draft-ietf-stir-rfc4916-update — Connected Identity for STIR
draft-ietf-stir-rfc4916-update (Peterson, Wendt) modernizes RFC 4916 (Connected Identity for the Session Initiation Protocol) for the post-STIR signing model. I co-author with Jon Peterson. Currently in AUTH48 / RFC Editor queue — close to publication. Standards Track.
The original RFC 4916 (2007) defined how SIP could carry caller identity in the backwards direction (from called to calling party) using the now-deprecated SIP Identity header from RFC 4474. This draft brings that mechanism forward to work with STIR’s PASSporT-based signing (RFC 8224 / RFC 8225) and adds capabilities that make connected identity meaningful in the modern threat environment.
What the draft specifies
The rsp PASSporT type. A new PASSporT type for response identity. The called party signs an rsp PASSporT during call setup (typically in a 200 OK or earlier response), asserting its identity back to the caller using the called party's own STIR credentials. The rsp PASSporT carries the same orig and dest values as the originating PASSporT, with a fresh iat, and is signed by a certificate authorized for the dest telephone number.
div chain validation back to the rsp. When a call has been retargeted (call forwarding, transfer, sequential ring), the called party may not match the original dest value. Implementations validate the div PASSporT chain (RFC 8946) on identity headers in responses back to the original rsp — giving the calling party a verifiable trail showing how the call reached its actual destination, even after legitimate retargeting.
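As an added illustration (not code from the draft or its authors), the claim-level checks a verifier on the calling side would apply to an rsp PASSporT and a div chain: it assumes each PASSporT's signature has already been verified against a certificate authorized for its number, that signer_tn is the number the responder's certificate covers, and that div PASSporTs use the RFC 8946 claim layout; all sample claims are constructed.

```python
# Added example: claim-level verification of an rsp PASSporT and its div chain.
# Assumption (not from the draft): every PASSporT's signature has already been
# verified, and signer_tn is the telephone number the responder's certificate
# is authorized for. All claim values below are constructed sample data.

ORIG_PPT = {"orig": {"tn": "12025550100"}, "dest": {"tn": ["12025550101"]}, "iat": 1700000000}

# Constructed RFC 8946 div PASSporTs: 0101 forwarded to 0102, then 0102 to 0103.
DIV_CHAIN = [
    {"orig": {"tn": "12025550100"}, "dest": {"tn": ["12025550102"]},
     "div": {"tn": "12025550101"}, "iat": 1700000001},
    {"orig": {"tn": "12025550100"}, "dest": {"tn": ["12025550103"]},
     "div": {"tn": "12025550102"}, "iat": 1700000002},
]

# Constructed rsp PASSporT: same orig/dest as the originating PASSporT, fresh iat.
RSP_PPT = {"orig": {"tn": "12025550100"}, "dest": {"tn": ["12025550101"]}, "iat": 1700000005}


def verify_connected_identity(orig_ppt, rsp_ppt, signer_tn, div_chain, now, max_age=60):
    """Return (ok, reason). Checks the rsp claims against the originating PASSporT,
    then walks the div chain from the original dest to the number the responder's
    certificate is authorized for."""
    if rsp_ppt["orig"] != orig_ppt["orig"] or rsp_ppt["dest"] != orig_ppt["dest"]:
        return False, "rsp orig/dest do not match the originating PASSporT"
    if not orig_ppt["iat"] <= rsp_ppt["iat"] <= now or now - rsp_ppt["iat"] > max_age:
        return False, "rsp iat is not fresh"
    current = orig_ppt["dest"]["tn"][0]
    for step in div_chain:
        # Each div must retarget the number the call was last sent to, for the same caller,
        # and must have been issued between the original PASSporT and the response.
        if (step["orig"] != orig_ppt["orig"] or step["div"]["tn"] != current
                or not orig_ppt["iat"] <= step["iat"] <= rsp_ppt["iat"]):
            return False, f"div chain breaks at {current}"
        current = step["dest"]["tn"][0]
    if current != signer_tn:
        return False, f"responder {signer_tn} is not reachable from dest via the div chain"
    return True, "connected identity verified"


if __name__ == "__main__":
    print(verify_connected_identity(ORIG_PPT, RSP_PPT, "12025550103", DIV_CHAIN, now=1700000030))
    print(verify_connected_identity(ORIG_PPT, RSP_PPT, "12025550103", [], now=1700000030))
```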
Mid-dialog and dialog-terminating events. The mechanism covers more than the initial response. Mid-dialog requests — including BYE — can carry connected identity, addressing fraud patterns where intermediaries forge BYE in one direction to manufacture billing discrepancies (the “short-stopping” attack). Authenticated BYE in both directions closes that vector.
Authorization policy for callers. The draft articulates a policy model for callers requiring connected identity verification on a per-call basis — analogous to media-layer requirements in SIPBRANDY (RFC 8862). When a caller marks a call as requiring verified connected identity, the call should not be completed if the responding party can’t be authenticated.
Two-factor authentication relevance. Connected identity provides cryptographic assurance that a call or message reached the actual user of a telephone number — useful for telephone-based 2FA flows, where the assumption that a 2FA SMS or callback reached the legitimate number-holder is exactly what an attacker would target.
What’s out of scope
The draft explicitly doesn’t address conferencing (especially meshed conferencing systems) or media-layer substitution after dialog establishment. RFC 4916 noted these limits — once a call is answered, the connected party can be replaced through back-to-back user agents, call park and retrieval, etc., and signaling-layer authentication can’t catch every such case. Connected identity validates the signaling, not the media or the user actually speaking.
Status
Currently draft-ietf-stir-rfc4916-update, in AUTH48 / RFC Editor queue. Once published it will obsolete the existing RFC 4916 and update the Connected Identity model for the STIR-based signing world. Connected Identity is a load-bearing piece of the broader trust framework — it's what enables the bidirectional mutual authentication that the original one-directional STIR/SHAKEN model doesn't provide. The VESPER topic page covers how VESPER integrates with Connected Identity at the certificate-profile level; this draft is the protocol mechanism the integration relies on.