IETF Logo Mail Archive

Re: [stir] current draft charter - ENUM and databases

"Wendt, Chris" <Chris_Wendt@cable.comcast.com> Tue, 18 June 2013 18:03 UTC

Return-Path: <chris_wendt@cable.comcast.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04C2621F961F for <stir@ietfa.amsl.com>; Tue, 18 Jun 2013 11:03:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.231
X-Spam-Level:
X-Spam-Status: No, score=-5.231 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozvfhKNApoG4 for <stir@ietfa.amsl.com>; Tue, 18 Jun 2013 11:03:26 -0700 (PDT)
Received: from cable.comcast.com (copdcavout01.cable.comcast.com [76.96.32.253]) by ietfa.amsl.com (Postfix) with ESMTP id 160AB21F9AB2 for <stir@ietf.org>; Tue, 18 Jun 2013 11:03:26 -0700 (PDT)
Received: from ([24.40.56.114]) by copdcavout01.cable.comcast.com with ESMTP id C7WM3M1.77966906; Tue, 18 Jun 2013 12:01:42 -0600
Received: from PACDCEXMB01.cable.comcast.com ([169.254.1.49]) by PACDCEXHUB01.cable.comcast.com ([fe80::84e8:95f3:f13b:169e%12]) with mapi id 14.02.0318.001; Tue, 18 Jun 2013 14:02:12 -0400
From: "Wendt, Chris" <Chris_Wendt@cable.comcast.com>
To: Hadriel Kaplan <hadriel.kaplan@oracle.com>
Thread-Topic: [stir] current draft charter - ENUM and databases
Thread-Index: AQHObE30wSlmpMZitUyhAdakrHC3YQ==
Date: Tue, 18 Jun 2013 18:02:11 +0000
Message-ID: <1E0475FDD84F0C42A9F46570BB946FD941224375@PACDCEXMB01.cable.comcast.com>
References: <CDE4E69C.21E90%jon.peterson@neustar.biz> <8C77C05D-6ED2-4429-BF1C-72082F4ADE76@oracle.com>
In-Reply-To: <8C77C05D-6ED2-4429-BF1C-72082F4ADE76@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [68.87.16.247]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <14054BFC2A7815409EBC7603F543D74E@cable.comcast.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "stir@ietf.org" <stir@ietf.org>, "Peterson, Jon" <jon.peterson@neustar.biz>, Henning Schulzrinne <hgs@cs.columbia.edu>
Subject: Re: [stir] current draft charter - ENUM and databases
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jun 2013 18:03:31 -0000

+1 
We are very much on-board with the direction of this discussion, DNS lookup is the way we would lean given vendor support for DNS/ENUM vs. HTTP.  I think there is also something to say for keeping a limited scope of DNS as a good thing, vs. the infinite extensibility of HTTP.

Does the current draft charter include this general direction as in scope?


On Jun 18, 2013, at 1:36 PM, Hadriel Kaplan <hadriel.kaplan@oracle.com> wrote:

> 
> On Jun 17, 2013, at 8:47 PM, "Peterson, Jon" <jon.peterson@neustar.biz> wrote:
> 
>> 
>> Definitely I agree that there needs to be a root here, at least at the
>> national level. A few people have commented that working from the national
>> level makes more sense than trying to delegate something globally from on
>> high. Choosing that scope could make it harder to guarantee your vision of
>> a tariff-free identity, admittedly. I've name-dropped LoST a couple times
>> here as a place to look for inspiration, perhaps.
> 
> I read LoST a long time ago, and skimmed it again today, but I don't get any inspiration relative to STIR.  What dots am I supposed to be connecting?
> No need for a long explanation, just some hints would be good. :)
> 
> 
>> But at the end of the day I was also envisioning that this revisited
>> identity system would still work for regular domain names per RFC4474, and
>> that we'd probably even keep CID as an option for Identity-Info (or its
>> successor). So I was anticipating there'd be diversity in the means by
>> which credentials could be indicated by Identity-Info, and that having a
>> "root" wouldn't be exclusive in that there are identifiers other than
>> telephone numbers in the system too.
> 
> Right, so I was thinking about that too, if we were to use a DNS-based approach (or anything with a derived URL).
> 
> I think that's still possible even for email-style names.  For example, when receiving a request from 'alice@foo.com' we could do a DNS lookup for '_cid.foo.com' or some such pre-defined naming scheme, to get the caller-id cert for 'foo.com'; or the RR for that DNS key could redirect us to somewhere else if need be.  Or we could do an HTTP automatically for 'http://foo.com/cid', or even 'http://foo.com/cid/ldkjhlashl' where the last part is a hash of the username.
> 
> Or if we want the signer to be able to specify different certs for different requests, we support including a small token that gets appended to the automatic DNS or URL scheme for cert retrieval.  For example up to a 16-character token.  The only reason to limit its size would be to possibly get it (along with the signature and other info) through PSTN links in a UUI or whatever, but if we don't care about that for the email-style name cases then we could continue using the Identity-Info header for that case.  I recognize the nice property of Identity-Info giving the URL was the cert could be hosted somewhere else, separate from the From's domain.
> 
> 
>> So again, to the question of how golden the root is, I at least pictured a
>> national-level root for telephone number identity that would, if at all
>> possible, eliminate the problem of multiple trust anchors issuing
>> credentials for the same identity.
> 
> Right so I think we're all on the same page for that then. :)
> 
> 
>> Just like the same cert could be
>> included by CID or referred to by HTTP, though, I imagine there could be
>> more than one protocol for getting at those credentials.
> 
> I'm ok with specifying multiple protocols for accessing it - I mean that'll probably happen anyway (my company's products support half a dozen different ones to access routing DBs, for example) - but I think there needs to be one that's mandatory-to-implement, to get interoperability.  Even if we believe *only* carriers will be the ones to query for STIR certs, many carriers buy products from multiple vendors they need to interoperate.  Even the ones that buy the SIP-based equipment from only one vendor, often get the databases (or access to a separately managed one) from someone else.
> 
> 
>> As for whether or not we need NPAC-style databases - agreed that here we
>> don't need most of the data that's in them (like, LRNs aren't obviously
>> material to solving our problem), but the authority structures they
>> reflect are absolutely integral to this. Ultimately, STIR proposes only to
>> project onto the Internet the authority over numbers that is today
>> administered in those databases.
> 
> Yup.  As I said, it would help a heck of a lot to get this into the NPAC-type databases. :)
> 
> -hadriel
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email