Re: [stir] New draft draft-rosenberg-stir-callback-00
"Peterson, Jon" <jon.peterson@team.neustar> Fri, 02 March 2018 17:56 UTC
Return-Path: <prvs=0599aac512=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1112A12DA1D for <stir@ietfa.amsl.com>; Fri, 2 Mar 2018 09:56:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TxykLYq7tL4o for <stir@ietfa.amsl.com>; Fri, 2 Mar 2018 09:56:20 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6F6412D96C for <stir@ietf.org>; Fri, 2 Mar 2018 09:56:20 -0800 (PST)
Received: from pps.filterd (m0049401.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w22Hqnut032020; Fri, 2 Mar 2018 12:56:20 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : subject : date : message-id : content-type : mime-version; s=selector1; bh=tCdak7WcIKN61mdE/IxyBbXFJi5TLjY4jI1uQf7gEjo=; b=QQxMLO2F/xzluP+2v6cVR33Cvohe8vhi+sOEom4g1DIbk1wRFtynF8HPi+NAm81hX7rC ChbUuB+Cnu2KNADd/N2dHG5ZjthsaKndXuKIY1KX/MuXKEOoRC6M2OtaKjZE0tvo0dy2 LY21Z0TdRHNDTCikM3wPdKKvmDtEJHR305kTyIRViy23GRRHgBkbQn0u0K6QDLL3A1JR 9BkNuUpsVBHite3YmC+ZdCFf5TXiGl9FaewDZjyiA/jupfJayBxxx+aUmjEgSuSXcyGQ pYpAuD1CbnudCgZPpMgNCLI3K51Bm0oI2xxzy7RsAU+JshuoAnytN4jX6kDmkdsz0QW0 rg==
Received: from stntexhc10.cis.neustar.com ([156.154.17.216]) by mx0b-0018ba01.pphosted.com with ESMTP id 2gf7vagbru-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 02 Mar 2018 12:56:19 -0500
Received: from STNTEXMB11.cis.neustar.com ([169.254.1.236]) by stntexhc10.cis.neustar.com ([10.31.58.69]) with mapi id 14.03.0279.002; Fri, 2 Mar 2018 12:56:18 -0500
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Jonathan Rosenberg <jdrosen@jdrosen.net>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] New draft draft-rosenberg-stir-callback-00
Thread-Index: AQHTsk/DYZ2w7GlmlkqN0S1MTkIqWg==
Date: Fri, 02 Mar 2018 17:56:18 +0000
Message-ID: <D6BEC6D8.1F70D3%jon.peterson@neustar.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
x-originating-ip: [10.96.12.153]
Content-Type: multipart/alternative; boundary="_000_D6BEC6D81F70D3jonpetersonneustarbiz_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-02_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803020212
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/ClL1jRLnvWQ97fvBe2u4oIl636M>
Subject: Re: [stir] New draft draft-rosenberg-stir-callback-00
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 17:56:23 -0000
Well nice of you to join us here, finally! So broadly, we have long needed some kind of proof-of-possession test for calling party numbers to help expedite STIR deployment. We've sketched out various approaches like doing that with SMS return-routability tests (see section 4.2 of draft-ietf-acme-telephone, say), and having a SIP-level way to do such a test definitely seems like a valid approach. I don't recall that we've considered a kind of "callback on first use" (COFU?) approach to this before. It has some good properties. I guess the one comment I'd make about the overall direction though is that up until now, I've been envisioning staging these proof-of-possession tests within ACME. In other words, propping up a boulder implementation that would challenge with some kind of routability test to establish effective proof of control of a number in order to get you an 8226 individual-TN cert. Practically speaking, that ACME challenge could use stir-callback pretty much as your draft describes it. I don't think deploying an ACME CA to do this faces anything like the practical hurdles that faced public ENUM, say. It's something anyone could do tomorrow (if the necessary elements supported stir-callback tomorrow). I suppose, speaking to the example in the stir-callback Overview section, that requiring Bob's call agent to maintain a "validation cache" that maps calling party numbers to public keys serves a similar purpose to having a CA that effectively attests that calling party numbers are associated with certificates. The question is whether that mapping database is better staged in one or more ACME-style CAs or in every call agent that participates in this architecture. Off the top of my head it doesn't seem easier to be from an implementation or deployment standpoint to stage this in the call agents. And doing this in a way that gives you an 8226 cert - even a self-signed one - would I think have a more realistic incremental deployment path toward the long-term STIR architecture. So definitely support having this capability, I think there are choices to make about exactly how to approach it, and we should discuss in London. We need this, so I'm happy to see some energy around it. Jon Peterson Neustar, Inc. From: stir <stir-bounces@ietf.org<mailto:stir-bounces@ietf.org>> on behalf of Jonathan Rosenberg <jdrosen@jdrosen.net<mailto:jdrosen@jdrosen.net>> Date: Thursday, March 1, 2018 at 6:14 PM To: "stir@ietf.org<mailto:stir@ietf.org>" <stir@ietf.org<mailto:stir@ietf.org>> Subject: [stir] New draft draft-rosenberg-stir-callback-00 Hey all - been a while :) Cullen and I wrote up a concept for using STIR with self-signed or domain based certs, and then handling number validation with an in-band callback. We think its a promising approach to accelerate STIR deployments, since it allows them to happen without the cert infrastructure being in place. https://www.ietf.org/id/draft-rosenberg-stir-callback-00.txt Comments welcome. -Jonathan R. -- Jonathan Rosenberg, Ph.D. jdrosen@jdrosen.net<mailto:jdrosen@jdrosen.net> http://www.jdrosen.net
- [stir] New draft draft-rosenberg-stir-callback-00 Jonathan Rosenberg
- Re: [stir] New draft draft-rosenberg-stir-callbac… Peterson, Jon
- Re: [stir] New draft draft-rosenberg-stir-callbac… Jonathan Rosenberg
- Re: [stir] New draft draft-rosenberg-stir-callbac… David Frankel
- Re: [stir] New draft draft-rosenberg-stir-callbac… Cullen Jennings (fluffy)
- Re: [stir] New draft draft-rosenberg-stir-callbac… David Frankel
- Re: [stir] New draft draft-rosenberg-stir-callbac… Gorman, Pierce A [CTO]
- Re: [stir] New draft draft-rosenberg-stir-callbac… Peterson, Jon