has been discussed in the IETF for many years. Thanks
to Dave Crocker for pointing out the DKIM similarities and usage,
and for reviewing the draft in detail.
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
13. References
13.1. Normative References
[EDNS0] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
2671, August 1999.
[DDNS] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000.
[ITU.X660.1997] "Information Technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules (DER)",
ITU-T Recommendation X.660, 1997.
[RFC3447] Jonsson, J., and Kaliski, B., "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications Version
2.1", RFC 3447, February 2003.
13.2. Informative References
[fcc-doc] http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-11-
1089A1.doc
[draft-ikes] Kaplan, H., "An Identity Key-based and Effective
Signature for Origin-Unknown Types", draft-kaplan-stir-ikes-
out-00, July 2013.
[RFC4474] Peterson, J., and Jennings, C., "Enhancements for
Authenticated Identity Management in the Session Initiation
Protocol (SIP)", RFC 4474, August 2006.
[draft-4474bis] Peterson, J., Jennings, C., and Rescorla, E.,
"Authenticated Identity Management in the Session Initiation
Kaplan Expires - January 2014 [Page 20]
Internet-Draft CIDER July 2013
Protocol (SIP)", draft-jennings-dispatch-rfc4474bis-00, May
2013.
[DKIM] Allman, E., et al, "DomainKeys Identified Mail (DKIM)
Signatures", RFC 4871, May 2007.
Author's Address
Hadriel Kaplan
Email: hadrielk@yahoo.com
Appendix A. Possible Deployment Model
In order to understand how CIDER could work in the real world, this
section provides an example of how CIDER could be deployed in the
North American Numbering Plan (NANP). This was chosen for the
example because the NANP is one of the most complicated numbering
models in the World: it has 24 member countries and territories,
full number portability for both fixed and mobile line numbers in
certain countries, separate numbering authorities (e.g., CRTC/CNA
and NANC/NANPA), and multi-tiered numbering assignment/delegation
behavior.
Today, the entire +1 NANP is administered by the North American
Numbering Plan Administrator (NANPA), but certain functions are
handled by separate organizations: the Canadian Number Administrator
(CNA) handles certain functions for Canadian area-codes, for
example, and the USA and Canada each have a separate administrator
for their respective number portability databases. Within each
country, numbers are officially assigned in blocks to legally-
authorized carriers, who then (unofficially) assign them to their
customers: non-carrier service providers, enterprises, and
consumers. For the countries in NANP that support number
portability, the original carrier "donates" the ported number to
another carrier, and the number portability database is updated with
a mapping of the ported number to an assigned switch number: the
Location Routing Number (LRN). Numbers are not portable across
countries within the NANP, and are not portable in certain cases
even within a country.
One way CIDER could be deployed in the NANP is by having NANPA be
the CIDER Registrar for the country-code 1 top domain, and delegate
DNS domains for country-specific area-codes to their respective
country administrators. For example, NANPA could be the CIDER
Registrar for '.1.cid.example.org', but then delegate authority of
the DNS subdomains '.4.0.2.1.cid.example.org',
Kaplan Expires - January 2014 [Page 21]
Internet-Draft CIDER July 2013
'.6.3.2.1.cid.example.org', etc., (representing the Canadian area
codes 204, 236, etc.) to the CRTC/CNA if they wish it. Thus the
CRTC/CNA would be the CIDER Registrar for those area-code branches
of the number tree.
An alternative would be to have a private organization be the CIDER
Registrar for the +1 country-code using its own domain for the
Registry, such as '.1.example.org'. This would only be useful if
carriers/service-providers agreed to use this Registry, of course,
but this might make sense as a way to get the effort started and
eventually transition it over to NANPA.
One specific model for who the Registrar could be would be to use
the same administrator as that used for number portability.
Currently the US-based FCC selects a company to run the NPAC (Number
Portability Administration Center) for the US, and the CRTC selects
one for Canada; they could contract the CIDER Registrar role to the
same companies they contract number portability administration to.
This has some obvious benefits, but also some drawbacks with regard
to federal regulatory involvement and monopoly-type power/position
for the contracted vendor(s).
Regardless of whom the Registrar is and what the Registry top domain
name is, the officially assigned carriers for numbers would be
designated as the Assignees of their respective number identity
nodes. They can upload public keys for those number nodes, in order
to perform the role of caller-id signers. When they assign numbers
to their customers, they could either add them as Key Agents in the
Registry, or handle them as Private Agents, as described in Section
6.1. In practice, it's likely they would only add their customers
as Key Agents if the "customers" were service providers, but
otherwise handle customers as Third-Party Private Agents.
When a number is ported from one carrier to another, the Assignee
carrier would transfer assignee control by "donating" their identity
to the other carrier, as described in Section 6. This would need to
occur at the same general time as porting the number in the number
portability databases, and would need to take effect within 15
minutes.
Having a defined protocol between the Assignee and the Registry, for
publishing the keys into identity nodes, would help this process
greatly. This would be implemented in the same carrier back-office
systems that are used today for number porting, for example.
From a DNS query access perspective, it is likely that the CIDER
Registry for NANP begin as a private database model. Only
authorized entities would be able to query the CIDER Registry,
Kaplan Expires - January 2014 [Page 22]
Internet-Draft CIDER July 2013
either using IPSEC/VPN-style access, or by having each carrier have
a local read-only copy of the CIDER Registry.
Most carriers would likely have such local copies of the Registry,
in servers they deploy within their core call control network, to
reduce verification time and control availability/reliability. All
500 million current NANP numbers instantiated in a CIDER Registry
would fit in ~500GB, which even laptops have sufficient storage for.
It would only take two or three modern high-end servers to fit it
all in *RAM*, let alone hard-drive/flash.
For carriers to have local copies of the Registry, they could use
[AXFR], [IXFR], and [DNS-NOTIFY]; or a more-efficient protocol could
be defined for this purpose. Modern DNS servers offer more than
just the legacy DNS-based zone transfer/update protocols, and the
newer protocols could be investigated for re-use for CIDER local
copying.
If each national CIDER Registry is not publicly accessible for DNS
querying on the public Internet, this causes some issues for
international call scenarios. The goal of CIDER is to enable
caller-id verification even for international calls/communications.
This is still achievable, however, because there aren't that many
country-codes and national numbering plans - there are approximately
~160 such in the World.
Therefore, it is reasonable for each national CIDER Registry to have
a private, controlled connection to every other national Registry,
creating a full mesh of connections. The private connections could
be used to either provide server resolution of private DNS queries
on behalf of the local nation's carriers' verification clients, or
for the local nation's Registrar to itself have a local copy of the
CIDER Registry of other nations, using the same protocol mechanics
as the carriers use for their local Registry copies. Even 10
Billion number entries in a CIDER Registry read-only database would
only consume ~10 Terabytes of storage, which is achievable for
reasonable cost today. In practice, each national Registry would
likely use a hybrid model: performing DNS queries to nations that
are infrequent callers, while having local copies of Registries of
frequent calling nations.
Appendix B. Requirements for a CAPP Mechanism
In order for CIDER to be usable in large scale across many carriers,
there needs to be a defined protocol for how CIDER Assignees perform
their allowed actions to the Registry. This document describes such
a protocol as CIDER Assignee Publishing Protocol (CAPP), and this
section gives the requirements for such a protocol, as input to
Kaplan Expires - January 2014 [Page 23]
Internet-Draft CIDER July 2013
another document to specify the CAPP protocol itself. Some of the
requirements are based on the actions described in Section 6.
Requirements for CAPP:
o It must support the add, modify, and delete actions for CIDER
identity node data.
o It may only support handling the data in an opaque/blob
manner. For example CAPP may only support uploading a TXT RR
text string, instead of explicitly handling the public key
value, version, and key type as discrete elements. This way
it's not specific to CIDER usage.
o It should support the add, modify, or delete actions for other
DNS Resource Record types, or at least be extensible to do so
in the future. This would allow non-CIDER usage, as well as
allow extending CIDER for other number mapping use-cases: such
as CNAM, number portability, or request routing purposes.
o When adding new public key data (or a new TXT RR), it should
be possible for the Assignee not to specify the key index
(i.e., subnode) value for the new record, and instead for the
server to return the new value it allocates. This is useful
for Third-Party Private Agent model, where the Third-Party may
not know the next available index value to use.
o It should support a means of adding new data and returning the
new key index value in separate transactions - or at least in
some manner that allows for multiple minutes of time to pass
between the addition of data and returning of new index value.
o When adding new data, it must allow the Assignee to define an
expiration time for the data. This is useful for the Third-
Party Agent model described in Section 6.1, for example.
o It must allow the Assignee to permanently transfer the
Assignee role to another party, called "donate" in this
document.
o It should allow the Assignee to grant/rescind another entity
the role of Key Agent for a given identity entry node,
permanently or with an expiration time.
o It must support an action/transaction model that allows for
database atomicity, consistency, isolation, and durability
(ACID).
o It should provide a means for the Assignee to add or modify
multiple identity node entries using one TXT RR (or one public
key) in one transaction. This is a useful optimization for
carriers that have millions of numbers, and re-use public keys
across them. To support ACID more easily, however, this might
be done using an indirection model.
o It must specify distinct failure and error results, in a
machine-consumable fashion.
o It must support a means of logging each transaction
(action/result) on both the client and server side such that
both sides can easily reference the same event; for example by
Kaplan Expires - January 2014 [Page 24]
Internet-Draft CIDER July 2013
encoding transaction identifiers and timestamps in the CAPP
protocol messages.
o It must support a means for the Registry server to
authenticate a client Assignee; for example using credentials
of a username/password digest-challenge model.
o It must support a means for the client Assignee to
authenticate the Registry server; for example by using TLS
server-side certificates.
o It must support a means of preventing eavesdropping and
repudiation, for example by using TLS.
Kaplan Expires - January 2014 [Page 25]