Re: [Gen-art] Genart last call review of draft-ietf-stir-passport-shaken-04

Chris Wendt <> Sun, 04 November 2018 12:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9FAB11200D7 for <>; Sun, 4 Nov 2018 04:55:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KCKfdcyiAaIu for <>; Sun, 4 Nov 2018 04:55:24 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 47A4E127332 for <>; Sun, 4 Nov 2018 04:55:22 -0800 (PST)
Received: by with SMTP id e22-v6so3098110pfn.8 for <>; Sun, 04 Nov 2018 04:55:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=v5E+wxqgPXszN8irqo42hOyb5syHQ7h0DGqGjjxOuqc=; b=MPJAgqUT2FJvg3nK0OIH5suO+wlr/DSCMr4gkvPl/fw2QeXo69/Z1eJvFUaiQ0+0xl uuXWSHPfL+eNZUYvaZ2NtrTmg42ctOgXN/VTW/wd84c5jWevdlz/aqFEhS3EFhT+R8rs fnq0fnLQ2jc3WrqYQ7yZ8dh/lplfPXna6IImn46gnesLKYqi6VRzJzXayQ45wuc8oQ3a iXiS5YA/TrUyVAlvfU6E63u9eGbAcRNDLWz648XqwhNtx+lqlEXGfZcw3BaTY1AIVvYd 0ikHQ/pXCsm4TvDGcFC8Kig8XjM0ATd3ukqGH6AgwxZHeDhSJQNoeFWfLUJYSoCIAZRO 1ssQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=v5E+wxqgPXszN8irqo42hOyb5syHQ7h0DGqGjjxOuqc=; b=G5i/rlVRgacgmBgTuq4GU/zS28lhtj5H2xLY9YBch4DfpIrMcFLCf9YgWW1RIpxIoA p3q1YbA5Xait1+F5LbHo8hHJNN8Pnc05Ib6paZ0ZWaWwJNyIZcCutyJlb1cgYq0B0Ill FQmsXfiHSa9L2aG6xC/fbj6NvnEJt+KP6QsrFQEzFHhljiYH6rwM3bcRMbhUVitzJnAV IzKIzyG+nkst/6WEtSIYMJFpq9QATd7kw6zKfNDDfkPjudjI+US6VcYxvPHzvUtN3uC4 8Rircz4EwZS07E8RPYnqpLhJVxrd/NcdR0UUR0DvkJhNUtQ5XoKYKHL3eO6ZpGr7fz7D em8A==
X-Gm-Message-State: AGRZ1gLF7qJDAMTjsUbdNlBHuBqwZ5tYKrQ3GhM5L+JsUe1Dz+wkLiAZ CXbCh40bYcf2HWwCwY010Kw3X681+SwS4Q==
X-Google-Smtp-Source: AJdET5eq9dlkauee0KdlrUpM7Jem0vAyeE6GiXhq0vqV6ujFyF39IX+3bAyBZUtT1CDUK6SkY+mGNg==
X-Received: by 2002:a62:2ec3:: with SMTP id u186-v6mr18419105pfu.189.1541336121790; Sun, 04 Nov 2018 04:55:21 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id b16-v6sm42593232pgl.66.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 04 Nov 2018 04:55:20 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Chris Wendt <>
In-Reply-To: <>
Date: Sun, 4 Nov 2018 07:55:16 -0500
Cc:,, " Mail List" <>,
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Francesca Palombini <>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-stir-passport-shaken-04
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 04 Nov 2018 12:55:27 -0000

Thank Francesca for the review.  Comments inline.

> On Nov 2, 2018, at 12:14 PM, Francesca Palombini <>; wrote:
> Reviewer: Francesca Palombini
> Review result: Ready with Issues
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> For more information, please see the FAQ at
> <>;.
> Document: draft-ietf-stir-passport-shaken-04
> Reviewer: Francesca Palombini
> Review Date: 2018-11-02
> IETF LC End Date: 2018-11-02
> IESG Telechat date: Not scheduled for a telechat
> Summary: This draft is on the right track but has open issues, described in the
> review.
> Major issues:
> * This draft defines the new claim "origid" for the Personal Attestation Token
> used in the SHAKEN framework, but does not give any privacy considerations
> about it and its use. [RFC6973] suggests that the privacy considerations of
> IETF protocols be documented. As required by [RFC7258], work on IETF protocols
> needs to consider the effects of pervasive monitoring and mitigate them when
> possible. I don't know SHAKEN well enough to comment on privacy issues on that,
> but this draft, as part of the IETF work, should have privacy considerations,
> particularly considering the "origid" claim.

Here is my proposed privacy consideration section, looking for any comments if this addresses things properly given the nature of SIP privacy in general.

Privacy Considerations 

As detailed in {{RFC3261}} Section 26 as well as {{RFC3323}}, SIP as a protocol inherently carries identifying information of both the initiator or 'caller' as well as the terminating party or 'callee'. 'origid', as defined in SHAKEN {{ATIS-1000074}} and described in this document is intended to be an opaque and unique identifier that is used by an originating telephone service provider to trace and identify where within their network (e.g. from a gateway or a particular service within their network) the call was initiated, so that either bad actors that may be either trying to illegitamately spoof identities or making fraudulent calls can be identified and likely stopped or held responsibiliy for the fraudulent activities.  While the opaqueness of the 'origid' identifier is intended to keep any direct or implied information regarding the origination of a set of calls that may have the same 'origid' to a minimum, it should be recognized that potential patterns whether intended or not may be able to be discovered.

> Minor issues:
> * Section 4: the term "verified association" is not defined in this document,
> nor in [RFC8225], nor in the SHAKEN spec referenced. Is there a way to clarify
> what is meant by it? It could be a reference.

I’ve included a new terminology text as follows to address above comment and comment below:

   In addition, the following terms are used in this document:

   o  Verified association: is typically defined as an authenticated
      relationship with a device that initiated a call, for example, a
      subscriber account with a specific SIM card or set of SIP

   o  PASSporT: Defined in [RFC8225] is a JSON Web Token defined
      specifically for securing the identity of an initiator of personal
      communication.  This document defines a specific extension to

> Nits/editorial comments:
> * Terminology: I would have appreciated a short sentence mentioning [RFC8225]
> in the Terminology section.

see above

> * Section 9: [RFC8224] appears without link.


> * Acknowledgements: "The authors would like
>   acknowledge the work of the ATIS/SIP Forum IP-NNI Task Force to
>   develop the concepts behind this document." -> The authors would like to
>   acknowledge …

> I do not repeat nits and editorials reported by Adam Roach in his review of
> this version of the document (11-19-2018,
> )

I have addressed these issues and plan to submit with list consensus on above text.