IETF Logo Mail Archive

Re: [stir] WGLC: draft-ietf-stir-passport-rcd-09

Chris Wendt <chris-ietf@chriswendt.net> Fri, 08 July 2022 15:03 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69B0EC14F607 for <stir@ietfa.amsl.com>; Fri, 8 Jul 2022 08:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pWF4ynJI4EOb for <stir@ietfa.amsl.com>; Fri, 8 Jul 2022 08:03:39 -0700 (PDT)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C2A0C14CF0E for <stir@ietf.org>; Fri, 8 Jul 2022 08:03:02 -0700 (PDT)
Received: by mail-qk1-x72d.google.com with SMTP id x11so557041qki.1 for <stir@ietf.org>; Fri, 08 Jul 2022 08:03:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=qAz/sWWSRqDAryvCNqarXy2X3vUSbVf+/HDCfYOfz9E=; b=e2y/UYtVHKpMMEANZv0iyegnayTi6SIlXbNpZGhlrK0dLn9nrgt+TOvc/Iq9SZ+ki3 P3gTnFi3FMJjp8Iklm2lr1p6hoY0EQEVuy7jQDSp23dSFc1N10+764iw2E1cAXVC6PjT /VYbjtxX61PjixFuglk9kGaDiNm1bIdQ2S3Y++dxUElJcPpMd/ZjnbPMxsWoF2i9xhwy JAuzgHt/yyqJ9sO0Cdml5sTxfLlWnYWpidXYDAUg2Pjlzz0lZbpcjpyWUql2keMmy4CN 2cchYtlDugpl1bml1KRXwerrelP5rzpBTFtX9+mcEtn9Oq1Bc1fibJ/YS66+5M66BfgM CA3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=qAz/sWWSRqDAryvCNqarXy2X3vUSbVf+/HDCfYOfz9E=; b=58W/vDXo48q7bLCqDa9EoQ6bxC4Di7fxQq07HBxACELruZe0fFBCuKxdVvOlbbFEOg lONdhZO1UWw3xAPXO7oDFgG/9V0ip2/SyYdgvLAMH9IiKV2u3NgETfC1pVlwaj27PyKT 1cnr5vyQqsH47783mk8Ku1PzUjfqD3OkMdmO9hIz7UyncI8/YU6mwEqLo/KaGK0/QejR IIULWpOfJb8jRuQS8mmaW+FpzKQ3m+bv5ueftNNX0Avc1WcuNuPgBw25Zc35w4g7bChg 29PFoMxb03/+UOaApiThb4qOu0NRCXP6oYcLjhLkSv5CVCjlObv6UGPffzZwJu8FPGrc h32g==
X-Gm-Message-State: AJIora8sbCksHIWF40MiRQLBWJt0O7HSTIrZj/JkN7pdOCbkfnMG/W44 IIjQ58FCqjEkMN/5XhLU/NLUTg==
X-Google-Smtp-Source: AGRyM1tCStiJz/U6dGdjc3yZAAN1Nij1EDAJ4hPG48f2nd5taGZZLxrBEGqe0WvRn4IzQJOBXk6Cgg==
X-Received: by 2002:a05:620a:a81:b0:6b2:510f:6343 with SMTP id v1-20020a05620a0a8100b006b2510f6343mr2630618qkg.718.1657292579292; Fri, 08 Jul 2022 08:02:59 -0700 (PDT)
Received: from smtpclient.apple ([65.217.203.171]) by smtp.gmail.com with ESMTPSA id m14-20020a05620a24ce00b006af59e9ddeasm28484582qkn.18.2022.07.08.08.02.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Jul 2022 08:02:58 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <HE1PR07MB444116FFAF16D3D621C940A993D89@HE1PR07MB4441.eurprd07.prod.outlook.com>
Date: Fri, 08 Jul 2022 11:02:57 -0400
Cc: IETF STIR Mail List <stir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6EFB639E-AB85-4B45-AF75-467FA7EE2173@chriswendt.net>
References: <PAXPR83MB05352B8463984E8C1FE44B9C88CA9@PAXPR83MB0535.EURPRD83.prod.outlook.com> <DFF4A5DA-27E2-4160-82EB-5F9320D60869@chriswendt.net> <HE1PR07MB444116FFAF16D3D621C940A993D89@HE1PR07MB4441.eurprd07.prod.outlook.com>
To: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/5nuPx_wRqOsDJg4iMTCO1IXq94E>
Subject: Re: [stir] WGLC: draft-ietf-stir-passport-rcd-09
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2022 15:03:41 -0000

Hi Christer,

Thanks for your detailed editorial review.

Comments inline:

> On May 27, 2022, at 6:57 AM, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
> 
> I took a look at the draft.
> 
> My first comment is that I really think it could need a proper editorial review.
> 
> I will comment on some of the things I found, mostly focusing on the generic parts of the document.
> 
> GENERAL:
> -------------
> 
> Q1: Please use consistent terminology. As a simple example, please use either "this document" or "this specification". The same goes for "specifies" and "documents". 
> 

I did clean this up and make it more consistent, i used “document" to refer to the document itself, but kept specifications when referring to other specifications.

> 
> Q2: The document tries to be protocol agnostic. Still, in most cases the procedures are SIP specific, referring to SIP header fields, parameters etc. In some cases there is text like "or something similar in other protocols", but in some cases there is not. Similar to the comment I gave on the messaging draft, is there a reason why this draft cannot be scoped to SIP?
> 

We absolutely do not want to limit this specification to SIP, i did review the document and make sure that there isn’t any implication other than some of the SIP examples and SIP specific issues that this is the case.

> 
> ABSTRACT:
> ---------------
> 
> Q3: I think the Abstract is too long. The first half would be enough, in my opinion. The rest is too detailed and should go elsewhere.
> 
Agree, and i did simplify and remove unnecessary detail.

> 
> Q4:
> 
> The text says:
> 
>   "The JSON element defined for this purpose, Rich Call Data (RCD), is an extensible object
>   defined to either be used as part of STIR or with SIP Call-Info..."
> 
> How is this used with SIP Call-Info? When reading draft-ietf-sipcore-callinfo-rcd, the only thing I can find is a string
> value that saying things like "For your ears only". I assume the JSON object will be stringified and added as a Call-Info call-reason value, so
> it would be nice to have some examples of that.

I agree that wasn’t clear, but to the point of your comment in Q3, i just deleted it.

> 
> 
> SECTION 1:
> ---------------
> 
> Q5:
> 
> The text says:
> 
> "The STIR problem statement [RFC7340] declared securing the display name
> of callers outside of STIR's initial scope, so baseline STIR provides
> no features for caller name."
> 
> I assume this applies to most/all extensions, so I am not sure it needs to be stated. At least the second part after the comma could be removed, in my opinion.

Agree, removed after comma.

> 
> 
> Q6:
> 
> The text says:
> 
>   "As such, the baseline use-case for this document extends PASSporT to
>   provide cryptographic protection for the "display-name" field of SIP
>   requests as well as further "rich call data" (RCD) about the caller,
>   which includes the contents of the Call-Info header field or other
>   data structures that can be added to the PASSporT."
> 
> What does "the use-case for this document extends" mean? I think what you want to say is that "based on some use-case, this document extends".

Agree, replaced text.

> 
> 
> Q7:
> 
> The text says:
> 
>   "This document furthermore specifies a third-party profile..."
> 
> What is this "third-party profile"? I assume this has something to do with Section 12, but it is not very clear.
> 

Yes, i reworded as follows: "This document furthermore documents third-party use-cases that would allow external third-party authorities to convey rich information associated with a calling number via a "rcd" PASSporT that asserts the third-party as the source of the Rich Call Data information."

> 
> Q8:
> 
> The text says:
> 
> "This specification documents an optional mechanism for PASSporT and the associated STIR procedures
>  which extend PASSporT objects to protect additional elements conveying richer information:"
> 
> This sentence is difficult to read. I think it is enough to say that the document defines a PASSporT extension, and the
> associated STIR procedures, to protect...

Agree, replaced.

> 
> 
> Q9:
> 
> The text says:
> 
> "information that is intended to be rendered to assist a called party in determining whether to accept or
>  trust incoming communications."
> 
> I think core PASSporT already contains information (e.g., the phone number) that is intended to be rendered, so perhaps talking about "additional information".

Agree, replaced with the following: "additional information that is intended to be rendered to assist a called party in determining whether to accept or trust incoming communications”

> 
> Also, not all information will be rendered as such. For example, I assume URLs will normally not be rendered, but rather the information (pictures etc) that can be
> fetched using the URLs.

Correct, URLs point to content that will be retrieved.  But ultimately if the URL content is retrieved the intension i assume would be to render (or display) it to the end-user on the end-user device.

> 
> 
> SECTION 3:
> ---------------
> 
> Q10:
> 
> The text says:
> 
>   "The main intended use of the signing of Rich Call Data (RCD) using
>   STIR within SIP [RFC8224] or more generally as a PASSporT extension
>   [RFC8225] is for the entity that originates a call, either directly
>   the caller themselves, if they are authoritative, or a service
>   provider or third-party service that may be authoritative over the
>   rich call data on behalf of the caller."
> 
> I can't parse this 6 line sentence. The main intended use seems to be many things...

Agree, i replaced this entire paragraph with the following: "This document defines Rich Call Data (RCD) which is a PASSporT extension {{RFC8225}} that defines an extensible claim for asserting information about the call beyond the telephone number. This includes information such as more detailed information about the calling party or calling number being presented or the purpose of the call. There are many use-cases that will be described in this document around the entities responsible for the signing and integrity of this information whether it is the entity that originates a call or a service provider acting on behalf of a caller or use-cases where third-party services may be authoritative over the rich call data on behalf of the caller."

> 
> 
> Q11:
> 
> The text says:
> 
>   "Additionally, in relation to the description of the specific
>   communications event itself (versus the identity description in
>   previous paragraph), [I-D.ietf-sipcore-callinfo-rcd] also describes a
>   "call-reason" parameter intended for description of the intent or
>   reason for a particular call.  A new PASSporT claim "crn", or call
>   reason, can contain the string or object that describes the intent of
>   the call."
> 
> What is means by "object"? When I read [I-D.ietf-sipcore-callinfo-rcd] I can only see human readable string values in the call-reason examples.
> 

Agree, Jack also had same comment and i did fix it to just be a string.

> 
> SECTION 9:
> ---------------
> 
> Q12:
> 
> The text says:
> 
>   "Either or both the "rcd" or "crn" claims may appear in any PASSporT claims object as optional elements."
> 
> Is it within the scope of this document to define what other PASSporT claims can contain?

This is essentially stating a property of JSON, JWTs and PASSporTs more generally, you can include any JSON key value pairs, it’s up to the recipient to know how to use that key value pair.

I think the relevant bit is paired with the next sentence that if you want the PASSporT to be a “rcd” PASSporT, it MUST include either/both “rcd” and “crn” claims.  But the first sentence just says that the use of claims defined in this document don’t mandate that the PASSporT is “rcd”.


> 
> 
> SECTION 10.1:
> -------------------
> 
> Q13:
> 
>   "For re-construction of the "nam" claim the string for the display-name in the From header field."
> 
> What if there is no From header field?
> 
> This is an example of my general comment about whether the document should be scoped to SIP.

I did try to address this corresponding to my response in Q1


> 
> ---
> 
> Regards,
> 
> Christer
> 
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email