Re: [stir] WG Last Call for draft-ietf-stir-rph-emergency-services-02

Brian Rosen <br@brianrosen.net> Tue, 18 August 2020 21:46 UTC

From: Brian Rosen <br@brianrosen.net>
In-Reply-To: <16089772-528A-462E-B3CF-AAAC6C3A8F2A@vigilsec.com>
Date: Tue, 18 Aug 2020 17:45:57 -0400
Cc: IETF STIR Mail List <stir@ietf.org>
Message-Id: <1D18963E-CD70-4B23-99DA-67D5E0071107@brianrosen.net>
References: <8372C576-08B7-41C4-B021-38622BABAD25@vigilsec.com> <919FC584-18AF-4419-B174-B9FB37B6439D@vigilsec.com> <16089772-528A-462E-B3CF-AAAC6C3A8F2A@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/GsQ76bBIE04aaKBJ-sDnPQGMzCY>

See my reply to Jack for more info.

For an emergency call, we are protecting the use of rph with the esnet namespace to be limited to emergency calls.  So the signer checks From as usual, and checks Request URI to see that it is urn:service:sos, and if so, checks rph to see that it is esnet.1.  SIP Priority is not used with emergency calls.  It could modify rph if it wanted to and then sign, or refuse to put in the claim.

For a call back, the signer has to know that the calling entity is an allowed authority (or it may be that the authority signs its own calls).  That permits SIP Priority to use the call back marking.  rph must be esnet.0 or get modified as above to get the claim.

> On Aug 17, 2020, at 10:36 AM, Russ Housley <housley@vigilsec.com> wrote:
> 
> I am confused by the last sentence of the Introduction (Section 1).  It says:
> 
>   In addition, the PASSPorT claims and values defined in
>   this document are intended for use in environments where there are
>   means to verify that the signer of the SIP 'Resource-Priority' and
>   'Priority' header fields is authoritative.
> 
> The signer signs the PASSPorT.  The PASSPorT includes claims, and each claim has a value.  By construction, the values are expected to match the SIP 'Resource-Priority' header field and the SIP 'Priority' header field.  Is this saying that the PASSPorT must be authoritative for these claims if they are present?
> 
> 
> In Section 3.1, I expected a MUST statement that says what appears in the value of the "ESorig" value.  It says what MUST appear on other claims around the "rph" claim, but it only gives an example of a value that matches an SIP 'Resource-Priority' header field.
> 
> 
> Likewise in Section 3.2, I expected a MUST statement that says what appears in the value of the "EScallback" value.  It says what MUST appear on other claims around the "rph" claim, but it only gives an example of a value that matches an SIP 'Resource-Priority' header field.
> 
> 
> In Section 3.2, I believe that the last paragraph applies to both the "ESorig" value and the "EScallback" value, so it probably belongs in Section 3 or a separate subsection.
> 
> 
> Section 4 says:
> 
>   Therefore, we define a new claim key as part of the "rph" PASSporT, ...
> 
> I think it would be more clear to say:
> 
>   Therefore, we define a new claim key to be used in a PASSporT that includes "rph" claim, ...
> 
> 
> Section 6 should use RFC 2119 wording:
> 
>   The use of the compact form of PASSporT is not specified in this
>   document.   Use of the compact form of PASSporT is NOT
>   RECOMMENDED for a PASSporT that includes a "rph" claim.
> 
> 
> I think that the Security Considerations (Section 8) should say something about the consequences of a PASSPorT that includes the "rph" or "sph" claim that is signed by a party that is not authoritative for the SIP 'Resource-Priority' header field and the SIP 'Priority' header field.
> 
> Russ
> (No Hats)
> 
> 
>> On Jul 31, 2020, at 11:29 AM, Russ Housley <housley@vigilsec.com> wrote:
>> 
>> 
>> This is the STIR WG Last Call for "Assertion Values for a Resource Priority Header Claim and a SIP Priority Header Claim in Support of Emergency Services Networks" <draft-ietf-stir-rph-emergency-services-02>.  Please review the document and send your comments to the STIR WG mail list by 22 August 2020.
>> 
>> https://datatracker.ietf.org/doc/draft-ietf-stir-rph-emergency-services/
>> 
>> Thanks,
>> Robert & Russ
> 
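The signer-side gate that Brian Rosen describes at the top of this message (check From as usual, check the Request-URI for urn:service:sos, require esnet.1 on an emergency call with no SIP Priority, require esnet.0 from an allowed callback authority, and either rewrite rph or refuse the claim) as a worked example. This code is added here; it is not part of the thread or of the draft. The header field names, the `{"rph": {"auth": [...]}}` and `"sph"` claim layout, the `psap-callback` Priority value and the sample numbers are assumptions of this example.

```python
# Added illustration of the signer-side check described in the reply above.
# Decide whether a PASSporT for this SIP request may carry the esnet "rph"
# claim (and the callback "sph" claim), and whether to rewrite or refuse.
# Claim layout, header names and the callback marking are assumptions of
# this example, not text from the draft.
from dataclasses import dataclass
from typing import Callable, Optional

SOS_URN = "urn:service:sos"        # Request-URI prefix of an emergency call
ESNET_EMERGENCY = "esnet.1"        # rph value expected on an emergency call
ESNET_CALLBACK = "esnet.0"         # rph value expected on a PSAP callback
CALLBACK_MARK = "psap-callback"    # assumed SIP Priority value for callbacks


@dataclass
class SipRequest:
    request_uri: str
    from_tn: str                              # telephone number in From
    resource_priority: Optional[str] = None   # SIP Resource-Priority header
    priority: Optional[str] = None            # SIP Priority header


@dataclass
class SignerDecision:
    claims: dict                       # claims to add; empty when no claim
    resource_priority: Optional[str]   # esnet value after any rewrite
    reason: str


def esnet_value(resource_priority: Optional[str]) -> Optional[str]:
    """Pick the esnet namespace value out of a Resource-Priority header,
    which may list several namespaces separated by commas."""
    if resource_priority is None:
        return None
    for token in resource_priority.split(","):
        token = token.strip().lower()
        if token.startswith("esnet."):
            return token
    return None


def decide(req: SipRequest, owns_from: Callable[[str], bool],
           callback_authorities: set, rewrite: bool = False) -> SignerDecision:
    """Apply the reply's checks in order: From, then Request-URI, then rph.
    rewrite=True takes the 'modify rph and then sign' option; False refuses
    to put in the claim when rph does not carry the expected value."""
    esnet = esnet_value(req.resource_priority)

    def no_claim(why: str) -> SignerDecision:
        return SignerDecision({}, esnet, why)

    # 1. The signer checks From as usual: it must be authoritative for the TN.
    if not owns_from(req.from_tn):
        return no_claim("signer is not authoritative for From")

    # 2. Emergency call: Request-URI is urn:service:sos, rph must be esnet.1,
    #    and SIP Priority is not used with emergency calls.
    if req.request_uri.lower().startswith(SOS_URN):
        if req.priority is not None:
            return no_claim("SIP Priority is not used with emergency calls")
        if esnet != ESNET_EMERGENCY:
            if not rewrite:
                return no_claim(f"rph {esnet!r} is not {ESNET_EMERGENCY}")
            esnet = ESNET_EMERGENCY
        return SignerDecision({"rph": {"auth": [esnet]}}, esnet, "emergency call")

    # 3. Callback: only an allowed authority may use the callback marking,
    #    and rph must be esnet.0 (or be rewritten to it).
    if req.from_tn in callback_authorities:
        if esnet != ESNET_CALLBACK:
            if not rewrite:
                return no_claim(f"rph {esnet!r} is not {ESNET_CALLBACK}")
            esnet = ESNET_CALLBACK
        claims = {"rph": {"auth": [esnet]}}
        if req.priority == CALLBACK_MARK:
            claims["sph"] = CALLBACK_MARK   # assumed layout of the sph claim
        return SignerDecision(claims, esnet, "PSAP callback")

    # 4. Anything else gets no esnet claim, whatever rph says: an unverified
    #    caller must not obtain the emergency or callback marking.
    return no_claim("not an emergency call and From is not a callback authority")


# Constructed sample policy: the signer is authoritative for all +1 numbers,
# and one constructed TN is an allowed callback authority.
def sample_owns(tn: str) -> bool:
    return tn.startswith("+1")


SAMPLE_AUTHORITIES = {"+15555550100"}

if __name__ == "__main__":
    for req in (SipRequest(SOS_URN, "+15555551234", "esnet.1"),
                SipRequest(SOS_URN, "+15555551234", "esnet.2, wps.3"),
                SipRequest("sip:+15555551234@example.net", "+15555550100",
                           "esnet.0", CALLBACK_MARK),
                SipRequest("sip:+15555551234@example.net", "+15555559999",
                           "esnet.0", CALLBACK_MARK)):
        d = decide(req, sample_owns, SAMPLE_AUTHORITIES)
        print(d.reason, d.claims)
```

The ordering matters: the From check runs before anything else, so a non-authoritative signer never reaches the rph logic, and a call that is neither to urn:service:sos nor from a callback authority gets no esnet claim even when its Resource-Priority already says esnet.0 or esnet.1.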