Re: [stir] WG Last Call for draft-ietf-stir-rph-emergency-services-02

Russ Housley <housley@vigilsec.com> Mon, 17 August 2020 14:36 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2F93A166E for <stir@ietfa.amsl.com>; Mon, 17 Aug 2020 07:36:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dy2AKSj5Nyo2 for <stir@ietfa.amsl.com>; Mon, 17 Aug 2020 07:36:54 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 109E33A1664 for <stir@ietf.org>; Mon, 17 Aug 2020 07:36:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 82042300B75 for <stir@ietf.org>; Mon, 17 Aug 2020 10:36:50 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 1zjBmmVVAM9F for <stir@ietf.org>; Mon, 17 Aug 2020 10:36:49 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id EF763300AA4 for <stir@ietf.org>; Mon, 17 Aug 2020 10:36:48 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.15\))
Date: Mon, 17 Aug 2020 10:36:49 -0400
References: <8372C576-08B7-41C4-B021-38622BABAD25@vigilsec.com> <919FC584-18AF-4419-B174-B9FB37B6439D@vigilsec.com>
To: IETF STIR Mail List <stir@ietf.org>
In-Reply-To: <919FC584-18AF-4419-B174-B9FB37B6439D@vigilsec.com>
Message-Id: <16089772-528A-462E-B3CF-AAAC6C3A8F2A@vigilsec.com>
X-Mailer: Apple Mail (2.3445.104.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/-W0widyStdOinMCeHUral7i8DQ0>
Subject: Re: [stir] WG Last Call for draft-ietf-stir-rph-emergency-services-02
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2020 14:36:56 -0000

I am confused by the last sentence of the Introduction (Section 1).  It says:

   In addition, the PASSPorT claims and values defined in
   this document are intended for use in environments where there are
   means to verify that the signer of the SIP 'Resource-Priority' and
   'Priority' header fields is authoritative.

The signer signs the PASSPorT.  The PASSPorT includes claims, and each claim has a value.  By construction, the values are expected to match the SIP 'Resource-Priority' header field and the SIP 'Priority' header field.  Is this saying that the PASSPorT must be authoritative for these claims if they are present?


In Section 3.1, I expected a MUST statement that says what appears in the value of the "ESorig" value.  It says what MUST appear on other claims around the "rph" claim, but it only gives an example of a value that matches an SIP 'Resource-Priority' header field.


Likewise in Section 3.2, I expected a MUST statement that says what appears in the value of the "EScallback" value.  It says what MUST appear on other claims around the "rph" claim, but it only gives an example of a value that matches an SIP 'Resource-Priority' header field.


In Section 3.2, I believe that the last paragraph applies to both the "ESorig" value and the "EScallback" value, so it probably belongs in Section 3 or a separate subsection.


Section 4 says:

   Therefore, we define a new claim key as part of the "rph" PASSporT, ...

I think it would be more clear to say:

   Therefore, we define a new claim key to be used in a PASSporT that includes "rph" claim, ...


Section 6 should use RFC 2119 wording:

   The use of the compact form of PASSporT is not specified in this
   document.   Use of the compact form of PASSporT is NOT
   RECOMMENDED for a PASSporT that includes a "rph" claim.


I think that the Security Considerations (Section 8) should say someting about the consequences of a PASSPorT that includes the "rph" or "sph" claim that is signed by a party that is not authoritative for the SIP 'Resource-Priority' header field and the SIP 'Priority' header field.

Russ
(No Hats)


> On Jul 31, 2020, at 11:29 AM, Russ Housley <housley@vigilsec.com> wrote:
> 
> 
> This is the STIR WG Last Call for "Assertion Values for a Resource Priority Header Claim and a SIP Priority Header Claim in Support of Emergency Services Networks” <draft-ietf-stir-rph-emergency-services-02>.  Please review the document and send your comments to the STIR WG mail list by 22 August 2020.
> 
> https://datatracker.ietf.org/doc/draft-ietf-stir-rph-emergency-services/
> 
> Thanks,
> Robert & Russ