OCSP Stapling for Secure Telephone Identity

The STIR problem statement discusses many attacks on the telephone network that are enabled by impersonation, including various forms of robocalling, voicemail hacking, and swatting. One of the most important components of a system to prevent impersonation is the implementation of credentials which identify the parties who control telephone numbers. The STIR certificates specification describes a credential system based on version 3 certificates in accordance with for that purpose. Those credentials can then be used by STIR authentication services to sign PASSporT objects carried in a SIP request. specifies an extension to X.509 that defines a Telephony Number (TN) Authorization List that may be included by certificate authorities in certificates. This extension provides additional information that relying parties can use when validating transactions with the certificate. When a SIP request, for example, arrives at a terminating administrative domain, the calling number attested by the SIP request can be compared to the TN Authorization List of the certificate that signed the request to determine if the caller is authorized to use that calling number in SIP. defines a means to use OCSP to establish that, at the time of STIR verification, a particular telephone number (the calling number) is within the scope of authority of a certificate. This is especially useful with STIR delegate certificates , which typically claim authority over telephone number ranges rather than Service Provider Codes (SPCs) in their TN Authorization List. However, this requires an additional round-trip request and response from the verification service to the OCSP responder, and the telephony applications are delay sensitive. Thus, this document specifies a means to incorporate an OCSP staple into the PASSporT object.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

At a high level, there are a number of potential solutions that could mitigate the round-trip time incurred on the verification service side to perform OCSP validation. A verification service validating a PASSporT acquires the certificate referenced by its "x5u" header element, if that certificate is not cached. Typically, that acquisition happens by derefencing the URI in the value of the "x5u" element. One could design an system where OCSP validation is piggybacked onto that network fetch. This solution is however not optimal for cases where signing certificates are long-lived and cached, so that queries will otherwise be very infrequent. Requiring certificate fetches every time a new telephone number is seen at the verification service would likely incur roughly the same number of round trips as the mechanism. There are also variants of the "x5u" approach that sidestep OCSP entirely, by decorating the "x5u" URI with query parameters that incorporate the calling telephone number. As the authentication service necessarily knows the telephone number from the "orig" field, and controls the contents of "x5u", it has the means to decorate the URI appropriately during PASSporT creation. The certificate repository (i.e. HTTP service) receiving a certificate fetch with a decorated URI could could then verify that the calling number is currently in the scope of the requested certificate - if it is not, the service could then fail to return a certificate, preventing the verification service from validating. However, like the approach above, this would have implications for certificate fetch frequency similar to short-lived certs, as the decorated URIs would be governed by HTTP caching mechanics. Thus, the solution proposed here is that the authentication service instead inserts a new PASSporT payload element, "stpl", which has as its value an OCSP staple compliant with the STIR extension defined in . Such staples can either be pre-generated ( Section 2.5) and published regularly to the authentication service, or the authentication service can query for a staple on a per-call basis. Note that OCSP for STIR does furnish a response concerning only a single telephone number, and thus if a certificate can sign for a large number range, one pre-generated staple would need to be furnished to the authentication service for each telephone number that could potentially originate a call. Generating OCSP staples on the fly may however cause a round-trip time delay of its own, which depending on how the authentication service and the certificate authority are connected, could effectively incur the same delay as an OCSP dip from the verification service. One alternative design would be to carry an OCSP staple at the SIP layer, in a body or header. But the because PASSporT can be used in non-SIP environments, and this OCSP extension is specific to certificates that use the TNAuthList extension, embedding the staple in the PASSporT is a superior choice. While encoding and embedding an OCSP response will increase the size of the PASSporT, that overall increase in SIP message size will ideally be the same as if the response had been placed in a separate header. Finally, it could be argued that the round-trip delay incurred at the verification service is not actually problematic, as there is a fungible delay on the terminating side during which ringing can be played to the caller without commencing alerting on the end-user called device. But also describes the potential privacy implications of revealing to the OCSP responder the verification service that has received a call for a particular calling number. On balance, stapling at the authentication service, especially pre-generated stapling, seems to offer the best all-around solution.

TBD.

This specification requests that the IANA add one new claim to the JSON Web Token Claims registry as defined in . Claim Name: "stpl" Claim Description: OCSP Staple Change Controller: IESG Specification Document(s): [RFCThis]

The use of OCSP stapling should largely mitigate the privacy risks noted in .

This document is entirely about security. For further information on certificate security and practices, see , in particular its Security Considerations. For OCSP-related security considerations see and .

We thank the STIR working group for its input into this document.