| TOC |
|
By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 28, 2006.
Copyright © The Internet Society (2006).
Chained or transitive trust can be used to determine whether incoming communication is likely to be desirable or not. We can build a chained trust relationship by introducing friends to our friends, for example. We propose mechanisms for discovering trust paths and binary responsive trustworthiness. The trust paths are based on a chain of trust relationships between users, a user and a domain, and domains. We apply this model to establishing relatively low-value trust suitable for deciding whether to accept communication requests such as emails, calls, or instant messages from strangers.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [1].
1.
Introduction
2.
Protection Mechanisms for Unsolicited Bulk Messages
3.
Our Goal and Approach
4.
Trust Indicators
4.1.
What are Trust Indicators?
4.2.
How to Utilize Trust Indicators
5.
Requirements
5.1.
Generic Requirements
5.2.
Security Requirements
6.
Operations on Trust Paths
6.1.
Push-based Model vs. Query-based Model
6.2.
Generating Trust Paths and Exchange Peer List
6.3.
Propagating Trust Paths
6.4.
Aggregating Trust Paths
6.5.
Querying Trust Paths at Reference URI
7.
Opinion Event Package
7.1.
Publication and Subscription
7.2.
Exchange Peer List
8.
Message Formats of Trust Paths
8.1.
Examples of Trust Paths
9.
IANA Considerations
10.
Security Considerations
11.
Changes
11.1.
Changes from -01.txt
11.2.
Changes from -00.txt
12.
References
12.1.
Normative References
12.2.
Informative References
§
Authors' Addresses
§
Intellectual Property and Copyright Statements
| TOC |
When dealing with strangers in electronic interactions, establishing trust for authorization is the core challenge as mere authentication does not yield more than a name or URI. Trust depends on the type of interaction, such as e-commerce and answering the phone. The level of trust required depends on the potential impact and risk of the interaction. We focus here on relatively low-risk interactions where more potential parties are trustworthy, such as emails, calls or instant messages.
There are several methods to determine the trustworthiness of a stranger in networks. One method is to ask a third party, such as a reputation system that rates the entity by some numerical scale such as "trust points". The trust points are based on evaluations that other anonymous entities have performed, including the experience from past transactions. Such trust points are often used for e-commerce, such as auction sites or small sellers aggregated by a large e-commerce site. Another method is to ask trusted friends for their opinions of the stranger. We generally trust our own friends more than the unknown third party.
However, we assume that the number of people in the circle of our friends is relatively small, given the number of members at a popular reputation system, and none of them may know the stranger directly. For communication interactions, instead of a trust scale, only a simple question needs to be answered, namely whether the person making the trust statement would be willing to accept communication requests from the stranger.
The underlying model is that the number of individuals generating unsolicited bulk mails or spam, spit (Spam over Internet Telephony) and other undesirable communications is very small compared to the total population, and thus the likelihood that even a friend-of-a-friend would know or trust such a spammer is also very low. Also, communications often occur in subsets of the total human population that share common values or profession, making it likely that legitimate strangers are known indirectly.
In this document, we are not too concerned with establishing trust or bona fides within the spammer community itself. They are invited to address this problem in appropriate fora.
Instead of determining the reputation of an individual, it is often sufficient to gauge the trustworthiness of a whole DNS domain. If the domain has a positive reputation and maintains strict rules for minting identifiers for its users, as is common for many large enterprises, we can trust users within the domain without having to establish trust to each individual.
This is not likely to be true for high-value and high-risk transactions such as selling a used car, but as noted above, we are focusing on lower-risk transactions in this document.
For gathering trustworthy opinions of our friends or community, we need to find trust paths where we can apply transitive trust. The trust paths are based on a chain of trust relationships between users, a user and a domain, and domains, in terms of accepting communication requests, such as a call. This document defines trust indicators to generate trust paths and a set of requirements for a mechanism to obtain binary trustworthiness by making use of the trust paths. Additionally, this document proposes a mechanism that combines a push-based and a query-based model for exchanging the trust paths among entities. We believe that it can provide one component of a system to reduce the amount of unsolicited bulk communication.
| TOC |
A variety of mechanisms have been proposed to protect recipients against undesirable communication:
| TOC |
Our goal is to help a recipient of a communication attempt, i.e., a mail transfer agent, an email receiver, callee or target of an instant message, judge whether to accept the message from a stranger. This requires a binary decision of trust. That stranger may later be added to a whitelist or blacklist, once the recipient has confirmed that future communication is desirable or not.
Our approach is to find chains of trust relationships that exist between individuals, an individual and a domain, and domains. If a friend of ours tells us that the stranger is his or her friend, we can decide to accept the communication attempt. If the stranger belongs to a certain trust domain, we might accept it. We call the chains of trust relationships, "trust paths".
Our approach requires that the identities of the friends are authenticated using some of the anti-spoofing mechanisms shown in Section 2 (Protection Mechanisms for Unsolicited Bulk Messages).
| TOC |
We provide what indicates trust relationships. We also provide how we can utilize trust indicators to find trust paths.
| TOC |
Below, we provide examples of how such trust relationships might be established, between users, a user and a domain, and domains. We can handle these activity records as trust indicators.
| TOC |
First, trust indicators are utilized to generate "trust paths" that contain the identifiers that the generator trusts, then these trust paths are exchanged among the trusted identifiers.
We need to consider the types of identifiers in trust paths, especially for users. The type of an identifier is either SIP-URI, tel-URI, presence URI, or email address, depending on the trust indicators to generate the trust paths. The appropriate type is determined by the type of application which needs the sender-based filtering. For example, an email address in a trust path is useful to judge whether to accept an email from a stranger, but not for a SIP voice call. Therefore, a single user can have a trust path that unify the type of identifiers for each application.
When exchanging trust paths, users and domains limit the identifiers to those peers having closer relationships than those for filtering, because the exchange has potentially more risk (i.e., requiring more efforts or a breach of privacy). For example, trust paths generated from a user's watcher list generally show closer relationships than those from his or her mail log, because disclosing his or her presence requires a closer relationship than sending only emails.
| TOC |
| TOC |
Below are some of generic requirements for mechanisms to discover trust paths.
REQ-GEN-1: The solution MUST be simple and scalable enough to handle the circle of friends in a few hops.
REQ-GEN-2: It SHOULD require a recipient less of the costs to obtain trust paths than the originator.
REQ-GEN-3: It SHOULD enable entities to obtain the trust path prior to being needed or quickly enough for determining whether they accept a voice call.
REQ-GEN-4: It SHOULD enable entities to set the maximum length of the trust path. The reliability of trust paths diminishes as their length increases.
| TOC |
Below are security requirements for mechanisms to discover trust paths.
REQ-SEC-1: The solution MUST enable entities to obtain trust paths from one or more trusted and authenticated entities.
REQ-SEC-2: It MUST enable entities to obtain trust paths from one or more trusted entities without revealing its content to unauthorized third parties.
REQ-SEC-3: It MUST enable entities to detect forgery of a trust path.
REQ-SEC-4: It SHOULD enable entities to select parts of the trust path to be revealed.
| TOC |
Trust paths are chains of trust relationships between entities. Each entity generates its own trust paths and exchanges them with peers based on its trust indicators in advance or on demand. We call a model push-based where each entity propagates its own trust paths to its community in advance of receiving a communication attempt message from a stranger. On the other hand, we call a model query-based where an entity sends queries following its trust paths about the stranger. We discuss two exchange models, the push-based and the query-based to meet the above requirements, and explain operations required for the exchange.
| TOC |
The push-based model enables entities to quickly determine the trustworthiness of a stranger, since they exchange their trust paths beforehand. Additionally, this model enables them to free from guessing the appropriate query based on the name of the stranger. This model, however, may have some disadvantages of the efficiency in the procedure and privacy, since entities propagate trust paths independently of the stranger's name.
In the query-based model, if the name of the stranger contains a good hint for the query, entities can query efficiently limited users and domains about the trustworthiness. If not, they need to ask all users or domains whom they trust, then the trustees need to ask their trustees. This query procedure needs to be recursive in certain cycles. It would be not so efficient. We estimate that the possibility that the name of stranger contains some hints is very low, because the user part of the name contains few hints, though the domain part of the name often contains some hints. Therefore, the query-based model has no advantage of efficiency in the query procedure, compared to the propagation procedure in the push-based model, and does not meet the REQ-GEN-2 and REQ-GEN-3 requirements.
Trust paths are potentially privacy-sensitive, especially when they contain trust relationships between users. In the push-based model, entities need to exclude privacy-sensitive information from their trust paths propagating. In the query-based model, entities need to give binary responses to queries on the basis of their trust paths. Such queries and responses are less privacy-sensitive than the exchange of trust paths, but they are still potentially privacy-sensitive if they are related to their private relationships. Therefore, entities need to exclude privacy-sensitive information from their trust paths to be used as the basis for the responses. In the both models, trust paths can contain public information only.
To moderate the disadvantages of both models, we take an approach combined two models, a via-reference model where entities find trust paths via references. It enables entities to search trust paths bidirectionally. If a stranger shows the recipient an URI containing a referrer's opinion about him or her, the URI may reduce the number of chains to reach the stranger, since the URI are a possible intersection for the trust paths between the stranger and the recipient. We call the URI a "reference URI".
In Figure 1 (Overview of Via-reference Exchange Model), Dave wants to call to Alice who does not know him directly. Before his calling, Dave obtains some URIs to show his references from the circle of his friends, e.g., Bob and Carol, for Alice in order to check his trustworthiness via them. Dave selects some URIs of referrers, e.g., Bob, who are potentially in the circle of Alice's friends. When Dave makes calls to Alice, he provides Bob's reference URI within a call attempt message, e.g., an INVITE method in SIP.
When Alice receives the call attempt message with the reference URIs, she queries the reference URI about Dave's trustworthiness, if if Bob allows her to query the URI. If not, Alice asks her friends to access the URI. If Dave belongs to the circle of Bob's friends at Bob's reference URI, Alice will accept the call from Dave. If not, Alice might reject his call. In this way, this approach requires neither finding a complete trust path between Alice and Dave beforehand nor querying the complete trust path after receiving the call attempt. This enables the recipient to reduce the query cost of the trust path so that this satisfies REQ-GEN-2 and REQ-GEN-3.
Alice (A) Bob (B) Carol (C) Dave (D)
| | | |
| |<-----|<-----| 1. Push D's
| | | | trust path
| |----->|----->| 2. Be pushed B's
| | | | trust path
| | | |
|<-----|------|------| 3. Call to A
| | | | w/B's reference
4. Query B about D |----->| | |
5. Get the response |<-----| | |
| | | |
6. Judge using the response | | | |
| | | |
| Figure 1: Overview of Via-reference Exchange Model |
In the via-reference model, an originator need to exchange his or her trust paths with fewer hops than in the push-based model. Yet, trust paths can contain public information only.
| TOC |
All trust paths and the exchange peer list are generated from trust indicators described in Section 4.1 (What are Trust Indicators?).
A user SHOULD generate one or more trust paths containing who trusts whom and the exchange peer list. A user MAY generate multiple list of exchange peer separately considering with a privacy issue, such as private and business.
| TOC |
Trust paths MUST consist of tuples containing the following information.
- Note: Information propagated over many hops is likely to be less reliable, so it is desirable to limit the length of the chain. However, there is no single limit that works in all circumstances, so we rely on including the number of hops that a trust path has traversed and then having recipients make decisions on whether to further propagate trust paths that have traveled far.
In addition, a trust path MAY contain the expiry time and the weight of the trustworthiness of individuals or domains.
Expiry time: the time duration for validity. For example, when trust paths are extracted from watcher list that contains the subscription duration, entities MAY set the expiry time of the trust paths based on the subscription duration.
Weight of the trustworthiness: Trustworthiness of individuals or domains.
[Note: Recipients of trust paths may weigh them differently depending on who has forwarded them. However, we decided against including weights as mandatory data in the trust paths, since this appears difficult to make commensurate among participants.]
| TOC |
The list is a subset of neighbor URIs in the trust paths of an entity. The list limits the entities that the trust paths can be propagated to or be accessed by.
As described in Section 4.2 (How to Utilize Trust Indicators), users exchange their trust paths only with a limited set of entries extracted from the users' watcher list. Therefore, the user identifiers in the exchange peer list contains only SIP-URIs, while the exchange peer list for domains contains domain URIs.
Users and domains have to translate from the exchange peer list to the network addresses for the exchange. Users' SIP-URIs are Address-of-Records (AoRs), from which a location service translates to contact addresses that contains FQDNs or IP addresses. However, only SIP proxy/redirect servers can invoke the location service. Therefore, a user needs another service such as a presence service in order to obtain the network addresses corresponding to the friends' AoRs.
| TOC |
| TOC |
Propagating trust paths is somewhat similar to propagating path vectors in routing protocol such as BGP (Rekhter, Y. and T. Li, “A Border Gateway Protocol 4 (BGP-4),” March 1995.) [17].
Figure 2 (Trust relationship and indicators) depicts an example of trust relationships among five people. We assume mutual trust relationships between Alice and Bob, Bob and Carol, Carol and Ed, Ed and Dave, and Dave and Alice.
Dave (D) <---------------------> Ed (E) ^ ^ | | | | v v Alice (A) <---> Bob (B) <---> Carol (C)
A <-> B: A and B trusts each other mutually.
| Figure 2: Trust relationship and indicators |
- Note: Alice can vary her trust paths according to the recipients.
| TOC |
Trust paths can be processed and propagated in a peering model or client-server model. Entities SHOULD use a client-server model where an opinion server stores their trust paths of users and propagate them on behalf of users and domains since the server make user authentication easier. Additionally, the via-reference model requires higher service availability of trust paths at reference URIs.
| TOC |
Propagation via opinion servers benefits user entities by being free from the presence status of a peer (i.e., on-line or off-line). A user has access to his friends' trust paths at their opinion servers at any time the servers run. Although their trust paths themselves are not as frequently changed as their presence status, they often add some trust paths by exchanging them with their friends. Therefore, they need to access their friends' opinion server to check if the trust paths were recently updated. There are two ways to recognize the update: one is a periodical access and another is the subscription mechanism (Roach, A., “Session Initiation Protocol (SIP)-Specific Event Notification,” June 2002.) [3]. We apply the subscription mechanism to the propagation, since this can provide rapid update notification. We also apply the publication mechanism (Niemi, A., “Session Initiation Protocol (SIP) Extension for Event State Publication,” October 2004.) [4] between users and their opinion servers. The specification is described in Section 7 (Opinion Event Package).
| TOC |
The propagation method of users' trust path is also applicable to domain servers. They maintain their own trust paths and propagate them each other. The difference to the users' way is that domain servers usually have their own opinion servers inside their domains. Therefore, domain servers MAY use other ways than the publication mechanism for intra-domain communication, while they MUST use the subscription mechanism for inter-domains communication.
| TOC |
As Carol selects a shorter path in the example of Figure 2 (Trust relationship and indicators), an entity needs to aggregate receiving trust paths with its own trust paths. An entity SHOULD select the shortest path to the same entity, unless the trust paths contain different opinions. An entity MAY select the most reliable path to the same entity according to the local preference based on the weight of the trustworthiness. If an entity receives different opinions on the same entity, trustworthy and untrustworthy, it is safer to prioritize the negative opinion, untrustworthy.
| TOC |
When an entity receives a communication attempt from a stranger attached with a reference URI, it MAY access the reference URI to obtain the trustworthiness of the stranger, i.e., in a SIP call, a SIP UA MAY receive a INVITE method with the reference URI at one of the parameters of SIP identity. If the referrer is a friend of the recipient, the recipient can directly access the reference URI. If not, the recipient queries its friends about the referrer and access the reference URI to obtain the trustworthiness of the stranger. The entities to be queried SHOULD NOT expand the query to their friends, since the query time is limited and longer trust paths are useless to determine the trustworthiness of the stranger.
| TOC |
| TOC |
When a user generates or aggregates new trust paths, he MUST send his own trust paths to his opinion server in the PUBLISH request. When a user needs to know his friends' trust paths, he MUST subscribe each of his friends' opinion servers to know their trust paths by sending the SUBSCRIBE requests. The opinion servers that accept the subscriptions, MUST send the NOTIFY requests containing updated trust paths to the subscribers.
For scalability, a user and an opinion server SHOULD support both of the partial publication mechanism and partial notification mechanism, such as [5] (Niemi, A., Lonnfors, M., and E. Leppanen, “Publication of Partial Presence Information,” March 2006.) [6] (Lonnfors, M., “Session Initiation Protocol (SIP) extension for Partial Notification of Presence Information,” June 2006.).
| TOC |
The name of this event package is "opinion". The Content-Type is 'application/tpdf+xml' for the publication and notification of trust paths, and 'application/tpdf-diff+xml for the partial publish and notification.
| TOC |
For the authorization of accessing user's trust paths at an opinion server, a user MUST set the exchange peer list as the authorization list for his trust paths. Since the destination list is only updated by the user, the watcher list mechanism for this is not needed.
| TOC |
The message format of trust paths uses the XML (Mealling, M., “The IETF XML Registry,” January 2004.) [7] data format. The data size of the trust paths depends on the number of a user's friends and the length of the chain.
| TOC |
TBD
| TOC |
This document proposes a new event package, "opinion", and new Content-Types, "application/tpdf+xml" and "application/tpdf.diff+xml".
| TOC |
In the generation phase, some entities generate wrong trust paths that includes a hostile entity as a trustworthy one. Additionally, in the aggregation phase, some entities improperly add or modify trust paths propagated from other entities. Therefore, the traceability of the trust paths SHOULD be supported. Entities SHOULD attach the signature, before the propagation, using XML-signature (Eastlake, D., Reagle, J., and D. Solo, “(Extensible Markup Language) XML-Signature Syntax and Processing,” March 2002.) [8] to the path element of the trust path data generated from their own trust indicators. Since the aggregation of the trust paths makes the signature invalid, entities SHOULD log the trust paths that contains generator's signature before the aggregation. Entities SHOULD check if the signature exists and is valid, when the trust path is propagated by the originator of the trust paths.
In the propagation phase, we have to consider impersonating a user or domain entity, as well as an opinion server, by a malicious user or server. Additionally, we have to consider tampering trust paths by a malicious one. To protect against these attacks, user entities and opinion servers MUST authenticate mutually, and the data integrity of transmitted trust paths MUST be protected. Since they use the publication and subscription mechanisms for the propagation of the trust paths, authentication and data integrity protection follow those of the mechanisms. User and domain entities, and an opinion server MUST support TLS. User and domain entities MUST authenticate an opinion server with the public key certificate during the TLS handshake protocol. If there is no direct TLS connection, transitive trust MUST be applied. An opinion server MUST authenticate a user who belongs to the server by HTTP Digest Authentication, whereas using by the SIP identity mechanism for a user who does not belong to.
| TOC |
| TOC |
| TOC |
| TOC |
| TOC |
| [1] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” RFC 2119, March 1997. |
| [2] | Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, “SIP: Session Initiation Protocol,” RFC 3261, June 2002. |
| [3] | Roach, A., “Session Initiation Protocol (SIP)-Specific Event Notification,” RFC 3265, June 2002. |
| [4] | Niemi, A., “Session Initiation Protocol (SIP) Extension for Event State Publication,” RFC 3903, October 2004. |
| [5] | Niemi, A., Lonnfors, M., and E. Leppanen, “Publication of Partial Presence Information,” draft-ietf-simple-partial-publish-04 (work in progress), March 2006. |
| [6] | Lonnfors, M., “Session Initiation Protocol (SIP) extension for Partial Notification of Presence Information,” draft-ietf-simple-partial-notify-07 (work in progress), June 2006. |
| [7] | Mealling, M., “The IETF XML Registry,” RFC 3688, January 2004. |
| [8] | Eastlake, D., Reagle, J., and D. Solo, “(Extensible Markup Language) XML-Signature Syntax and Processing,” RFC 3275, March 2002. |
| [9] | Dierks, T. and C. Allen, “The TLS Protocol Version 1.0,” RFC 2246, January 1999. |
| TOC |
| [10] | Rosenberg, J., “The Session Initiation Protocol (SIP) and Spam,” draft-ietf-sipping-spam-02 (work in progress), February 2006. |
| [11] | Crocker, D., “Certified Server Validation (CSV),” draft-ietf-marid-csv-intro-02 (work in progress), February 2005. |
| [12] | Leslie, J., “Domain Name Accreditation (DNA),” draft-ietf-marid-csv-dna-02 (work in progress), February 2005. |
| [13] | Lyon, J. and M. Wong, “Sender ID: Authenticating E-Mail,” RFC 4406, April 2006. |
| [14] | Delany, M., “Domain-based Email Authentication Using Public-Keys Advertised in the DNS (DomainKeys),” draft-delany-domainkeys-base-04 (work in progress), March 2006. |
| [15] | Peterson, J. and C. Jennings, “Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP),” draft-ietf-sip-identity-06 (work in progress), October 2005. |
| [16] | Rosenberg, J., “A Watcher Information Event Template-Package for the Session Initiation Protocol (SIP),” RFC 3857, August 2004. |
| [17] | Rekhter, Y. and T. Li, “A Border Gateway Protocol 4 (BGP-4),” RFC 1771, March 1995. |
| [18] | Jennings, C., Peterson, J., and J. Fischl, “Certificate Management Service for The Session Initiation Protocol (SIP),” draft-ietf-sip-certs-00 (work in progress), May 2006. |
| TOC |
| Kumiko Ono | |
| Columbia University | |
| Department of Computer Science | |
| New York, NY 10027 | |
| USA | |
| Email: | kumiko@cs.columbia.edu |
| Henning Schulzrinne | |
| Columbia University | |
| Department of Computer Science | |
| 450 Computer Science Building | |
| New York, NY 10027 | |
| USA | |
| Email: | hgs@cs.columbia.edu |
| TOC |
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright © The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
Funding for the RFC Editor function is currently provided by the Internet Society.