Re: WG Review: Secure Telephone Identity Revisited (stir)
Christopher Morrow <morrowc.lists@gmail.com> Wed, 21 August 2013 19:25 UTC
+ iesg -iesg-secretary

On Wed, Aug 21, 2013 at 3:18 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> On Wed, Aug 21, 2013 at 3:07 PM, Dave Crocker <dhc@dcrocker.net> wrote:
>> The following mostly are points that I raised within the group's mailing
>> list discussion, during charter development. In my view, they have not yet
>> been adequately resolved:
>>
>>
>> On 8/21/2013 10:52 AM, The IESG wrote:
>>>
>>> Please send your comments to the IESG mailing list (iesg
>>> at ietf.org) by 2013-08-28.
>>
>> ...
>>>
>>> The STIR working group will specify Internet-based mechanisms that allow
>>> verification of the calling party's authorization to use a particular
>>> telephone number for an incoming call.
>>
>>
>> "use a particular telephone number for an incoming call" has no obvious and
>
> it'd actually be kind of nice if the focus was NOT on the (us)
> 10-digit "number", but instead on the 'identity' making the call.
> There's a real chance to move beyond the '10-digit number' and to some
> stronger, wider, richer sense of 'identity'... we should take that
> opportunity and run with it.
>
>> unambiguous technical meaning. In fact, it seems to imply the meaning of
>> "authorization to call a particular number". However, of course, that's not
>> the intended meaning. Since this is the only text in this paragraph that
>> says what the working group will /do/, it should make its statement with
>> clarity and technical substance.
>>
>> That is, the charter needs to use a precise term for specifying the specific
>> role of the number of interest. In earlier drafts, "caller id" was used.
>
> s/number/identity/
>
>> The next sentence uses "source telephone number". Perhaps that is
>> acceptable.
>
> no... focus on 'telephone number' is broken. Hell, it's not even
> what's used in the phone system anyway... not really.
>
>>> Since it has become fairly easy
>>> to present an incorrect source telephone number, a growing set of
>>> problems have emerged over the last decade. As with email, the claimed
>>> source identity of a SIP request is not verified, permitting unauthorized
>>
>>
>> As a matter of form, I'll note the SIP community's use of "identity" is
>> what is called "identifier" in the identity community.
>>
>> ...
>>
>>> As its priority mechanism work item, the working group will specify a SIP
>>
>>
>> Reference to work priority is only meaningful in the face of a list of tasks
>> that will be considered simultaneously and what it means to give priority to
>> one over another. Based on the lengthy mailing list discussion of in-band
>> vs. out-of-band, it appears that the current charter is actually intended to
>> support simultaneous work on alternative mechanisms, rather than pursuing
>> them sequentially.
>>
>> This should be made explicit. If the requirement is to work on them
>> sequentially, then state that. If the intent is to work on both approaches
>> simultaneously, then say that.
>>
>> ...
>>
>>
>>> In addition to its priority mechanism work item, the working group will
>>> consider a mechanism for verification of the originator during session
>>> establishment in an environment with one or more non-SIP hops, most
>>> likely requiring an out-of-band authorization mechanism. However, the
>>> in-band and the out-of-band mechanisms should share as much in common as
>>> possible, especially the credentials. The in-band mechanism must be sent
>>> to the IESG for approval and publication prior to the out-of-band
>>> mechanism.
>>
>>
>> "in-band and the out-of-band mechanisms should share as much in common as
>> possible"
>>
>> This is the essential text that mandates working on both approaches
>> simultaneously and makes the earlier assertion about priority moot. (Note
>> how far down in the charter this is buried, yet how fundamental a
>> requirement it establishes.)
>>
>>
>> ...
>>
>>> Input to working group discussions shall include:
>>>
>>
>> That's a lengthy list of documents. Why has it left out other documents
>> discussed during charter development and clearly of continuing interest to
>> the effort, namely:
>>
>> A proposal for Caller Identity in a DNS-based Entrusted Registry
>> (CIDER)
>> draft-kaplan-stir-cider-00
>>
>> An Identity Key-based and Effective Signature for Origin-Unknown
>> Types
>> draft-kaplan-stir-ikes-out-00
>>
>>
>> d/
>>
>>
>> --
>> Dave Crocker
>> Brandenburg InternetWorking
>> bbiw.net