Network Working Group                                        J. Peterson
Internet-Draft                                                   NeuStar
Expires: December 30, 2002                                  July 1, 2002


   Enhancements for Authenticated Identity Management in the Session
                       Initiation Protocol (SIP)
                     draft-peterson-sip-identity-01

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 30, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   The existing mechanisms for expressing identity in the Session
   Initiation Protocol oftentimes do not permit an administrative domain
   to verify securely the identity of the originator of a request.  This
   document recommends practices and conventions for authenticating end
   users, and proposes a way to distribute secure authenticated
   identities within SIP messages.








Peterson                Expires December 30, 2002               [Page 1]


Internet-Draft                SIP Identity                     July 2002


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  6
   3.  Sending Requests through an Authentication Service . . . . . .  7
   4.  Authentication Practices . . . . . . . . . . . . . . . . . . .  8
   4.1 Issuing Challenges with Realms . . . . . . . . . . . . . . . .  8
   4.2 Determining Identity with Credentials  . . . . . . . . . . . .  9
   4.3 Analyzing Requests . . . . . . . . . . . . . . . . . . . . . .  9
   4.4 Accounting for Authentication  . . . . . . . . . . . . . . . . 10
   4.5 Forwarding the Request . . . . . . . . . . . . . . . . . . . . 10
   5.  Sharing Verified Identities  . . . . . . . . . . . . . . . . . 11
   5.1 Authenticated Identity within a Body . . . . . . . . . . . . . 11
   5.2 Body Added by Authentication Service . . . . . . . . . . . . . 12
   5.3 Body Added by Client . . . . . . . . . . . . . . . . . . . . . 13
   5.4 Example of a Request with an Authenticated Identity Body . . . 14
   6.  Receiving an Authenticated Identity  . . . . . . . . . . . . . 16
   6.1 Proxy Server Handling  . . . . . . . . . . . . . . . . . . . . 17
   6.2 User Agent Handling  . . . . . . . . . . . . . . . . . . . . . 17
   7.  Identity in Responses  . . . . . . . . . . . . . . . . . . . . 19
   8.  Selective Sharing of Identity  . . . . . . . . . . . . . . . . 20
   8.1 Requesting Privacy . . . . . . . . . . . . . . . . . . . . . . 20
   8.2 Encryption of Identity . . . . . . . . . . . . . . . . . . . . 21
   8.3 Example of Encryption  . . . . . . . . . . . . . . . . . . . . 21
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 23
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 24
       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 25
   A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 26
   B.  To Do  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
       References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
   C.  Changelog  . . . . . . . . . . . . . . . . . . . . . . . . . . 28
       Full Copyright Statement . . . . . . . . . . . . . . . . . . . 29



















Peterson                Expires December 30, 2002               [Page 2]


Internet-Draft                SIP Identity                     July 2002


1. Introduction

   This document provides enhancements to the existing mechanisms for
   authenticated identity management in the Session Initiation Protocol
   (SIP [1]).

   The baseline SIP protocol allows a user agent to express the identity
   of its user in a number of headers.  The primary place for identity
   information asserted by the sender of a request is the From header.
   The From header field contains a URI (like 'sip:alice@atlanta.com')
   and an optional display-name (like "Alice") that identifies the
   originator of the request.  A user may have many identities that are
   used in different contexts.

   Typically, this URI is an address-of-record that can be dereferenced
   in order to contact the originator of the request; specifically, it
   is usually the same address-of-record under which a user registers
   their devices in order to receive incoming requests.  This address-
   of-record is assigned and maintained by the administrator of the SIP
   service in the domain identified by the host portion of the address-
   of-record (which may have any of a number of relationships with the
   end user).  However, the From field of a request can usually be set
   arbitrarily by the user of a SIP user agent; the From header of a
   message provides no internal assurance that the originating user can
   legitimately claim this identity.  Nevertheless many SIP user agents
   will obligingly display the contents of the From field as the
   identity of the originator of a received request (as a sort of
   'Caller-ID' function).

   To satisfy the requirement for a more reliable way of identifying
   parties in a SIP session, a number of cryptographic authentication
   systems are described in the SIP standard, including mechanisms based
   on HTTP Digest, S/MIME and transport or network layer security.
   Among other things, these mechanisms allow a server to verify that a
   user agent can legitimately assert a specific identity.  Whether or
   not the recipient of these credentials can verify them is based on
   whether the credentials are asymmetric, and publicly verifiable by
   third parties, or symmetric, and verifiable only by parties that have
   a pre-existing relationship with the user.

   Symmetric: Authentication with symmetric keys usually entails the
      transmission of some sort of secret credentials (typically a
      username and password) from the client to the server.  Secrets-
      based authentication assumes a pre-existing relationship (an
      agreement on a secret) between the client that originates a
      request and the server that responds with a challenge.  Useful
      secrets-based authentication schemes use cryptography to conceal
      the credentials so they can not be observed and reused by



Peterson                Expires December 30, 2002               [Page 3]


Internet-Draft                SIP Identity                     July 2002


      eavesdroppers on the network.  Secrets are usually memorized by
      end users, and thus do not necessitate any special configuration
      of user agents.

   Asymmetric: Asymmetric credentials require a Public Key
      Infrastructure (PKI) that manages public and private keys.  PKI-
      based authentication usually relies on a certificate authority
      that issues a custom certificate to each entity that would like to
      prove its identity, and a common root certificate to each entity
      that would like to verify the identity of others.  In this system
      there is no need for any pre-existing relationship between the
      clients and servers (unless in the absence of a certificate
      authority self-signed certificates are used).  However, PKI has to
      date only been effective in asserting the identity of a hostname -
      there is a widespread belief that implementing a PKI for
      certificates that assert the identity of individuals is currently
      impractical.  Each host MUST be configured with any certificate
      that asserts its identity.

   Most user agents authenticate themselves with shared secrets.  In
   baseline SIP, the Digest authentication method (which is required for
   all user agents and servers) allows users to provide a username and
   password to authenticate themselves in the context of a particular
   realm (for example, the identity 'alice' within the realm
   'atlanta.com' might have the password 'x63Mdo+').

   Digest therefore works well for functions like SIP registration, in
   which the target of a request is a server within the realm in which a
   user can prove an identity.  However, the credentials with which a
   user proves that they are 'sip:alice@atlanta.com' cannot be verified
   by a server in another realm, like biloxi.com - Alice shares the
   secret with atlanta.com, not biloxi.com.  Thus, if Alice were to send
   a request to a proxy server in the biloxi.com realm, biloxi.com has
   no way of determining whether or not Alice can legitimately claim the
   identity 'sip:alice@atlanta.com'.  biloxi.com is then left only with
   the unreliable From field for ascertaining the identity of the
   originator of interdomain requests.

   However, were Alice to proxy her request through an atlanta.com proxy
   server, atlanta.com might be able to verify her identity before
   passing the request to its destination, biloxi.com.  Therefore, this
   document proposes a new logical role for network intermediaries
   called an authentication service.  The authentication service role
   would most likely be instantiated by the local outbound proxy server
   within an administrative domain.  Once an authentication service has
   verified the identity of the originator of a request, it can add the
   result of the authentication process to the request for the benefit
   of downstream recipients.



Peterson                Expires December 30, 2002               [Page 4]


Internet-Draft                SIP Identity                     July 2002


   User agents can be configured, statically or on a per-call basis, to
   send requests through an authentication service.  After a request has
   passed through an authentication service in a given domain (e.g.
   atlanta.com) downstream recipients (e.g.  in biloxi.com) will be able
   to determine that atlanta.com asserts a specific authenticated
   identity for the originator of this message, like
   'sip:alice@atlanta.com'.

   In some cases, this authenticated identity can be distributed by the
   authentication service to any potential recipients of the request
   without restriction.  In other cases, for reasons of network policy,
   or user privacy constraints, the distribution of the authenticated
   identity will be restricted.

   In summary, the identity that appears in the From field of a SIP
   request provides a way that the originator can be canonically reached
   (and therefore provides some accountability for that user).  The best
   way for a SIP user to prove that they can legitimately claim an
   identity is to provide the same credentials they would need to
   provide in order to register to receive requests for that identity.
   For that purpose, this document defines an authentication service
   that verifies the credentials of an end user in their local
   administrative domain before sending requests to their destinations.
   This authentication service can then sign the identity that results
   from this authentication and make this identity available to
   recipients of the request, thereby proving that the administrative
   domain responsible for the originating user registers has verified
   that user's identity.  Effectively, this allows a user's
   authentication with a single server to be bootstrapped into a
   publicly-verifiable authentication.

   By way of example, the manner in which a user authenticates
   themselves to an authentication service is in this document
   restricted to the mechanisms that are available in [1], specifically
   the Digest authentication scheme, as it is common to all SIP-
   compliant endpoints.  However, these mechanisms have no dependency on
   any particular authentication scheme.














Peterson                Expires December 30, 2002               [Page 5]


Internet-Draft                SIP Identity                     July 2002


2. Terminology

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
   RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as
   described in RFC2119 [2] and indicate requirement levels for
   compliant SIP implementations.












































Peterson                Expires December 30, 2002               [Page 6]


Internet-Draft                SIP Identity                     July 2002


3. Sending Requests through an Authentication Service

   An authentication service is a logical role played by a network
   intermediary, such as a SIP proxy server.  Commonly, the
   authentication service function will be instantiated by a local
   outbound proxy server.  Authentication services are capable of
   verifying the identity of users through some means.  Authentication
   services are also capable of sharing this verified identity in a
   secure manner.

   Requests from a user agent are sent through an authentication service
   because the user agent is configured (with a pre-loaded Route header,
   perhaps) to send all requests through the service.

   A user has some incentive to send calls through an authentication
   service, in that:

      Authentication services help to prevent identity theft, and the
      many potential annoyances that could result from being
      impersonated, and,

      Administrative domains could implement policies that reject
      requests from users that have not gone through an authentication
      service appropriate for the administrative domain listed in the
      From header of their messages.

   Optimally, a user should be able to send SIP messages to their
   authentication service directly, without going through any SIP proxy
   servers, since many authentication systems (including Digest) are not
   optimally secure when handled by intermediaries.  An authentication
   service will frequently be co-located with a user agent's first-hop
   local outbound proxy.



















Peterson                Expires December 30, 2002               [Page 7]


Internet-Draft                SIP Identity                     July 2002


4. Authentication Practices

   When a user first forms a connection to a SIP entity that implements
   the authentication service role, the user SHOULD make use of network
   or transport layer security, preferably contacting the authentication
   service without going through any intermediaries.  This document
   recommends the use of Transport Layer Security (TLS) to connect to
   the authentication service.  This in turn allows the authentication
   service to potentially offer a certificate directly to the end user,
   as well as ensuring confidentiality, integrity, and replay protection
   during the challenge phase.  If the user agent is more than one hop
   away from the authentication service, it may make sense to use the
   SIPS URI scheme to improve the security of requests routed through
   the authentication service.

   Any entity that implements the authentication service role MUST
   possess a certificate that has been issued by a certificate
   authority.  The SubjectAltName of the certificate SHOULD be the
   fully-qualified domain name of the device on which the authentication
   service is running.  Only one logical authentication service SHOULD
   operate in a given administrative domain.  The manner in which an
   authentication service can be recognized to be the canonical
   authority for an administrative domain is currently an open issue.

4.1 Issuing Challenges with Realms

   Obviously, all authentication services have their own sets of users
   and corresponding credentials; when a user is challenged by an
   authentication service, that user selects credentials that are
   appropriate for the service in question.  For the purposes of this
   document, following the terminology in Digest authentication, an
   authentication service has a 'realm' which provides a context in
   which a user is asked to authenticate.  For example, when an
   authentication service challenges a user for Digest authentication
   with the 407 status code, the challenge MUST be sent for a realm
   corresponding to the hostname of the authentication service.  Note
   that a user agent SHOULD consider it a cause for concern (though not
   necessarily an error condition) if the realm of a challenge does not
   correspond both with the hostname of the authentication service and
   any certificate presented by the authentication service on connection
   - users SHOULD be notified of this occurrence.

   Once again, note that Digest authentication is used merely by way of
   example.  Other mechanisms within SIP, or out-of-band mechanisms,
   could be used to authenticate the user.  If these authentication
   systems do not explicitly support the concept of realms, the realm in
   which a challenge occurs should be understood by the user agent to be
   the hostname of the authentication service.  Any method of



Peterson                Expires December 30, 2002               [Page 8]


Internet-Draft                SIP Identity                     July 2002


   authentication used by an authentication service, MUST therefore have
   a means of communicating, at the very least, its hostname to a user.
   If these authentication systems do not support credentials that
   express a specific username, then a username SHOULD be taken by the
   authentication service from the username portion of the URI in the
   From header field of the SIP request.

4.2 Determining Identity with Credentials

   If a user agent is challenged (in SIP Digest, for example, with a 401
   or 407 response code) and it has access to credentials for the realm
   in question, these credentials will be provided in a resubmission of
   the request to the authentication service.  In Digest, the
   authentication service MUST extract and verify these credentials from
   the resubmission of the request.

   The username associated with these credentials SHOULD be combined
   with the name of the administrative domain of the authentication
   service in order to form the authenticated identity of the user.  For
   example, if the credentials were valid for the username 'alice', for
   an authentication service within the atlanta.com administrative
   domain, the authenticated identity would be 'sip:alice@atlanta.com'.
   An authentication service MAY also have a particular display-name
   which it associates with particular users that will be included in
   the authenticated identity.

   Note that some user agents MAY provide 'anonymous' credentials with
   no password in a resubmission of a request after a challenge.
   Whether or not an authentication service considers this to be a
   successful authentication is a matter of local policy, but the
   authentication service SHOULD NOT assert this 'anonymous' identity to
   others in the manner described in Section 5.

   The credentials that a user provides to an authentication service
   SHOULD be the same credentials that are provided when the user
   registers in this administrative domain.

4.3 Analyzing Requests

   Some authentication services MAY wish to inspect the contents of the
   From header of an outbound request.  Depending on the policy of the
   authentication service, it might not be appropriate for the From
   header to differ from the authenticated identity that the service has
   verified.  Some authentication services MAY reject requests (with a
   403 Forbidden) that assert an inappropriate identity in the From.

   Authentication services MAY also place restrictions on the display-
   name as well as the URI associated with the From header.



Peterson                Expires December 30, 2002               [Page 9]


Internet-Draft                SIP Identity                     July 2002


   Note that some users MAY supply an anonymous From header (see [3])
   for some requests.  Authentication services generally SHOULD NOT
   consider this to conflict with any identity information learned in
   the authentication process.  For more information on the obligations
   of authentication services with respect to privacy, see Section 8.1.

   It may not be necessary for an authentication service to prevent the
   arbitrary assignment of the From field if the authentication service
   has another way of sharing authenticated identity information (see
   Section 5).  Steps for reconciling the user-asserted From header with
   authenticated identity data are given in Section 6.2.

4.4 Accounting for Authentication

   Authentication services MAY record the successful authentication of a
   request, including its dialog identifiers and Request-URI, in order
   to provide some accountability when administrative requests are made
   for information about the parties participating in a particular
   session.  Some mechanisms by which a user is authenticated and
   authorized may also persist accounting data about the request,
   although such mechanisms are outside the scope of this document.

   Authentication services MAY also wish to log failed authentication
   attempts, especially those that reflect repeated attempts to try
   different credentials for the same username.

4.5 Forwarding the Request

   Once an authentication service has authenticated the originator of a
   request, if it does not wish to provide any further identification
   services, it MUST subsequently forward the request in accordance with
   the conventional request routing logic in the SIP specification.

   If the authentication services also wishes to share the authenticated
   identity it has verified, it can use the mechanisms described in
   Section 5.















Peterson                Expires December 30, 2002              [Page 10]


Internet-Draft                SIP Identity                     July 2002


5. Sharing Verified Identities

   Authenticated identities SHOULD be shared unless the authentication
   service has a reason to do otherwise.  By authenticating themselves,
   originating users must understand that they are giving the
   authentication service the right to share the provided identity with
   others.  If they wish to prevent this, users MUST request privacy for
   their authentication information (see Section 8.1).

   Note that the practices described in this section can also be
   leveraged by a logical authentication service that is instantiated by
   a user agent, provided the user agent holds a certificate that is
   publicly verifiable.

5.1 Authenticated Identity within a Body

   As a way of sharing authenticated identity among parties in the
   network, a special type of MIME body, which will subsequently be
   referred to as an 'authenticated identity body', is defined in this
   section.  An authenticated identity body allows an authentication
   service to cryptographically sign the identity of the originator of
   the message in question.

   An authenticated identity body is a MIME body of type 'message/sip'
   or 'message/sipfrag' (see [4]).  This body MUST have a Content-
   Disposition disposition-type of 'auth-id', a new value defined in
   this document specifically for authenticated identity bodies.  The
   Content-Disposition header SHOULD also contain a 'handling' parameter
   indicating that this MIME body is optional.

   Authenticated identity bodies of the 'message/sipfrag' MIME type MUST
   contain the following headers: From, Date and Call-ID; they SHOULD
   also contain the To, Contact and Cseq header.  The From header field
   MUST be populated by the authentication service with the
   authenticated identity itself, as discussed above in Section 4.2; if
   the authentication service verifies the display-name of the From
   header field, it MUST be included in the authenticated identity body,
   and if it does not verify the display-name of the From header field
   it MUST NOT be included.  Authenticated identity bodies MAY contain
   any other headers that help to uniquely identify the transaction or
   provide related reference integrity.  An example of an authenticated
   identity body is:









Peterson                Expires December 30, 2002              [Page 11]


Internet-Draft                SIP Identity                     July 2002


   Content-Type: message/sipfrag
   Content-Disposition: auth-id; handling=optional

   From: Alice <sip:alice@atlanta.com>
   To: Bob <sip:bob@biloxi.com>
   Contact: <sip:alice@pc33.atlanta.com>
   Date: Thu, 21 Feb 2002 13:02:03 GMT
   Call-ID: a84b4c76e66710
   Cseq: 314159 INVITE

   Once the authenticated identity body has been fully populated, it
   MUST be signed by the authentication service that has created it.  An
   unsigned authenticated identity body MUST NOT be honored by any
   recipients.  An authenticated identity body MUST be signed with the
   public key corresponding to the same certificate that the
   authentication service uses to authenticate itself for the purposes
   of transport of network layer security such as TLS (see Section 4).
   A full example of a message with a signed authenticated identity MIME
   body is given in Section 5.4.

   After the authenticated body has been signed, some entity SHOULD
   added it to any existing MIME bodies in the request, if necessary by
   transitioning the outermost MIME body to a 'multipart/mixed' format.
   But which participant in the dialog should add the authenticated
   identity body, the authentication service or the originating user
   agent? Both options are considered in the following sections.
   Authentication services MUST support the mechanism in Section 5.3 and
   MAY support the mechanism in Section 5.2.

5.2 Body Added by Authentication Service

   The first possibility is that the authentication service could add
   the body to the request itself before forwarding the request.
   However, the authentication service role is usually played by
   entities that act as proxy servers for most requests, and proxy
   servers cannot modify message bodies.  In order to add an
   authenticated identity body, the authentication service needs to act
   as a transparent back-to-back user agent, effectively terminating the
   request and re-originating it with a new body appended to any
   existing MIME bodies.

   This mechanism has some potential advantages over sending the
   authenticated identity body back to the originating user agent.  For
   one, it saves on additional round-trip times for signaling that
   result from passing the body back to the user agent.  It also
   requires no new SIP mechanisms, whereas any method of asking a user
   agent to include a body in a resubmission to the current request
   would introduce new protocol requirements.



Peterson                Expires December 30, 2002              [Page 12]


Internet-Draft                SIP Identity                     July 2002


   However, there are proposed SIP integrity mechanisms that place a
   signature over the entire message body in a SIP message header.  Were
   a server to add to the body of a message that was protected by such
   signature, that could be perceived as an integrity violation by
   downstream recipients of the message.

5.3 Body Added by Client

   Alternatively, the authentication service could in some fashion
   return the authenticated identity MIME body to the originating user
   agent, prompting the user agent to retry the request with the
   authenticated identity MIME body attached.  No existing SIP mechanism
   performs this function.  Therefore, this document defines a 428 "Use
   Authenticated Identity" response code.

   An authentication service sends a 428 with a MIME body in order to
   request that a user agent add the enclosed MIME body to their request
   and retry the request.  A 428 MUST have at most a single MIME body.
   This MIME body MUST be signed by the authentication service.

   The use of 428 without any MIME body is also defined in this
   document.  It can be sent by any server to reject a request because
   the request does not contain an authenticated identity body.  A user
   agent receiving this rejection SHOULD retry their request through an
   authentication service.

   In order to signal to the authentication services that the
   originating user agent supports the receipt of the 428 response code,
   a new option-tag has been defined, the 'auth-id' option-tag.  User
   agents SHOULD supply the 'auth-id' option-tag in a Supported header
   whenever they provide credentials to a server (for example, in Digest
   authentication, whenever a Proxy-Authorization header is added to a
   request).

   Using the 428 response code may introduce extra round-trip times for
   messages, delaying the setup of requests (one RTT for the 407,
   another for the 428).  However, there are some circumstances under
   which extra RTTs may not impede performance.  If the originating user
   agent possesses a non-stale nonce (assuming Digest authentication)
   from the authentication service, it can pre-emptively include a
   Proxy-Authorization header, eliminating one RTT.  With regard to the
   second RTT, note that the request needn't necessarily go through the
   authentication service again once the authenticated identity body has
   been added - it could go directly to its destination, which reduce
   the impact of the second RTT.

   There are two reasons why the originating user agent should be the
   party responsible for adding the authenticated identity body to the



Peterson                Expires December 30, 2002              [Page 13]


Internet-Draft                SIP Identity                     July 2002


   request.  Firstly, because this gives the client the opportunity to
   inspect the body itself (perhaps only to see whether or not it is
   encrypted; see Section 8.2) in order to verify that the authenticated
   identity corresponds with the provided credentials and the user's
   preferences.  Secondly, the client can provide a signature over the
   entire body of the message (either with S/MIME or some header-based
   mechanism) so that the final recipient of messages can be assured
   that all information in the body is there at the originator's behest.

5.4 Example of a Request with an Authenticated Identity Body

   The following shows a full SIP INVITE request with an authenticated
   identity body (one that has been added by the originating user
   agent):

   INVITE sip:bob@biloxi.com SIP/2.0
   Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
   To: Bob <sip:bob@biloxi.com>
   From: Alice <sip:alice@atlanta.com>;tag=1928301774
   Call-ID: a84b4c76e66710
   CSeq: 314159 INVITE
   Max-Forwards: 70
   Date: Thu, 21 Feb 2002 13:02:03 GMT
   Contact: <sip:alice@pc33.atlanta.com>
   Content-Type: multipart/mixed; boundary=unique-boundary-1

   --unique-boundary-1

   Content-Type: application/sdp
   Content-Length: 147

   v=0
   o=UserA 2890844526 2890844526 IN IP4 here.com
   s=Session SDP
   c=IN IP4 pc33.atlanta.com
   t=0 0
   m=audio 49172 RTP/AVP 0
   a=rtpmap:0 PCMU/8000

   --unique-boundary-1
   Content-Type: multipart/signed;
     protocol="application/pkcs7-signature";
     micalg=sha1; boundary=boundary42
   Content-Length: 608

   --boundary42
   Content-Type: message/sipfrag
   Content-Disposition: auth-id; handling=optional



Peterson                Expires December 30, 2002              [Page 14]


Internet-Draft                SIP Identity                     July 2002


   From: Alice <sip:alice@atlanta.com>
   To: Bob <sip:bob@biloxi.com>
   Contact: <sip:alice@pc33.atlanta.com>
   Date: Thu, 21 Feb 2002 13:02:03 GMT
   Call-ID: a84b4c76e66710
   Cseq: 314159 INVITE

   --boundary42
   Content-Type: application/pkcs7-signature; name=smime.p7s
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment; filename=smime.p7s;
      handling=required

   ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
   4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
   n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
   7GhIGfHfYT64VQbnj756

   --boundary42--

   --unique-boundary-1--






























Peterson                Expires December 30, 2002              [Page 15]


Internet-Draft                SIP Identity                     July 2002


6. Receiving an Authenticated Identity

   There are a number of ways that identity information can be presented
   in a SIP request, and all of them must be reconcilable - that is,
   there must be a way to arrive at the identity that should be
   displayed to the user as the caller's identity, and so forth.

   It is therefore RECOMMENDED in this document that these forms of
   identity be reduced into two broad categories: suspect and valid
   identities.  All of the following SHOULD be considered suspect by
   recipients:

   o  Recipients may receive a normal From header field in the SIP
      message - unsigned and unverified.  All SIP requests must contain
      such a header, but in some cases it may not purport to contain a
      usable value (it may assert an anonymous identity), and no other
      identity might be asserted by the request.

   o  Recipients may receive a From header in an authenticated identity
      body that was signed by a self-signed certificate that is
      unrecognized and/or untrusted by the user, or signed by an
      authentication service using a certificate authority that the user
      cannot verify.

   o  Recipients may receive a From header in an authenticated identity
      body that has been signed by an authentication service with a
      valid certificate, but which has internal consistency problems:
      the hostname asserted by the certificate may not correspond to the
      domain in the From header, the Date may be obviously stale, the
      Call-ID may be a repeat of a recently received value, or mandatory
      headers may be missing from the authenticated identity body.

   Recipients may also unknowingly receive From headers in encrypted
   bodies which they cannot decrypt (see Section 8.2) that, of course,
   cannot be usable identities.

   The following are identities that SHOULD be considered valid by a
   recipient:

   o  Recipients may receive a From header in an authenticated identity
      body that has been signed by a self-signed certificate that is
      recognized and trusted by the recipient.

   o  Recipients may receive a From header in an authenticated identity
      body that has been signed by an end-user certificate issued by a
      certificate authority that is recognized and trusted by the
      recipient.




Peterson                Expires December 30, 2002              [Page 16]


Internet-Draft                SIP Identity                     July 2002


   o  Recipients may receive a From header in an authenticated identity
      body that has been signed by an authentication service that
      properly follows the practices described in Section 4.

   The exact behavior that is followed on receipt of a suspect or valid
   identity varies with the role of the recipient.

6.1 Proxy Server Handling

   Proxy servers generally should not attempt to inspect MIME bodies.
   However, intermediaries that implement the authentication service
   logical role MAY inspect MIME bodies in order to find one with a
   Content-Disposition of 'auth-id'.

   For the most part, the actual value of an authenticated identity is
   not likely to be of interest to a proxy server, though it MAY refuse
   to process a request that does not contain a valid authenticated
   identity body (using the 428 request, as described in Section 5.3).
   However, proxy servers MAY additionally maintain lists of known
   problem users that are banned from making requests, for example, and
   subsequently reject some requests after comparing their authenticated
   identities to this list.

6.2 User Agent Handling

   A user agent needs to determine which identity for the originator of
   a request should be displayed to the user, perhaps as a 'Caller-ID'
   function.  The following is a RECOMMENDED set of precedence rules for
   arriving at a single identity that should be displayed.

   If one valid form of identity is present, the user agent displays
   that identity.  If both valid forms of identity are present, the
   authenticated identity (rather than a recognized self-signed S/MIME
   signature) is preferred, but both potentially are viewable by a user.

   If neither of the valid forms of identity are available, the user
   agent displays the normal From field in the SIP message, but other
   identities are viewable by a user.  However, if that From field would
   display an anonymous identity, the user agent SHOULD display another
   value instead (probably an identity in a signed S/MIME body).

   When it displays an identity to its user, a user agent SHOULD also
   have some way of designating between a valid and suspect identity
   that is easy for the user to distinguish.

   Note that user agents also need to determine the identity of the
   originator of a request for the purposes of per-user blocking or
   screening before the user is alerted and any identity is displayed.



Peterson                Expires December 30, 2002              [Page 17]


Internet-Draft                SIP Identity                     July 2002


   Generally, if any of the asserted identities in a request match an
   identity that is blocked, the user should not be alerted and the
   request SHOULD be rejected.
















































Peterson                Expires December 30, 2002              [Page 18]


Internet-Draft                SIP Identity                     July 2002


7. Identity in Responses

   Many of the practices described in the preceding sections can be
   applied to responses as well as requests, with some important
   differences.  Primarily, the distinction is that a response cannot be
   challenged or resubmitted in the same manner as a request.  However,
   when a user agent registers under a particular identity, and thereby
   becomes eligible to receive requests and send responses associated
   with that identity, it provides credentials that prove its identity,
   and thus the registrar is in a reasonable position to act as an
   authentication service for responses.

   An authentication service that acts as a registrar can add to a
   response an authenticated identity body that corresponds to the
   identity of the originator of that response in roughly the same
   manner described in Section 5.2 - the authentication service adds the
   authenticated identity body to a response before it forwards the
   response towards the originator of the request.  There is no way for
   an authentication service to perform a function for responses
   comparable to the mechanism described in Section 5.3.

   The same rules for the creation of the authentication identity body
   for requests given in Section 5.1 apply to responses, including the
   mandatory and optional inclusion of various headers in
   'message/sipfrag' bodies, with the following exception - when the
   authentication service creates the authenticated identity body, it
   should substitute the actual identity of the user (derived, as
   described in Section 4.2, from the username and realm for which the
   user has registered) for any conflicting value in the To header field
   of the response before signing the response.

   When the originating user agent of a request receives a response
   containing an authenticated identity body, it SHOULD compare the
   identity in the To header field of the authenticated identity body of
   the response with the original value of the To header field in the
   request.  If these represent different identities, the user agent
   SHOULD render the identity in the authenticated identity body of the
   response to its user.  Note that a discrepancy in these identity
   fields is not necessary an indication of a security breach; normal
   retargeting may simply have directed the request to a different final
   destination.  User agents might furthermore indicate that this
   identity is suspect or valid in accordance with the guidelines given
   in Section 6.








Peterson                Expires December 30, 2002              [Page 19]


Internet-Draft                SIP Identity                     July 2002


8. Selective Sharing of Identity

   Most of the time, there is no need to restrict the propagation of
   verified identities in the network.  User agents and intermediaries
   benefit from receiving verified identities.  However, in some cases
   intermediaries wish to restrict the distribution of identity
   information, for example if

   o  the authenticated identity body contains an identity that is only
      meaningful as an internal identifier within a particular service
      provider's network, or,

   o  the originating user agent has requested privacy, and the
      unregulated distribution of the authenticated identity body would
      violate that request.

   If it is not appropriate to share an authenticated identity, an
   authenticated identity body SHOULD NOT be created and distributed.
   However, in some cases there may be other entities in the
   administrative domain of the authentication service that are
   consumers of the authenticated identity.  If, for example, each of
   these servers needed to challenge the user individually for identity,
   it might significantly delay the processing of the request.  For that
   reason, it may be appropriate to circulate authenticated identity
   bodies among a controlled set of entities.  For that purpose, an
   encryption mechanism for authenticated identities is provided.

8.1 Requesting Privacy

   When users provide credentials to an authentication service, they MAY
   explicitly notify the service that they do not wish their
   authenticated identity to be circulated.  Usually, the user in
   question would also be taking other steps to preserve their privacy
   (perhaps by including an anonymous From header).

   Therefore, authentication services MUST support the privacy
   mechanisms described in [3].  Users requesting privacy should also
   support the mechanisms described in that document.

   In particular, this document uses an identity-specific priv-value
   that can appear in the Privacy header, a value of 'id'.  This Privacy
   value requests that the results of authentication should not be
   shared by the authenticating server.  An authentication service
   SHOULD NOT create an authenticated identity body for a request when
   'id' privacy has been requested.  If such a body is created, it MUST
   be encrypted.





Peterson                Expires December 30, 2002              [Page 20]


Internet-Draft                SIP Identity                     July 2002


8.2 Encryption of Identity

   Many SIP entities that support the use of S/MIME for signatures will
   also support S/MIME encryption.  Encryption of a body prevents any
   parties other those that hold the decryption key from inspecting the
   body.  Note that the key used for encryption SHOULD be unrelated to
   the public key in a certificate that is used by an authentication
   service to prove its identity.

   While encryption of an authenticated identity body entails that only
   the holder of a specific key can decrypt the body, that single key
   could be distributed throughout a network of hosts that exist under
   common policies.  The security of the body is therefore predicated on
   the secure distribution of the key.  However, for some networks (in
   which there are federations of trusted hosts under a common policy),
   the widespread distribution of a decryption key could be appropriate.
   Some telephone networks, for example, might require this model.

   When an authenticated identity is encrypted, the authenticated
   identity body SHOULD always be encrypted before it is signed.  Note
   that this means that the recipients of the request, even if they are
   unable to inspect the authenticated identity body, will still be able
   to see which authentication service signed that body (although it
   will not necessarily be obvious that the body contains an
   authenticated identity).  An example of a signed and encrypted
   authenticated identity MIME body follows:

8.3 Example of Encryption

   The following is an example of an encrypted and signed authenticated
   identity body (without any of the preceding SIP headers).  In a
   rendition of this body sent over the wire, the text wrapped in
   asterisks would be encrypted.


















Peterson                Expires December 30, 2002              [Page 21]


Internet-Draft                SIP Identity                     July 2002


   Content-Type: multipart/signed;
     protocol="application/pkcs7-signature";
     micalg=sha1; boundary=boundary42
   Content-Length: 568

   --boundary42

   Content-Type: application/pkcs7-mime; smime-type=enveloped-data;
     name=smime.p7m
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment; filename=smime.p7m
     handling=required
   Content-Length: 231

   ***********************************************************
   * Content-Type: message/sipfrag                           *
   * Content-Disposition: auth-id; handling=optional         *
   *                                                         *
   * From: sip:alice@atlanta.com                             *
   * Call-ID: a84b4c76e66710                                 *
   * Date: Thu, 21 Feb 2002 13:02:03 GMT                     *
   ***********************************************************

   --boundary42

   Content-Type: application/pkcs7-signature; name=smime.p7s
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment; filename=smime.p7s;
      handling=required

   ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
   4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
   n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
   7GhIGfHfYT64VQbnj756

   --boundary42--















Peterson                Expires December 30, 2002              [Page 22]


Internet-Draft                SIP Identity                     July 2002


9. Security Considerations

   Users SHOULD NOT provide credentials to an authentication service to
   which they cannot initiate a direct connection, preferably one
   secured by a network or transport layer security protocol such as
   TLS.  If a user does not receive a certificate from the
   authentication service over this lower-layer protocol that
   corresponds to the realm in a challenge, then it is possible that a
   rogue server is attempting to pose as a authentication service for a
   realm that it does not control, possibly in an attempt to collect
   valid user passwords for that realm.

   If a user cannot connect directly to the desired authentication
   service, the user SHOULD at least use a SIPS URI to ensure that
   mutual TLS will be used to reach the remote server.

   The certificates that are required to operate an authentication
   service need to assert only the hostname of the authentication
   service, and for that reason, existing certificate authorities could
   provide adequate certificates for this mechanism.  However, not all
   proxy servers and user agents will be able support the root
   certificates of all certificate authorities, and moreover there are
   some significant differences in the policies by which certificate
   authorities issue their certificates.  This document makes no
   recommendations for the usage of particular certificate authorities,
   nor does it describe any particular policies that certificate
   authorities should follow, but it is anticipated that operational
   experience will create de facto standards for the purposes of
   authentication services.  Some federations of service providers, for
   example, might only trust certificates that have been provided by a
   certificate authority operated by the federation.




















Peterson                Expires December 30, 2002              [Page 23]


Internet-Draft                SIP Identity                     July 2002


10. IANA Considerations

   This document defines a new MIME Content-Disposition disposition-type
   value of 'auth-id'.  This value is reserved for MIME bodies that
   contain an authenticated identity, as described in section Section
   5.1.

   This document also defines a new SIP status code, 428 Use
   Authenticated Identity.  The use of this status code is further
   described below in Section 5.3.

   Finally, this document also uses a new priv-value for the Privacy
   header specified in [3], the token 'id'.  This is further described
   in Section 8.1.





































Peterson                Expires December 30, 2002              [Page 24]


Internet-Draft                SIP Identity                     July 2002


References

   [1]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP:
        Session Initiation Protocol", draft-ietf-sip-rfc2543bis-09 (work
        in progress), February 2002.

   [2]  Bradner, S., "Key words for use in RFCs to indicate requirement
        levels", RFC 2119, March 1997.

   [3]  Peterson, J., "A Privacy Mechanism for the Session Initiation
        Protocol (SIP)", draft-peterson-sip-privacy-00 (work in
        progress), April 2002.

   [4]  Sparks, R., "Internet Media Types message/sip and
        message/sipfrag", draft-sparks-sip-mimetypes-01 (work in
        progress), March 2002.


Author's Address

   Jon Peterson
   NeuStar, Inc.
   1800 Sutter St
   Suite 570
   Concord, CA  94520
   US

   Phone: +1 925/363-8720
   EMail: jon.peterson@neustar.biz
   URI:   http://www.neustar.biz/




















Peterson                Expires December 30, 2002              [Page 25]


Internet-Draft                SIP Identity                     July 2002


Appendix A. Acknowledgments

   The authors would like to thank Eric Rescorla, Rohan Mahy, Robert
   Sparks, Jonathan Rosenberg, Mark Watson and Patrik Faltstrom for
   their comments.














































Peterson                Expires December 30, 2002              [Page 26]


Internet-Draft                SIP Identity                     July 2002


Appendix B. To Do

   S/MIME authentication: If the authentication between the client and
      server is performed with S/MIME, possibly using a shared secret, a
      number of optimizations could be realized for this mechanism
      (essentially, the client could provide a version of the token that
      it asks the server to sign and/or encrypt).

   Priority of encryption/signing: When privacy is requested, should an
      auth service encrypt then sign, or sign then encrypt? In the
      former case, you may lose some integrity protection.  In the
      latter case, the certificate of the authentication service is
      associated with the message.  Need more analysis - sign then
      encrypt may be preferable.

   Identifying a canonical auth service: A lot of resistance was offered
      to the concept of a hostname convention for authentication
      services.  However, there must be some way for a recipient of an
      authenticated identity body to know that it was generated by a
      (the?) canonical authentication service of a particular
      administrative domain.  How can this be communicated? Perhaps with
      a certificate attribute?

   Assertion roles: Do we need a way to tie an authenticated identity
      body to a particular form of identity (called, calling,
      forwarding, referring, etc)? Currently, an authenticated identity
      body represents the identity of the originator of the message.
























Peterson                Expires December 30, 2002              [Page 27]


Internet-Draft                SIP Identity                     July 2002


Appendix C. Changelog

   Changes from draft-peterson-sip-identity-00:

      - Added a section on authenticated identities in responses

      - Removed hostname convention for authentication services

      - Added text about using 'message/sip' or 'message/sipfrag' in
      authenticated identity bodies, also RECOMMENDED a few more headers
      in sipfrags to increase reference integrity

      - Various other editorial corrections






































Peterson                Expires December 30, 2002              [Page 28]


Internet-Draft                SIP Identity                     July 2002


Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Peterson                Expires December 30, 2002              [Page 29]