Re: [stir] Kathleen Moriarty's No Objection on draft-ietf-stir-certificates-11: (with COMMENT)

Sean Turner <> Thu, 03 November 2016 01:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 723781297BE for <>; Wed, 2 Nov 2016 18:02:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zuw4uOAQCrTJ for <>; Wed, 2 Nov 2016 18:02:01 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 242F31297FE for <>; Wed, 2 Nov 2016 18:01:56 -0700 (PDT)
Received: by with SMTP id t79so70430131wmt.0 for <>; Wed, 02 Nov 2016 18:01:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+aEfiWalQ39k8FNkrx410Gg2il/8u3cK2x7z5JVUoV8=; b=FU7b5LQoEs9zHQeADq5/leuXugUaOO5x+OhqXx2xrvrp/UyXB0UjSoWWk6We9Bmfae 0kgMfz9Q/L7IZmvSfOFiFbR/EHWuMt7l4rtn6XGT94eTROXR0fiBgLmih+/FFN+ekogD /IqmVHCsJFPqb5H+jDpGmoMEWrKBqZW39FzD0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+aEfiWalQ39k8FNkrx410Gg2il/8u3cK2x7z5JVUoV8=; b=CukhMNdVK4Co34AcZUCPGx3oGxJsM9iRYxadJuPg1W7Maic2/rFGHBk9Fk70lLTHbi WlINf5MKYhAiywq28Fg7BH8Or7Df5NxL4NRgbUoAkIr+ndNqKMJUUSleLsLkbpMYG9zv pGKSYuMXtn8VFE+KMRgKmZZNtcf/eqzpzamt7NZzYCMJQYrd4hAxTQqjdagtGRYPHVWw +HsDEuAscTl3uncQ60wIOuwby3jX4wq9q7FXTwWSl5pZLXc/4dGi3JCC9M0IxjkVpoeH cPz8Vl2O5bntfwUYYWCi41zZRODZl4VqQY38QvBowngTHu6NVK3RNoAPei4g+xMOJRdE KpFA==
X-Gm-Message-State: ABUngvcUh2MuCZXuJTlejqEaExv9d+L9Lw6aw6ZFlTxSV9F8aH6OS9FPZCagkH8eqeUomQ==
X-Received: by with SMTP id c126mr5719661wmh.110.1478134914629; Wed, 02 Nov 2016 18:01:54 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id xq9sm5597761wjb.35.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 02 Nov 2016 18:01:53 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <>
In-Reply-To: <>
Date: Wed, 02 Nov 2016 21:01:43 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Kathleen Moriarty <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Cc:,, The IESG <>,, Robert Sparks <>
Subject: Re: [stir] Kathleen Moriarty's No Objection on draft-ietf-stir-certificates-11: (with COMMENT)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Nov 2016 01:02:02 -0000

On Nov 02, 2016, at 14:46, Kathleen Moriarty <> wrote:
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-stir-certificates-11: No Objection
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Introduction: nit,
>   Robocallers use impersonation as a means
>   of obscuring identity; while robocallers can, in the ordinary PSTN,
>   block (that is, withhold) their caller identity, callees are less
>   likely to pick up calls from blocked identities, and therefore
>   appearing to calling from some number, any number, is preferable.
> s/appearing to calling/appearing to call/
> Section 10.2.1:
> I'm wondering why SHA-1 is described as follows instaed of
> discouraged/not allowed ...
> o  There is no requirement to support SHA-1, RSA with SHA-1, or DSA
>      with SHA-1.

This is really kind of a heads up/observation for implementers.  We didn’t think it necessary to fight the SHA-1 die-die-die fight to get this draft published.  In other words, this bullet could safely be dropped if it turns into a thing.

> I don't see any references to RFCs that update RFC5280, like RFC6818.  It
> would be good to include these when 5280 is used for revocation methods
> mentioned.  6818 is for CRLs.

There’s only one RFC that updates 5280 - 6818 ;)  I guess this gets down to your philosophy on the updates header.  YMMV, but if an RFC updates a previous one then referring to the updated RFC really ought to pull in the all the updates because it’s expected that all implementations of the original RFC also implemented the updates.  Adding the additional references would be the cautious thing to do but I’m thinking it shouldn’t be required that we do that.  Also note we 2119-recommend OCSP :)