appliedbits · IETF library entry
Last updated 2026-05-06

draft-ietf-stir-rfc4916-update — Connected Identity for STIR

draft-ietf-stir-rfc4916-update (Peterson, Wendt) modernizes RFC 4916 (Connected Identity in the Session Initiation Protocol (SIP)) for the post-STIR signing model. I co-author with Jon Peterson. Currently in AUTH48 / RFC Editor queue — close to publication. Standards Track.

The original RFC 4916 (2007) defined how SIP could carry the identity of the called (connected) party in the backwards direction, from called party to calling party, using the RFC 4474 form of the SIP Identity header, which RFC 8224 has since obsoleted. This draft brings that mechanism forward to work with STIR’s PASSporT-based signing (RFC 8224 / RFC 8225) and adds the retargeting, mid-dialog and policy capabilities that make connected identity meaningful in the modern threat environment.

What the draft specifies

The rsp PASSporT type. A new PASSporT type for response identity. The called party signs an rsp PASSporT during call setup (typically in the 200 OK, or in an earlier provisional response), asserting its identity back to the caller using the called party’s own STIR credentials. The rsp PASSporT carries the same orig and dest values as the originating PASSporT, with a fresh iat, and is signed with credentials whose certificate is authorized for the dest telephone number, mirroring the way the originating PASSporT is signed with credentials authorized for orig.

div chain validation back to the rsp. When a call has been retargeted (call forwarding, transfer, sequential ring), the party that answers may not be the original dest. Implementations validate the div PASSporT chain (RFC 8946) carried in Identity headers in responses, linking the rsp signed by the actual responder back to the original dest hop by hop — giving the calling party a verifiable trail showing how the call reached its actual destination, even after legitimate retargeting.
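The following Go program is an added illustration, not code from the draft or from its authors, of the verification the calling party performs for the two items above: it builds an ES256 PASSporT signer and verifier, then checks an rsp at the end of a div chain, rejecting a response signed by anyone other than the holder of the last hop. Everything outside the RFC 8225 / RFC 8946 claim layout is an assumption of the example: the telephone numbers are constructed, the clock is fixed, the 60-second iat window is a chosen value rather than one the draft mandates, and the KeyFor map stands in for fetching the x5u certificate and checking that it is authorized for the number in question (so no x5u header is emitted).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Claims follow RFC 8225; "div" (RFC 8946) names the prior destination while dest names the new one.
// The JOSE header is a plain map and x5u is omitted: Verifier.KeyFor stands in for the cert lookup.
type Claims struct {
	Orig map[string]string   `json:"orig"`
	Dest map[string][]string `json:"dest"`
	IAT  int64               `json:"iat"`
	Div  map[string]string   `json:"div,omitempty"`
}

var enc = base64.RawURLEncoding
func b64json(v any) string { b, _ := json.Marshal(v); return enc.EncodeToString(b) }

// Sign builds a compact PASSporT (JWS ES256) of the given ppt: b64(header).b64(claims).b64(r||s).
func Sign(ppt string, c Claims, key *ecdsa.PrivateKey) string {
	input := b64json(map[string]string{"typ": "passport", "ppt": ppt, "alg": "ES256"}) + "." + b64json(c)
	d := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, d[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS: raw r||s, not ASN.1
	return input + "." + enc.EncodeToString(sig)
}

// Verify checks structure, typ/alg and the ES256 signature under pub, returning the decoded parts.
func Verify(tok string, pub *ecdsa.PublicKey) (h map[string]string, c Claims, err error) {
	p := strings.Split(tok, ".")
	if pub == nil || len(p) != 3 {
		return h, c, fmt.Errorf("no key authorized for this number, or not a compact JWS")
	}
	dec := func(s string) []byte { b, _ := enc.DecodeString(s); return b }
	sig := dec(p[2])
	if len(sig) != 64 || json.Unmarshal(dec(p[0]), &h) != nil || json.Unmarshal(dec(p[1]), &c) != nil ||
		h["typ"] != "passport" || h["alg"] != "ES256" {
		return h, c, fmt.Errorf("malformed PASSporT or unexpected typ/alg")
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return h, c, fmt.Errorf("signature does not verify")
	}
	return h, c, nil
}

// parties canonicalizes orig/dest so an rsp can be matched to the request that was sent.
func parties(c Claims) string { b, _ := json.Marshal([]any{c.Orig, c.Dest}); return string(b) }

// Verifier is the caller's state: claims sent, number-to-key lookup (stand-in for STIR cert checks), clock, rsp window.
type Verifier struct {
	Sent        Claims
	KeyFor      map[string]*ecdsa.PublicKey
	Now, MaxAge int64
}

// VerifyConnected walks the div chain from the original dest, then checks the rsp against the last hop.
func (v Verifier) VerifyConnected(divs []string, rsp string) (string, error) {
	cur := v.Sent.Dest["tn"][0] // whoever holds cur must sign the next hop
	for i, tok := range divs {
		h, c, err := Verify(tok, v.KeyFor[cur])
		if err != nil || h["ppt"] != "div" || c.Orig["tn"] != v.Sent.Orig["tn"] || c.Div["tn"] != cur || len(c.Dest["tn"]) != 1 {
			return "", fmt.Errorf("div[%d] is not a retarget of %s signed by its holder", i, cur)
		}
		cur = c.Dest["tn"][0]
	}
	h, c, err := Verify(rsp, v.KeyFor[cur])
	if err != nil || h["ppt"] != "rsp" || parties(c) != parties(v.Sent) {
		return "", fmt.Errorf("rsp for this request not signed by the holder of %s: %v", cur, err)
	}
	if c.IAT < v.Sent.IAT || v.Now-c.IAT > v.MaxAge {
		return "", fmt.Errorf("rsp iat %d predates the request or is older than %ds", c.IAT, v.MaxAge)
	}
	return cur, nil
}

// Scenario is constructed: a call to +1 201 555 0123 is forwarded (div) to +1 201 555 0199, which answers.
func Scenario(forged bool) (string, error) {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	kDest, kFwd, kRogue, now := gen(), gen(), gen(), int64(1700000000) // fresh keys, fixed clock
	sent := Claims{Orig: map[string]string{"tn": "12015550100"}, Dest: map[string][]string{"tn": {"12015550123"}}, IAT: now - 2}
	divC, rspC := sent, sent // rsp keeps the request's orig/dest; div moves dest and records the prior one
	divC.Dest, divC.Div = map[string][]string{"tn": {"12015550199"}}, map[string]string{"tn": "12015550123"}
	divC.IAT, rspC.IAT = now-1, now
	responder := map[bool]*ecdsa.PrivateKey{false: kFwd, true: kRogue}[forged] // forged: key authorized for no number
	v := Verifier{Sent: sent, Now: now, MaxAge: 60, KeyFor: map[string]*ecdsa.PublicKey{
		"12015550123": &kDest.PublicKey, "12015550199": &kFwd.PublicKey}}
	return v.VerifyConnected([]string{Sign("div", divC, kDest)}, Sign("rsp", rspC, responder))
}

func main() { fmt.Println(Scenario(false)); fmt.Println(Scenario(true)) } // 12015550199 <nil>, then an error
```

Running it prints the answering number for the legitimate forward and an error for the forged responder. The walk rests on one invariant: the holder of the current destination must sign the next hop, so a div signed by anyone else, or an rsp signed by a key not authorized for the last hop, is rejected; the iat check separately refuses a replayed response captured from an earlier call.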

Mid-dialog and dialog-terminating events. The mechanism covers more than the initial response. Mid-dialog requests — including BYE — can carry connected identity, addressing fraud patterns where an intermediary forges a BYE toward one party only, so the two ends disagree about when the call ended and their billing records diverge (the “short-stopping” attack). Authenticated BYE in both directions closes that vector.

Authorization policy for callers. The draft articulates a policy model for callers requiring connected identity verification on a per-call basis — analogous to media-layer requirements in SIPBRANDY (RFC 8862). When a caller marks a call as requiring verified connected identity, the call should not be completed if the responding party can’t be authenticated.

Two-factor authentication relevance. Connected identity provides cryptographic assurance that a call or message reached the actual holder of a telephone number — useful for telephone-based 2FA flows, where the assumption that a 2FA SMS or callback reached the legitimate number-holder is exactly what an attacker would target.

What’s out of scope

The draft explicitly doesn’t address conferencing (especially meshed conferencing systems) or media-layer substitution after dialog establishment. RFC 4916 noted these limits — once a call is answered, the connected party can be replaced through back-to-back user agents, call park and retrieval, etc., and signaling-layer authentication can’t catch every such case. Connected identity validates the signaling, not the media or the user actually speaking.

Status

Currently draft-ietf-stir-rfc4916-update, in AUTH48 / RFC Editor queue. Once published it will obsolete the existing RFC 4916 and update the Connected Identity model for the STIR-based signing world. Connected Identity is a load-bearing piece of the broader trust framework: it is what enables mutual authentication in both directions, which the original caller-to-callee STIR/SHAKEN model doesn’t provide. The VESPER topic page covers how VESPER integrates with Connected Identity at the certificate-profile level; this draft is the protocol mechanism the integration relies on.