Network Working Group                                        C. Jennings
Request for Comments: 3325                                 Cisco Systems
Category: Informational                                      J. Peterson
                                                           NeuStar, Inc.
                                                               M. Watson
                                                         Nortel Networks
                                                           November 2002

    Private Extensions to the Session Initiation Protocol (SIP) for
               Asserted Identity within Trusted Networks

Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document describes private extensions to the Session Initiation
Protocol (SIP) that enable a network of trusted SIP servers to assert
the identity of authenticated users, and the application of existing
privacy mechanisms to the identity problem. The use of these
extensions is only applicable inside an administrative domain with
previously agreed-upon policies for generation, transport and usage
of such information. This document does NOT offer a general privacy
or identity model suitable for use between different trust domains,
or use in the Internet at large.
Table of Contents
1. Applicability Statement
2. Conventions
3. Introduction
4. Overview
5. Proxy Behavior
6. Hints for Multiple Identities
7. Requesting Privacy
8. User Agent Server Behavior
9. Formal Syntax
   9.1 The P-Asserted-Identity Header
   9.2 The P-Preferred-Identity Header
   9.3 The "id" Privacy Type
Jennings, et. al. Informational [Page 1]
10. Examples
   10.1 Network Asserted Identity passed to trusted gateway
   10.2 Network Asserted Identity Withheld
11. Example of Spec(T)
12. Security Considerations
13. IANA Considerations
   13.1 Registration of new SIP header fields
   13.2 Registration of "id" privacy type for SIP Privacy header
14. Acknowledgements
Normative References
Informational References
Authors' Addresses
Full Copyright Statement
1. Applicability Statement
This document describes private extensions to SIP [1] that enable a
network of trusted SIP servers to assert the identity of end users or
end systems, and to convey indications of end-user requested privacy.
The use of these extensions is only applicable inside a 'Trust
Domain' as defined in Short term requirements for Network Asserted
Identity [5]. Nodes in such a Trust Domain are explicitly trusted by
its users and end-systems to publicly assert the identity of each
party, and to be responsible for withholding that identity outside of
the Trust Domain when privacy is requested. The means by which the
network determines the identity to assert is outside the scope of
this document (though it commonly entails some form of
authentication).
A key requirement of [5] is that the behavior of all nodes within a
given Trust Domain 'T' is known to comply to a certain set of
specifications known as 'Spec(T)'. Spec(T) MUST specify behavior for
the following:
1. The manner in which users are authenticated
2. The mechanisms used to secure the communication among nodes within
   the Trust Domain
3. The mechanisms used to secure the communication between UAs and
   nodes within the Trust Domain
4. The manner used to determine which hosts are part of the Trust
   Domain
5. The default privacy handling when no Privacy header field is
   present
6. That nodes in the Trust Domain are compliant to SIP [1]
7. That nodes in the Trust Domain are compliant to this document
8. Privacy handling for identity as described in Section 7.
An example of a suitable Spec(T) is shown in Section 11.
This document does NOT offer a general privacy or identity model
suitable for inter-domain use or use in the Internet at large. Its
assumptions about the trust relationship between the user and the
network may not apply in many applications. For example, these
extensions do not accommodate a model whereby end users can
independently assert their identity by use of the extensions defined
here. Furthermore, since the asserted identities are not
cryptographically certified, they are subject to forgery, replay, and
falsification in any architecture that does not meet the requirements
of [5].

The asserted identities also lack an indication of who specifically
is asserting the identity, and so it must be assumed that the Trust
Domain is asserting the identity. Therefore, the information is only
meaningful when securely received from a node known to be a member of
the Trust Domain.

Despite these limitations, there are sufficiently useful specialized
deployments that meet the assumptions described above, and can accept
the limitations that result, to warrant informational publication of
this mechanism. An example deployment would be a closed network
which emulates a traditional circuit switched telephone network.
2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119 [3].

Throughout this document requirements for or references to proxy
servers or proxy behavior apply similarly to other intermediaries
within a Trust Domain (ex: B2BUAs).

The terms Identity, Network Asserted Identity and Trust Domain in
this document have meanings as defined in [5].
3. Introduction
Various providers offering a telephony service over IP networks have
selected SIP as a call establishment protocol. Their environments
require a way for trusted network elements operated by the service
providers (for example SIP proxy servers) to communicate the identity
of the subscribers to such a service, yet also need to withhold this
information from entities that are not trusted when necessary. Such
networks typically assume some level of transitive trust amongst
providers and the devices they operate.
These networks need to support certain traditional telephony services
and meet basic regulatory and public safety requirements. These
include Calling Identity Delivery services, Calling Identity Delivery
Blocking, and the ability to trace the originator of a call. While
baseline SIP can support each of these services independently,
certain combinations cannot be supported without the extensions
described in this document. For example, a caller that wants to
maintain privacy and consequently provides limited information in the
SIP From header field will not be identifiable by recipients of the
call unless they rely on some other means to discover the identity of
the caller. Masking identity information at the originating user
agent will prevent certain services, e.g., call trace, from working
in the Public Switched Telephone Network (PSTN) or being performed at
intermediaries not privy to the authenticated identity of the user.

This document attempts to provide a network asserted identity service
using a very limited, simple mechanism, based on requirements in [5].
This work is derived from a previous attempt, [6], to solve several
problems related to privacy and identity in Trust Domains. A more
comprehensive mechanism, [7] which uses cryptography to address this
problem is the subject of current study by the SIP working group.
Providing privacy in a SIP network is more complicated than in the
PSTN. In SIP networks, the participants in a session are typically
able to exchange IP traffic directly without involving any SIP
service provider. The IP addresses used for these sessions may
themselves reveal private information. A general purpose mechanism
for providing privacy in a SIP environment is discussed in [2]. This
document applies that privacy mechanism to the problem of network
asserted identity.
4. Overview
The mechanism proposed in this document relies on a new header field
called 'P-Asserted-Identity' that contains a URI (commonly a SIP URI)
and an optional display-name, for example:

   P-Asserted-Identity: "Cullen Jennings" <sip:>

A proxy server which handles a message can, after authenticating the
originating user in some way (for example: Digest authentication),
insert such a P-Asserted-Identity header field into the message and
forward it to other trusted proxies. A proxy that is about to
forward a message to a proxy server or UA that it does not trust MUST
remove all the P-Asserted-Identity header field values if the user
requested that this information be kept private. Users can request
this type of privacy as described in Section 7.

The formal syntax for the P-Asserted-Identity header is presented in
Section 9.
5. Proxy Behavior
A proxy in a Trust Domain can receive a message from a node that it
trusts, or a node that it does not trust. When a proxy receives a
message from a node it does not trust and it wishes to add a
P-Asserted-Identity header field, the proxy MUST authenticate the
originator of the message, and use the identity which results from
this authentication to insert a P-Asserted-Identity header field into
the message.

If the proxy receives a message (request or response) from a node
that it trusts, it can use the information in the P-Asserted-Identity
header field, if any, as if it had authenticated the user itself.

If there is no P-Asserted-Identity header field present, a proxy MAY
add one containing at most one SIP or SIPS URI, and at most one tel
URL. If the proxy received the message from an element that it does
not trust and there is a P-Asserted-Identity header present which
contains a SIP or SIPS URI, the proxy MUST replace that SIP or SIPS
URI with a single SIP or SIPS URI or remove this header field.
Similarly, if the proxy received the message from an element that it
does not trust and there is a P-Asserted-Identity header present
which contains a tel URI, the proxy MUST replace that tel URI with a
single tel URI or remove the header field.

When a proxy forwards a message to another node, it must first
determine if it trusts that node or not. If it trusts the node, the
proxy does not remove any P-Asserted-Identity header fields that it
generated itself, or that it received from a trusted source. If it
does not trust the element, then the proxy MUST examine the Privacy
header field (if present) to determine if the user requested that
asserted identity information be kept private.
6. Hints for Multiple Identities
If a P-Preferred-Identity header field is present in the message that
a proxy receives from an entity that it does not trust, the proxy MAY
use this information as a hint suggesting which of multiple valid
identities for the authenticated user should be asserted. If such a
hint does not correspond to any valid identity known to the proxy for
that user, the proxy can add a P-Asserted-Identity header of its own
construction, or it can reject the request (for example, with a 403
Forbidden). The proxy MUST remove the user-provided
P-Preferred-Identity header from any message it forwards.

A user agent only sends a P-Preferred-Identity header field to proxy
servers in a Trust Domain; user agents MUST NOT populate the
P-Preferred-Identity header field in a message that is not sent
directly to a proxy that is trusted by the user agent. Were a user
agent to send a message containing a P-Preferred-Identity header
field to a node outside a Trust Domain, then the hinted identity
might not be managed appropriately by the network, which could have
negative ramifications for privacy.
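The receive-side rules of Sections 5 and 6, written out as an added example (not part of the RFC text). It assumes headers are held as (name, value) pairs and that authentication has already produced the user's valid identities; the function and parameter names are hypothetical.

```python
import re

def _uris(value):
    # URIs appear as name-addr, e.g. "Alice" <sip:alice@example.com>
    return re.findall(r"<([^>]+)>", value)

def _slot(uri):
    # sip: and sips: share one slot, tel: has its own (Section 5)
    return "tel" if uri.lower().startswith("tel:") else "sip"

def ingress(headers, from_trusted, valid_ids=(), reject_bad_hint=True):
    """headers: list of (name, value). valid_ids: identities the proxy holds
    for the user it just authenticated, default first; empty if the sender
    was not authenticated. Returns (status, headers), status being
    "forward" or "403"."""
    if from_trusted:
        return "forward", list(headers)       # assertion used as received
    hints, kept = [], []
    for name, value in headers:
        lname = name.lower()
        if lname == "p-preferred-identity":
            hints += _uris(value)             # a hint only, never forwarded
        elif lname != "p-asserted-identity":  # sender-supplied assertion dropped
            kept.append((name, value))
    chosen = {}
    for uri in hints:
        if uri in valid_ids:
            chosen.setdefault(_slot(uri), uri)
        elif valid_ids and reject_bad_hint:
            return "403", kept                # hint matches no valid identity
    if not chosen:
        for uri in valid_ids:                 # proxy's own construction
            chosen.setdefault(_slot(uri), uri)
    for slot in ("sip", "tel"):               # at most one URI per slot
        if slot in chosen:
            kept.append(("P-Asserted-Identity", "<%s>" % chosen[slot]))
    return "forward", kept

# Constructed sample: an untrusted UA supplies its own assertion and hints
# at a tel identity. All addresses are made up for the example.
SAMPLE = [
    ("From", "<sip:anonymous@anonymous.invalid>;tag=1"),
    ("P-Asserted-Identity", "<sip:ceo@example.com>"),
    ("P-Preferred-Identity", "<tel:+14085550100>"),
]
ALICE = ("sip:alice@example.com", "tel:+14085550100")
```

Calling `ingress(SAMPLE, False, ALICE)` forwards the message with the sender's own P-Asserted-Identity replaced by the hinted tel identity and the P-Preferred-Identity header removed.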
7. Requesting Privacy
Parties who wish to request the removal of P-Asserted-Identity header
fields before they are transmitted to an element that is not trusted
may add the "id" privacy token defined in this document to the
Privacy header field. The Privacy header field is defined in [6].
If this token is present, proxies MUST remove all the
P-Asserted-Identity header fields before forwarding messages to
elements that are not trusted. If the Privacy header field value is
set to "none" then the proxy MUST NOT remove the P-Asserted-Identity
header fields.

When a proxy is forwarding the request to an element that is not
trusted and there is no Privacy header field, the proxy MAY include
the P-Asserted-Identity header field or it MAY remove it. This
decision is a policy matter of the Trust Domain and MUST be specified
in Spec(T). It is RECOMMENDED that the P-Asserted-Identity header
fields SHOULD NOT be removed unless local privacy policies prevent
it, because removal may cause services based on Asserted Identity to
fail.
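The forwarding decision described in this section, as an added example (not part of the RFC text). The trusted host names, the (name, value) header model and the function names are assumptions, and the handling of a Privacy header that carries neither "id" nor "none" is a choice made here, not something this section specifies.

```python
# Assumption: Spec(T) lists trusted next hops by host name (hypothetical names).
TRUST_DOMAIN = {"proxy2.example.net", "gw.example.net"}

def privacy_tokens(headers):
    """Collect priv-values from all Privacy header fields (';'-separated)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "privacy":
            tokens.update(t.strip().lower() for t in value.split(";") if t.strip())
    return tokens

def egress(headers, next_hop, keep_by_default=True):
    """Return (headers_to_send, reason) for a message leaving this proxy.
    keep_by_default is the Spec(T) policy for messages with no Privacy header."""
    if next_hop in TRUST_DOMAIN:
        return list(headers), "trusted next hop: identity passed on"
    tokens = privacy_tokens(headers)
    if "id" in tokens:
        keep, reason = False, "Privacy: id, identity removed"
    elif "none" in tokens:
        keep, reason = True, "Privacy: none, identity must not be removed"
    else:
        # Assumption: a Privacy header carrying neither token is handled
        # like a missing one, i.e. by the Spec(T) default.
        keep, reason = keep_by_default, "Spec(T) default applied"
    if keep:
        return list(headers), reason
    stripped = [(n, v) for n, v in headers if n.lower() != "p-asserted-identity"]
    return stripped, reason

def has_pai(headers):
    return any(n.lower() == "p-asserted-identity" for n, _ in headers)

def sample(privacy=None):
    """Constructed message with two asserted identities (made-up addresses)."""
    msg = [("From", '"Anonymous" <sip:anonymous@anonymous.invalid>;tag=9802748'),
           ("P-Asserted-Identity", "<sip:alice@example.net>"),
           ("P-Asserted-Identity", "<tel:+14085550100>")]
    if privacy is not None:
        msg.append(("Privacy", privacy))
    return msg
```

The returned reason string is meant for the proxy's log, so that an identity reaching an untrusted element can be traced to the rule that allowed it.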