[stir] Pay Attention (was Re: Robert Wilton's No Objection on draft-ietf-stir-enhance-rfc8226-03: (with COMMENT))

Robert Sparks <rjsparks@nostrum.com> Mon, 28 June 2021 19:16 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8EC13A09E0 for <stir@ietfa.amsl.com>; Mon, 28 Jun 2021 12:16:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.079
X-Spam-Level:
X-Spam-Status: No, score=-2.079 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNr9_7IovXEB for <stir@ietfa.amsl.com>; Mon, 28 Jun 2021 12:16:31 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 988853A09E7 for <stir@ietf.org>; Mon, 28 Jun 2021 12:16:31 -0700 (PDT)
Received: from unformal.localdomain ([47.186.34.206]) (authenticated bits=0) by nostrum.com (8.16.1/8.16.1) with ESMTPSA id 15SJGTiH083520 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for <stir@ietf.org>; Mon, 28 Jun 2021 14:16:29 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1624907789; bh=YGTu1xidp6Qokt7fc3b4OZndfjsgJBqRnSb5/FTNqpc=; h=Subject:To:References:From:Date:In-Reply-To; b=Rcr23070EdX+j9JoflRSHB/ihQTDWo9roViogmoDjwWWSZeNVaxvhHKxa4gAyBG0m XhFnCMZiPZqAXJkIHXEMvaaUEpt7Nml0AwVFnDBjjpoNGi5gMgiy12gKmYc7Sk4G8s iCegOJWdR9pSwKH4cBPkaNU4weXzad8Ujim1fLjk=
X-Authentication-Warning: raven.nostrum.com: Host [47.186.34.206] claimed to be unformal.localdomain
To: IETF STIR Mail List <stir@ietf.org>
References: <162487263632.15104.7075847684500025031@ietfa.amsl.com> <A65B0F2A-AAF4-4FC8-87A7-3A40144CEBBB@vigilsec.com>
From: Robert Sparks <rjsparks@nostrum.com>
Message-ID: <4bb5eba6-ddc8-e441-972e-52415f49a65c@nostrum.com>
Date: Mon, 28 Jun 2021 14:16:23 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <A65B0F2A-AAF4-4FC8-87A7-3A40144CEBBB@vigilsec.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/0Ngf4SRv1M6dtxYC7Gioya0_MaM>
Subject: [stir] Pay Attention (was Re: Robert Wilton's No Objection on draft-ietf-stir-enhance-rfc8226-03: (with COMMENT))
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jun 2021 19:16:37 -0000

STIR WG - There's a small bit of normative text that is going into this 
document based on IESG discussion - you've already seen it on list, but 
I've copied it here for your convenience. I want to make sure you don't 
miss it (fwiw, I'm fine with it). If anyone has problems with it, reply 
very soon.

RjS

On 6/28/21 1:30 PM, Russ Housley wrote:
> Rob:
>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Hi,
>>
>> Thanks for the document, despite not being my area of expertise I found it easy
>> to read and understand.
>>
>> A couple of minor comments:
>>
>> (1) Like Erik, when reading section 4, I was wondering whether it would be
>> helpful to have an example that included both mustInclude and permittedValues.
>> But of course, I note that you effectively do that in section 5.
> I hope the change proposed to resolve Erik's comment is also sufficient to resolve your comment.
>
>> (2) In the security section, it states:
>>
>>    Certificate issuers should not include an entry in mustExclude for
>>    the "rcdi" claim for a certificate that will be used with the
>>    PASSporT Extension for Rich Call Data defined in
>>    [I-D.ietf-stir-passport-rcd].  Excluding this claim would prevent the
>>    integrity protection mechanism from working properly.
>>
>> I was wondering whether it would be helpful to include this as RFC 2119 SHOULD
>> NOT in 3, or perhaps have a forward reference from the section 3 description of
>> mustExclude to the "rcdi" consideration in the security section.
> Sure:
>
>     Certificate issuers SHOULD NOT include an entry in mustExclude for
>     the "rcdi" claim for a certificate that will be used with the
>     PASSporT Extension for Rich Call Data defined in
>     [I-D.ietf-stir-passport-rcd].  Excluding this claim would prevent the
>     integrity protection mechanism from working properly.
>
> Russ
>