Re: [stir] Editorial comments on sections 3 and 4 of draft-ietf-stir-passport-divert-02 [was: drafts for london]
"Peterson, Jon" <jon.peterson@team.neustar> Thu, 08 March 2018 15:52 UTC
Return-Path: <prvs=0605d584ef=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33891124207 for <stir@ietfa.amsl.com>; Thu, 8 Mar 2018 07:52:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqMfdP_XiEa9 for <stir@ietfa.amsl.com>; Thu, 8 Mar 2018 07:52:44 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 501CA12702E for <stir@ietf.org>; Thu, 8 Mar 2018 07:52:44 -0800 (PST)
Received: from pps.filterd (m0078666.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w28FiXEn025573; Thu, 8 Mar 2018 10:52:41 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=selector1; bh=RoSx7iijq0sUV8XhLTZ01rrf1VgLouKgAnue4AoKP90=; b=JMEl+wYF1y9r6eaVlim63eWHB5JKCWj4dv7AIcKWABbNnhLmfV0RuF6sF6ouhyIY+bWh 9lcVhIqYQsW25OhSzlJHyqK3wUihLFY4gJ7H+uZRlHaiVGGFZdy0WzZ5Tw7jfro1rOQ4 fa93my9eUcO26f8v47y0u/dOxDI+6yRZiP6gS6XN6qFi+0s5QZDhvnoZM+NtWBRAG3xr gin734wtgXgZhK64tpG6bGj7/GI/NF6Redzim7Fta6xmymDECau8CCsZBdZ30LHWjFdq vI7BcXyHZK5gL6RZrU5XY7htPCanKSwR7Vb+zI1VEp8PF/0ysLpaxIsx63NjfRAo4noh hw==
Received: from stntexhc11.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 2gfrpu8pfn-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 08 Mar 2018 10:52:41 -0500
Received: from STNTEXMB11.cis.neustar.com ([169.254.1.236]) by stntexhc11.cis.neustar.com ([::1]) with mapi id 14.03.0279.002; Thu, 8 Mar 2018 10:52:39 -0500
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Christer Holmberg <christer.holmberg@ericsson.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: Editorial comments on sections 3 and 4 of draft-ietf-stir-passport-divert-02 [was: drafts for london]
Thread-Index: AdO1leYBWf6vwV0+R0KzweYvSCipPgBRn8mA
Date: Thu, 08 Mar 2018 15:52:39 +0000
Message-ID: <D6C6958B.1FAAE7%jon.peterson@neustar.biz>
References: <7594FB04B1934943A5C02806D1A2204B6C1C59A6@ESESSMB109.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B6C1C59A6@ESESSMB109.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
x-originating-ip: [10.96.12.91]
Content-Type: multipart/alternative; boundary="_000_D6C6958B1FAAE7jonpetersonneustarbiz_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-08_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803080181
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/-YDgX1F6E_dCB1BluYxtkkJF_Lk>
Subject: Re: [stir] Editorial comments on sections 3 and 4 of draft-ietf-stir-passport-divert-02 [was: drafts for london]
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 15:52:46 -0000
Thanks for the notes Christer, this is getting down to the level of detailed review that we need. Q1: Throughout the document, you use different terminology for the claims. You at least use “claim”, “array”, “field”. I suggest to always use “claim”, i.e., “div” claim, “dest” claim etc. The fact that a claim might be an array is an encoding issue. I do kind of like reminding people that the contents of "dest" are an array. "field" I agree isn't very helpful though. There may still be a couple times in the document where I might want to continue referring to "dest" as an array. I'll try to keep that to a minimum. Q2: Throughout the document, you talk about “div” PASSporT, “div” PASSporT type, etc. Please don’t use the same name for the claim and the PASSPorT. Instead say something like “to the PASSporT carrying the “div” claim”, “the diversion PASSporT”, or something like that. I can do that: saying "'div' claim" and "diversion PASSporT." Q3: Throughout the document, the text talks about “original PASSPorT”. Since there might be (at least in theory) multiple incoming PASSPorTs you need to define what “original” means. Definitely the language needs to take into account that there can be multiple "original" PASSporTs. But I hesitate to just replace "original" with a synonym like "incoming." I'd like the language here to be generic enough to apply to in-band and out-of-band cases, so I don't want to define in terms like "found in the INVITE" or whatever. Terminology is tough here, I'll try to fix the language here up a bit. Q4: The text in Section 3 says: “A PASSporT claims object containing "div"” I don’t think we need to say “claims object”. It is enough to just talk about PASSPorT (you do that elsewhere). I do think it is useful sometimes to distinguish between the header and the claims, but I can avoid the specific construction "claims object" if people think it is confusing. "JOSE header" and "JWT claims set" seem to be the terms used in RFC7519. Q5: The text in Section 3 says: “These new PASSporT generated by retargeting entities MUST include the "div" PASSporT type,..” Please explicitly indicate which header field includes the “div” type (i.e., the “ppt”) While I don't think this is confusing in the text, no harm in saying that explicitly. Q6: The text in Section 3 says: “…for all PASSporTs using the "div" type the signature MUST be created with a credential with authority over the identity present in the "div" claim. So for the example above, where the original "dest" is "12155551213", the signer of the new PASSporT object MUST have authority over that telephone number,…” I think the text can be clarified in the following way: “…for all PASSporTs using the "div" type the signature MUST be created with a credential with authority over the identity present in the "div" claim, which means that the signer MUST have authority over the “dest” claim in the original PASSporT.” Because, I think this is a generic normative statement, not just a description of an example. Agreed it is a blunder to have a normative statement in an example. I think we still do want an example and a normative statement, I'll separate them out. Q7: The text in Section 4.1. says: “An authentication service only adds an Identity header field containing the "div" PASSporT type to an SIP request that already contains at least one Identity header field; it MUST NOT add a "div" request to an INVITE that contains no other Identity headers fields.” Is there a reason why you first say “SIP request” and then “INVITE”? Can’t the “it MUST NOT add…” part be removed? Agreed that "INVITE" there should be the more generic "request." The previous statement is not normative, though, so I'd hesitate to remove the normative statement entirely. Q8: In Section 4, when the new PASSPorT has been created and added to a SIP message, we need to clarify where the associated Identity header field is located in relation to other Identity header fields. Alt A: Identity: incoming_PASSPorT Identity: div_PASSPorT Alt B: Identity: div_PASSPorT Identity: incoming_PASSPorT Hmm. Do we think that intermediaries will always preserve the order of these headers? I guess we could order them in the hopes that they will. But again, I think we should provide a means that lets verification services look at the PASSporTs associated with a request and figure out how they are related. That discussion is how we ended up with nesting in the first place. Right now we only RECOMMEND that implementations use nesting for in-band, until we get some more input on the header size question, but we need to do something here to make it clear how PASSporTs are ordered. Maybe "iat" helps? A few possibilities. Thanks! Jon Peterson Neustar, Inc.
- [stir] Editorial comments on sections 3 and 4 of … Christer Holmberg
- Re: [stir] Editorial comments on sections 3 and 4… Peterson, Jon
- Re: [stir] Editorial comments on sections 3 and 4… Christer Holmberg