Re: [auth48] AUTH48: RFC-to-be 9475 <draft-ietf-stir-messaging-08> for your review

[Megan Ferguson <mferguson@amsl.com>]

Authors,

Just hoping for a confirmation of receipt of the emails regarding this document.

Please see further AUTH48 instructions in this email thread. 

The AUTH48 status page of this document is viewable at:

http://www.rfc-editor.org/auth48/rfc9475

AUTH48 FAQs are available at https://www.rfc-editor.org/faq/#auth48.

We look forward to hearing from you at your earliest convenience.

Thank you.

RFC Editor/mf



> On Oct 2, 2023, at 10:16 AM, Megan Ferguson <mferguson@amsl.com> wrote:
> 
> Authors,
> 
> Just a friendly ping that this document awaits your action.  Please see below for more details.
> 
> Thank you.
> 
> RFC Editor/mf
> 
> 
>> On Sep 22, 2023, at 2:35 PM, Megan Ferguson <mferguson@amsl.com> wrote:
>> 
>> Greetings,
>> 
>> Just a friendly weekly reminder that this document awaits your attention.  Please see the document-specific questions and AUTH48 announcement in this thread and let us know if we can be of assistance as you begin the AUTH48 review process.
>> 
>> Please note that the AUTH48 status page of this document is viewable at:
>> 
>> http://www.rfc-editor.org/auth48/rfc9475
>> 
>> AUTH48 FAQs are available at https://www.rfc-editor.org/faq/#auth48.
>> 
>> We look forward to hearing from you at your earliest convenience.
>> 
>> Thank you.
>> 
>> RFC Editor/mf
>> 
>>> On Sep 8, 2023, at 4:05 PM, rfc-editor@rfc-editor.org wrote:
>>> 
>>> Authors,
>>> 
>>> While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file.
>>> 
>>> 1) <!-- [rfced] Please note that the title of the document has been
>>>   updated as follows:
>>> 
>>> Abbreviations have been expanded per Section 3.6 of RFC 7322 (“RFC
>>> Style Guide”). Please review.
>>> 
>>> Original:
>>> Messaging Use Cases and Extensions for STIR
>>> 
>>> Current:
>>> Messaging Use Cases and Extensions for Secure Telephone Identity
>>> Revisited (STIR)
>>> 
>>> -->
>>> 
>>> 
>>> 2)  <!--[rfced] We had two questions about the first sentence in the
>>>    Abstract:
>>> 
>>> a) Should "protocol" or "problem statement" or some other noun follow
>>> the expansion of STIR in this text?  If we cut "STIR" and just read
>>> with the expansion, this sounds a bit odd.
>>> 
>>> b) May we break up this sentence as suggested below for the ease of
>>> the reader?
>>> 
>>> Original:
>>> Secure Telephone Identity Revisited (STIR) provides a means of
>>> attesting the identity of a telephone caller via a signed token in
>>> order to prevent impersonation of a calling party number, which is a
>>> key enabler for illegal robocalling.
>>> 
>>> Perhaps:
>>> The Secure Telephone Identity Revisited (STIR) protocol provides a
>>> means of attesting the identity of a telephone caller via a signed
>>> token.  This prevents impersonation of a calling party number, which
>>> is a key enabler for illegal robocalling.
>>> 
>>> 
>>> -->
>>> 
>>> 
>>> 3) <!--[rfced] FYI - we have broken up the information in the following
>>>   sentence to make it easier for the reader to digest.  Please let
>>>   us know if these changes have deviated from your intended
>>>   meaning.
>>> 
>>> Original:
>>> For the first case, where SIP negotiates a session where the media
>>> will be text messages or MIME content, as, for example, with the
>>> Message Session Relay Protocol (MSRP) [RFC4975], the usage of STIR
>>> would deviate little from [RFC8224]. 
>>> 
>>> Current:
>>> In the first case described in Section 3, SIP negotiates a
>>> session in which the media will be text messages or MIME content, as,
>>> for example, with the Message Session Relay Protocol (MSRP)
>>> [RFC4975].  This usage of STIR would deviate little from [RFC8224].
>>> -->
>>> 
>>> 
>>> 4) <!--[rfced] Can the timestamp itself order things?  Or can the
>>>   timestamp be used to order things?
>>> 
>>> Original:
>>> ...duplicate messages are easily detected,
>>> and the timestamp can order messages displayed to the user inbox in a
>>> way that precludes showing stale messages as fresh.
>>> 
>>> Perhaps:
>>> ...duplicate messages are easily detected, and the timestamp can be
>>> used to order messages displayed in the user inbox in a way that
>>> precludes showing stale messages as fresh.
>>> -->
>>> 
>>> 
>>> 5) <!--[rfced] FYI - We have updated the expansion of MMS as follows to
>>>   match more common use in recent RFCs.  Please let us know any
>>>   objections:
>>> 
>>> Original:
>>> multimedia message system (MMS)
>>> 
>>> Current:
>>> Multimedia Messaging Service (MMS)
>>> -->
>>> 
>>> 
>>> 6) <!--[rfced] How may we update this text for clarity?  We do not see
>>>   "profiles" in RFC 8226.  (Note that we have made the change from
>>>   "profiles defines" to "profiles define" pending more
>>>   information).
>>> 
>>> Original:
>>> The [RFC8226] STIR certificate profiles defines...
>>> 
>>> Perhaps:
>>> "Secure Telephone Identity Credentials: Certificates" [RFC8226] defines...
>>> 
>>> Or perhaps:
>>> The STIR certificate profiles defined in [RFC8226]...
>>> -->
>>> 
>>> 
>>> 7) <!--[rfced] This sentence describes a lot of things being "contain"ed.
>>>   Might a rephrase benefit the reader?  If so, please let us know
>>>   how we may update.
>>> 
>>> Original:
>>> As the "orig" and "dest" field of PASSporTs may contain URIs
>>> containing SIP URIs without telephone numbers, the STIR for messaging
>>> mechanism contained in this specification is not inherently
>>> restricted to the use of telephone numbers.
>>> 
>>> 
>>> 
>>> -->
>>> 
>>> 
>>> 8) <!--[rfced] May we update the following to avoid awkward hyphenation?
>>> 
>>> Original:
>>> This specification offers no guidance on certification authorities who
>>> are appropriate to sign for non-telephone number "orig" values.
>>> 
>>> Perhaps:
>>> This specification offers no guidance on certification authorities who
>>> are appropriate to sign for "orig" values that are not for use with
>>> telephone numbers.
>>> 
>>> -->
>>> 
>>> 
>>> 9) <!--[rfced] Please note the following about the IANA Considerations
>>>   and IANA-related text in the document:
>>> 
>>> a) Please note that we have changed IESG to be IETF for the Change
>>> Controller of the "msgi" registration at
>>> https://www.iana.org/assignments/jwt/jwt.xhtml.  This is in accordance
>>> with the following note we received from IANA:
>>> 
>>> "Note: in accordance with recent practice, the change controller for
>>> this registration has been changed from the IESG to the IETF."
>>> 
>>> b) We have cut the URL to the registry mentioned in Section 6.2 to
>>> match Section 6.1.  Please let us know any objections.
>>> 
>>> c) We have removed the quote marks as they do not appear in the
>>> corresponding registries.
>>> 
>>> -->
>>> 
>>> 
>>> 10) <!-- [rfced] We have added RFC 4648 as an Informative Reference. Please let us know if it should be Normative instead.
>>> 
>>> Original: 
>>> The subsequent characters in the claim value are the base64 encoded
>>> [RFC4648] digest of a canonicalized and concatenated string or binary data
>>> based MIME body of the message. -->
>>> 
>>> 
>>> 11) <!--[rfced] We had the following questions related to terminology use
>>>   throughout the document:
>>> 
>>> a) We note the use of the following similar terms:
>>> 
>>> SIP Identity header
>>> Identity header
>>> Identity
>>> identity
>>> 
>>> Please review these instances and let us know if any updates are
>>> necessary for clarity (e.g., should all "Identity header"s be called
>>> "SIP Identity header"s).
>>> 
>>> b) We see both:
>>> 
>>> "orig" field
>>> "orig" values
>>> 
>>> Should the latter be made "orig" field values?
>>> 
>>> c) We see the following uses of "baseline":
>>> 
>>> i) At a high level, baseline PASSporT [RFC8225] claims provide similar
>>> value to...
>>> 
>>> ii) Current usage of baseline [RFC8224] Identity is largely confined to
>>> INVITE requests that initiate telephone calls.
>>> 
>>> iii) Per baseline [RFC8224], this specifications leaves it to local policy
>>> to determine how messages are handled after verification succeeds or
>>> fails.
>>> 
>>> For i), we see the use of "baseline claims" in RFC 8225, so we would
>>> simply suggest moving the citation tag as follows:
>>> 
>>> Perhaps:
>>> At a high level, baseline PASSporT claims (see [RFC8225]) provide similar
>>> value to...
>>> 
>>> For ii), we note that "baseline Identity" is not mentioned in RFC
>>> 8224.  Please review this text and let us know how to update.
>>> 
>>> For iii), we see RFC 8225 referred to as "the baseline PASSporT
>>> specification" in RFC 8224.  Please review this text and let us know
>>> how to update.
>>> 
>>> Perhaps:
>>> Per the guidance in the baseline PASSporT specification [RFC8225], this
>>> specification leaves it to local policy to determine how messages
>>> are handled after verification succeeds or fails.
>>> 
>>> d) We see both PASSporT Type and PASSporT type.  We updated to use the
>>> lowercase "type" throughout.  Please let us know any objections.
>>> 
>>> -->
>>> 
>>> 
>>> 12) <!-- [rfced] Please review the "Inclusive Language" portion of the
>>>   online Style Guide
>>>   <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
>>>   and let us know if any changes are needed.
>>> 
>>> For example, please consider whether the following should be updated:
>>> 
>>> 
>>> ...authorized to use the calling party number (or, for native SIP cases,...
>>> 
>>> 
>>> In addition, please consider whether "tradition" should be updated for
>>> clarity.  While the NIST website
>>> <https://www.nist.gov/nist-research-library/nist-technical-series-publications-author-instructions#table1>
>>> indicates that this term is potentially biased, it is also ambiguous.
>>> "Tradition" is a subjective term, as it is not the same for everyone.
>>> 
>>> 
>>> ...value to number-based messaging as they do to traditional
>>> telephone...
>>> 
>>> ...treatment that differs from traditional delivery expectations of
>>> SIP...
>>> 
>>> ...the traditional telephone network and those based on
>>> over-the-top...
>>> -->
>>> 
>>> 
>>> Thank you.
>>> 
>>> RFC Editor/kf/mf
>>> 
>>> *****IMPORTANT*****
>>> 
>>> Updated 2023/09/08
>>> 
>>> RFC Author(s):
>>> --------------
>>> 
>>> Instructions for Completing AUTH48
>>> 
>>> Your document has now entered AUTH48.  Once it has been reviewed and 
>>> approved by you and all coauthors, it will be published as an RFC.  
>>> If an author is no longer available, there are several remedies 
>>> available as listed in the FAQ (https://www.rfc-editor.org/faq/).
>>> 
>>> You and you coauthors are responsible for engaging other parties 
>>> (e.g., Contributors or Working Group) as necessary before providing 
>>> your approval.
>>> 
>>> Planning your review 
>>> ---------------------
>>> 
>>> Please review the following aspects of your document:
>>> 
>>> *  RFC Editor questions
>>> 
>>> Please review and resolve any questions raised by the RFC Editor 
>>> that have been included in the XML file as comments marked as 
>>> follows:
>>> 
>>> <!-- [rfced] ... -->
>>> 
>>> These questions will also be sent in a subsequent email.
>>> 
>>> *  Changes submitted by coauthors 
>>> 
>>> Please ensure that you review any changes submitted by your 
>>> coauthors.  We assume that if you do not speak up that you 
>>> agree to changes submitted by your coauthors.
>>> 
>>> *  Content 
>>> 
>>> Please review the full content of the document, as this cannot 
>>> change once the RFC is published.  Please pay particular attention to:
>>> - IANA considerations updates (if applicable)
>>> - contact information
>>> - references
>>> 
>>> *  Copyright notices and legends
>>> 
>>> Please review the copyright notice and legends as defined in
>>> RFC 5378 and the Trust Legal Provisions 
>>> (TLP – https://trustee.ietf.org/license-info/).
>>> 
>>> *  Semantic markup
>>> 
>>> Please review the markup in the XML file to ensure that elements of  
>>> content are correctly tagged.  For example, ensure that <sourcecode> 
>>> and <artwork> are set correctly.  See details at 
>>> <https://authors.ietf.org/rfcxml-vocabulary>.
>>> 
>>> *  Formatted output
>>> 
>>> Please review the PDF, HTML, and TXT files to ensure that the 
>>> formatted output, as generated from the markup in the XML file, is 
>>> reasonable.  Please note that the TXT will have formatting 
>>> limitations compared to the PDF and HTML.
>>> 
>>> 
>>> Submitting changes
>>> ------------------
>>> 
>>> To submit changes, please reply to this email using ‘REPLY ALL’ as all 
>>> the parties CCed on this message need to see your changes. The parties 
>>> include:
>>> 
>>> *  your coauthors
>>> 
>>> *  rfc-editor@rfc-editor.org (the RPC team)
>>> 
>>> *  other document participants, depending on the stream (e.g., 
>>>    IETF Stream participants are your working group chairs, the 
>>>    responsible ADs, and the document shepherd).
>>> 
>>> *  auth48archive@rfc-editor.org, which is a new archival mailing list 
>>>    to preserve AUTH48 conversations; it is not an active discussion 
>>>    list:
>>> 
>>>   *  More info:
>>>      https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc
>>> 
>>>   *  The archive itself:
>>>      https://mailarchive.ietf.org/arch/browse/auth48archive/
>>> 
>>>   *  Note: If only absolutely necessary, you may temporarily opt out 
>>>      of the archiving of messages (e.g., to discuss a sensitive matter).
>>>      If needed, please add a note at the top of the message that you 
>>>      have dropped the address. When the discussion is concluded, 
>>>      auth48archive@rfc-editor.org will be re-added to the CC list and 
>>>      its addition will be noted at the top of the message. 
>>> 
>>> You may submit your changes in one of two ways:
>>> 
>>> An update to the provided XML file
>>> — OR —
>>> An explicit list of changes in this format
>>> 
>>> Section # (or indicate Global)
>>> 
>>> OLD:
>>> old text
>>> 
>>> NEW:
>>> new text
>>> 
>>> You do not need to reply with both an updated XML file and an explicit 
>>> list of changes, as either form is sufficient.
>>> 
>>> We will ask a stream manager to review and approve any changes that seem
>>> beyond editorial in nature, e.g., addition of new text, deletion of text, 
>>> and technical changes.  Information about stream managers can be found in 
>>> the FAQ.  Editorial changes do not require approval from a stream manager.
>>> 
>>> 
>>> Approving for publication
>>> --------------------------
>>> 
>>> To approve your RFC for publication, please reply to this email stating
>>> that you approve this RFC for publication.  Please use ‘REPLY ALL’,
>>> as all the parties CCed on this message need to see your approval.
>>> 
>>> 
>>> Files 
>>> -----
>>> 
>>> The files are available here:
>>> https://www.rfc-editor.org/authors/rfc9475.xml
>>> https://www.rfc-editor.org/authors/rfc9475.html
>>> https://www.rfc-editor.org/authors/rfc9475.pdf
>>> https://www.rfc-editor.org/authors/rfc9475.txt
>>> 
>>> Diff file of the text:
>>> https://www.rfc-editor.org/authors/rfc9475-diff.html
>>> https://www.rfc-editor.org/authors/rfc9475-rfcdiff.html (side by side)
>>> 
>>> Diff of the XML: 
>>> https://www.rfc-editor.org/authors/rfc9475-xmldiff1.html
>>> 
>>> The following files are provided to facilitate creation of your own 
>>> diff files of the XML.  
>>> 
>>> Initial XMLv3 created using XMLv2 as input:
>>> https://www.rfc-editor.org/authors/rfc9475.original.v2v3.xml 
>>> 
>>> XMLv3 file that is a best effort to capture v3-related format updates 
>>> only: 
>>> https://www.rfc-editor.org/authors/rfc9475.form.xml
>>> 
>>> 
>>> Tracking progress
>>> -----------------
>>> 
>>> The details of the AUTH48 status of your document are here:
>>> https://www.rfc-editor.org/auth48/rfc9475
>>> 
>>> Please let us know if you have any questions.  
>>> 
>>> Thank you for your cooperation,
>>> 
>>> RFC Editor
>>> 
>>> --------------------------------------
>>> RFC9475 (draft-ietf-stir-messaging-08)
>>> 
>>> Title            : Messaging Use Cases and Extensions for STIR
>>> Author(s)        : J. Peterson, C. Wendt
>>> WG Chair(s)      : Ben Campbell, Robert Sparks, Russ Housley
>>> Area Director(s) : Murray Kucherawy, Francesca Palombini
>>> 
>>> 
>> 
>