[secdir] SECDIR Review of draft-ietf-sipcore-callinfo-spam-04

Chris Lonvick <lonvick.ietf@gmail.com> Tue, 10 September 2019 22:29 UTC

To: draft-ietf-sipcore-callinfo-spam@ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <0cc5e268-26c4-b3b6-c39a-3d99d595ca85@gmail.com>
Date: Tue, 10 Sep 2019 17:29:24 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZBVdAEMibtOghU1VaVW880oY7aU>

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

The summary of the review is Ready with nits.

Overall, the document is well written and, as I disregard yet another 
call from a number that's suspiciously very like my own number, will 
probably be very useful.

Nit 1 - The next to last paragraph of the Security Considerations 
section says that "a UAS SHOULD NOT trust the information in the 
"Call-Info" header field unless the SIP session between the entity 
inserting the header field and the UAS is protected by TLS [RFC8446]." 
Perhaps it would be more appropriate to include a qualification that a 
certificate offered by the entity must be authenticated. This would 
prevent rogue entities with self-signed certificates from attempting to 
insert a header field. Or perhaps there are more appropriate measures in 
SIP to prevent that. (I'm just not altogether that familiar with SIP to 
say.)

Nit 2 - (Very minor typo nits): In the last paragraph in the Security 
Considerations section "mislead" should be "misled"; "only be added 
calls" should be "only be added to calls".

Best regards,

Chris