Re: [dispatch] CNIT and Modern Charter

Henning Schulzrinne <Henning.Schulzrinne@fcc.gov> Wed, 11 March 2015 16:19 UTC

From: Henning Schulzrinne <Henning.Schulzrinne@fcc.gov>
To: Richard Shockey <richard@shockey.us>, Chris Wendt <chris-ietf@chriswendt.net>
Date: Wed, 11 Mar 2015 16:19:34 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/dispatch/DFvxhqbaMuCcJu0dco3VP75BI6Q>
Cc: Cullen Jennings <fluffy@cisco.com>, "cnit@ietf.org" <cnit@ietf.org>, "dispatch@ietf.org" <dispatch@ietf.org>, "modern@ietf.org" <modern@ietf.org>

There seem to be two cases:

(1) The originator of the call also provides the "CNAM" information, e.g., based on their customer information.

(2) A third party provides the CNAM information (e.g., a licensing entity or Dun & Bradstreet) that essentially says "I certify that the phone number 212 555 1234 belongs to Citibank."

Thus, there are two questions:

(1) What information should be carried?

(2) How does the cryptographic binding work? 


For example, would it make sense to have two 4474bis signatures, to address case #2? Or should there be a separate signature that simply asserts the phone number to name binding, but it's not tied to the call itself?

________________________________________
From: cnit [cnit-bounces@ietf.org] on behalf of Richard Shockey [richard@shockey.us]
Sent: Tuesday, March 10, 2015 2:57 PM
To: Chris Wendt
Cc: Cullen Jennings; cnit@ietf.org; dispatch@ietf.org; modern@ietf.org
Subject: Re: [cnit] [dispatch] CNIT and Modern Charter

Exactly.  If the IETF is going to remain responsible for core SIP
protocols and signaling, it's our job to properly define these mechanisms.
There is reason to believe if we don’t do this it will be done for us.
There were two bills in the US Congress about this last year and who knows
what elsewhere.

IMHO the in band model is clearly the first use case. That alone would
help a great deal.





On 3/10/15, 2:37 PM, "Chris Wendt" <chris-ietf@chriswendt.net> wrote:

>I agree that this would be useful just from the standpoint that if
>service providers are going to implement in-band signing of caller-id,
>would quite make sense to provide a better payload for delivering
>additional and/or more useful calling party information along with
>signing it as well.
>
>-Chris
>
>> On Mar 9, 2015, at 3:18 PM, Richard Shockey <richard@shockey.us> wrote:
>>
>>
>> The first order issue is properly defining what this looks like in SIP
>> and where in the headers it should reside. There is ample evidence that
>> any number of other SDO are looking at this and without some proper
>> standardization there will be no interoperability at all especially even
>> for STIR validation data at the CUA and IMHO doing nothing is not a
>> viable option. The basic FROM and PAI usage is not helpful.
>>
>> We are all aware of how smart phones work. This is principally about
>> sessions that would originate outside a select number of phone book
>> entries and some display of whether that information has been validated
>> though we don't have to define policy at this stage and frankly I don't
>> think the IETF should try any more than it could try and establish the
>> business model for how this would deploy.
>>
>> The purpose here is simply adding more information about who originated
>> the session so the called party has more information than they currently
>> have.  We already have enough bad actors as it is impersonating tax
>> authorities, banks, health care professionals and other governmental
>> entities. The purpose is to try and bound those problems to a manageable
>> level.  There is no silver bullet here.
>>
>> I would appreciate any suggestions on charter text if you have them.
>>
>>
>>
>> --
>> Richard Shockey
>> Shockey Consulting LLC
>> Chairman of the Board SIP Forum
>> www.shockey.us
>> www.sipforum.org
>> richard<at>shockey.us
>> Skype-Linkedin-Facebook rshockey101
>> PSTN +1 703-593-2683
>>
>>
>>
>>
>>
>> On 3/9/15, 11:10 AM, "Cullen Jennings" <fluffy@cisco.com> wrote:
>>
>>>
>>> On the particular CNAM like topic ...
>>>
>>> I'm not keen on moving forward with something like this unless we can
>>> show the trust and human factors issues is an engineering problem not a
>>> research problem. We have seen the difficulty with human readable names
>>> in SPAM. Particularly when using UTF-8, how do we stop bad actor
>>> getting names that look the same as someone they wish to impersonate?
>>> Who will validate the names and issue some sort of trust token that
>>> says I can use "Cullen Jennings" or whatever. Who else can use that
>>> name and what about names visually similar to it.
>>>
>>> On the flip side we are seeing most smart phones take the incoming
>>> phone number, and look it up the personal address book of the user and
>>> display the name that the user of the smartphone assigned. We are
>>> seeing enterprise phones that do a similar things using the users social
>>> networks as well as personal address book.
>>>
>>> What would be bad is phone display a display name that somehow claimed
>>> to be trustable but was not. That would be worse than the current
>>> situation. Perhaps people have a good way to solve this in mind but I'm
>>> not seeing that that is.
>>>
>>> Cullen (with my individual contribute hat on of course)
>>>
>>>
>>>
>>>> On Feb 25, 2015, at 10:05 AM, Richard Shockey <richard@shockey.us>
>>>> wrote:
>>>>
>>>>
>>>> Thanks Martin .. This is my very raw first cut at a charter. It's
>>>> hopefully simple and straightforward.
>>>>
>>>> Send me any edits etc.
>>>>
>>>> *****
>>>>
>>>> CNIT Charter [Calling Name Identity Trust]
>>>>
>>>> WG Chairs TBD:
>>>>
>>>> Calling Name Delivery [CNAM] is a string of up to 15 ASCII Characters
>>>> of information associated with a specific E.164 calling party number
>>>> in the Public Switched Telephone Network [PSTN].  In the PSTN this data
>>>> is sent by the originating network only at the specific request of the
>>>> terminating network via a SS7 Transaction Application Part [TCAP]
>>>> response message.  In the Session Initiation Protocol [SIP] this
>>>> information can be inserted into the FROM: part of the originating
>>>> INVITE message or by other means.
>>>>
>>>> As with the originating source telephone number, this data can be
>>>> altered in transit creating a variety of malicious abuses similar to
>>>> the ones identified by the IETF STIR working group.
>>>>
>>>> The purpose of the CNIT working group will be to define a data
>>>> structure, a new SIP header or repurpose an existing SIP header to
>>>> carry an advanced form of CNAM as well as information from a STIR
>>>> Validation Authority.  The purpose of this work is to present to the
>>>> SIP called party trusted information from the calling party in order
>>>> that the called party make a more reasoned and informed judgment on
>>>> whether to accept the INVITE or not.
>>>>
>>>> The working group will not invalidate any existing SIP mechanism for
>>>> anonymous calling.
>>>>
>>>> The working group will, to the best of its ability, reuse existing
>>>> IETF protocols.
>>>>
>>>> Full Internationalization of the Calling Name Identity Trust data
>>>> object(s) is a requirement.
>>>>
>>>> The working group will closely work with the IETF STIR working group
>>>>
>>>> The working group will immediately liaison with 3GPP SA-1 in order to
>>>> coordinate efforts.
>>>>
>>>> The working group will coordinate with National Numbering Authorities
>>>> and National Regulatory Authorities as needed.
>>>>
>>>> The working group will deliver the following.
>>>>
>>>> •  A problem statement and requirements detailing the current
>>>> deployment environment and situations that motivate work on Calling
>>>> Name Identity Trust.
>>>> •  Define either a new SIP header or document a repurpose of an
>>>> existing SIP header for Calling Name Identity Trust data
>>>> •  Define a data model for the Calling Name Identity Trust object(s)
>>>> which may include various forms of multimedia data
>>>> •  Deliver an analysis of privacy implications of the proposed Calling
>>>> Name Identity Trust mechanism.
>>>>
>>>>
>>>> Milestones:
>>>>
>>>>
>>>> --
>>>> Richard Shockey
>>>> Shockey Consulting LLC
>>>> Chairman of the Board SIP Forum
>>>> www.shockey.us
>>>> www.sipforum.org
>>>> richard<at>shockey.us
>>>> Skype-Linkedin-Facebook rshockey101
>>>> PSTN +1 703-593-2683
>>>>
>>>>
>>>> From: "DOLLY, MARTIN C" <md3135@att.com>
>>>> Date: Tuesday, February 24, 2015 at 9:02 PM
>>>> To: Richard Shockey <richard@shockey.us>
>>>> Cc: "Holmes, David W [CTO]" <David.Holmes@sprint.com>,
>>>> "dispatch@ietf.org" <dispatch@ietf.org>, "modern@ietf.org"
>>>> <modern@ietf.org>, "Peterson, Jon" <jon.peterson@neustar.biz>
>>>> Subject: Re: [Modern] [dispatch] draft charter
>>>>
>>>> I support Richard on this
>>>>
>>>> Martin Dolly
>>>> Lead Member of Technical Staff
>>>> Core & Gov't/Regulatory Standards
>>>> AT&T Standards and
>>>> Industry Alliances
>>>> +1-609-903-3390
>>>> Sent from my iPhone
>>>>
>>>> On Feb 24, 2015, at 6:36 PM, Richard Shockey <richard@shockey.us>
>>>> wrote:
>>>>
>>>>>
>>>>> Excellent points David.
>>>>>
>>>>> My concern here is charter overreach. I really want to keep
>>>>> CNAM+/CNIT out of this.  IMHO that is a very separate and highly
>>>>> focused effort to define both the modification of the SIP headers
>>>>> necessary to support some enhanced calling party identification and a
>>>>> very limited effort to define the object and or the STIR validation
>>>>> data.
>>>>>
>>>>> I'm violently opposed to "end world hunger" WG's.
>>>>>
>>>>> If registries can be used fine but I certainly want to see how this
>>>>> can be accomplished in bi lateral agreements between consenting
>>>>> service providers and work with CUA vendors on how the data is
>>>>> displayed aka Apple, Samsung, Microsoft in the context of a formal
>>>>> liaison with 3GPP. Certainly the relevance of CNAM+/CNIT in enterprise
>>>>> and residential access markets is important but we all know "Money is
>>>>> the answer what is the question .."
>>>>>
>>>>> I've asked for time in Dispatch to look at the CNAM/CNIT issue and
>>>>> report on the JTF on NNI. As you well know we have made considerable
>>>>> progress.
>>>>>
>>>>> Last week I gave a talk on this to a panel that included many of our
>>>>> friends among the national regulators.
>>>>>
>>>>> http://apps.fcc.gov/ecfs/document/view?id=60001033217
>>>>>
>>>>>
>>>>>
>>>>> From: "Holmes, David W [CTO]" <David.Holmes@sprint.com>
>>>>> Date: Tuesday, February 24, 2015 at 5:06 PM
>>>>> To: "Peterson, Jon" <jon.peterson@neustar.biz>, "modern@ietf.org"
>>>>> <modern@ietf.org>
>>>>> Subject: Re: [Modern] draft charter
>>>>>
>>>>> Jon,
>>>>>
>>>>> Thank you for the work in assembling this draft of the charter for
>>>>> MODERN.
>>>>>
>>>>> We would like to suggest some minor clarifications to the bullets
>>>>> describing the deliverables, to align them with the statement
>>>>> regarding flexibility to support the needs of different regulatory
>>>>> regimes, & thus to ensure that if quoted alone they are not taken out
>>>>> of context; i.e. the group product will be the protocols to support
>>>>> the allocation etc. activities, & it would not attempt to define the
>>>>> allocation processes.  We also would like the charter to note the
>>>>> relevant work that has already been performed by both IETF & the
>>>>> ATIS/SIP Forum JTF, & incorporate that into the output from the MODERN
>>>>> WG as appropriate. These changes/additions have been added to your
>>>>> text inline below.
>>>>>
>>>>> We are hoping that the MODERN session at IETF#92 will have remote
>>>>> access, to allow participation by those of us that cannot attend in
>>>>> person due to other commitments that week.
>>>>>
>>>>> Regards,
>>>>>
>>>>> David/Sprint
>>>>>
>>>>>
>>>>> ________________________________________
>>>>>
>>>>> From: Modern [mailto:modern-bounces@ietf.org] On Behalf Of Peterson,
>>>>> Jon
>>>>> Sent: Wednesday, February 11, 2015 9:19 AM
>>>>> To: modern@ietf.org
>>>>> Subject: [Modern] draft charter
>>>>>
>>>>>
>>>>> At the Dallas IETF meeting in March, we'd like to get together and
>>>>> talk about what a working group for MODERN might look like. As an
>>>>> initial input to the discussion, a few of us have put together a
>>>>> proposed charter. While the TeRQ work was positively evaluated in the
>>>>> DISPATCH process, we feel this is broader enough in scope to warrant
>>>>> its own BoF.
>>>>>
>>>>> Comments are welcome, this is just a starting point.
>>>>>
>>>>> ------
>>>>>
>>>>> Modern charter text:
>>>>>
>>>>> The MODERN working group will define a set of Internet-based
>>>>> mechanisms for the purposes of managing and resolving telephone
>>>>> numbers (TNs) in an IP environment.  Existing mechanisms for these
>>>>> purposes face obsolescence as the voice communications infrastructure
>>>>> evolves to IP technology and new applications for TNs become possible.
>>>>> The traditional model of a TN having an association to a single
>>>>> service provider and a single application is breaking down.  Its use
>>>>> as a network locator is going away, but its use as an identifier for
>>>>> an individual or an organization will remain for some time. Devices,
>>>>> applications, and network tools increasingly need to manage TNs,
>>>>> including requesting and acquiring TN delegations from authorities.
>>>>>
>>>>> The working group will define a framework for the roles and functions
>>>>> involved in managing and resolving TNs in an IP environment. This
>>>>> includes a protocol mechanism for acquiring TNs, which will provide
>>>>> an enrollment process for the individuals and entities that use and
>>>>> manage TNs. TNs may either be managed in a hierarchical tree, or in a
>>>>> distributed peer-to-peer architecture.  Privacy of the enrollment
>>>>> data and security of the resource will be primary considerations.
>>>>>
>>>>> Additionally, the working group will deliver a protocol mechanism for
>>>>> resolving TNs which will allow entities such as service providers,
>>>>> devices, and applications to access data related to TNs, possibly
>>>>> including caller name data (CNAM).  Maintaining reliability, real
>>>>> time application performance, security and privacy are primary
>>>>> considerations.  The working group will take into consideration
>>>>> existing IETF work including ENUM, SPEERMINT, STIR, and DRINKS.
>>>>>
>>>>> The work of this group is limited to specifying a solution for TNs
>>>>> and covers any service that can be addressed using a TN.  Expanding
>>>>> the work to other identifiers is out of scope.  Solutions and
>>>>> mechanisms created by the working group will be flexible enough to
>>>>> accommodate different policies, e.g., by different regulatory
>>>>> agencies.
>>>>>
>>>>> The work group will deliver the following:
>>>>>
>>>>> -          An architecture overview document that includes high level
>>>>> requirements and security/privacy considerations built on the work of
>>>>> IETF & the ATIS/SIP Forum JTF, that included:
>>>>> o   Call routing architecture
>>>>> o   Inter-carrier NNI
>>>>> o   Cryptographically-enabled Anti-spoofing (STIR)
>>>>> o   Enhanced Calling Name (CNIT/CNAM)
>>>>> -          A document describing the protocols to support enrollment
>>>>> processes for existing and new TNs including any modifications to
>>>>> metadata related to those TNs
>>>>> -          A document describing protocol mechanisms for accessing
>>>>> contact information associated with enrollments
>>>>> -          A document describing protocol mechanisms for resolving
>>>>> information related to TNs
>>>>>
>>>>> -
>>>>>
>>>>>
>>>>> This e-mail may contain Sprint proprietary information intended for
>>>>> the sole use of the recipient(s). Any use by others is prohibited. If
>>>>> you are not the intended recipient, please contact the sender and
>>>>> delete all copies of the message.
>>>>> _______________________________________________ Modern mailing list
>>>>> Modern@ietf.org https://www.ietf.org/mailman/listinfo/modern
>>>>> _______________________________________________
>>>>> dispatch mailing list
>>>>> dispatch@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dispatch
>>>
>>
>>
>


_______________________________________________
cnit mailing list
cnit@ietf.org
https://www.ietf.org/mailman/listinfo/cnit
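
One possible shape for the second option raised at the top of this message (a per-call signature plus a separate number-to-name assertion that is not tied to the call), as an added example that is not from the thread or from any draft. It is a simplified model, not the 4474bis format: the field names, the Ed25519 keys, the 60-second freshness window and the `verifiedName` helper are all assumptions, and the verifier is assumed to already trust both public keys for their roles.

```javascript
// Added illustration; simplified model, not the 4474bis wire format.
const nodeCrypto = require('crypto');

// Constructed keys: the originating provider and a third-party name certifier.
// Assumption: the verifier already trusts both public keys for their roles.
const originator = nodeCrypto.generateKeyPairSync('ed25519');
const certifier = nodeCrypto.generateKeyPairSync('ed25519');

const CALL_FIELDS = ['orig', 'dest', 'iat']; // per-call assertion (case 1)
const NAME_FIELDS = ['tn', 'name', 'exp'];   // number-to-name assertion (case 2)

// Serialize only the named fields, in fixed order, so signer and verifier agree.
const canon = (obj, fields) => Buffer.from(JSON.stringify(fields.map((f) => obj[f])));

function sign(obj, fields, key) {
  const sig = nodeCrypto.sign(null, canon(obj, fields), key).toString('base64');
  return { ...obj, sig };
}

function verify(obj, fields, key) {
  if (!obj || typeof obj.sig !== 'string') return false;
  return nodeCrypto.verify(null, canon(obj, fields), key, Buffer.from(obj.sig, 'base64'));
}

const signCall = (call) => sign(call, CALL_FIELDS, originator.privateKey);
const attestName = (claim) => sign(claim, NAME_FIELDS, certifier.privateKey);

// Returns the name that may be shown as verified, or null.
function verifiedName(call, attestation, now, maxAgeSec = 60) {
  if (!verify(call, CALL_FIELDS, originator.publicKey)) return null; // number not proven
  if (Math.abs(now - call.iat) > maxAgeSec) return null;             // replayed call signature
  if (!verify(attestation, NAME_FIELDS, certifier.publicKey)) return null;
  if (now > attestation.exp) return null;                            // attestation expired
  if (attestation.tn !== call.orig) return null;                     // name belongs to another number
  return attestation.name;
}

// Constructed sample data (timestamps in seconds since the epoch).
const NOW = 1426090774;
const bankCall = signCall({ orig: '+12125551234', dest: '+17035550100', iat: NOW });
const bankName = attestName({ tn: '+12125551234', name: 'Citibank', exp: NOW + 86400 });
const otherCall = signCall({ orig: '+12125559999', dest: '+17035550100', iat: NOW });

function demo() {
  const unsigned = { orig: '+12125551234', dest: '+17035550100', iat: NOW };
  return {
    genuine: verifiedName(bankCall, bankName, NOW),
    reusedAttestation: verifiedName(otherCall, bankName, NOW),
    editedName: verifiedName(bankCall, { ...bankName, name: 'Citibank Security' }, NOW),
    unsignedCall: verifiedName(unsigned, bankName, NOW),
    staleCall: verifiedName(bankCall, bankName, NOW + 3600),
  };
}
```

Because the name assertion is not tied to any call, anyone who has seen it can copy it; it only supports a display name when the per-call signature proves the same number.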