Re: [stir] I-D Action: draft-ietf-stir-certificates-13.txt

Tony Rutkowski <tony@yaanatech.com> Thu, 30 March 2017 12:37 UTC

Return-Path: <tony@yaanatech.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A991296A3 for <stir@ietfa.amsl.com>; Thu, 30 Mar 2017 05:37:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9STINfDuYKNC for <stir@ietfa.amsl.com>; Thu, 30 Mar 2017 05:37:03 -0700 (PDT)
Received: from mil-admin2.yaanatech.net (38-110-174-11-static.dzbja.com [38.110.174.11]) by ietfa.amsl.com (Postfix) with ESMTP id 71C4312954A for <stir@ietf.org>; Thu, 30 Mar 2017 05:37:03 -0700 (PDT)
Received: from extmail1.yaanatech.com (12-12-158-76-static.dzbja.com [12.12.158.76]) by mil-admin2.yaanatech.net (Postfix) with ESMTP id 58FED1FC; Thu, 30 Mar 2017 12:37:03 +0000 (UTC)
Received: from [192.168.1.53] (pool-70-106-242-209.clppva.fios.verizon.net [70.106.242.209]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by extmail1.yaanatech.com (Postfix) with ESMTP id 6DF3558090; Thu, 30 Mar 2017 12:37:02 +0000 (UTC)
Reply-To: tony@yaanatech.com
References: <149065198337.30490.6512482120705975775@ietfa.amsl.com> <635a9167-e6d7-03e5-bc3c-f514d6502bdf@yaanatech.com> <DF9CA449-6415-4C62-97E8-77F9BE8E38B8@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF STIR Mail List <stir@ietf.org>, "Zhao, Houlin" <houlin.zhao@itu.int>, "v.dolmatov@minsvyaz.ru" <v.dolmatov@minsvyaz.ru>, "Yang, Xiaoya" <xiaoya.yang@itu.int>
From: Tony Rutkowski <tony@yaanatech.com>
Organization: Yaana Technologies LLC
Message-ID: <8bf5b32a-4765-f20d-8933-0aed10c76f24@yaanatech.com>
Date: Thu, 30 Mar 2017 08:37:01 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <DF9CA449-6415-4C62-97E8-77F9BE8E38B8@vigilsec.com>
Content-Type: multipart/alternative; boundary="------------9FF0FEE50FCC2074FF549BC8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/GMmf33_hqxA77i2VMLj8j1KiHV4>
Subject: Re: [stir] I-D Action: draft-ietf-stir-certificates-13.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 12:37:05 -0000

For consideration at today's IETF stir meeting.  I understand
that Mr. Dolmatov is at the meeting representing the ITU-T.

--tony

The internet draft specification 
<https://datatracker.ietf.org/doc/html/draft-ietf-stir-certificates> 
being considered here represents the IETF at its worst. In a foolhardy 
attempt to pander to an intractable FCC political problem, it hijacks a 
well-established ITU role and IPR that it seeks to impose as a “tech 
fix.” To boot, even after three years and 13 revisions, it remains 
unsuitable technically and operationally.

Indeed, the STIR group’s charter casts the misguided objective as a 
lamentation <https://datatracker.ietf.org/wg/stir/charter/>. It opines 
that if only all the world's telephone number allocating authorities 
issued digital certificates along with the numbers to the service 
providers receiving them, that were then used to authenticate and route 
traffic to end users, spoofed calls would end, robocalls would be 
mitigated, and the world would be a better place. It is a great 
altruistic academic idea that may play as techno-babble in alt-truth 
Washington, but it isn't even feasible except in highly controlled local 
environments.

Furthermore, the telephone number system, the provider identifier 
system, the means of allocation, and the establishment of authority are 
within the remit of the ITU and its Member States. The provisions are 
well established in international, regional, and domestic law and 
standards. Registration authorities exist to implement those 
provisions.It is also all their IPR.  The IETF cannot just take what it 
wishes and publish some new scheme it believes is a fix to the world's 
techno-social ills.

What has been cobbled together here is the technological equivalent of a 
Frankenstein creation with the TN Lists by Reference scheme in the 
draft, id-ad-stirTNList, nothing more than an amusing “wish list.”The 
actual “authoritative” references for telephone numbers and service 
providers and the related bindings that exist under ITU provisions are 
simply ignored.

Lastly, there are potential adverse consequences in addition to all of 
the above concerns. There are collateral vulnerabilities and impacts to 
other telephony infrastructure requirements that are far outside the 
narrow technical remit and competence of the IETF.There are also adverse 
consequences for the IETF itself.This will not play well within the ITU 
and its Member States which are being collectively hijacked. Indeed, the 
IETF as an Art. 50/CV231 member of ITU-T, has an obligation to 
collaborate with them when the ITU has similar work ensuing there. It 
may not even play well at industry venues like the CA/B Forum which if 
this kind of scheme were to go forward, could have been outsourced by 
the ITU-T there.And then there is the culpability of the IETF leadership 
if potential litigation were to ensue when a provider’s traffic gets 
blocked using this specification.

Any one of these factors should provide a basis for rejecting this 
Internet Draft.