IETF Logo Mail Archive

Re: [auth48] AUTH48: RFC-to-be 9410 <draft-ietf-stir-identity-header-errors-handling-08> for your review

Chris Wendt <chris-ietf@chriswendt.net> Wed, 12 July 2023 12:26 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33028C151531; Wed, 12 Jul 2023 05:26:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GEOo9TA0ZNAE; Wed, 12 Jul 2023 05:26:15 -0700 (PDT)
Received: from caracal.birch.relay.mailchannels.net (caracal.birch.relay.mailchannels.net [23.83.209.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4096DC15106E; Wed, 12 Jul 2023 05:26:13 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|chris-ietf@chriswendt.net
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 47E672C10B2; Wed, 12 Jul 2023 12:26:13 +0000 (UTC)
Received: from pdx1-sub0-mail-a302.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id AE7B22C1263; Wed, 12 Jul 2023 12:26:12 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1689164772; a=rsa-sha256; cv=none; b=L6QmqUBPc1tzxjwIojq3gPsYt5CosNqmdmRc51flYsrQ4GYdEYJXARGnjsLhtGGXw9SXt0 89UpEd9AUwEizvjmItVFU/lHHvar8CjXwlBxxn+W6MfGB4clxb3ToQqNSZ4MXvzrG4flxM m0a6a/DEmcUO9m99DRi0O5RT41KHv4Mm4ARpwZ3Kyk0TqylP/okGKeB8jSWzHKwlt5tl20 RZ9nYiuX/K4aXRK0njxAUDdF9s5FYrivR9CWXb4Okla+DpqRVSPnqiGZF3QFxlXngV0VuL 5A56L1ImrTNibar26X9mE8n0AXnWnEj/d/uTFP2lHzjRRNNZDIELumYb0T7aTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1689164772; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=1ibjIZgr0ACBh+ZWRhP7Z5+0C0GA3FfH3GKHWN58+Qg=; b=s0BjmSUw2TEeO7R1xLYTCtxRLXlSbXHHpY/gIvP4HumNA6NvP07c0/NoOd4C3J+ON0ZtVc Sq0w0BWubF1uHmZEnG40xkj8MEjTBriq82hbUSGnjm4OKip5KNJvF/dZin7g0fd04vXoxB Kbervo6nzceJF0Udvix2wPQWLZUuSTOAIsKW8+QyyHW3ZjT62PCNeThVHRHD3aJsgn8Yd7 X1dMx/+stCyqOwqe8KJUXBLxToPwFijcVDuWCoSQ+C7Qm+RJnvpi4Cu5oandCpWujdCjCg bkwdNnIpZFZ/vAjulp0xA7Kh3IypEZG4fW7+TwqPG4V+rYYIWDT5tMtndygkMg==
ARC-Authentication-Results: i=1; rspamd-5595f87fc9-9k5ps; auth=pass smtp.auth=dreamhost smtp.mailfrom=chris-ietf@chriswendt.net
X-Sender-Id: dreamhost|x-authsender|chris-ietf@chriswendt.net
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|chris-ietf@chriswendt.net
X-MailChannels-Auth-Id: dreamhost
X-Drop-Reaction: 7ae81f0026fb9ba9_1689164773030_3519895629
X-MC-Loop-Signature: 1689164773030:2070593864
X-MC-Ingress-Time: 1689164773030
Received: from pdx1-sub0-mail-a302.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.119.45.70 (trex/6.9.1); Wed, 12 Jul 2023 12:26:13 +0000
Received: from smtpclient.apple (unknown [172.56.2.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: chris-ietf@chriswendt.net) by pdx1-sub0-mail-a302.dreamhost.com (Postfix) with ESMTPSA id 4R1H5t5mlLzRt; Wed, 12 Jul 2023 05:26:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt.net; s=dreamhost; t=1689164772; bh=1ibjIZgr0ACBh+ZWRhP7Z5+0C0GA3FfH3GKHWN58+Qg=; h=Content-Type:Subject:From:Date:Cc:Content-Transfer-Encoding:To; b=IjVJQ+9G3mlLEQcG+kELuxoWgnvLY+4UIzPZrM6kBdML4jKAhM2lowJMXrWnPM++S eEZgW6uHE38aVtP8P4AZnk3uEum79VAIvAhMHjB2/igFyJ++He8oFpvSB/I3J3qlRp Ubw6yrziWb+KJ/BCKxLd0dn3ftqEctnPila1ZyQ1CDwcF1v/1jMTwUI1mKgCmofBkw LGCKXbYiVIqzQ9wFJg87dmrz76rEZY6ap6syanYZSkUSP01iladLSf0Qwi6jQdTDzB RHev3kwotywzxJWY6AhZl2Kvd8Nwo2PLNyGYj4QR1uu/OIdUHp9iMPVOGdCjO3JCKB Il88w6mI2438A==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <20230711035118.CE02A119E2@rfcpa.amsl.com>
Date: Wed, 12 Jul 2023 08:25:59 -0400
Cc: Chris Wendt <chris-ietf@chriswendt.net>, stir-ads@ietf.org, STIR Chairs <stir-chairs@ietf.org>, Ben Campbell <ben@nostrum.com>, "Murray S. Kucherawy" <superuser@gmail.com>, auth48archive@rfc-editor.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA88E251-A61F-464B-8705-D3D24E3CA37D@chriswendt.net>
References: <20230711035118.CE02A119E2@rfcpa.amsl.com>
To: RFC Editor <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/09GwqcZQGcUFHKVlc2YZ7iAl9NQ>
Subject: Re: [auth48] AUTH48: RFC-to-be 9410 <draft-ietf-stir-identity-header-errors-handling-08> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jul 2023 12:26:19 -0000

Responses inline.

> On Jul 10, 2023, at 11:51 PM, rfc-editor@rfc-editor.org wrote:
> 
> Authors,
> 
> While reviewing this document during AUTH48, please resolve (as necessary) 
> the following questions, which are also in the XML file.
> 
> 1) <!-- [rfced] Note that the title of the document has been updated as
> follows. Please review and let us know if updates are required. 
> 
> Original:
> Identity Header Errors Handling for STIR
> 
> Current: 
> Handling of Identity Header Errors for Secure Telephone Identity
> Revisited (STIR) -->
> 

ok

> 
> 2) <!-- [rfced] Please insert any keywords (beyond those that appear in the
> title) for use on https://www.rfc-editor.org/search. -->  
> 

multiple errors, passport, reason header field

> 
> 3) <!-- [rfced] We suggest rephrasing the following text in the abstract 
> into two seperate sentences for better comprehension. Does the following
> suggestion retain your intended meaning?
> 
> Original: 
> This document extends STIR and the Authenticated Identity Management
> in the Session Initiation Protocol (SIP) error handling procedures to 
> include the mapping of verification failure reasons to STIR defined 4xx 
> codes so the failure reason of an Identity header field can be conveyed to 
> the upstream authentication service when local policy dictates that the 
> call should continue in the presence of a verification failure.
> 
> Perhaps: 
> This document extends Secure Telephone Identity Revisited (STIR) and
> the Authenticated Identity Management in the Session Initiation Protocol 
> (SIP) error-handling procedures to include the mapping of verification 
> failure reasons to STIR-defined 4xx codes. The failure reason of an 
> Identity header field can be conveyed to the upstream authentication 
> service when local policy dictates that the call should continue in the 
> presence of a verification failure.-->
> 

I would include this slight variation to clarify the meaning:

> This document extends the Secure Telephone Identity Revisited (STIR) and
> the Authenticated Identity Management in the Session Initiation Protocol 
> (SIP) current error-handling procedures for the mapping of verification 
> failure reasons to STIR-defined 4xx codes. It extends the ability to use the reason header field as an option of conveying an error associated with an 
> Identity header field to the upstream authentication 
> service when local policy dictates that the call should continue in the 
> presence of a verification failure.

> 
> 4) <!-- [rfced] We suggest rephrasing the following sentence for
> readability. Does the following suggestion retain your intended meaning?
> 
> Original: 
> [RFC8224] describes the use of the STIR framework in the SIP
> protocol [RFC3261] and defines both the authentication service that creates 
> a PASSporT, defined in [RFC8225], and delivers it in an Identity header 
> field and the verification service that correspondingly verifies the 
> PASSporT and embedded originating identity.
> 
> Perhaps: 
> [RFC8224] describes the use of the STIR framework in the SIP
> protocol [RFC3261].  It defines both a) the authentication service that 
> creates a PASSporT [RFC8225] and delivers it in an Identity header field, 
> and b) the verification service that correspondingly verifies the PASSporT 
> and embedded originating identity.-->
> 

ok

> 
> 5) <!-- [rfced] We suggest rephrasing the following sentence for clarity. Does the following suggestion retain your intended meaning?
> 
> Original: 
> Additionally, it addresses the issue of the current 4xx error
> response and that when there is a verification error, the call is terminated.
> 
> Perhaps: 
> Additionally, it addresses the issue of the current 4xx error
> response, i.e., the call is terminated when a verification error is
> present. -->

ok

> 
> 
> 6) <!-- [rfced] We have rephrased the following sentence for clarity. 
> Please let us know any objections.
> 
> Original: 
> In many cases of, for example, inadvertent or operational errors
> that do not represent any identity falsification type of attempt, the 
> policy of continuing the call even though the identity is not verified, may 
> be the preferred policy.
> 
> Current: 
> For example, in many cases of inadvertent or operational errors that
> do not represent any type of identity falsification attempt, the preferred
> policy may be to continue the call despite the unverified
> identity. -->

ok

> 
> 
> 7) <!-- [rfced] For readability, please consider whether the following correctly conveys the intended meaning. 
> 
> Original:
>   For the handling of multiple Identity header fields and the potential
>   situation that some of the Identity header fields in a call may pass
>   verification but others may have errors, this document defines the
>   method of adding an identifier so that the authentication service can
>   uniquely identify which Identity header field is being referred to in
>   the case of an error.
> 
> Perhaps:
>   To handle multiple Identity header fields where 
>   some in a call may be verified while others may not (i.e., they have 
>   errors), this document defines a method by which an identifier is added 
>   to the header so that the authentication service can uniquely identify 
>   which Identity header field is being referred to in
>   the case of an error.
> -->
> 

ok

> 
> 8) <!-- [rfced] We have updated artwork elements to sourcecode throughout 
> the document. Please review the "type" attribute of each sourcecode element
> in the XML file to ensure correctness. If the current list of preferred
> values for "type" 
> (https://www.rfc-editor.org/materials/sourcecode-types.txt) does not
> contain an applicable type, then feel free to let us know. Also, it is
> acceptable to leave the "type" attribute not set. -->
> 

I think that is ok to have the artwork as sourcecode. But i’ll also defer to editor or others cc’d if there is better feedback.

> 
> 9) <!-- [rfced] Please review the following text. Terms such as "cause code" and "call dialog" do not appear in RFC 8824.  Please let us know how/if we should update the text and/or citation.
> 
> Original: 
>   The
>   association of a "ppi" parameter with a Reason header field using
>   "STIR" protocol MUST only identify a single cause code in the context
>   of a call dialog defined in [RFC8224] or in future documents defining
>   STIR related errors.
> -->
> 

Good question, the cause codes (i.e. 4xx) are defined in 8224, but the Reason header and cause code are defined in 3326.  Call dialog as a term is defined in 3261.

So perhaps the following:

The association of a “ppi” parameter with a Reason header field [RFC3326] using the protocol value of “STIR” defined in this document MUST only identify a single cause code [RFC3326] in the context of a call dialog [RFC3261] corresponding to only the STIR related error codes defined in [RFC8224] or in future documents defining new STIR related error codes.

> 
> 10) <!-- [rfced] FYI - We have added expansions for the following 
> abbreviations per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please 
> review each expansion in the document carefully to ensure correctness.
> 
> Secure Telephone Identity Revisited (STIR)
> User Agent Client (UAC)
> User Agent Server (UAS) -->

Yes these are correct

> 
> 
> 11) <!-- [rfced] Please review the "Inclusive Language" portion of the 
> online Style Guide
> <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let
> us know if any changes are needed.  Note that our script did not flag any
> words in particular, but this should still be reviewed as a best
> practice. -->
> 

I did not find any opportunities to change anything.

> 
> Thank you.
> 
> RFC Editor
> 
> 
> On Jul 10, 2023, at 8:45 PM, rfc-editor@rfc-editor.org wrote:
> 
> *****IMPORTANT*****
> 
> Updated 2023/07/10
> 
> RFC Author(s):
> --------------
> 
> Instructions for Completing AUTH48
> 
> Your document has now entered AUTH48.  Once it has been reviewed and 
> approved by you and all coauthors, it will be published as an RFC.  
> If an author is no longer available, there are several remedies 
> available as listed in the FAQ (https://www.rfc-editor.org/faq/).
> 
> You and you coauthors are responsible for engaging other parties 
> (e.g., Contributors or Working Group) as necessary before providing 
> your approval.
> 
> Planning your review 
> ---------------------
> 
> Please review the following aspects of your document:
> 
> *  RFC Editor questions
> 
>   Please review and resolve any questions raised by the RFC Editor 
>   that have been included in the XML file as comments marked as 
>   follows:
> 
>   <!-- [rfced] ... -->
> 
>   These questions will also be sent in a subsequent email.
> 
> *  Changes submitted by coauthors 
> 
>   Please ensure that you review any changes submitted by your 
>   coauthors.  We assume that if you do not speak up that you 
>   agree to changes submitted by your coauthors.
> 
> *  Content 
> 
>   Please review the full content of the document, as this cannot 
>   change once the RFC is published.  Please pay particular attention to:
>   - IANA considerations updates (if applicable)
>   - contact information
>   - references
> 
> *  Copyright notices and legends
> 
>   Please review the copyright notice and legends as defined in
>   RFC 5378 and the Trust Legal Provisions 
>   (TLP – https://trustee.ietf.org/license-info/).
> 
> *  Semantic markup
> 
>   Please review the markup in the XML file to ensure that elements of  
>   content are correctly tagged.  For example, ensure that <sourcecode> 
>   and <artwork> are set correctly.  See details at 
>   <https://authors.ietf.org/rfcxml-vocabulary>.
> 
> *  Formatted output
> 
>   Please review the PDF, HTML, and TXT files to ensure that the 
>   formatted output, as generated from the markup in the XML file, is 
>   reasonable.  Please note that the TXT will have formatting 
>   limitations compared to the PDF and HTML.
> 
> 
> Submitting changes
> ------------------
> 
> To submit changes, please reply to this email using ‘REPLY ALL’ as all 
> the parties CCed on this message need to see your changes. The parties 
> include:
> 
>   *  your coauthors
> 
>   *  rfc-editor@rfc-editor.org (the RPC team)
> 
>   *  other document participants, depending on the stream (e.g., 
>      IETF Stream participants are your working group chairs, the 
>      responsible ADs, and the document shepherd).
> 
>   *  auth48archive@rfc-editor.org, which is a new archival mailing list 
>      to preserve AUTH48 conversations; it is not an active discussion 
>      list:
> 
>     *  More info:
>        https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc
> 
>     *  The archive itself:
>        https://mailarchive.ietf.org/arch/browse/auth48archive/
> 
>     *  Note: If only absolutely necessary, you may temporarily opt out 
>        of the archiving of messages (e.g., to discuss a sensitive matter).
>        If needed, please add a note at the top of the message that you 
>        have dropped the address. When the discussion is concluded, 
>        auth48archive@rfc-editor.org will be re-added to the CC list and 
>        its addition will be noted at the top of the message. 
> 
> You may submit your changes in one of two ways:
> 
> An update to the provided XML file
> — OR —
> An explicit list of changes in this format
> 
> Section # (or indicate Global)
> 
> OLD:
> old text
> 
> NEW:
> new text
> 
> You do not need to reply with both an updated XML file and an explicit 
> list of changes, as either form is sufficient.
> 
> We will ask a stream manager to review and approve any changes that seem
> beyond editorial in nature, e.g., addition of new text, deletion of text, 
> and technical changes.  Information about stream managers can be found in 
> the FAQ.  Editorial changes do not require approval from a stream manager.
> 
> 
> Approving for publication
> --------------------------
> 
> To approve your RFC for publication, please reply to this email stating
> that you approve this RFC for publication.  Please use ‘REPLY ALL’,
> as all the parties CCed on this message need to see your approval.
> 
> 
> Files 
> -----
> 
> The files are available here:
>   https://www.rfc-editor.org/authors/rfc9410.xml
>   https://www.rfc-editor.org/authors/rfc9410.html
>   https://www.rfc-editor.org/authors/rfc9410.pdf
>   https://www.rfc-editor.org/authors/rfc9410.txt
> 
> Diff file of the text:
>   https://www.rfc-editor.org/authors/rfc9410-diff.html
>   https://www.rfc-editor.org/authors/rfc9410-rfcdiff.html (side by side)
> 
> Diff of the XML: 
>   https://www.rfc-editor.org/authors/rfc9410-xmldiff1.html
> 
> The following files are provided to facilitate creation of your own 
> diff files of the XML.  
> 
> Initial XMLv3 created using XMLv2 as input:
>   https://www.rfc-editor.org/authors/rfc9410.original.v2v3.xml 
> 
> XMLv3 file that is a best effort to capture v3-related format updates 
> only: 
>   https://www.rfc-editor.org/authors/rfc9410.form.xml
> 
> 
> Tracking progress
> -----------------
> 
> The details of the AUTH48 status of your document are here:
>   https://www.rfc-editor.org/auth48/rfc9410
> 
> Please let us know if you have any questions.  
> 
> Thank you for your cooperation,
> 
> RFC Editor
> 
> --------------------------------------
> RFC9410 (draft-ietf-stir-identity-header-errors-handling-08)
> 
> Title            : Identity Header Errors Handling for STIR
> Author(s)        : C. Wendt
> WG Chair(s)      : Ben Campbell, Robert Sparks, Russ Housley
> Area Director(s) : Murray Kucherawy, Francesca Palombini
> 
>

v2.23.0 | Report a Bug | By Email