Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
Dave Crocker <dhc@dcrocker.net> Mon, 08 August 2016 22:19 UTC
Return-Path: <dhc@dcrocker.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A67E612D0CB for <stir@ietfa.amsl.com>; Mon, 8 Aug 2016 15:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lqy06Hy7cgKs for <stir@ietfa.amsl.com>; Mon, 8 Aug 2016 15:19:12 -0700 (PDT)
Received: from simon.songbird.com (unknown [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C140312B02C for <stir@ietf.org>; Mon, 8 Aug 2016 15:19:12 -0700 (PDT)
Received: from [192.168.1.168] (76-218-8-128.lightspeed.sntcca.sbcglobal.net [76.218.8.128]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u78MJ8Sq027491 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Mon, 8 Aug 2016 15:19:09 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1470694749; bh=VeNlcvCCtyCxWhIuTFF/hkxs9Ut6pMjvh98Cwh1NHv0=; h=Subject:To:References:Cc:From:Reply-To:Date:In-Reply-To:From; b=ixE1TM5ptTzC/kT+AOeT9BCle1RsLvbV3GgEcMyrg9Dq9MSuua9CeJXeYG0By0w8h CW0ZdLpL20MQHr22x5yQg0kHSrqJ/IdvzVmRUUuvZfntykjgJ4fgsJsnoYWxh0gV5p HqzjAXX5E5IXFKv37BGxd9IaXdJ6ZVPpXxcjyQLk=
To: "Peterson, Jon" <jon.peterson@neustar.biz>, Christer Holmberg <christer.holmberg@ericsson.com>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B4771FF73@ESESSMB209.ericsson.se> <5fdf4ad3-1528-3d79-6bdb-b5eb350e5c2a@alum.mit.edu> <dbb24381-55fd-fa64-d32b-fcc50265ccab@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B47723C55@ESESSMB209.ericsson.se> <503738d8-c166-dfc1-d153-338d56b844c1@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B4BBB1D69@ESESSMB208.ericsson.se> <51D45AE5-67D2-4120-BCA2-7BFC845E2126@neustar.biz> <fe9c9960-55f3-1187-f093-9adf13aaf841@dcrocker.net> <D3CE482C.1A6E69%jon.peterson@neustar.biz>
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <01df1722-2cb0-d238-dcb4-df101a657820@dcrocker.net>
Date: Mon, 08 Aug 2016 15:18:42 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <D3CE482C.1A6E69%jon.peterson@neustar.biz>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Dd4Iu1LEhB0cAozeQOtHrfF43GU>
Cc: "stir@ietf.org" <stir@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 22:19:13 -0000
On 8/8/2016 2:44 PM, Peterson, Jon wrote: > > PASSporT is indeed an object format in its own individual specification, > if that's what you mean by the "level of indirection". I consider it a It's not. It's more than that. The small thread that eventually produced your note was debating support for format processing and whether it was a requirement for a verifying entity to support the syntax. The conclusion was that it does. My point, however, is that you note makes clear there is an entire semantic engine embodied in Passport that is independent of SIP and independent of 4474bis. That engine needs care and feeding, just like any other networking service. Think carefully about the language you used: "... bare minimum" set of headers and claims that are mandatory for PASSporT. Ultimately, the question of what headers and claims are mandatory in PASSporT is a stir-passport question...will populate those mandatory components of a PASSporT object...Extensions may propose additional claims..." That's an entity that is more than just a format. > point of architectural modularity. Yes, and it's appealing. I /like/ modularization too. That's why it has taken be awhile to appreciate how much downside this particular modularization is introducing. If there were a variety of specifications that used and benefited from all that generality, it might be defensible. But the specifications in front of us today merely show added complexity, making concrete analysis challenging. At that, it's pretty clear that the specifications in front of us are still significantly incomplete. That is, they are insufficient for developing a working caller-id authentication service. The working group agreed to organize > the work this way because we did not want to tie STIR too closely to any > particular using protocol (such as SIP). I understand the motivation. Really I do. But after 3 years, SIP is all you've got and even that isn't complete. The actual job that needs to be > done here is mitigating the threats defined in our charter and threat > model, which are not specific to SIP. That phrasing is common in the email anti-abuse community too. Threats (attacks) are what motivate the work, and so threats are what everybody focuses on. However the underlying nature of the current solution path in fact is not to 'prevent' misbehavior, but rather to have a way of detecting valid behavior. That is, rather than a focus on MIStrust, authentication focuses on Trust... of the identifier. (The actor associated with the identifier might not be a good actor, but assessing that is a separate matter.) Again: It seeks to validate something, rather than to find things that aren't valid. Those sound obviously related but in fact they require entirely different operational modes. Consequently, I'll claim that the working group task isn't really to mitigate threats but to create a basis for trusting a caller-id, and I'll claim that that difference in wording has fundamental import. That the mechanism for doing this is resistant to those threats is merely an enticing distraction, because nothing in this work is going to stop that folk from creating false caller-ids. Really. Consider that point a bit... Over 90% of email traffic across the open Internet is still spam. However the mail that comes in with SPF and/or DKIM protection constitutes a clean channel of authorized identifiers. Mail coming through that channel can be handled differently that mail coming through the messy, unauthenticated channel. (And for folk who know something of the way actual filtering engines work, yes, I'm being simplistic.) Even though we've repeatedly > explained to you that this independence from SIP was the motivation for > adopting PASSporT, it still does not seem to be sinking in, as you keep > saying things below about how the role of PASSporT is SIP-specific. Actually, I've been careful to distinguish theory from fact. I said that the actual /use/ is for SIP. After 3 years, there are no other specifications than for SIP. And even that is incomplete. > Although you seem to feel that this modularity is for some reason a matter > of impossible complexity, the working group, as far as I can tell, is Marshall Rose once noted that with enough thrust, even pigs can fly. So I've been careful not to say or imply anything quite as absolute as 'impossible'. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… DOLLY, MARTIN C
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- [stir] Setting Direction for the STIR WG Last Call Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Richard Shockey
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Paul Kyzivat
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- [stir] JWT/JSON (was - Re: Review of: draft-ietf-… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Victor Pascual
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Burger
- [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Michael Hammer
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Alex Bobotek
- Re: [stir] Review of: draft-ietf-stir-passport-05 Stephen Farrell
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt