IETF — RFCs and active drafts
This page is the catalog of IETF documents referenced across the library — published RFCs and active working-group drafts. Each document has its own page; the topic pages elsewhere on the site (STIR, SHAKEN, SIP, ENUM, ACME, vCon, and others) link here as the canonical home for what each document specifies.
The list is curated, not exhaustive. A document earns a place here when it’s referenced in a topic page somewhere on the site. The topic pages provide framing — what this document does for the context that matters there. The per-document pages provide depth — what the document actually says, who authored it, and which design choices are worth understanding.
Where I am a co-author of a document, the per-document page says so explicitly. Authority claims are positional: I’m describing the document I helped write, not summarizing from outside.
STIR family
The Secure Telephone Identity Revisited working group’s output — the cryptographic protocol for caller authentication and its extensions. For framing on how these documents relate to each other and what order to read them in, see STIR and SHAKEN.
Published RFCs
- RFC 7340 — STIR Problem Statement and Requirements (page forthcoming)
- RFC 7375 — STIR Threat Model (page forthcoming)
- RFC 8224 — Authenticated Identity Management in the Session Initiation Protocol
- RFC 8225 — PASSporT: Personal Assertion Token
- RFC 8226 — Secure Telephone Identity Credentials: Certificates
- RFC 8443 — PASSporT Extension for Resource Priority Authorization
- RFC 8588 — PASSporT Extension for SHAKEN
- RFC 8816 — STIR Out-of-Band Architecture and Use Cases
- RFC 8946 — PASSporT Extension for Diverted Calls (page forthcoming)
- RFC 9027 — Assertion Values for Resource Priority Header and SIP Priority Header Claims in Support of Emergency Services Networks
- RFC 9060 — STIR Certificate Delegation
- RFC 9118 — Enhanced JWT Claim Constraints for STIR Certificates (updates RFC 8226)
- RFC 9410 — Handling of Identity Header Errors for STIR
- RFC 9475 — Messaging Use Cases and Extensions for STIR
- RFC 9795 — STIR PASSporT Extension for Rich Call Data
- RFC 9888 — Out-of-Band STIR for Service Providers
Active working group drafts
- draft-ietf-stir-8588bis — Revision of the SHAKEN PASSporT Extension (submitted to the IESG, Publication Requested, -01)
- draft-ietf-stir-certificate-transparency — STI Certificate Transparency (submitted to the IESG, Publication Requested)
- draft-ietf-stir-certificates-ocsp — OCSP Usage for STI Certificates (approved by the IESG, in the RFC Editor queue, -14)
- draft-ietf-stir-certificates-shortlived — Short-Lived Certificates for STI (in IESG)
- draft-ietf-stir-rfc4916-update — Connected Identity for STIR (in RFC Editor queue, AUTH48)
VESPER
VESPER (Verifiable STI Presentation and Evidence for RTU) is being developed across a coordinated set of individual drafts at the IETF. The conceptual home for VESPER on this site is the VESPER topic page — what VESPER is, why it’s structured the way it is, the four roles, the certificate profile, the relationship to STIR/SHAKEN, and the ten use cases all live there. The per-draft pages below cover what’s specific to each individual draft (current revision, status in the IETF process, technical scope, what changed in each iteration). The draft-sliwa CPS URI extension is grouped here because it’s the discovery substrate that VESPER OOB consumes.
- draft-wendt-stir-vesper — VESPER core specification (currently -07)
- draft-wendt-stir-vesper-use-cases — VESPER use cases and requirements (informational, currently -03)
- draft-wendt-stir-vesper-oob — VESPER out-of-band interface (currently -02)
- draft-sliwa-stir-cert-cps-ext — CPS URI Certificate Extension for STI Certificates
ACME and certificate issuance
The Automated Certificate Management Environment family. ACME shows up in STIR/SHAKEN because the authority-token extensions are how SHAKEN certificate authorities prove a delegate’s authority over a specific number range at issuance time. The same documents apply broadly to other ACME-style issuance flows.
- RFC 8555 — Automated Certificate Management Environment (page forthcoming)
- RFC 9447 — ACME Challenges Using an Authority Token
- RFC 9448 — TNAuthList Profile of ACME Authority Token
- draft-ietf-acme-authority-token-jwtclaimcon — JWTClaimConstraints profile of ACME Authority Token (currently -01)
SIP
The session-initiation foundation underneath everything else on this site. See SIP for topical framing.
- RFC 3261 — Session Initiation Protocol (page forthcoming)
- RFC 9796 — SIP Call-Info Parameters for Rich Call Data (SIPCORE)
ENUM and DNS
The DNS-based mappings used for telephone-number-to-URI resolution and emerging agent-identity discovery work. See ENUM and DNS and domain trust for topical framing.
- RFC 3761 — The E.164 to URI DDDS Application (page forthcoming, obsoleted by RFC 6116)
- RFC 6116 — The E.164 to URI DDDS Application (ENUM) (page forthcoming)
- RFC 8484 — DNS Queries over HTTPS (DoH) (page forthcoming)
vCon (Virtualized Conversations)
The vCon working group’s output — a JSON container format for conversation data, with metadata about participants, content, analysis, and provenance. I co-chair this working group with Brian Rosen. See vCon for topical framing.
The working group has not yet produced any published RFCs; all documents are active or recently-active drafts.
Active working group drafts
- draft-ietf-vcon-vcon-core — The JSON format for vCon (the core specification) (active working group document, currently -02, heading toward WG Last Call)
- draft-ietf-vcon-overview — vCon Overview (active working group document, Informational, currently -01)
- draft-ietf-vcon-cc-extension — vCon Contact Center Extension (WG document, currently -01, technically expired pending refresh)
- draft-ietf-vcon-privacy-primer — Privacy Primer for vCon Developers (page forthcoming — recently expired, expected to revive)
- draft-ietf-vcon-mimi-messages — vCon for MIMI Messages (page forthcoming — recently expired, expected to revive)
A note on the “page forthcoming” markers
Many of the documents listed here are placeholders pending their own per-document page. The structure of this catalog is what’s being established first; pages fill in incrementally. The list is expected to grow and shrink as the topical coverage of the site matures — documents drop off when no topic page references them anymore, and new ones appear as new work is integrated.
In this section
- draft-ietf-acme-authority-token-jwtclaimcon — JWTClaimConstraints profile of ACME Authority Token
The IETF working group draft (in the ACME WG) defining a JWTClaimConstraints profile of the ACME Authority Token framework. Extends RFC 9447 (ACME Authority Token) with a token type carrying JWTClaimConstraints (RFC 9118), enabling certification authorities to issue STIR certificates with embedded claim constraints that restrict which PASSporT claims and claim values the certificate is authorized to sign. Foundational to VESPER's issuance flow, where JWTClaimConstraints Authority Tokens optionally accompany TNAuthList Authority Tokens during certificate issuance. Currently at -01 (March 2026). I co-author with David Hancock.
- draft-ietf-stir-8588bis — Revision of the SHAKEN PASSporT Extension
The IETF working group revision of RFC 8588 (the SHAKEN PASSporT extension defining the `shaken` PASSporT type with `attest` and `origid` claims). A narrowly scoped update — fixes an `iat` example error in RFC 8588, pins `origid` to UUID format per RFC 9562, and updates the ATIS-1000074 reference. Currently `draft-ietf-stir-8588bis-01` (April 2026), submitted to the IESG (Publication Requested), having replaced the earlier individual `draft-barnes-stir-8588bis`. I co-author with Mary Barnes — same authorship as the original RFC 8588.
- draft-ietf-stir-certificate-transparency — STI Certificate Transparency
The IETF working group draft applying the Certificate Transparency framework (RFC 6962 / RFC 6962-bis) to Secure Telephone Identity certificates. Defines public logging of STI certificates and delegate certificates as they are issued, enabling auditable detection of unauthorized duplicate certificate issuance for telephone-number authority spoofing. Foundational to VESPER's transparency-log-grounded trust model. I am the primary author with Sliwa (Somos), Fenichel (TransNexus), and Gaikwad (Twilio). Currently submitted to the IESG (Publication Requested).
- draft-ietf-stir-certificates-ocsp — OCSP Usage for STIR Certificates
The IETF working group draft specifying how the Online Certificate Status Protocol (OCSP) is used for STI certificates with telephone-number-specific extensions to address the dynamism of telephone-number assignments. Authored by Peterson and Turner. Currently at -14 (June 2026), approved by the IESG and in the RFC Editor queue. Important industry context — OCSP has been broadly deprecated as a preferred revocation mechanism across modern PKI deployments, and adoption of this draft by the industry is unlikely. The companion short-lived certificates draft addresses the same freshness problem through a mechanism much more likely to see wider deployment.
- draft-ietf-stir-certificates-shortlived — Short-Lived Certificates for STI
The IETF working group draft specifying short-lived certificates as the freshness mechanism for Secure Telephone Identity certificates — issuing certificates valid for days or hours rather than months or years, with ACME for automated reissuance. Beyond the centralized CRL approach currently used in STIR/SHAKEN, short-lived is the path most likely to be adopted going forward, and is mandated by VESPER as the freshness model. Authored by Peterson. Currently at -05 (April 2026), in IESG.
- draft-ietf-stir-rfc4916-update — Connected Identity for STIR
The IETF working group draft modernizing RFC 4916 (Connected Identity for SIP) for the post-STIR signing model. Defines the `rsp` PASSporT type for asserting the called party's identity back to the caller, with validation of the `div` chain back to the `rsp` to handle retargeting. Enables bidirectional mutual authentication and detection of mobile-fraud patterns like short-stopping. Currently in AUTH48 / RFC Editor queue. Co-authored with Jon Peterson.
- draft-ietf-vcon-cc-extension — vCon Contact Center Extension
The IETF vCon working group's Contact Center extension — adds a small set of contact-center-specific parameters (role, contact_list, campaign, interaction_type, interaction_id, skill) to the core vCon schema, and registers the "CC" extension token. A compatible extension that doesn't change core semantics. Edited by Daniel Petrie (SIPez) and Jonathan Rosenberg (Five9). Currently `draft-ietf-vcon-cc-extension-01` (16 October 2025), Standards Track, technically expired pending refresh. I co-chair the vCon working group with Brian Rosen.
- draft-ietf-vcon-overview — vCon Overview
The vCon working group's informational overview document — sets the framing for what a vCon is, why a standardized conversational data container matters, and how three illustrative use cases (contact centers, healthcare messaging, emergency services) shape the core requirements. A companion to the core specification, not a normative document. Edited by Thomas McCarthy-Howe of Strolid (a vCon co-originator). Currently `draft-ietf-vcon-overview-01` (2 March 2026), active working group document, Informational. I co-chair the vCon working group with Brian Rosen.
- draft-ietf-vcon-vcon-core — The JSON format for vCon (the core specification)
The IETF vCon working group's core specification — defines the JSON format for representing conversational data as a structured container with metadata, parties, dialog, analysis, and attachments. Three forms — unsigned, JWS-signed, and JWE-encrypted — allow vCons to flow across trust boundaries. Edited by Daniel Petrie of SIPez LLC. Currently `draft-ietf-vcon-vcon-core-02` (22 January 2026), active working group document, Standards Track. Heading toward WG Last Call. I co-chair the vCon working group with Brian Rosen.
- draft-sliwa-stir-cert-cps-ext — CPS URI Certificate Extension for STI Certificates
The IETF individual draft defining a non-critical X.509 certificate extension that conveys the HTTPS URI of a Call Placement Service associated with the telephone numbers authorized in a STI certificate. The discovery substrate that VESPER-OOB consumes — the CPS URI becomes publicly verifiable through STI Certificate Transparency log monitoring once the certificate carrying it is logged. Currently at -02. I am a co-author.
- draft-wendt-stir-vesper-oob — VESPER out-of-band interface
The IETF individual draft defining VESPER's HTTPS-based publish-and-retrieve interface for delivering signed PASSporTs out-of-band, with Connected Identity support and a transparent CPS discovery model based on STI Certificate Transparency log monitoring. Currently at -02. I am the primary author with Rob Sliwa. The conceptual framing lives on the VESPER topic page and the out-of-band topic page; this page covers what's specific to this draft.
- draft-wendt-stir-vesper-use-cases — VESPER use cases and requirements
The IETF informational individual draft that develops the use cases motivating VESPER's design and the requirements those use cases impose on the technical specification. The use case enumeration and conceptual framing live on the VESPER topic page; this page covers what's specific to this draft. Currently at -03. I am the primary author.
- draft-wendt-stir-vesper — VESPER core specification
The IETF individual draft that defines VESPER's normative specification — the certificate profile, the issuance flow, the authentication and verification procedures, and the RTU Token form. The conceptual framing for VESPER lives on the VESPER topic page; this page covers what's specific to this draft. Currently at -07. I am the primary author with Rob Sliwa.
- RFC 8224 — Authenticated Identity Management in the Session Initiation Protocol
The IETF specification for how cryptographically authenticated caller identity travels in SIP signaling. The core of the STIR protocol layer.
- RFC 8225 — PASSporT: Personal Assertion Token
The token format STIR uses to carry signed identity claims in SIP signaling. A constrained JWT with a claim set tailored to telephone identity, designed for extensibility.
- RFC 8226 — Secure Telephone Identity Credentials: Certificates
The IETF specification that defines the X.509 certificate profile for STIR and the TNAuthList certificate extension — the central data structure that binds a public key to authority over a telephone number, telephone number range, or Service Provider Code. The credential-system foundation underneath everything else in the STIR/SHAKEN framework. Also defines the JWT Claim Constraints primitives that later RFCs (9118 and the delegation drafts) extend, and the AIA-by-reference mechanism for delivering large TN lists out-of-band from the certificate itself.
- RFC 8443 — PASSporT Extension for Resource Priority Authorization
The IETF specification that extends PASSporT with cryptographically signed assertions of authorization for SIP Resource-Priority header field values — the mechanism that lets a call carry both a priority assertion and a signed proof that the originator is authorized to assert that priority. The base specification for protecting prioritized communications (NS/EP, MLPP, emergency services) against unauthorized priority claims; RFC 9027 layers emergency-services-specific assertion values on top.
- RFC 8588 — PASSporT Extension for SHAKEN
The IETF specification that defines the SHAKEN PASSporT extension type — the on-the-wire format for the attestation level (A/B/C) and origination identifier (origid) that ATIS-1000074 SHAKEN profiles into the framework. The original spec from May 2019; soon to be obsoleted by 8588bis (currently active WG work) which removes the privacy-problematic encoded-string forms and tightens the registry. The protocol substrate behind every SHAKEN-signed call in deployment.
- RFC 8816 — STIR Out-of-Band Architecture and Use Cases
The IETF Informational specification that defines the out-of-band (OOB) architecture for STIR — how a PASSporT can reach the terminating network when the call's signaling path doesn't carry SIP end-to-end. Introduces the Call Placement Service (CPS) as the storage-and-retrieval intermediary, defines the use cases (TDM-segment paths, partial-IP paths, SMS gateways, calls into legacy networks), and frames the architectural choice between push and pull models. The transitional-and-permanent answer to "what about calls that aren't pure SIP?" — foundational to all the OOB work that followed.
- RFC 9027 — Assertion Values for Resource Priority Header and SIP Priority Header Claims in Support of Emergency Services Networks
The IETF specification that adds emergency-services-specific assertion values to the "rph" PASSporT claim from RFC 8443, plus a new "sph" claim for protecting the SIP "Priority" header field's "psap-callback" value. Targets the security gap around emergency-service-destined calls and PSAP callback paths — making it possible to cryptographically authorize that a call really is destined for an emergency service or really is a callback from one. Companion to RFC 8443; together they secure the priority-marking ecosystem for emergency communications.
- RFC 9060 — STIR Certificate Delegation
The IETF specification that defines how STIR certificate authority can be delegated from a parent certificate to a subordinate one — the protocol foundation for the carrier→enterprise certificate-issuance pattern that lets an enterprise sign calls under its own credential while still binding to the carrier's TN authority. Uses RPKI-style "encompassing" semantics — a delegate's TNAuthList must be a subset of the parent's. The mechanism behind every legitimate-spoofing scenario where a call is signed by something other than the originating service provider.
- RFC 9118 — Enhanced JWT Claim Constraints for STIR Certificates
The IETF specification that updates RFC 8226's JWT Claim Constraints with an Enhanced version — adding a "mustExclude" capability that lets a parent certificate prevent a delegate from including specific claims in its signed PASSporTs. The structurally necessary primitive for delegation deployments where the parent needs to retain certain assertion authority while granting most claims to the delegate. The acknowledgements section credits Chris Wendt for identifying the operational need; the PASSporT-extension-for-RCD work was the motivating use case.
- RFC 9410 — Handling of Identity Header Errors for STIR
The IETF specification that fills a gap RFC 8224 explicitly left for future work — how a verification service signals errors with specific Identity header fields back upstream when local policy says the call should continue despite verification failure, and how to disambiguate which of multiple Identity header fields produced the error. Defines a new Reason header field protocol "STIR" and a "ppi" parameter that carries a PASSporT identifier. A small but operationally important supplement to the STIR base specification.
- RFC 9447 — ACME Challenges Using an Authority Token
The IETF specification that defines a generic Authority Token Challenge for ACME — the mechanism that lets a certificate authority validate a client's right to a non-DNS resource (like a telephone number) by consulting an external authority that issues a signed token. The generic half of the ACME-for-STIR pair; RFC 9448 is the TNAuthList-specific profile.
- RFC 9448 — TNAuthList Profile of ACME Authority Token
The IETF specification that defines the TNAuthList ACME identifier type and the profile of the Authority Token Challenge from RFC 9447 used to obtain STI certificates carrying telephone-number authority. The document that lets a service provider acquire a SHAKEN-eligible certificate from a CA over ACME, with authority over the SPC or telephone numbers proven by a token from an external Token Authority rather than a direct control-proof. The deployed mechanism behind certificate issuance in the US STI hierarchy.
- RFC 9475 — Messaging Use Cases and Extensions for STIR
The IETF specification that extends STIR's PASSporT and certificate framework from voice calling to text and multimedia messaging. Defines a new "msg" PASSporT type and an optional "msgi" claim that carries a message-integrity digest, enabling cryptographically authenticated messaging identity using the same trust hierarchy that authenticates voice. Covers both messaging-as-payload (SIP MESSAGE method) and session-negotiated messaging (MSRP and similar). The basis for extending caller-authentication trust into the messaging ecosystem where the same impersonation patterns appear.
- RFC 9795 — PASSporT Extension for Rich Call Data
The IETF specification that extends PASSporT with rich call metadata — caller name, branding, reason for call, and other content beyond the calling number — cryptographically signed and integrity-protected so that called parties can rely on what they see, not just on the asserted phone number. Defines the "rcd" PASSporT type and the rcd JSON claim. The signed-content half of the verified caller-identity story; RFC 9796 is the SIP delivery half over the UNI to end devices. The protocol foundation for branded calling under cryptographic trust.
- RFC 9796 — SIP Call-Info Parameters for Rich Call Data
The IETF specification that defines how a terminating network conveys its normalized, authenticated view of Rich Call Data to the SIP UA over the authenticated User-Network Interface. Specifies three new Call-Info header field parameters (call-reason, verified, integrity) and a "jcard" purpose token. Importantly, 9796 is agnostic about how the network arrived at the RCD view — the source can be a fully validated RFC 9795 PASSporT in an Identity header, legacy SIP signaling, a terminating-side CNAM dip, or any combination thereof. The mechanism gives endpoints a single, trust-tagged delivery path for caller-identity content the network has already vetted, while leaving room for endpoint-side additional logic.
- RFC 9888 — Out-of-Band STIR for Service Providers
The IETF specification (RFC 9888, June 2026, Proposed Standard) defining a service-provider deployment model for STIR out-of-band PASSporT delivery, published from draft-ietf-stir-servprovider-oob. Extends RFC 8816 (which covers the general STIR OOB framework) with operational specifics for large service providers — Out-of-Band Authentication Service and Verification Service roles, mutual TLS authentication using STIR credentials, push and pull retrieval models, multi-provider CPS handling. Authored by Jon Peterson. Distinct from the individual draft-wendt-stir-vesper-oob, which is the VESPER-aligned approach.