IETF Logo Mail Archive

Re: [stir] Questions about stir-certificates

Richard Shockey <richard@shockey.us> Mon, 23 October 2017 18:54 UTC

Return-Path: <richard@shockey.us>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8087138A38 for <stir@ietfa.amsl.com>; Mon, 23 Oct 2017 11:54:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.7
X-Spam-Level:
X-Spam-Status: No, score=-4.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=shockey.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1R0mWDSvF-L for <stir@ietfa.amsl.com>; Mon, 23 Oct 2017 11:53:58 -0700 (PDT)
Received: from qproxy2.mail.unifiedlayer.com (qproxy2-pub.mail.unifiedlayer.com [69.89.16.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ABDF132055 for <stir@ietf.org>; Mon, 23 Oct 2017 11:53:58 -0700 (PDT)
Received: from cmgw4 (unknown [10.0.90.85]) by qproxy2.mail.unifiedlayer.com (Postfix) with ESMTP id 02AE6356EF for <stir@ietf.org>; Mon, 23 Oct 2017 12:53:58 -0600 (MDT)
Received: from box462.bluehost.com ([74.220.219.62]) by cmgw4 with id R6ou1w00N1MNPNq016oxdZ; Mon, 23 Oct 2017 12:48:58 -0600
X-Authority-Analysis: v=2.2 cv=JNNLi4Cb c=1 sm=1 tr=0 a=jTEj1adHphCQ5SwrTAOQMg==:117 a=jTEj1adHphCQ5SwrTAOQMg==:17 a=IkcTkHD0fZMA:10 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=02M-m0pO-4AA:10 a=jqBRFv0mrdUA:10 a=ZZnuYtJkoWoA:10 a=48vgC7mUAAAA:8 a=izV7ms69AAAA:8 a=w1VtefKfAAAA:8 a=E9wxQxLyAmEP0Ino9IsA:9 a=fDxZP-Tc80M-g4rY:21 a=69_WSeDY5tBHK06T:21 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=xm8PXHvXF9WL09pmvKgj:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-transfer-encoding:Content-type:Mime-version:In-Reply-To :References:Message-ID:CC:To:From:Subject:Date:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=6iJoPrs+Ld++48FjjAojvpIqko1GdWqUncymS5CZJEw=; b=Y47ojKVy6gARCXDtARJrTcKcFT /yDKkq5D+r2j4xkf2J2NX6V1c20yweKiAHtRNZGLX4xWDPoM97G0bqpvDquaIRDUu2uKzh2qvyYTW wWxgvCNAuf6QxFUZkdyjOOY9m;
Received: from pool-100-36-44-145.washdc.fios.verizon.net ([100.36.44.145]:58691 helo=[192.168.1.152]) by box462.bluehost.com with esmtpa (Exim 4.87) (envelope-from <richard@shockey.us>) id 1e6hmQ-000moC-6G; Mon, 23 Oct 2017 12:48:54 -0600
User-Agent: Microsoft-MacOutlook/f.27.0.171010
Date: Mon, 23 Oct 2017 14:48:52 -0400
From: Richard Shockey <richard@shockey.us>
To: "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>, Chris Wendt <chris-ietf@chriswendt.net>
CC: "stir@ietf.org" <stir@ietf.org>
Message-ID: <7D3DAAC3-9C41-479F-BC6B-FD295F0050CC@shockey.us>
Thread-Topic: [stir] Questions about stir-certificates
References: <D60E0087.1EEE44%jon.peterson@neustar.biz> <CABkgnnV41djmwJ2A8WkLv1Qu_zxAKPb8EJnuoFS1Zeog3momyQ@mail.gmail.com> <6432f01322c74b1196075c4549f18a12@plswe13m04.ad.sprint.com> <4bbb6330-96e7-6317-cbae-07991075e776@alum.mit.edu> <171f91651e9e4a2eb7873fdbe1b9fcea@plswe13m04.ad.sprint.com> <4e1c72a3-4ae0-d424-8dfd-fff1c7049cdb@alum.mit.edu> <C0F0887C-F247-4B37-99DB-BF175943914C@chriswendt.net> <20d0f1d0-f4cc-2bed-b493-7cb4bfe746d1@alum.mit.edu> <B198E322-83DB-4507-AAAD-ABA071FDBF29@shockey.us> <d4fee7e927a7483d9f2a5fd30b161348@plswe13m04.ad.sprint.com>
In-Reply-To: <d4fee7e927a7483d9f2a5fd30b161348@plswe13m04.ad.sprint.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box462.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - shockey.us
X-BWhitelist: no
X-Source-IP: 100.36.44.145
X-Exim-ID: 1e6hmQ-000moC-6G
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-100-36-44-145.washdc.fios.verizon.net ([192.168.1.152]) [100.36.44.145]:58691
X-Source-Auth: richard+shockey.us
X-Email-Count: 4
X-Source-Cap: c2hvY2tleXU7c2hvY2tleXU7Ym94NDYyLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/8kn5Lr29O-IR3MjhTnPJI52pIVs>
Subject: Re: [stir] Questions about stir-certificates
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 18:54:01 -0000


+1 .. I sat in those meetings with the FTC as did Martin Dolly and Chris Wendt. This is my point that the regulators do have ligitmate concerns but are willing to be helpful without being prescriptive.  As a additional note I also recently met with the FCC folks including brother Eric Burger and they had similar concerns.  

That said we will may see some further regulatory action in the 17-97 FCC docket within 90 days or so.  Right now the industry is digesting the implications of National Number Portability which is REALLY going to have a profound effect on US call routing. 

 

On 10/23/17, 2:37 PM, "stir on behalf of Gorman, Pierce A [CTO]" <stir-bounces@ietf.org on behalf of Pierce.Gorman@sprint.com> wrote:

    Paul,
    
    There's a letter from Janice Kopec at the Federal Trade Commission (filed as ATIS document "IPNNI-2017-00106R000.pdf") to Tom Goode, General Counsel for ATIS, where the FTC staff provided feedback and guidelines for developing SHAKEN/STIR Caller Validation Display that may provide helpful context around some of the remarks in the discussion.
    
    A few of the FTC comments were:
    
    * Design fallbacks (e.g., when technology fails or is not available for some users, how does the system react and what is communicated)
    
    * Warnings need to be accurate , or else users will get habituated and ignore them
    
    * What do full, partial, and gateway attestation translate to in plain language?
    
    * What are carriers able to vouch for with those data points, and with what level of confidence?  Need consistent interpretation of levels of validation.
    
    * How will carriers handle calls at each level of attestation, when calls fail attestation, and when attestation is absent?
    
    *Clearly differentiate between information about the caller ID and information about the content of the call.  Just because a call is authenticated doesn't mean the content of the call can be trusted.
    
    Remember that SHAKEN attestion doesn't provide anything with respect to call content and intent.  And, robocalling and spoofed caller ID are not illegal.  They're used by government agencies and charities too, not just bad actors.
    
    Call processing systems have a large variety of information presented to them from protocols designed by committees and interpeted by commercial programmers operating under challenging timelines and with limited resources.  Creating a stable consistent experience several millions of times a day will not be a quick achievement.  IMHO, application of SHAKEN/STIR will be permissive in the early stages, and really needs to be married to outboard analytics which look at things like network calling patterns and permit/deny lists in order to be able to render more reliable judgements to the network (or a client application) with respect to relative trustworthy-ness of a call attempt.
    
    -----Original Message-----
    From: Richard Shockey [mailto:richard@shockey.us]
    Sent: Monday, October 23, 2017 11:28 AM
    To: Paul Kyzivat <pkyzivat@alum.mit.edu>; Chris Wendt <chris-ietf@chriswendt.net>
    Cc: stir@ietf.org; Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>
    Subject: Re: [stir] Questions about stir-certificates
    
    
    For suitably smart devices (e.g. mobile phones) I would hope that
        various apps and configuration options for those apps can provide the UI
        to users. Then app providers can compete on who does it better and users
        can choose. And these can evolve over time as the uptake on the signing
        increases. Maybe this is what you mean by Call Analytics apps.
    
        It would be bad if all of this gets locked up in the FCC regulatory regime.
    
    RS> Paul I don’t think this is going to get locked up in a FCC/FTC OFCOM CRTC like regime but the regulators do have legitimate concerns on consistency. The regulators have actually been quite helpful here. They are willing to eventually help with consumer education if the framework for display options is simple, and I also believe there are excellent opportunities for service providers to add value.   Sometimes choice is bad and confusing the consumer with different forms of UX could cause its own problems.  Its still early.
    
    
    
    
    ________________________________
    
    This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
    _______________________________________________
    stir mailing list
    stir@ietf.org
    https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email