[stir] WG last call comments on stir-oob-04
Mary Barnes <mary.ietf.barnes@gmail.com> Thu, 18 April 2019 21:02 UTC
Return-Path: <mary.ietf.barnes@gmail.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BECA8120404 for <stir@ietfa.amsl.com>; Thu, 18 Apr 2019 14:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVTE3S3-x-hd for <stir@ietfa.amsl.com>; Thu, 18 Apr 2019 14:02:03 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A362120126 for <stir@ietf.org>; Thu, 18 Apr 2019 14:02:02 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id k18so2603153lfj.13 for <stir@ietf.org>; Thu, 18 Apr 2019 14:02:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=z28n4GeX2R4rpsELUusULQsCFO48E8uoJMD3EI4JLN4=; b=WUruST/syoEYmuk3m7eQP9w4aYJBFViYAjZQWRXPLP463xeiee2sRDkcgFd3QthbWc meqq13Uc7D4Vp/mYGjH92RJJDjwOCZztAMuOLmFYweTB9nXWsxNKT3JJDbYZQ92EQjg6 fzqbsPSfRWpdvgqSkMk87FICuLA1+VOJMMdw56EplAsa1TtzrU8+Bv3ArbPkDnEayR4l S2+pcEQcVYMuccF4DYQt37DvNMz0ae2yK6dh2HnQxM2Xuk+4YPXPjjmi4hm3V2x5yyVt xkggFhJ9KjXOxnoj8FnMknsW8SNkoN21DL0BqN45VeHdfHqQTOJLI4tN0xh80ftib82b tkrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=z28n4GeX2R4rpsELUusULQsCFO48E8uoJMD3EI4JLN4=; b=qAo5eTvRPJEtQLyn9EkrfXQ0Hw2WmuvbW6/T1smtuRec5idztqoz5snE1rvWOX0gVt wF1YgVA/DD6BuvFIHhsOcqDSZgk3Weauj12Uj9Hf5UMN2wM6zaiqZ7Fq9q4YiYWq8v3K UN4Tuy7f83Js0wWTmJ+k/EGMhiPa0kwQKeM2ujdAfQHUnaYjY0z+KTHLKtPgJV6/ARQ9 5I0SCF8joUYiiTAk9u3TQYt+LXYkCD8JDK0puItc+iV7yRaYMnLWtdBo8PQPKO4TGLpB LmYau3Hkv2srGPNSmlkIjtXJmaKSZiOXHSZRw2bcJTy9J0iGULcurUVHhaRWRq5DzH4c hD6w==
X-Gm-Message-State: APjAAAVtH5qDvGcG6pMqjeGhTRPjOTIqDf3+RaDhsJCa6IzVFpBkl+1S tE/z5KtNte7qgsri3Jyh8V/tDajW7Ly1gUeflvUovcli
X-Google-Smtp-Source: APXvYqxOC9opOrT6Az9tsbbY/zF4Gok3oLXiK+vQXiROjCjUfGh0lRreMlVSgN515/3rkqkiiQ58lU1nurj0xu0CKLs=
X-Received: by 2002:a19:e30b:: with SMTP id a11mr141244lfh.4.1555621320552; Thu, 18 Apr 2019 14:02:00 -0700 (PDT)
MIME-Version: 1.0
From: Mary Barnes <mary.ietf.barnes@gmail.com>
Date: Thu, 18 Apr 2019 16:01:49 -0500
Message-ID: <CAHBDyN5W_+dj_2o9ZeafLmJw=8LanR5DcnBz+85YTDppRaz51A@mail.gmail.com>
To: "stir@ietf.org Mail List" <stir@ietf.org>
Cc: Jon Peterson <jon.peterson@neustar.biz>, Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="0000000000003776550586d4503e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/FlWHv0I-zKtV4qpFc0bx7l7qzww>
Subject: [stir] WG last call comments on stir-oob-04
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 21:02:13 -0000
I think the document is not quite ready to progress and needs some minor changes, as also reflected by Russ' and Eric's reviews. I've responded inline to their review point(s) where I had similar concerns, rather than introduce yet again. I have also tried to not duplicate comments, but don't guarantee I didn't since I started my review prior to their posts. Regards, Mary. Minor comments: ---------------------- - General: per Eric's comments, there is still a lot of work to do to get this completed or even to get a simple profile specified. It might be very helpful somewhere to summarize the gaps that must be addressed. And, it should clearly state that this document doesn't provide a complete solution but rather identifies building blocks and gaps required to realize a solution. Maybe something like this added at the end of the introduction: "This document provides the operating environments in which this out-of-band STIR mechanism is intended to operate. It provides use cases and provides a description of the components and a solution architecture. It describes the storage and retrieval of PASSporTs in the CPS within this context. Gaps that must be addressed in a solution are also identified." - Section 1, 2nd paragraph. Is it really "most" calls that still traverse the PSTN? I would think "a number of" might be a better way to say that. - Section 5.2. I don't quite understand the premise in that first paragraph. Are there 2 simultaneous calls and once it hits the gateway it gets dropped? - Section 7.5, last paragraph. It seems to me that the recommendation for the amount of time to store a PASSporT should have some relation to the time chosen for verifying "iat" values in the PASSporT. Maybe change "for more than sixty seconds." to "something like "no longer than a value that might be selected for the verification service policy for freshness of the "iat" value as described in [RFC 8224]." As I recall, there was a conscious choice made to not put a specific value on that time in 8224 and I can't see why we wouldn't want to do the same here. Editorial nits: ----------------- - Section 1, 3rd sentence: I found this wording awkward, so I suggest the following change: OLD: For example, [RFC8224] defines an Identity header of SIP requests capable of carrying a PASSporT [RFC8225] object in SIP as a means ... NEW: For example, [RFC8224] defines a SIP Identity header field capable of carrying PASSporT [RFC8225] objects in SIP requests as a means ... - Section 4, 3rd paragraph. I think a list with numbers is more readable than this plain list. and strictly speaking an "or" at the end of item 1 is more accurate since I think you're describing two options. - Section 5.3, 1st paragraph: "it will immediate drop" -> "it will immediately drop" - Section 5.4, last paragraph: " perhaps the destination endpoints queries" -> "perhaps the destination endpoint queries" - Section 6.1, 3rd paragraph: "the most obviously way" -> "the most obvious way" - Section 6.2, 3rd paragraph: "will need decrypt" -> "will need to decrypt" - Section 7.3 Again, I think a numbered list is a better way to annotate those two points. - Section 7.5. Ditto Russ' comment on reference to "blind signature" - The reference to the VIPR overview spec isn't to the most recent version. It should be draft-jennings-vipr-overview (and as I've said a number of times, I think it would be good to actually publish that one)
- [stir] WG last call comments on stir-oob-04 Mary Barnes
- Re: [stir] WG last call comments on stir-oob-04 Peterson, Jon