[stir] Please review of the changes in draft-ietf-stir-certificates-12

Russ Housley <housley@vigilsec.com> Tue, 14 March 2017 19:58 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 66D0B129485 for <stir@ietfa.amsl.com>; Tue, 14 Mar 2017 12:58:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id GtxMr3eCkTjb for <stir@ietfa.amsl.com>; Tue, 14 Mar 2017 12:58:22 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F7F813145B for <stir@ietf.org>; Tue, 14 Mar 2017 12:58:19 -0700 (PDT)
Received: from localhost (localhost []) by mail.smeinc.net (Postfix) with ESMTP id 4A4E8300498 for <stir@ietf.org>; Tue, 14 Mar 2017 15:58:18 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([]) by localhost (mail.smeinc.net []) (amavisd-new, port 10026) with ESMTP id 4yRCRaeJSeuc for <stir@ietf.org>; Tue, 14 Mar 2017 15:58:16 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net []) by mail.smeinc.net (Postfix) with ESMTPSA id B927430009D for <stir@ietf.org>; Tue, 14 Mar 2017 15:58:15 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 14 Mar 2017 15:58:15 -0400
References: <148944514304.20433.18401863740413392734@ietfa.amsl.com>
To: IETF STIR Mail List <stir@ietf.org>
In-Reply-To: <148944514304.20433.18401863740413392734@ietfa.amsl.com>
Message-Id: <E93F087A-CEA5-43B0-A37B-AC73B042CF17@vigilsec.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/DjF3JJmiD78yI_J8_dWuPRAvGa0>
Subject: [stir] Please review of the changes in draft-ietf-stir-certificates-12
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 19:58:32 -0000


> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Telephone Identity Revisited of the IETF.
>        Title           : Secure Telephone Identity Credentials: Certificates
>        Authors         : Jon Peterson
>                          Sean Turner
> 	Filename        : draft-ietf-stir-certificates-12.txt
> 	Pages           : 20
> 	Date            : 2017-03-13
> Abstract:
>   In order to prevent the impersonation of telephone numbers on the
>   Internet, some kind of credential system needs to exist that
>   cryptographically asserts authority over telephone numbers.  This
>   document describes the use of certificates in establishing authority
>   over telephone numbers, as a component of a broader architecture for
>   managing telephone numbers as identities in protocols like SIP.

Section 8 was essentially rewritten to address the DISCUSS ballot position raised by Alexey, which said:

   Discuss (2016-11-01 for -11)

   I have one small issue that I would like to discuss before recommending approval of this document:

   Reading Section 8 I was unable to figure out what are "claim", "permitted" and "excluded" and what exact syntaxes they use. I think this is underspecified.
   You are probably missing some references, examples or both.

Part of the resolution was to simplify the constraint syntax by removing the excluded claim values.  This changes the limits that a certificate issuer might want to impose on a subordinate.

Also, Section 9 includes a small but significant change.  The SPID value in TNEntry was changed allow any service provider code, including OCNs and SPIDs.

Please review the new text in Section 8 and the change in Section 9.  Please make loud noises now if either of them causes any concern.