IETF Logo Mail Archive

Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd

Chris Wendt <chris-ietf@chriswendt.net> Mon, 26 September 2022 21:21 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 906C2C14CE2C for <stir@ietfa.amsl.com>; Mon, 26 Sep 2022 14:21:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rj1p-QhdKCNM for <stir@ietfa.amsl.com>; Mon, 26 Sep 2022 14:21:42 -0700 (PDT)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B87F5C14CE35 for <stir@ietf.org>; Mon, 26 Sep 2022 14:21:18 -0700 (PDT)
Received: by mail-il1-x130.google.com with SMTP id l4so4213690ilq.3 for <stir@ietf.org>; Mon, 26 Sep 2022 14:21:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date; bh=C7J+w+P9X6/lip6UCrOysCtE14HpM0aFrs4eX0p3ZoU=; b=omsq46+O04S9O3TqwKVugH5xGudKqbApJ+CMoOWFKYNtK4FHFB2BGv9pRN1P5AfJy7 ztDDX6pCF5aTcP5W3RZomYLSOJOG9Wyyu/ARl/WvF61YmHXiyI0Y1cUZmumLdSANgU5j PFYexxDkrSqZ42b5vNRSzU3W1b5pgF1aqCQJM83hQIEs2xunWS6AA3ZSCkGyP/2O+EN4 URUpWxuKRzWqHs65mzI+4LqTFemzvgvCL2JajXZQHwLKHxURwhVvMD7ukotaGQG2VGcz R+qFhgO0v9+TRjl7oL+Tm0ADGDYBJgHVgw+JZ4ybDXcLlLvH93ZDQBFcMH6cWMug12u+ IgEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=C7J+w+P9X6/lip6UCrOysCtE14HpM0aFrs4eX0p3ZoU=; b=znZshyKhpAszChYPRIaZ2OLqNB2UT+aVojPKP55ChySC1DpVnZ4YGHb67ygY3ncvJv WTFMDCFYydfxSLWdheYm+GPgMyizuKjYaaLxFHJhVe8U1hqOHwSQm0iW2v6tBUnUfu3R Dn6LPwSDsSRQ6+8+QF+lOjQFzjeMIa2TCZ2CDbYelnEZQq0putiOzf+YXzlfNuga2fpf ZJY76ev2d9kvb9ytm9+5gbfABNrKN670ALdPjAbUhmC5x3zzPVYIo9NHFCZoi0sxB7Zr n4t1adH0nkRG0zmnV21y3JP9V10e6IzvwQicZOOsaqNbUwOyY5YFTbMeb0gSR3CV1eJq gzaA==
X-Gm-Message-State: ACrzQf2JncjUzjj/xIJwm3DSylP6+TaoFJgDJnL1vjXUgtr790Jn685u hnfydqcE/mhtJk+sRhLMi9bQww==
X-Google-Smtp-Source: AMsMyM5dxSNmhbyMy3GKPnD191/HY7jxQ8f+8Jv3M8fMb/bOkRKu058VrUSKENq9e82Wy7yxY8XPJQ==
X-Received: by 2002:a92:b744:0:b0:2f6:19e9:ac89 with SMTP id c4-20020a92b744000000b002f619e9ac89mr11055126ilm.69.1664227277694; Mon, 26 Sep 2022 14:21:17 -0700 (PDT)
Received: from smtpclient.apple ([65.157.103.142]) by smtp.gmail.com with ESMTPSA id o16-20020a02a1d0000000b0035aab2f1ab1sm7189184jah.134.2022.09.26.14.21.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Sep 2022 14:21:17 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <CAL0qLwZaKc20eNus1wSj_-Zjys9prm1+55Ergtr=QDNi3G-sZg@mail.gmail.com>
Date: Mon, 26 Sep 2022 15:21:18 -0600
Cc: IETF STIR Mail List <stir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <22207E7F-87E9-41F1-B08E-5745F07353B5@chriswendt.net>
References: <CAL0qLwZaKc20eNus1wSj_-Zjys9prm1+55Ergtr=QDNi3G-sZg@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/EJ5V0CdtL8ugaBOIw-DwQwd440E>
Subject: Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2022 21:21:44 -0000

Hi Murray,

Many thanks for the review, comments inline, i have submitted a new 21 version of draft with specific fixes:

> On Sep 25, 2022, at 11:39 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:
> 
> Hi all, here are my review comments for this document.  Thanks for the work put into it.
> 
> -MSK
> 
> General:
> 
> I found several places where "indexes" was used instead of "indices".

Fixed

> 
> How do we know that the reason placed in a "crn" claim is true?  Could this be abused?  If so, should this be called out in Section 13 or 18 (or somewhere else)?

Section 8.1 was intended to address this use of constraints if the signer is “non-authoritative”.  The general concept is that RCD information should be vetted by trusted participants in the eco-system.  “crn” is a claim that i think we conceptually provide a bit more latitude with just because call reason may more generally be a more dynamic field, but there is nothing in the specification that doesn’t allow for an eco-system using this specification to mandate the use of constraints.  This is a balance we have needed to support for most of the specs to allow for flexibility depending on use of the specs.

> 
> Section 1:
> 
> The last sentence of the third paragraph, namely "However, both are ..., and therefore is ...", is a bit hard for me to parse.

Yes, rewrote to this simpler statement: "In this document, we utilize the STIR framework to more generally extend the assertion of an extensible set of identity information not limited to but including calling name."

> 
> In the fourth paragraph, "In" has been reduced to "n".

Fixed

> 
> Section 3:
> 
> * The last sentence of the first paragraph could use some commas, usually right before each "or".

Fixed

> 
> * "P-Asserted-ID" should be "P-Asserted-Identity".

Fixed

> 
> Section 4:
> 
> * "Often there is policy and restrictions ..." -- s/is/are/

Fixed

> 
> * "(Auth represents authoritative in this table)" -- I suggest quoting "Auth" and "authoritative", and adding a period after "table".

Fixed

> 
> Section 5.1.3:
> 
> * "... the call-info header field ..." -- s/call-info/Call-Info/

Fixed

> 
> Section 6:
> 
> The last paragraph describes the syntax of the values in this claim.  It says there is a delimiter in the value, namely a "minus" character.  I know what that means but I've never heard that character identified that way; it's usually "dash" or "hyphen".  In this era of Unicode, might it be better to identify it as ASCII 45?

Fixed

> 
> For that matter, would ABNF be useful here?

Likely would but we haven’t included it in other relevant specs, i would hate to add at last minute.

> 
> Section 8.1:
> 
> The "must" in here probably needs to be a "MUST".

Fixed

> 
> Section 13:
> 
> * "Even in first party cases, this admits of some complexity: ..." -- I don't understand the part after the comma; should "of" be dropped?

Yes, this was likely copy and paste error or something, Fixed by removing "this admits of some complexity: "

> 
> Section 14.1:
> 
> "Identity header" should be "Identity header field" (at least two instances).

Fixed

> 
> Section 14.2:
> 
> The "SHOULD" presents an implementer with a choice, but includes no guidance about how to make that choice.  I suggest adding some, or reconsidering whether SHOULD is appropriate here.

I did change this to a MUST, i think in the specific context of compact form procedures a MUST level is appropriate.

> 
> Section 17.2:
> 
> There isn't a registry called "PASSporT Types".  I only see "Personal Assertion Token (PASSporT) Extensions" and "PASSporT Resource Priority Header (rph) Types".  Which one are we modifying here?

Fixed

> 
> Section 17.3:
> 
> This should say that the new registry should be added to the "Personal Assertion Token (PASSporT)" group.

Fixed

> 
> A "Specification Required" registry will require nomination of one or more Designated Experts.  Do you have anyone to nominate?  Moreover, Section 4.6 of BCP 26 says you should provide guidance to the DE to be applied to new registrations once the registry is created.  That seems to be missing here.

Added and Fixed

> 
> You should also specify explicitly that new registrations consist only of a name and a reference document.

Fixed

> 
> Section 18:
> 
> I can't parse the first sentence of this section.

Rewrote this paragraph:
The process of signing information contained in a RCD PASSporT, whether its identities, alternate identities, images, logos, physical addresses, or otherwise should follow some vetting process in which an authoritative entity should follow an appropriate consistent policy defined and governed by the eco-system using RCD and the STIR framework. This can be of many forms, depending on the setup and constraints of the policy requirements of the eco-system and is therefore out-of-scope of this document. However, the general chain of trust that signers of RCD PASSporT are either directly authoritative or have been delegated authority through certificates using JWT Claim Constraints and integrity mechanisms defined in this and related documents is critical to maintain the integrity of the eco-system utilizing this and other STIR related specifications.

> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email