Internet Engineering Task Force (IETF)                          R. Singh
Request for Comments: 8443                                  Vencore Labs
Category: Standards Track                                       M. Dolly
ISSN: 2070-1721                                                     AT&T
                                                                  S. Das
                                                            Vencore Labs
                                                               A. Nguyen
                                  Office of Emergency Communications/DHS
                                                             August 2018
        
Internet Engineering Task Force (IETF)                          R. Singh
Request for Comments: 8443                                  Vencore Labs
Category: Standards Track                                       M. Dolly
ISSN: 2070-1721                                                     AT&T
                                                                  S. Das
                                                            Vencore Labs
                                                               A. Nguyen
                                  Office of Emergency Communications/DHS
                                                             August 2018
        

Personal Assertion Token (PASSporT) Extension for Resource Priority Authorization

资源优先级授权的个人断言令牌(PASSporT)扩展

Abstract

摘要

This document extends the Personal Assertion Token (PASSporT) specification defined in RFC 8225 to allow the inclusion of cryptographically signed assertions of authorization for the values populated in the Session Initiation Protocol (SIP) 'Resource-Priority' header field, which is used for communications resource prioritization.

本文档扩展了RFC 8225中定义的个人断言令牌(PASSporT)规范,以允许对会话启动协议(SIP)“资源优先级”标题字段中填充的值包含加密签名的授权断言,该字段用于通信资源优先级。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8443.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8443.

Copyright Notice

版权公告

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2018 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  PASSporT "rph" Claim  . . . . . . . . . . . . . . . . . . . .   4
   4.  "rph" in SIP  . . . . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Authentication Service Behavior . . . . . . . . . . . . .   5
     4.2.  Verification Service Behavior . . . . . . . . . . . . . .   6
   5.  Further Information Associated with the SIP
       'Resource-Priority' Header Field  . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
     6.1.  JSON Web Token Claims . . . . . . . . . . . . . . . . . .   7
     6.2.  PASSporT Types  . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
     7.1.  Avoidance of Replay and Cut-and-Paste Attacks . . . . . .   8
     7.2.  Solution Considerations . . . . . . . . . . . . . . . . .   8
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  PASSporT "rph" Claim  . . . . . . . . . . . . . . . . . . . .   4
   4.  "rph" in SIP  . . . . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Authentication Service Behavior . . . . . . . . . . . . .   5
     4.2.  Verification Service Behavior . . . . . . . . . . . . . .   6
   5.  Further Information Associated with the SIP
       'Resource-Priority' Header Field  . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
     6.1.  JSON Web Token Claims . . . . . . . . . . . . . . . . . .   7
     6.2.  PASSporT Types  . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
     7.1.  Avoidance of Replay and Cut-and-Paste Attacks . . . . . .   8
     7.2.  Solution Considerations . . . . . . . . . . . . . . . . .   8
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10
        
1. Introduction
1. 介绍

PASSporT [RFC8225] is a token format based on JSON Web Token (JWT) [RFC7519] for conveying cryptographically signed information about the identities involved in personal communications. PASSporT with Secure Telephone Identity Revisited (STIR) [RFC8224] provides a mechanism by which an authority on the originating side of a call, using a protocol like SIP [RFC3261], can provide a cryptographic assurance of the validity of the calling party telephone number in order to prevent impersonation attacks.

PASSporT[RFC8225]是一种基于JSON Web令牌(JWT)[RFC7519]的令牌格式,用于传输有关个人通信中涉及的身份的加密签名信息。PASSporT with Secure Telephone Identity Retrieved(STIR)[RFC8224]提供了一种机制,通过该机制,呼叫发起方的机构可以使用类似SIP[RFC3261]的协议,对呼叫方电话号码的有效性提供加密保证,以防止模拟攻击。

[RFC4412] defines a mechanism to prioritize access to SIP-signaled resources during periods of communications resource scarcity using the SIP 'Resource-Priority' header. As specified in [RFC4412], the SIP 'Resource-Priority' header field may be used by SIP user agents (UAs) [RFC3261] (including Public Switched Telephone Network (PSTN) gateways and SIP proxy servers) to influence prioritization afforded to communication sessions, including PSTN calls (e.g., to manage scarce network resources during network congestion scenarios). However, the SIP 'Resource-Priority' header field could be spoofed and abused by unauthorized entities, the threat models and use cases of which are described in [RFC7375] and [RFC7340], respectively.

[RFC4412]定义了一种机制,使用SIP“资源优先级”报头在通信资源短缺期间优先访问SIP信号资源。如[RFC4412]中所述,SIP“资源优先级”报头字段可由SIP用户代理(UAs)[RFC3261](包括公共交换电话网络(PSTN)网关和SIP代理服务器)使用,以影响提供给通信会话的优先级,包括PSTN呼叫(例如,在网络拥塞情况下管理稀缺的网络资源)。但是,SIP“资源优先级”头字段可能被未经授权的实体欺骗和滥用,其威胁模型和用例分别在[RFC7375]和[RFC7340]中描述。

Compromise of the SIP 'Resource-Priority' header field [RFC4412] could lead to misuse of network resources (i.e., during congestion scenarios), impacting the application services supported using the SIP 'Resource-Priority' header field.

SIP“资源优先级”头字段[RFC4412]的泄露可能导致网络资源的误用(即在拥塞情况下),影响使用SIP“资源优先级”头字段支持的应用程序服务。

[RFC8225] allows extensions by which an authority on the originating side verifying the authorization of a particular communication for the SIP 'Resource-Priority' header field can use a PASSPorT claim to cryptographically sign the SIP 'Resource-Priority' header field and convey assertion of the authorization for the SIP 'Resource-Priority' header field. A signed SIP 'Resource-Priority' header field will allow a receiving entity (including entities located in different network domains/boundaries) to verify the validity of assertions authorizing the SIP 'Resource-Priority' header field and to act on the information with confidence that the information has not been spoofed or compromised.

[RFC8225]允许扩展,通过该扩展,验证SIP“资源优先级”头字段特定通信授权的发起方机构可以使用PASSPorT声明对SIP“资源优先级”头字段进行加密签名,并传递SIP“资源优先级”头字段授权的断言。签名的SIP“资源优先级”头字段将允许接收实体(包括位于不同网络域/边界中的实体)验证授权SIP“资源优先级”头字段的断言的有效性,并在信息未被欺骗或泄露的情况下对信息采取行动。

This specification documents an extension to PASSporT and the associated STIR mechanisms to provide a function to cryptographically sign the SIP 'Resource-Priority' header field. This PASSporT object is used to provide attestation of a calling-user authorization for priority communications. This is necessary in addition to the PASSporT object that is used for calling-user telephone-number attestation. How this extension to PASSporT is used for real-time communications supported using the SIP 'Resource-Priority' header field is outside the scope of this document. In addition, the PASSPorT extension defined in this document is intended for use in environments where there are means to verify that the signer of the SIP 'Resource-Priority' header field is authoritative.

本规范记录了PASSporT和相关STIR机制的扩展,以提供对SIP“资源优先级”头字段进行加密签名的功能。此PASSporT对象用于为优先级通信提供呼叫用户授权的证明。除了用于呼叫用户电话号码认证的PASSporT对象之外,这也是必需的。如何将此PASSporT扩展用于使用SIP“Resource Priority”标头字段支持的实时通信不在本文档的范围内。此外,本文档中定义的PASSPorT扩展旨在用于有方法验证SIP“资源优先级”头字段的签名者是否具有权威性的环境中。

2. Terminology
2. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。

3. PASSporT "rph" Claim
3. 护照“rph”索赔

This specification defines a new JSON Web Token claim for "rph" that provides an assertion for information in the SIP 'Resource-Priority' header field.

该规范为“rph”定义了一个新的JSON Web令牌声明,该声明为SIP“Resource Priority”头字段中的信息提供了一个断言。

The creator of a PASSporT object adds a "ppt" value of "rph" to the header of a PASSporT object. The PASSporT claims MUST contain an "rph" claim, and any entities verifying the PASSporT object will be required to understand the "ppt" extension in order to process the PASSporT in question. A PASSPorT header with the "ppt" included will look as follows:

PASSporT对象的创建者将“ppt”值“rph”添加到PASSporT对象的标题中。护照声明必须包含“rph”声明,任何验证护照对象的实体都必须理解“ppt”扩展,以便处理相关护照。包含“ppt”的PASSPorT标题如下所示:

   {
   "typ":"passport",
     "ppt":"rph",
     "alg":"ES256",
     "x5u":"https://www.example.org/cert.cer"
   }
        
   {
   "typ":"passport",
     "ppt":"rph",
     "alg":"ES256",
     "x5u":"https://www.example.org/cert.cer"
   }
        

The "rph" claim will provide an assertion of authorization, "auth", for information in the SIP 'Resource-Priority' header field based on [RFC4412]. The syntax is:

“rph”声明将根据[RFC4412]为SIP“资源优先级”报头字段中的信息提供授权断言“auth”。语法是:

   {
   Resource-Priority = "Resource-Priority" : r-value,
   r-value = namespace  "."  r-priority
   }
        
   {
   Resource-Priority = "Resource-Priority" : r-value,
   r-value = namespace  "."  r-priority
   }
        

Specifically, the "rph" claim includes an assertion of the priority level of the user to be used for a given communication session. The value of the "rph" claim is an object with one or more keys. Each key is associated with a JSON array. These arrays contain strings that correspond to the r-values indicated in the SIP 'Resource-Priority' header field.

具体而言,“rph”权利要求包括对用于给定通信会话的用户的优先级的断言。“rph”声明的值是具有一个或多个键的对象。每个键都与一个JSON数组相关联。这些数组包含与SIP“资源优先级”标头字段中指示的r值相对应的字符串。

The following is an example "rph" claim for a SIP 'Resource-Priority' header field with one r-value of "ets.0" and with another r-value of "wps.0":

以下是SIP“资源优先级”头字段的“rph”声明示例,其中一个r值为“ets.0”,另一个r值为“wps.0”:

    {
     "orig":{"tn":"12155550112"},
     "dest":{["tn":"12125550113"]},
     "iat":1443208345,
     "rph":{"auth":["ets.0", "wps.0"]}
    }
        
    {
     "orig":{"tn":"12155550112"},
     "dest":{["tn":"12125550113"]},
     "iat":1443208345,
     "rph":{"auth":["ets.0", "wps.0"]}
    }
        

After the header and claims PASSporT objects have been constructed, their signature is generated normally per the guidance in [RFC8225] using the full form of PASSPorT. The credentials (i.e., Certificate) used to create the signature must have authority over the namespace of the "rph" claim, and there is only one authority per claim. The authority MUST use its credentials associated with the specific service supported by the resource priority namespace in the claim. If r-values are added or dropped by the intermediaries along the path, the intermediaries must generate a new "rph" header and sign the claim with their own authority.

构造标头和索赔PASSporT对象后,通常根据[RFC8225]中的指南,使用PASSporT的完整格式生成其签名。用于创建签名的凭据(即证书)必须对“rph”声明的命名空间具有权限,并且每个声明只有一个权限。授权机构必须使用与声明中的资源优先级命名空间支持的特定服务关联的凭据。如果中介机构沿路径添加或删除r值,则中介机构必须生成新的“rph”标头,并使用自己的权限签署索赔。

The use of the compact form of PASSporT is not specified in this document.

本文件未规定使用紧凑型护照。

4. "rph" in SIP
4. SIP中的“rph”

This section specifies SIP-specific usage for the "rph" claim in PASSporT.

本节规定了PASSporT中“rph”声明的SIP特定用法。

4.1. Authentication Service Behavior
4.1. 身份验证服务行为

The Authentication Service will create the "rph" claim using the values discussed in Section 3 of this document that are based on [RFC4412]. The construction of the "rph" claim follows the steps described in Section 4.1 of [RFC8224].

认证服务将使用本文档第3节中讨论的基于[RFC4412]的值创建“rph”声明。“rph”索赔的解释遵循[RFC8224]第4.1节中描述的步骤。

The resulting Identity header for "rph" might look as follows (backslashes shown for line folding only):

“rph”的最终标识标头可能如下所示(显示的反斜杠仅用于折线):

      Identity:eyJhbGciOiJFUzI1NiIsInBwdCI6InJwaCIsInR5cCI6InBhc3Nwb3J0\
      IiwieDV1IjoiaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20vY2VydC5jZXIifQo.eyJkZ\
      XN0Ijp7WyJ0biI6IjEyMTI1NTUwMTEzIl19LCJpYXQiOiIxNDQzMjA4MzQ1Iiwib3\
      JpZyI6eyJ0biI6IjEyMTU1NTUwMTEyIn0sInJwaCI6eyJhdXRoIjpbImV0cy4wIiw\
      id3BzLjAiXX19Cg.s37S6VC8HM6Dl6YzJeQDsrZcwJ0lizxhUrA7f_98oWBHvo-cl\
      -n8MIhoCr18vYYFy3blXvs3fslM_oos2P2Dyw;info=<https://www.example.\
      org/cert.cer>;alg=ES256;ppt="rph"
        
      Identity:eyJhbGciOiJFUzI1NiIsInBwdCI6InJwaCIsInR5cCI6InBhc3Nwb3J0\
      IiwieDV1IjoiaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20vY2VydC5jZXIifQo.eyJkZ\
      XN0Ijp7WyJ0biI6IjEyMTI1NTUwMTEzIl19LCJpYXQiOiIxNDQzMjA4MzQ1Iiwib3\
      JpZyI6eyJ0biI6IjEyMTU1NTUwMTEyIn0sInJwaCI6eyJhdXRoIjpbImV0cy4wIiw\
      id3BzLjAiXX19Cg.s37S6VC8HM6Dl6YzJeQDsrZcwJ0lizxhUrA7f_98oWBHvo-cl\
      -n8MIhoCr18vYYFy3blXvs3fslM_oos2P2Dyw;info=<https://www.example.\
      org/cert.cer>;alg=ES256;ppt="rph"
        

A SIP authentication service will derive the value of "rph" from the SIP 'Resource-Priority' header field based on policy associated with service-specific use of r-values, defined as follows in [RFC4412]:

SIP认证服务将根据与特定于服务的r值使用相关联的策略,从SIP“资源优先级”头字段中导出“rph”值,定义如下[RFC4412]:

r-value = namespace "." r-priority

r-value=命名空间“.”r-priority

The authentication service derives the value of the PASSPorT claim by verifying the authorization for the SIP 'Resource-Priority' header field (i.e., verifying a calling-user privilege for the SIP 'Resource-Priority' header field based on its identity). The authorization might be derived from customer-profile data or access to external services.

身份验证服务通过验证SIP“资源优先级”头字段的授权(即,基于SIP“资源优先级”头字段的身份验证呼叫用户权限)来获取PASSPorT声明的值。授权可能来自客户配置文件数据或对外部服务的访问。

[RFC4412] allows multiple "namespace "." priority value" pairs, either in a single SIP 'Resource-Priority' header field or across multiple SIP 'Resource-Priority' header fields. An authority is responsible for signing all the content of a SIP 'Resource-Priority' header field for which it has the authority.

[RFC4412]允许在单个SIP“资源优先级”头字段中或跨多个SIP“资源优先级”头字段使用多个“命名空间”“优先级值”对。授权机构负责对其拥有权限的SIP“资源优先级”头字段的所有内容进行签名。

4.2. Verification Service Behavior
4.2. 验证服务行为

[RFC8224], Section 6.2, Step 5 requires that specifications defining "ppt" values describe any additional verifier behavior. The behavior specified for the "ppt" values of "rph" is as follows:

[RFC8224]第6.2节第5步要求定义“ppt”值的规范描述任何其他验证器行为。为“rph”的“ppt”值指定的行为如下:

The verification service MUST extract the value associated with the "auth" key in a full-form PASSPorT with a "ppt" value of "rph". If the signature validates, then the verification service can use the value of the "rph" claim as validation that the calling party is authorized for SIP 'Resource-Priority' header fields as indicated in the claim. This value would, in turn, be used for priority treatment in accordance with local policy for the associated communication service. If the signature validation fails, the verification service should infer that the calling party is not authorized for SIP 'Resource-Priority' header fields as indicated in the claim. In such cases, the priority treatment for the associated communication service is handled as per the local policy of the verifier. In such scenarios, the SIP 'Resource-Priority' header field SHOULD be stripped from the SIP request, and the network entities should treat the call as an ordinary call.

验证服务必须提取“ppt”值为“rph”的完整护照中与“auth”密钥相关的值。如果签名验证,则验证服务可以使用“rph”声明的值作为验证,以验证呼叫方是否有权使用声明中所示的SIP“资源优先级”头字段。根据相关通信服务的当地政策,该值将反过来用于优先处理。如果签名验证失败,验证服务应推断呼叫方未被授权使用声明中所示的SIP“资源优先级”头字段。在这种情况下,根据验证器的本地策略处理相关通信服务的优先级处理。在这种情况下,SIP“资源优先级”报头字段应从SIP请求中剥离,网络实体应将该呼叫视为普通呼叫。

In addition, [RFC8224], Section 6.2, Step 4 requires the "iat" value in "rph" claim to be verified.

此外,[RFC8224]第6.2节第4步要求验证“rph”索赔中的“iat”值。

The behavior of a SIP UA upon receiving an INVITE containing a PASSporT object with an "rph" claim will largely remain a matter of implementation policy for the specific communication service. In most cases, implementations would act based on confidence in the veracity of this information.

SIP UA在接收到包含PASSporT对象且具有“rph”声明的INVITE时的行为在很大程度上仍然是特定通信服务的实现策略问题。在大多数情况下,实现将基于对这些信息的准确性的信心。

5. Further Information Associated with the SIP 'Resource-Priority' Header Field

5. 与SIP“资源优先级”标题字段相关的更多信息

There may be additional information about the calling party or the call that could be relevant to authorization for the SIP 'Resource-Priority' header field. This may include information related to the device subscription of the caller, to any institutions that the caller or device is associated with, or even to categories of institutions. All of these data elements would benefit from the secure attestations provided by the STIR and PASSporT frameworks. The specification of the "rph" claim could entail the optional presence of one or more such additional information fields applicable to the SIP 'Resource-Priority' header field.

可能存在与SIP“资源优先级”头字段的授权相关的关于呼叫方或呼叫的附加信息。这可以包括与呼叫者的设备订阅、与呼叫者或设备相关联的任何机构、甚至与机构类别相关的信息。所有这些数据元素都将受益于STIR和PASSporT框架提供的安全认证。“rph”权利要求的规范可能要求可选地存在适用于SIP“资源优先级”报头字段的一个或多个这样的附加信息字段。

A new IANA registry has been defined to hold potential values of the "rph" array; see Section 6.2. The definition of the "rph" claim may have one or more such additional information field(s). Details of how an "rph" claim encompasses other data elements are left for future specifications.

定义了一个新的IANA注册表来保存“rph”数组的潜在值;见第6.2节。“rph”索赔的定义可能包含一个或多个此类附加信息字段。“rph”声明如何包含其他数据元素的详细信息留待将来的规范。

6. IANA Considerations
6. IANA考虑
6.1. JSON Web Token Claims
6.1. JSON Web令牌声明

IANA has added a new claim to the "JSON Web Token Claims" registry as defined in [RFC7519].

IANA向[RFC7519]中定义的“JSON Web令牌声明”注册表添加了一个新声明。

o Claim Name: "rph"

o 索赔名称:“rph”

o Claim Description: Resource Priority Header Authorization

o 索赔说明:资源优先级标头授权

o Change Controller: IESG

o 更改控制器:IESG

o Specification Document(s): Section 3 of RFC 8443

o 规范文件:RFC 8443第3节

6.2. PASSporT Types
6.2. 护照类型

IANA has created a new entry in the "Personal Assertion Token (PASSporT) Extensions" registry for the type "rph", which is specified in this document. In addition, the "PASSporT Resource Priority Header (rph) Types" registry has been created in which each entry must contain two fields: the name of the "rph" type and the

IANA已在“个人断言令牌(PASSporT)扩展”注册表中为本文档中指定的“rph”类型创建了一个新条目。此外,还创建了“PASSporT Resource Priority Header(rph)Types”注册表,其中每个条目必须包含两个字段:“rph”类型的名称和

specification in which the type is described. This registry has been initially populated with the single value for "auth", which is specified in this document. Registration of new "rph" types shall be under the Specification Required policy[RFC8126].

描述类型的规范。此注册表最初使用本文档中指定的“auth”的单个值填充。新“rph”类型的注册应符合规范要求的政策[RFC8126]。

7. Security Considerations
7. 安全考虑

The security considerations discussed in [RFC8224], Section 12, are applicable here.

[RFC8224]第12节中讨论的安全注意事项适用于此处。

7.1. Avoidance of Replay and Cut-and-Paste Attacks
7.1. 避免重播和剪切粘贴攻击

The PASSporT extension with a "ppt" value of "rph" MUST only be sent with SIP INVITE when the SIP 'Resource-Priority' header field is used to convey the priority of the communication, as defined in [RFC4412]. To avoid replay and cut-and-paste attacks, the recommendations provided in Section 12.1 of [RFC8224] MUST be followed.

“ppt”值为“rph”的PASSporT扩展只有在SIP“资源优先级”头字段用于传达通信优先级时才能与SIP INVITE一起发送,如[RFC4412]中所定义。为避免重播和剪切粘贴攻击,必须遵循[RFC8224]第12.1节中的建议。

7.2. Solution Considerations
7.2. 解决方案考虑

Using extensions to PASSporT tokens with a "ppt" value of "rph" requires knowledge of the authentication, authorization, and reputation of the signer to attest to the identity being asserted, including validating the digital signature and the associated certificate chain to a trust anchor. The following considerations should be recognized when using PASSporT extensions with a "ppt" value of "rph":

对“ppt”值为“rph”的PASSporT令牌使用扩展需要了解签名者的身份验证、授权和信誉,以证明所断言的身份,包括验证数字签名和与信任锚关联的证书链。使用“ppt”值为“rph”的护照扩展时,应注意以下事项:

o A signer is only allowed to sign the content of a SIP 'Resource-Priority' header field for which it has the proper authorization. Before signing tokens, the signer MUST have a secure method for authentication of the end user or the device being granted a token.

o 签名者仅允许对其具有适当授权的SIP“资源优先级”头字段的内容进行签名。在对令牌进行签名之前,签名者必须有一个安全的方法来验证最终用户或被授予令牌的设备。

o The verification of the signature MUST include means of verifying that the signer is authoritative for the signed content of the resource priority namespace in the PASSporT.

o 签名验证必须包括验证签名者对PASSporT中资源优先级命名空间的签名内容是否具有权威性的方法。

8. References
8. 工具书类
8.1. Normative References
8.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, <https://www.rfc-editor.org/info/rfc3261>.

[RFC3261]Rosenberg,J.,Schulzrinne,H.,Camarillo,G.,Johnston,A.,Peterson,J.,Sparks,R.,Handley,M.,和E.Schooler,“SIP:会话启动协议”,RFC 3261,DOI 10.17487/RFC3261,2002年6月<https://www.rfc-editor.org/info/rfc3261>.

[RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource Priority for the Session Initiation Protocol (SIP)", RFC 4412, DOI 10.17487/RFC4412, February 2006, <https://www.rfc-editor.org/info/rfc4412>.

[RFC4412]Schulzrinne,H.和J.Polk,“会话启动协议(SIP)的通信资源优先级”,RFC 4412,DOI 10.17487/RFC4412,2006年2月<https://www.rfc-editor.org/info/rfc4412>.

[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, <https://www.rfc-editor.org/info/rfc7519>.

[RFC7519]Jones,M.,Bradley,J.和N.Sakimura,“JSON网络令牌(JWT)”,RFC 7519,DOI 10.17487/RFC7519,2015年5月<https://www.rfc-editor.org/info/rfc7519>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.

[RFC8224] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, "Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 8224, DOI 10.17487/RFC8224, February 2018, <https://www.rfc-editor.org/info/rfc8224>.

[RFC8224]Peterson,J.,Jennings,C.,Rescorla,E.,和C.Wendt,“会话启动协议(SIP)中的身份验证管理”,RFC 8224,DOI 10.17487/RFC82242018年2月<https://www.rfc-editor.org/info/rfc8224>.

[RFC8225] Wendt, C. and J. Peterson, "PASSporT: Personal Assertion Token", RFC 8225, DOI 10.17487/RFC8225, February 2018, <https://www.rfc-editor.org/info/rfc8225>.

[RFC8225]Wendt,C.和J.Peterson,“护照:个人主张令牌”,RFC 8225,DOI 10.17487/RFC82252018年2月<https://www.rfc-editor.org/info/rfc8225>.

8.2. Informative References
8.2. 资料性引用

[RFC7340] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure Telephone Identity Problem Statement and Requirements", RFC 7340, DOI 10.17487/RFC7340, September 2014, <https://www.rfc-editor.org/info/rfc7340>.

[RFC7340]Peterson,J.,Schulzrinne,H.和H.Tschofenig,“安全电话身份问题声明和要求”,RFC 7340,DOI 10.17487/RFC7340,2014年9月<https://www.rfc-editor.org/info/rfc7340>.

[RFC7375] Peterson, J., "Secure Telephone Identity Threat Model", RFC 7375, DOI 10.17487/RFC7375, October 2014, <https://www.rfc-editor.org/info/rfc7375>.

[RFC7375]Peterson,J.,“安全电话身份威胁模型”,RFC 7375,DOI 10.17487/RFC7375,2014年10月<https://www.rfc-editor.org/info/rfc7375>.

[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, <https://www.rfc-editor.org/info/rfc8126>.

[RFC8126]Cotton,M.,Leiba,B.,和T.Narten,“在RFC中编写IANA考虑事项部分的指南”,BCP 26,RFC 8126,DOI 10.17487/RFC8126,2017年6月<https://www.rfc-editor.org/info/rfc8126>.

Acknowledgements

致谢

We would like to thank STIR Working Group members, the ATIS/SIP Forum Task Force on IPNNI members, and the NS/EP Priority Services community for contributions to this problem statement and specification. We would also like to thank David Hancock and Ning Zhang for their valuable inputs.

我们要感谢STIR工作组成员、ATIS/SIP论坛IPNNI成员特别工作组以及NS/EP优先服务社区对本问题陈述和规范的贡献。我们还要感谢David Hancock和Ning Zhang的宝贵投入。

Authors' Addresses

作者地址

Ray P. Singh Vencore Labs 150 Mount Airy Road New Jersey, NJ 07920 United States of America

美国新泽西州艾里山路150号Ray P.Singh Vencore实验室,邮编:07920

   Email: rsingh@vencorelabs.com
        
   Email: rsingh@vencorelabs.com
        

Martin Dolly AT&T 200 Laurel Avenue Middletown, NJ 07748 United States of America

美国新泽西州米德尔顿劳雷尔大道200号马丁·多利电话电报公司,邮编:07748

   Email: md3135@att.com
        
   Email: md3135@att.com
        

Subir Das Vencore Labs 150 Mount Airy Road New Jersey, NJ 07920 United States of America

美国新泽西州艾里山路150号Subir Das Vencore实验室,邮编:07920

   Email: sdas@vencorelabs.com
        
   Email: sdas@vencorelabs.com
        

An Nguyen Office of Emergency Communications Department of Homeland Security 245 Murray Lane, Building 410 Washington, DC 20528 United States of America

美国华盛顿特区410号楼莫里巷245号国土安全部应急通信部阮办事处20528

   Email: an.p.nguyen@HQ.DHS.GOV
        
   Email: an.p.nguyen@HQ.DHS.GOV