Re: [stir] AD Review: draft-ietf-stir-passport-divert

"Peterson, Jon" <jon.peterson@team.neustar> Mon, 04 November 2019 22:07 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Adam Roach <adam@nostrum.com>, "draft-ietf-stir-passport-divert.all@ietf.org" <draft-ietf-stir-passport-divert.all@ietf.org>
CC: "stir@ietf.org" <stir@ietf.org>
Date: Mon, 04 Nov 2019 22:07:02 +0000
Message-ID: <52DE2B0B-4C03-46E7-8335-778CA80C6DE2@team.neustar>
References: <12e57a54-927c-a768-34ac-b1055bff88f6@nostrum.com>
In-Reply-To: <12e57a54-927c-a768-34ac-b1055bff88f6@nostrum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/6jVd0JOqo-KH6OphjZbOeu56IMM>
Subject: Re: [stir] AD Review: draft-ietf-stir-passport-divert
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

Hey Adam,

I do apologize, I did know the examples in here were broken when we sent out the last version, and I promised the chairs I'd patch them, but hadn't gotten around to it. The examples in the new version were generated by our implementation, I did check them against jwt.io, so hopefully everything is in order now. Also, the "div" example that showed the value of the object as an array has been fixed; that was just hasty pasting on my part.

In addition to your welcome nits and clarity fixes (which are in the new version), you found a couple other good substantive ones here...
    
    §3:
    
     >  A "div" PASSporT claims set is populated with elements drawn from the
     >  PASSporT(s) received for a call by the retargeting entity: at a high
     >  level, the original identifier for the called party in the "dest"
     >  array will become the "div" claim in the new PASSporT.  If the "dest"
     >  array of the original PASSporT contains multiple identifiers, the
     >  retargeting entity MUST select only one them to occupy the "div"
     >  field in the new PASSporT...
    
    This is confusing, for a couple of reasons. While the language in RFC 8225
    gets objects and arrays mixed up (and I need to file an errata on this), the
    intention is clear enough to implement. However, the preceding text is
    actually ambiguous due to the confusion between "array" and "object".

I did try to repair this ambiguity where the text was careless about "object", "value" and "array", and included an example showing how you select just one value from any "dest" array to be the one you are redirecting from.
        
    §4.1:
    
     >  Furthermore note that a request may also be retargeted a
     >  second time, at which point the subsequent retargeting entity SHOULD
     >  generate one "div" PASSporT for each previous "div" PASSporT in the
     >  request.  This can create multiple chains of "div" PASSporTs in a
     >  single request, which complicates the procedures that need to be
     >  performed at verification services.
    
    Read literally, this doesn't just create multiple chains; it creates
    an exponential explosion of Identity header fields. Consider a request
    that contains two non-"div" Identity header fields that gets redirected
    four times.

This is a good catch. I put in some text to clarify that on each redirection there is one "div" PASSporT per baseline non-div PASSporT that does not have a common "orig" and "dest". Well, I put it better than that in the text. Hopefully it's clear now, let me know if it isn't.

Thanks again,

Jon Peterson
Neustar, inc.
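The two substantive points in this exchange (selecting exactly one identifier from a "dest" array to become the "div" claim, and generating one "div" PASSporT per baseline non-"div" PASSporT per redirection so that the count grows linearly rather than exponentially) can be made concrete with a small model of the claims sets. The following is an added example, not code from the draft, from the Neustar implementation mentioned above, or from the IETF; it represents claims as plain dicts in the JSON shape of RFC 8225 ("orig"/"dest" objects with "tn"/"uri" arrays) and assumes the "div" claim is an object with a single "tn" or "uri" string, omits the JWS signing step, and uses constructed telephone numbers. The function names (`select_dest`, `retarget`, `div_chain_links_ok`, `simulate`) are hypothetical.

```python
"""Added example (not from the draft or any implementation in this thread):
deriving "div" PASSporT claim sets at a retargeting entity, and the
verification-side check that each "div" diverts from a previously listed
"dest". Claims are dicts in the RFC 8225 JSON shape; the "div" claim shape
{"tn": "<single value>"} is an assumption; signing is omitted."""
import json
from typing import Dict, List, Optional, Tuple

Claims = Dict[str, object]
Ident = Tuple[str, str]          # ("tn" | "uri", value)


def select_dest(dest: Claims, chosen: Optional[str] = None) -> Ident:
    """Pick exactly one identifier out of a "dest" claim.

    RFC 8225 writes "dest" as an object whose "tn"/"uri" members are arrays,
    e.g. {"tn": ["12155551213", "12155551299"]}. The draft requires the
    retargeting entity to select only one of them for "div". A bare string
    is tolerated because the thread notes the object/array mix-up."""
    for kind in ("tn", "uri"):
        values = dest.get(kind, [])
        if isinstance(values, str):
            values = [values]
        if chosen is None and values:
            return kind, values[0]
        if chosen in values:
            return kind, chosen
    raise ValueError("no usable identifier in dest")


def make_div_claims(base: Claims, retargeted_from: Ident,
                    new_target: Claims, iat: int) -> Claims:
    """Claims set of one "div" PASSporT: "orig" is inherited from the baseline,
    "dest" is the new target, "div" names the single identifier the call is
    being diverted away from (assumed shape: {"tn": "..."})."""
    kind, value = retargeted_from
    return {"orig": base["orig"], "dest": new_target, "div": {kind: value}, "iat": iat}


def is_baseline(claims: Claims) -> bool:
    """A baseline PASSporT is any non-"div" PASSporT carried in the request."""
    return "div" not in claims


def retarget(request: List[Claims], retargeted_from: Ident,
             new_target: Claims, iat: int) -> List[Claims]:
    """One redirection hop. Following the rule in the reply, add one "div"
    PASSporT per baseline PASSporT with a distinct ("orig", "dest") pair.
    Existing "div" PASSporTs are carried along unchanged and never themselves
    multiplied, so growth is linear in the number of hops."""
    seen = set()
    added: List[Claims] = []
    for p in request:
        if not is_baseline(p):
            continue
        key = (json.dumps(p["orig"], sort_keys=True), json.dumps(p["dest"], sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        added.append(make_div_claims(p, retargeted_from, new_target, iat))
    return request + added


def ident_in_dest(dest: Claims, ident: Ident) -> bool:
    kind, value = ident
    values = dest.get(kind, [])
    return value in ([values] if isinstance(values, str) else values)


def div_chain_links_ok(request: List[Claims]) -> bool:
    """Verification-side sanity check: every "div" PASSporT must divert away
    from an identifier that an earlier PASSporT with the same "orig" listed
    as its "dest". `request` is in the order the PASSporTs were added; a
    "div" that points at nothing earlier is a broken chain."""
    for i, p in enumerate(request):
        if is_baseline(p):
            continue
        (kind, value), = p["div"].items()
        if not any(q["orig"] == p["orig"] and ident_in_dest(q["dest"], (kind, value))
                   for q in request[:i]):
            return False
    return True


def simulate(baselines: List[Claims], hops: List[str], iat: int = 1443208345) -> List[Claims]:
    """Apply `hops` successive redirections (each a new target TN) to a request
    that starts with `baselines`; returns the full unsigned PASSporT set."""
    request = list(baselines)
    current = select_dest(baselines[0]["dest"])   # first hop diverts from the original called party
    for n, target in enumerate(hops):
        request = retarget(request, current, {"tn": [target]}, iat + n)
        current = ("tn", target)
    return request
```

With Adam's scenario (two non-"div" Identity header fields with different "orig", redirected four times), `simulate` yields 2 + 2 x 4 = 10 PASSporTs rather than an exponential blow-up, and two baselines that share the same "orig" and "dest" collapse to one "div" per hop; `div_chain_links_ok` is the kind of linkage check a verification service would run before trusting any "div" chain.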