Somos Inc.

chris-ietf@chriswendt.net

art stir Identity multiple errors passport reason header field This document extends the current error-handling procedures for mapping of verification failure reasons to 4xx codes for Secure Telephone Identity Revisited (STIR) and the Authenticated Identity Management in the Session Initiation Protocol (SIP). It extends the ability to use the Reason header field as an option for conveying an error associated with an Identity header field to the upstream authentication service when local policy dictates that the call should continue in the presence of a verification failure. This document also defines procedures that enable a failure reason to be mapped to a specific Identity header field for scenarios that use multiple Identity header fields, where some may have errors and others may not. The handling of those situations is also defined.

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

• .  Introduction
• .  Terminology
• .  Reason Header Field Protocol "STIR"
• .  Use of Provisional Response to Signal Errors without Terminating the Call
• .  Handling of a Verification Error When There Are Multiple Identity Header Fields
• .  Handling Multiple Verification Errors
• .  Removal of the Reason Header Field by Authentication Service
• .  IANA Considerations
• .  Security Considerations
• . References
  • .  Normative References
  • .  Informative References
• Acknowledgements
• Author's Address

Introduction The STIR framework as described in is an authentication framework for asserting a telephone number or URI-based identity using a digital signature and certificate-based framework, as described and , respectively. describes the use of the STIR framework in the SIP protocol . It defines both a) the authentication service that creates a PASSporT and delivers it in an Identity header field, and b) the verification service that correspondingly verifies the PASSporT and embedded originating identity. This document is concerned with errors in validating PASSporTs and Identity header fields and how they are communicated in special cases. This document also defines a solution to help address the potential issue of multiple Identity header fields and the plurality of potential verification errors. Additionally, it addresses the issue of the current 4xx error response, i.e., the call is terminated when a verification error is present. In some deployments, it may be the case that the policy for handling errors dictates that calls should continue even if there is a verification error. For example, in many cases of inadvertent or operational errors that do not represent any type of identity falsification attempt, the preferred policy may be to continue the call despite the unverified identity. In these cases, the authentication service should still be notified of the error so that corrective action can be taken to fix any issues. This specification will discuss the use of the Reason header field in subsequent provisional (1xx) responses in order to deliver the error back to the authentication service or other SIP path network equipment responsible for error handling. To handle multiple Identity header fields where some in a call may be verified while others may not (i.e., they have errors), this document defines a method by which an identifier is added to the header so that the authentication service can uniquely identify which Identity header field is being referred to in the case of an error.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Reason Header Field Protocol "STIR" This document defines a new Reason header field protocol, "STIR", for STIR applications using SIP as defined in . The use of "STIR" as a Reason header field protocol with the error defined in causes codes to allow the use of multiple Reason header fields as detailed in and updated in . Any provisional SIP response message or final response message, with the exception of a 100 (Trying), MAY contain one or more Reason header fields with a STIR-related cause code defined in or future specifications. The use of multiple Reason header fields is discussed in more detail later in the document.

Use of Provisional Response to Signal Errors without Terminating the Call In cases where local policy dictates that a call should continue regardless of any verification errors that may have occurred, including 4xx errors described in , the verification service MUST NOT send the 4xx as a response. Rather, it should include the error response code and reason phrase in a Reason header field in the next provisional or final response it sends to the authentication service. Example Reason header field: Reason: STIR ;cause=436 ;text="Bad Identity Info"

Handling of a Verification Error When There Are Multiple Identity Header Fields In cases where a SIP message includes multiple Identity header fields and one of those Identity header fields has an error, the verification service MUST include the error response code and reason phrase associated with the error in a Reason header field, defined in , in the next provisional or final responses sent to the authentication service. The reason cause in the Reason header field MUST represent the error that occurred when verifying the contents of the Identity header field. For a SIP INVITE containing multiple Identity header fields, the "ppi" parameter for the Reason header field is RECOMMENDED. As defined in , the STIR error codes used in responses are based on an error associated with a specific Identity header field representing a single error occurring with the verification and processing of that Identity header field. The association of a "ppi" parameter with a Reason header field using the protocol value of "STIR" defined in this document MUST only identify a single cause code in the context of a call dialog corresponding only to the STIR-related error codes defined in or future documents defining STIR-related error codes. The associated PASSporT object can be included either in full form or in compact form, where only the signature of the PASSporT is included with two periods as a prefix, as defined in , to identify the reported Identity header field with an error. Compact form is the recommended form, as full form may include information that could have privacy or security implications in some call scenarios; this is discussed in . Example Reason header field with a full form PASSporT: Reason: STIR ;cause=436 ;text="Bad Identity Info" ;ppi= \ "eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1I \ joiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJ \ kZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdC \ I6IjE0NDMyMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0.r \ q3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \ ojNCpTzO3QfPOlckGaS6hEck7w" Example Reason header field with a compact form PASSporT: Reason: STIR ;cause=436 ;text="Bad Identity Info" ;ppi= \ "..rq3pjT1akEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \ ojNCpTzO3QfPOlckGaS6hEck7w"

Handling Multiple Verification Errors If there are multiple Identity header field verification errors being reported, the verification service MUST include a corresponding number of Reason header fields per error. These Reason header fields should include a "ppi" parameter, including the full or compact form of the PASSporT with cause and text parameters identifying each error. As mentioned previously, the potential use of multiple Reason header fields defined in is updated in , allowing multiple Reason header fields with the same protocol value. For this specification, "STIR" should be used for any STIR error defined in or future specifications. Example Reason header fields for two identity info errors: Reason: STIR ;cause=436 ;text="Bad Identity Info" ;ppi= \ "..rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFY \ pFYsojNCpTzO3QfPOlckGaS6hEck7w" Reason: STIR ;cause=438 ;text="Invalid Identity Header" ;ppi= \ "..rJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYsq3pjT1hoRwakEGjHCnWSwUnsh \ d0-zckGaS6hEck7wojNCpTzO3QfPOl"

Removal of the Reason Header Field by Authentication Service When an authentication service receives the Reason header field with a PASSporT it generated as part of an Identity header field and the authentication of a call, it should first follow local policy to recognize and acknowledge the error (e.g., perform operational actions like logging or alarming). Then, it MUST remove the identified Reason header field to avoid the PASSporT information from going upstream to a User Agent Client (UAC) or User Agent Server (UAS) that may not be authorized to see claim information contained in the PASSporT for privacy or other reasons.

IANA Considerations IANA has registered the following new protocol value (and associated protocol cause) in the "Reason Protocols" registry under :

Protocol Value	Protocol Cause	Reference
STIR	STIR Error code

IANA has also registered a new header field parameter name in the "Header Field Parameters and Parameter Values" registry under :

Header Field	Parameter Name	Predefined Values	Reference
Reason	ppi	No	RFC 9410

Security Considerations This specification discusses the use of a PASSporT as an identifier for cases where there are multiple identity header field errors occurring as part of the Reason header field response. For some call scenarios (e.g., diversion-based call flows), the signer of the PASSporT(s) may not be the first-hop initiator of the call. In those cases, there may be some security or privacy concerns associated with PASSporT information that is passed upstream beyond the authentication service that originally signed the PASSporT(s) in the resulting error Reason header field. This specification states that the authentication service MUST remove the Reason header field with the PASSporT to protect the security (e.g., use of a potentially still-fresh PASSporT for replay attacks) and privacy of any potential information that could be passed beyond the authentication service response back in the direction of the call initiator. While this specification allows for both the full and compact form of the PASSporT to be used as the error identifier, use of the compact form is RECOMMENDED to avoid the potential exposure of call information contained in the full form of the PASSporT.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document describes Session Initiation Protocol (SIP), an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences. [STANDARDS-TRACK] The REGISTER function is used in a Session Initiation Protocol (SIP) system primarily to associate a temporary contact address with an address-of-record. This contact is generally in the form of a Uniform Resource Identifier (URI), such as Contact: and is generally dynamic and associated with the IP address or hostname of the SIP User Agent (UA). The problem is that network topology may have one or more SIP proxies between the UA and the registrar, such that any request traveling from the user's home network to the registered UA must traverse these proxies. The REGISTER method does not give us a mechanism to discover and record this sequence of proxies in the registrar for future use. This document defines an extension header field, "Path" which provides such a mechanism. [STANDARDS-TRACK] RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer. This document obsoletes RFC 4474. This document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship. In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP. The SIP Reason header field as defined in RFC 3326 allows only one Reason value per protocol value. Experience with more recently defined protocols shows it is useful to allow multiple values with the same protocol value. This document updates RFC 3326 to allow multiple values for an indicated registered protocol when that protocol defines what the presence of multiple values means. Informative References Over the past decade, Voice over IP (VoIP) systems based on SIP have replaced many traditional telephony deployments. Interworking VoIP systems with the traditional telephone network has reduced the overall level of calling party number and Caller ID assurances by granting attackers new and inexpensive tools to impersonate or obscure calling party numbers when orchestrating bulk commercial calling schemes, hacking voicemail boxes, or even circumventing multi-factor authentication systems trusted by banks. Despite previous attempts to provide a secure assurance of the origin of SIP communications, we still lack effective standards for identifying the calling party in a VoIP session. This document examines the reasons why providing identity for telephone numbers on the Internet has proven so difficult and shows how changes in the last decade may provide us with new strategies for attaching a secure identity to SIP sessions. It also gives high-level requirements for a solution in this space.

Acknowledgements The author would like to thank for help identifying these error scenarios, as well as , , , , and others in the STIR Working Group for their helpful feedback and discussion.

Author's Address Somos Inc.

chris-ietf@chriswendt.net