IETF Logo Mail Archive

Re: [stir] New draft draft-rosenberg-stir-callback-00

Jonathan Rosenberg <jdrosen@jdrosen.net> Fri, 02 March 2018 21:52 UTC

Return-Path: <jdrosen@jdrosen.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8E83124239 for <stir@ietfa.amsl.com>; Fri, 2 Mar 2018 13:52:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.789
X-Spam-Level:
X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=jdrosen.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lbY8eWX7tlEo for <stir@ietfa.amsl.com>; Fri, 2 Mar 2018 13:52:46 -0800 (PST)
Received: from ecbiz193.inmotionhosting.com (ecbiz193.inmotionhosting.com [69.174.52.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5D5912025C for <stir@ietf.org>; Fri, 2 Mar 2018 13:52:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=jdrosen.net ; s=default; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:References: In-Reply-To:MIME-Version:Sender:Reply-To:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=McBffC8BkWk1bbTkJJ4ZJYQpCMQxBeS97s0ynTJlFVw=; b=Pr8pLpFYvRK7aMuEYOF6xSy5f7 RtjA69d8tE2jVfdNfWy3g45inZkuU3Q8HmLI+oGTRoGOfPiFELRuY12BkVfm3g0ik6LZOYlq5dHa0 PXFoR0Uj12dLY0U6UlhL/a83qcO31xVvh33lNqZf35Enu3RFEJgaPNXkRDmyAHEkK5BM6pNKJ1M33 xNaWlQaaVduyCwDj5E8i02nlEeXRmfvPn3y1hAbUR1wvY6uOmI2g+iqgtSePDDj522zLuvQDhXa5P 0dNeBZMIwON/YymHp5AE68pof1GViyI+dr64obgU9ldZCLKhL+1UNqQ2YkSC9R29TrsdTGUxo57AC Q8J0trIA==;
Received: from mail-oi0-f53.google.com ([209.85.218.53]:35712) by ecbiz193.inmotionhosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89_1) (envelope-from <jdrosen@jdrosen.net>) id 1ersbS-003WO7-7n for stir@ietf.org; Fri, 02 Mar 2018 16:52:45 -0500
Received: by mail-oi0-f53.google.com with SMTP id x10so8103413oig.2 for <stir@ietf.org>; Fri, 02 Mar 2018 13:52:34 -0800 (PST)
X-Gm-Message-State: APf1xPBjTjtuq3rty35LE39PhntxstOHc7kSscjQ1FJIDk+8jA3gWbKs IncTCROJ0JCt2ElR0JzLgduSP6AASgu0hRtKU8E=
X-Google-Smtp-Source: AG47ELvWjUlsXEZcnP8YrPX2KE8DNesQ9bcf5pQsLFu6/wK86O6YjbiZQC/Vv+dtKf9aczQn41lBu8lOkd8gkK4gisg=
X-Received: by 10.202.12.69 with SMTP id i5mr4779998oiy.62.1520027553759; Fri, 02 Mar 2018 13:52:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.74.190.6 with HTTP; Fri, 2 Mar 2018 13:52:33 -0800 (PST)
In-Reply-To: <D6BEC6D8.1F70D3%jon.peterson@neustar.biz>
References: <D6BEC6D8.1F70D3%jon.peterson@neustar.biz>
From: Jonathan Rosenberg <jdrosen@jdrosen.net>
Date: Fri, 02 Mar 2018 16:52:33 -0500
X-Gmail-Original-Message-ID: <CA+23+fFAUpQ8UwgzJM4XU6dKY4VuijOdtfdCrn2oAHC8wyV6cg@mail.gmail.com>
Message-ID: <CA+23+fFAUpQ8UwgzJM4XU6dKY4VuijOdtfdCrn2oAHC8wyV6cg@mail.gmail.com>
To: "Peterson, Jon" <jon.peterson@team.neustar>
Cc: Jonathan Rosenberg <jdrosen@jdrosen.net>, "stir@ietf.org" <stir@ietf.org>
Content-Type: multipart/alternative; boundary="089e082488506409be056674fe86"
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ecbiz193.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - jdrosen.net
X-Get-Message-Sender-Via: ecbiz193.inmotionhosting.com: authenticated_id: jdrosen+jdrosen.net/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: ecbiz193.inmotionhosting.com: jdrosen@jdrosen.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/8cNagCeT5mBXmquNoAyxugC9eyg>
Subject: Re: [stir] New draft draft-rosenberg-stir-callback-00
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 21:52:49 -0000

Good to be here Jon. Frankly, I got so tired of multiple robocalls each
day, I woke up one morning and decided to do something about it. That, in
addition to feeling some personal accountability for the problem for not
having baked in a solution into SIP at the outset.

You are of course correct that one could in fact take just the SIP aspect
of this draft, and emit it from the CA to rather than have it be
distributed amongst agents. Though that is a lower bar still for deployment
than an ENUM-style process, I think its still quite a high bar for a CA in
terms of the accountability that it entails. The CA still becomes
accountable for holding an accurate and authoritative database of numbers
for (presumably) a very large number of users, for keeping it up to date,
for handling corrections should an error get made (which invariably it will
for some reason), for deciding how to price such a service, for dealing
with whatever local regulations their lawyers think they may be signing up
for by being in the telco business. Since, regardless of how this database
gets populate, they are in the telco business because they sell a telco
database.

Distributing the work distributes the accountability, and places it in the
first party (the entity that consumes it) rather than the third party (with
someone else). That is a dramatic difference.

-Jonathan R.


On Fri, Mar 2, 2018 at 12:56 PM, Peterson, Jon <jon.peterson@team.neustar>
wrote:

>
> Well nice of you to join us here, finally!
>
> So broadly, we have long needed some kind of proof-of-possession test for
> calling party numbers to help expedite STIR deployment. We've sketched out
> various approaches like doing that with SMS return-routability tests (see
> section 4.2 of draft-ietf-acme-telephone, say), and having a SIP-level way
> to do such a test definitely seems like a valid approach. I don't recall
> that we've considered a kind of "callback on first use" (COFU?) approach to
> this before. It has some good properties.
>
> I guess the one comment I'd make about the overall direction though is
> that up until now, I've been envisioning staging these proof-of-possession
> tests within ACME. In other words, propping up a boulder implementation
> that would challenge with some kind of routability test to establish
> effective proof of control of a number in order to get you an 8226
> individual-TN cert. Practically speaking, that ACME challenge could use
> stir-callback pretty much as your draft describes it. I don't think
> deploying an ACME CA to do this faces anything like the practical hurdles
> that faced public ENUM, say. It's something anyone could do tomorrow (if
> the necessary elements supported stir-callback tomorrow).
>
> I suppose, speaking to the example in the stir-callback Overview section,
> that requiring Bob's call agent to maintain a "validation cache" that maps
> calling party numbers to public keys serves a similar purpose to having a
> CA that effectively attests that calling party numbers are associated with
> certificates. The question is whether that mapping database is better
> staged in one or more ACME-style CAs or in every call agent that
> participates in this architecture. Off the top of my head it doesn't seem
> easier to be from an implementation or deployment standpoint to stage this
> in the call agents. And doing this in a way that gives you an 8226 cert -
> even a self-signed one - would I think have a more realistic incremental
> deployment path toward the long-term STIR architecture.
>
> So definitely support having this capability, I think there are choices to
> make about exactly how to approach it, and we should discuss in London. We
> need this, so I'm happy to see some energy around it.
>
> Jon Peterson
> Neustar, Inc.
>
> From: stir <stir-bounces@ietf.org> on behalf of Jonathan Rosenberg <
> jdrosen@jdrosen.net>
> Date: Thursday, March 1, 2018 at 6:14 PM
> To: "stir@ietf.org" <stir@ietf.org>
> Subject: [stir] New draft draft-rosenberg-stir-callback-00
>
> Hey all - been a while :)
>
> Cullen and I wrote up a concept for using STIR with self-signed or domain
> based certs, and then handling number validation with an in-band callback.
> We think its a promising approach to accelerate STIR deployments, since it
> allows them to happen without the cert infrastructure being in place.
>
> https://www.ietf.org/id/draft-rosenberg-stir-callback-00.txt
>
> Comments welcome.
>
> -Jonathan R.
>
> --
> Jonathan Rosenberg, Ph.D.
> jdrosen@jdrosen.net
> http://www.jdrosen.net
>
>


-- 
Jonathan Rosenberg, Ph.D.
jdrosen@jdrosen.net
http://www.jdrosen.net

v2.23.0 | Report a Bug | By Email