SHAKEN TN Certificate Framework
1y ago
24 Views
1 Downloads
2.69 MB
21 Pages
Report/dmca
Download PDF

Transcription

SHAKEN TN Certificate FrameworkChris Wendt1

Reminder TN-POP and other approaches discussed were an evolution to get here Probably confused folks, sorry :( But it did lead to a lot of productive conversations and got the issue outthere that a solution is needed We think we hopefully have consensus among the primary SMEs goingforward, including documents in IETF2

Certificate delegation draft-peterson-stir-cert-delegation-00 will be adopted as working groupdocument draft-ietf-acme-authority-token-tnauthlist-03 has been updated to includeability to indicate ‘ca’ certs (more on this later) Certificate delegation defines a STIR specific mechanism to extend thecertificate chain incorporating a TNAuthList defined telephone block ornumber scope to STIR certificates. This allows a telephone number provider (delegating from) to create acertificate with limited authoritative scope to a customer (delegating to) andrestrict what telephone number(s) it has authority to sign.3

Certificate delegation Advantage of certificate delegation framework (over past ideas) Follows almost identical set of common procedures and protocolsfrom base SHAKEN for both AS and VS and certificate frameworks Allows for very flexible deployment scenarios for different use cases,VoIP providers, enterprise, call centers, etc.4

Two Identity headers As discussed in last face to face ‘shaken’ passport will continue to be inserted by originating providerwith attestation and origID to facilitate traceback For signing calls with TN/block level validation using delegatecertificates ‘rcd’ passport based identity header will be used5

Trust model ‘shaken’ uses SPC level TNAuthList only ‘rcd’ will use SPC TN level TNAuthList The SPC - TN mapping will need to be validated by STI-PA (via LERG/NPAC lookup) The delegating TN provider will acquire an SPC token to create a SPCto TN block or TN ‘ca’ or intermediate cert The delegated-to customer will request an end-entity cert from thesubordinate CA chosen by delegating TN provider that has theintermediate cert configured. The certificate chain will look similar to before, however typically willhave additional level of intermediate cert.6

Certificate Chain for Delegated Cert7

Certificate Management Framework for DelegateCerts8

Deployment Scenarios Because there is many scenarios and ‘VoIP Entities’ in the SHAKENeco-system with various levels of capabilities, use-cases, and needsfor signing calls directly or through 3rd parties, we wanted to detailthese potential ways of implementing/deploying delegate certs9

Deployment Scenarios Service Provider obtains Delegate End-Entity Certificates from STI-CA10

Deployment Scenarios Service Provider Hosts Subordinate CA to serve Customer AF11

Deployment Scenarios Service Provider Hosts Subordinate CA to serve Itself12

Deployment Scenarios Service Provider obtains Delegate End-Entity Certificates from 3rdparty13

Deployment Scenarios Customer AF Hosts Subordinate CA14

RCD document dependencies/changes RCD will be supported at two levels First, for base SHAKEN you can still add ‘rcd’ claim into ‘shaken’passport For traditional carrier and landline devices where ‘shaken’-onlyattest ‘A’ calls Second, ‘rcd’ passport will become primary identity header to carrysignature from delegate certs. New text describing new logical elements, RCD-AS and RCD-VS15

RCD for delegate certs - origination Originating Customer AF supports RCD Authentication16

RCD for shaken certs - origination Add SHAKEN “rcd” claim for Originating Customer AF that does notsupport RCD-AS17

RCD for delegate certs - origination Add 2nd RCD Identity Header for Originating Customer AF that doesnot support RCD-AS18

RCD for delegate certs - termination SHAKEN & RCD Identity Headers received – Terminating Customer AFsupports RCD-VS19

RCD for delegate certs - termination SHAKEN & RCD Identity Headers received – Terminating Customer AFdoes not support RCD-VS20

RCD for shaken certs - termination SHAKEN PASSporT “rcd” claim received – Terminating Customer AFdoes not support RCD-VS21

to TN block or TN 'ca' or intermediate cert The delegated-to customer will request an end-entity cert from the subordinate CA chosen by delegating TN provider that has the intermediate cert configured. The certificate chain will look similar to before, however typically will have additional level of intermediate cert. 6

Related Books

Shaken Baby Syndrome

Shaken Baby Syndrome

SIP Forum Handout

SIP Forum Handout

eXe aY§a W - Out Upon the Waters

eXe aY§a W - Out Upon the Waters

Eleventh International Conference on Shaken Baby Syndrome .

Eleventh International Conference on Shaken Baby Syndrome .

Prepare for the FCC SHAKEN Deadline - TransNexus

Prepare for the FCC SHAKEN Deadline - TransNexus

PIV Certificate Activation Steps

PIV Certificate Activation Steps

Comodo CPAC Outlook 2003

Comodo CPAC Outlook 2003

Graduate Mathematics Certificate (New Certificate)

Graduate Mathematics Certificate (New Certificate)

Cisco Root CA 2048 Certificate Policy

Cisco Root CA 2048 Certificate Policy

CHAPTER 1: CAREERS IN TODAY S PARALEGAL PROFESSION

CHAPTER 1: CAREERS IN TODAY S PARALEGAL PROFESSION

Symantec Managed PKI AATL Certificate for PDF Impress

Symantec Managed PKI AATL Certificate for PDF Impress

PopularTags

Recent Views