Re: [auth48] AUTH48: RFC-to-be 9475 <draft-ietf-stir-messaging-08> for your review

Megan Ferguson <mferguson@amsl.com> Mon, 02 October 2023 16:16 UTC

From: Megan Ferguson <mferguson@amsl.com>
In-Reply-To: <C7170A35-B3DB-4E08-B2DE-E532335B3FF1@amsl.com>
Date: Mon, 02 Oct 2023 10:16:17 -0600
Cc: stir-ads@ietf.org, stir-chairs@ietf.org, ben@nostrum.com, "Murray S. Kucherawy" <superuser@gmail.com>, auth48archive@rfc-editor.org, RFC Editor <rfc-editor@rfc-editor.org>
To: jon.peterson@team.neustar, chris-ietf@chriswendt.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/L6Ymgrv2yVyBhDPGQ--h6fz2TgY>

Authors,

Just a friendly ping that this document awaits your action.  Please see below for more details.

Thank you.

RFC Editor/mf


> On Sep 22, 2023, at 2:35 PM, Megan Ferguson <mferguson@amsl.com> wrote:
> 
> Greetings,
> 
> Just a friendly weekly reminder that this document awaits your attention.  Please see the document-specific questions and AUTH48 announcement in this thread and let us know if we can be of assistance as you begin the AUTH48 review process.
> 
> Please note that the AUTH48 status page of this document is viewable at:
> 
> http://www.rfc-editor.org/auth48/rfc9475
> 
> AUTH48 FAQs are available at https://www.rfc-editor.org/faq/#auth48.
> 
> We look forward to hearing from you at your earliest convenience.
> 
> Thank you.
> 
> RFC Editor/mf
> 
>> On Sep 8, 2023, at 4:05 PM, rfc-editor@rfc-editor.org wrote:
>> 
>> Authors,
>> 
>> While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file.
>> 
>> 1) <!-- [rfced] Please note that the title of the document has been
>>    updated as follows:
>> 
>> Abbreviations have been expanded per Section 3.6 of RFC 7322 (“RFC
>> Style Guide”). Please review.
>> 
>> Original:
>> Messaging Use Cases and Extensions for STIR
>> 
>> Current:
>> Messaging Use Cases and Extensions for Secure Telephone Identity
>> Revisited (STIR)
>> 
>> -->
>> 
>> 
>> 2)  <!--[rfced] We had two questions about the first sentence in the
>>     Abstract:
>> 
>> a) Should "protocol" or "problem statement" or some other noun follow
>> the expansion of STIR in this text?  If we cut "STIR" and just read
>> with the expansion, this sounds a bit odd.
>> 
>> b) May we break up this sentence as suggested below for the ease of
>> the reader?
>> 
>> Original:
>> Secure Telephone Identity Revisited (STIR) provides a means of
>> attesting the identity of a telephone caller via a signed token in
>> order to prevent impersonation of a calling party number, which is a
>> key enabler for illegal robocalling.
>> 
>> Perhaps:
>> The Secure Telephone Identity Revisited (STIR) protocol provides a
>> means of attesting the identity of a telephone caller via a signed
>> token.  This prevents impersonation of a calling party number, which
>> is a key enabler for illegal robocalling.
>> 
>> 
>> -->
>> 
>> 
>> 3) <!--[rfced] FYI - we have broken up the information in the following
>>    sentence to make it easier for the reader to digest.  Please let
>>    us know if these changes have deviated from your intended
>>    meaning.
>> 
>> Original:
>>  For the first case, where SIP negotiates a session where the media
>>  will be text messages or MIME content, as, for example, with the
>>  Message Session Relay Protocol (MSRP) [RFC4975], the usage of STIR
>>  would deviate little from [RFC8224]. 
>> 
>> Current:
>>  In the first case described in Section 3, SIP negotiates a
>>  session in which the media will be text messages or MIME content, as,
>>  for example, with the Message Session Relay Protocol (MSRP)
>>  [RFC4975].  This usage of STIR would deviate little from [RFC8224].
>> -->
>> 
>> 
>> 4) <!--[rfced] Can the timestamp itself order things?  Or can the
>>    timestamp be used to order things?
>> 
>> Original:
>> ...duplicate messages are easily detected,
>>  and the timestamp can order messages displayed to the user inbox in a
>>  way that precludes showing stale messages as fresh.
>> 
>> Perhaps:
>> ...duplicate messages are easily detected, and the timestamp can be
>>  used to order messages displayed in the user inbox in a way that
>>  precludes showing stale messages as fresh.
>> -->
>> 
>> 
>> 5) <!--[rfced] FYI - We have updated the expansion of MMS as follows to
>>    match more common use in recent RFCs.  Please let us know any
>>    objections:
>> 
>> Original:
>> multimedia message system (MMS)
>> 
>> Current:
>> Multimedia Messaging Service (MMS)
>> -->
>> 
>> 
>> 6) <!--[rfced] How may we update this text for clarity?  We do not see
>>    "profiles" in RFC 8226.  (Note that we have made the change from
>>    "profiles defines" to "profiles define" pending more
>>    information).
>> 
>> Original:
>> The [RFC8226] STIR certificate profiles defines...
>> 
>> Perhaps:
>> "Secure Telephone Identity Credentials: Certificates" [RFC8226] defines...
>> 
>> Or perhaps:
>> The STIR certificate profiles defined in [RFC8226]...
>> -->
>> 
>> 
>> 7) <!--[rfced] This sentence describes a lot of things being "contain"ed.
>>    Might a rephrase benefit the reader?  If so, please let us know
>>    how we may update.
>> 
>> Original:
>> As the "orig" and "dest" field of PASSporTs may contain URIs
>> containing SIP URIs without telephone numbers, the STIR for messaging
>> mechanism contained in this specification is not inherently
>> restricted to the use of telephone numbers.
>> 
>> 
>> 
>> -->
>> 
>> 
>> 8) <!--[rfced] May we update the following to avoid awkward hyphenation?
>> 
>> Original:
>> This specification offers no guidance on certification authorities who
>> are appropriate to sign for non-telephone number "orig" values.
>> 
>> Perhaps:
>> This specification offers no guidance on certification authorities who
>> are appropriate to sign for "orig" values that are not for use with
>> telephone numbers.
>> 
>> -->
>> 
>> 
>> 9) <!--[rfced] Please note the following about the IANA Considerations
>>    and IANA-related text in the document:
>> 
>> a) Please note that we have changed IESG to be IETF for the Change
>> Controller of the "msgi" registration at
>> https://www.iana.org/assignments/jwt/jwt.xhtml.  This is in accordance
>> with the following note we received from IANA:
>> 
>> "Note: in accordance with recent practice, the change controller for
>> this registration has been changed from the IESG to the IETF."
>> 
>> b) We have cut the URL to the registry mentioned in Section 6.2 to
>> match Section 6.1.  Please let us know any objections.
>> 
>> c) We have removed the quote marks as they do not appear in the
>> corresponding registries.
>> 
>> -->
>> 
>> 
>> 10) <!-- [rfced] We have added RFC 4648 as an Informative Reference. Please let us know if it should be Normative instead.
>> 
>> Original: 
>>  The subsequent characters in the claim value are the base64 encoded
>>  [RFC4648] digest of a canonicalized and concatenated string or binary data
>>  based MIME body of the message. -->
>> 
>> 
>> 11) <!--[rfced] We had the following questions related to terminology use
>>    throughout the document:
>> 
>> a) We note the use of the following similar terms:
>> 
>> SIP Identity header
>> Identity header
>> Identity
>> identity
>> 
>> Please review these instances and let us know if any updates are
>> necessary for clarity (e.g., should all "Identity header"s be called
>> "SIP Identity header"s).
>> 
>> b) We see both:
>> 
>> "orig" field
>> "orig" values
>> 
>> Should the latter be made "orig" field values?
>> 
>> c) We see the following uses of "baseline":
>> 
>>  i) At a high level, baseline PASSporT [RFC8225] claims provide similar
>>  value to...
>> 
>>  ii) Current usage of baseline [RFC8224] Identity is largely confined to
>>  INVITE requests that initiate telephone calls.
>> 
>>  iii) Per baseline [RFC8224], this specifications leaves it to local policy
>>  to determine how messages are handled after verification succeeds or
>>  fails.
>> 
>> For i), we see the use of "baseline claims" in RFC 8225, so we would
>> simply suggest moving the citation tag as follows:
>> 
>>  Perhaps:
>>  At a high level, baseline PASSporT claims (see [RFC8225]) provide similar
>>  value to...
>> 
>> For ii), we note that "baseline Identity" is not mentioned in RFC
>> 8224.  Please review this text and let us know how to update.
>> 
>> For iii), we see RFC 8225 referred to as "the baseline PASSporT
>> specification" in RFC 8224.  Please review this text and let us know
>> how to update.
>> 
>>  Perhaps:
>>  Per the guidance in the baseline PASSporT specification [RFC8225], this
>>  specification leaves it to local policy to determine how messages
>>  are handled after verification succeeds or fails.
>> 
>> d) We see both PASSporT Type and PASSporT type.  We updated to use the
>> lowercase "type" throughout.  Please let us know any objections.
>> 
>> -->
>> 
>> 
>> 12) <!-- [rfced] Please review the "Inclusive Language" portion of the
>>    online Style Guide
>>    <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
>>    and let us know if any changes are needed.
>> 
>> For example, please consider whether the following should be updated:
>> 
>> 
>> ...authorized to use the calling party number (or, for native SIP cases,...
>> 
>> 
>> In addition, please consider whether "tradition" should be updated for
>> clarity.  While the NIST website
>> <https://www.nist.gov/nist-research-library/nist-technical-series-publications-author-instructions#table1>
>> indicates that this term is potentially biased, it is also ambiguous.
>> "Tradition" is a subjective term, as it is not the same for everyone.
>> 
>> 
>> ...value to number-based messaging as they do to traditional
>> telephone...
>> 
>> ...treatment that differs from traditional delivery expectations of
>> SIP...
>> 
>> ...the traditional telephone network and those based on
>> over-the-top...
>> -->
>> 
>> 
>> Thank you.
>> 
>> RFC Editor/kf/mf
>> 
>> *****IMPORTANT*****
>> 
>> Updated 2023/09/08
>> 
>> RFC Author(s):
>> --------------
>> 
>> Instructions for Completing AUTH48
>> 
>> Your document has now entered AUTH48.  Once it has been reviewed and 
>> approved by you and all coauthors, it will be published as an RFC.  
>> If an author is no longer available, there are several remedies 
>> available as listed in the FAQ (https://www.rfc-editor.org/faq/).
>> 
>> You and your coauthors are responsible for engaging other parties
>> (e.g., Contributors or Working Group) as necessary before providing 
>> your approval.
>> 
>> Planning your review 
>> ---------------------
>> 
>> Please review the following aspects of your document:
>> 
>> *  RFC Editor questions
>> 
>>  Please review and resolve any questions raised by the RFC Editor 
>>  that have been included in the XML file as comments marked as 
>>  follows:
>> 
>>  <!-- [rfced] ... -->
>> 
>>  These questions will also be sent in a subsequent email.
>> 
>> *  Changes submitted by coauthors 
>> 
>>  Please ensure that you review any changes submitted by your 
>>  coauthors.  We assume that if you do not speak up that you 
>>  agree to changes submitted by your coauthors.
>> 
>> *  Content 
>> 
>>  Please review the full content of the document, as this cannot 
>>  change once the RFC is published.  Please pay particular attention to:
>>  - IANA considerations updates (if applicable)
>>  - contact information
>>  - references
>> 
>> *  Copyright notices and legends
>> 
>>  Please review the copyright notice and legends as defined in
>>  RFC 5378 and the Trust Legal Provisions 
>>  (TLP – https://trustee.ietf.org/license-info/).
>> 
>> *  Semantic markup
>> 
>>  Please review the markup in the XML file to ensure that elements of  
>>  content are correctly tagged.  For example, ensure that <sourcecode> 
>>  and <artwork> are set correctly.  See details at 
>>  <https://authors.ietf.org/rfcxml-vocabulary>.
>> 
>> *  Formatted output
>> 
>>  Please review the PDF, HTML, and TXT files to ensure that the 
>>  formatted output, as generated from the markup in the XML file, is 
>>  reasonable.  Please note that the TXT will have formatting 
>>  limitations compared to the PDF and HTML.
>> 
>> 
>> Submitting changes
>> ------------------
>> 
>> To submit changes, please reply to this email using ‘REPLY ALL’ as all 
>> the parties CCed on this message need to see your changes. The parties 
>> include:
>> 
>>  *  your coauthors
>> 
>>  *  rfc-editor@rfc-editor.org (the RPC team)
>> 
>>  *  other document participants, depending on the stream (e.g., 
>>     IETF Stream participants are your working group chairs, the 
>>     responsible ADs, and the document shepherd).
>> 
>>  *  auth48archive@rfc-editor.org, which is a new archival mailing list 
>>     to preserve AUTH48 conversations; it is not an active discussion 
>>     list:
>> 
>>    *  More info:
>>       https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc
>> 
>>    *  The archive itself:
>>       https://mailarchive.ietf.org/arch/browse/auth48archive/
>> 
>>    *  Note: If only absolutely necessary, you may temporarily opt out 
>>       of the archiving of messages (e.g., to discuss a sensitive matter).
>>       If needed, please add a note at the top of the message that you 
>>       have dropped the address. When the discussion is concluded, 
>>       auth48archive@rfc-editor.org will be re-added to the CC list and 
>>       its addition will be noted at the top of the message. 
>> 
>> You may submit your changes in one of two ways:
>> 
>> An update to the provided XML file
>> — OR —
>> An explicit list of changes in this format
>> 
>> Section # (or indicate Global)
>> 
>> OLD:
>> old text
>> 
>> NEW:
>> new text
>> 
>> You do not need to reply with both an updated XML file and an explicit 
>> list of changes, as either form is sufficient.
>> 
>> We will ask a stream manager to review and approve any changes that seem
>> beyond editorial in nature, e.g., addition of new text, deletion of text, 
>> and technical changes.  Information about stream managers can be found in 
>> the FAQ.  Editorial changes do not require approval from a stream manager.
>> 
>> 
>> Approving for publication
>> --------------------------
>> 
>> To approve your RFC for publication, please reply to this email stating
>> that you approve this RFC for publication.  Please use ‘REPLY ALL’,
>> as all the parties CCed on this message need to see your approval.
>> 
>> 
>> Files 
>> -----
>> 
>> The files are available here:
>>  https://www.rfc-editor.org/authors/rfc9475.xml
>>  https://www.rfc-editor.org/authors/rfc9475.html
>>  https://www.rfc-editor.org/authors/rfc9475.pdf
>>  https://www.rfc-editor.org/authors/rfc9475.txt
>> 
>> Diff file of the text:
>>  https://www.rfc-editor.org/authors/rfc9475-diff.html
>>  https://www.rfc-editor.org/authors/rfc9475-rfcdiff.html (side by side)
>> 
>> Diff of the XML: 
>>  https://www.rfc-editor.org/authors/rfc9475-xmldiff1.html
>> 
>> The following files are provided to facilitate creation of your own 
>> diff files of the XML.  
>> 
>> Initial XMLv3 created using XMLv2 as input:
>>  https://www.rfc-editor.org/authors/rfc9475.original.v2v3.xml 
>> 
>> XMLv3 file that is a best effort to capture v3-related format updates 
>> only: 
>>  https://www.rfc-editor.org/authors/rfc9475.form.xml
>> 
>> 
>> Tracking progress
>> -----------------
>> 
>> The details of the AUTH48 status of your document are here:
>>  https://www.rfc-editor.org/auth48/rfc9475
>> 
>> Please let us know if you have any questions.  
>> 
>> Thank you for your cooperation,
>> 
>> RFC Editor
>> 
>> --------------------------------------
>> RFC9475 (draft-ietf-stir-messaging-08)
>> 
>> Title            : Messaging Use Cases and Extensions for STIR
>> Author(s)        : J. Peterson, C. Wendt
>> WG Chair(s)      : Ben Campbell, Robert Sparks, Russ Housley
>> Area Director(s) : Murray Kucherawy, Francesca Palombini
>> 
>> 
>