IETF Logo Mail Archive

Re: [stir] Review of: draft-ietf-stir-passport-05

Dave Crocker <dhc@dcrocker.net> Fri, 29 July 2016 14:23 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1CC412D6B5 for <stir@ietfa.amsl.com>; Fri, 29 Jul 2016 07:23:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.107
X-Spam-Level:
X-Spam-Status: No, score=-1.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MoAK1ehw8raI for <stir@ietfa.amsl.com>; Fri, 29 Jul 2016 07:23:27 -0700 (PDT)
Received: from simon.songbird.com (unknown [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26F6B12D0F1 for <stir@ietf.org>; Fri, 29 Jul 2016 07:23:27 -0700 (PDT)
Received: from [192.168.1.168] (76-218-8-128.lightspeed.sntcca.sbcglobal.net [76.218.8.128]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u6TEOAwt013031 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Fri, 29 Jul 2016 07:24:11 -0700
To: Eric Burger <eburger@standardstrack.com>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <F382AB89-E012-4CCC-B61B-0EC8A2FDF491@standardstrack.com>
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <7cf45386-60a3-6b5e-de1a-a9ca2d9c1c01@dcrocker.net>
Date: Fri, 29 Jul 2016 07:23:19 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <F382AB89-E012-4CCC-B61B-0EC8A2FDF491@standardstrack.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/1d19ePQXh4aOULmv9pTRluAb5FU>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] Review of: draft-ietf-stir-passport-05
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2016 14:23:28 -0000

Eric,

Thanks for the quick response.


On 7/29/2016 6:57 AM, Eric Burger wrote:>

> Dave - Thanks for the review. I agree with a lot of your meta points,
> most especially that a major revision during last call that makes
> some not insubstantial syntactic changes is unusual, to say the

FWIW there also were not insubstantial semantic changes, by my reading.


> Another thing that perhaps we need to put into the document suite
> relates to your comment about certificate management. In a normal,
> interoperable protocol one would have a single certificate management
> mechanism that everybody agrees to. The problem is the approach used
> for certificate management in the case of STIR/PASSporT is directly
> an embodiment of policy. Because the target audience for the protocol
> is (today) highly regulated with differing national policies and
> policy bodies, it is just not possible to mandate a particular
> certificate policy (i.e., your comment about key rollover and one I
> think you obliquely touched upon, what is the Subject of the key
> doing the signing).

You appear to be saying that the actual use of this for SIP is going to 
vary according to a wide variety of policies.

If this means a variety of independent services, that's fine, of course. 
  If this means a variety of services that are supposed to interoperate, 
it's not.

So forgive me, but how does that provide the end-to-end authentication 
service that is the primary goal of this working group and that will be 
credible?


> The WG is producing a straw proposal that would
> provide some semblance of a baseline, but it is not clear there will
> be more than one or two implementations of that policy.

cf, preceding question.


> All this said, I will also defend the document in that (admittedly
> with assistance from me and Chris Wendt) an undergraduate student
> coded a STIR authentication service and STIR validation service in
> under a year,

I've no doubt that someone could take this specification and produce 
code based on their reading of it.  People do that with incomplete 
specifications all the time.

The question is how much they had to fill in gaps and whether the next 
reader would fill in the same gaps in the same way and produce an 
interoperable implementation?

By my reading, that's a very low probability outcome...


d/

ps. (Just in case I missed text from you:  I don't see any comments from 
you in the remainder of your message.  Only a copy of the message I sent.)


-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

v2.23.0 | Report a Bug | By Email