Re: [stir] Comments on draft-singh-stir-rph-00
"DOLLY, MARTIN C" <md3135@att.com> Sat, 17 June 2017 12:35 UTC
Return-Path: <md3135@att.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE9912948B for <stir@ietfa.amsl.com>; Sat, 17 Jun 2017 05:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.4
X-Spam-Level:
X-Spam-Status: No, score=-5.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEKo0DFvcZ4B for <stir@ietfa.amsl.com>; Sat, 17 Jun 2017 05:35:06 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C91AE129484 for <stir@ietf.org>; Sat, 17 Jun 2017 05:35:05 -0700 (PDT)
Received: from pps.filterd (m0049458.ppops.net [127.0.0.1]) by m0049458.ppops.net-00191d01. (8.16.0.17/8.16.0.17) with SMTP id v5HCZ2AT006823; Sat, 17 Jun 2017 08:35:02 -0400
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0049458.ppops.net-00191d01. with ESMTP id 2b4yvjmh4t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 17 Jun 2017 08:35:02 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id v5HCYuKl030222; Sat, 17 Jun 2017 08:34:57 -0400
Received: from mlpi409.sfdc.sbc.com (mlpi409.sfdc.sbc.com [130.9.128.241]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id v5HCYgfb029936 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 17 Jun 2017 08:34:52 -0400
Received: from MISOUT7MSGHUBAF.ITServices.sbc.com (MISOUT7MSGHUBAF.itservices.sbc.com [130.9.129.150]) by mlpi409.sfdc.sbc.com (RSA Interceptor); Sat, 17 Jun 2017 12:34:24 GMT
Received: from MISOUT7MSGUSRDB.ITServices.sbc.com ([169.254.2.162]) by MISOUT7MSGHUBAF.ITServices.sbc.com ([130.9.129.150]) with mapi id 14.03.0319.002; Sat, 17 Jun 2017 08:34:24 -0400
From: "DOLLY, MARTIN C" <md3135@att.com>
To: Robert Sparks <rjsparks@nostrum.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] Comments on draft-singh-stir-rph-00
Thread-Index: AQHS5rPN76224DuwKEeKufTxMJvMcKIo+SPA
Date: Sat, 17 Jun 2017 12:34:23 +0000
Message-ID: <E42CCDDA6722744CB241677169E836564AE359E4@MISOUT7MSGUSRDB.ITServices.sbc.com>
References: <0afe3f1a-92f8-4010-69a8-355fd50c1da1@nostrum.com>
In-Reply-To: <0afe3f1a-92f8-4010-69a8-355fd50c1da1@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.193.184]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-06-17_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1706170233
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/ITtFkmJ0aq08gSXPW_RW579HDBk>
Subject: Re: [stir] Comments on draft-singh-stir-rph-00
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jun 2017 12:35:08 -0000
Robert,
1. ok, we'll change it to, {"auth":"ets.0"}
2. there is one authority or delegate-authority per claim
3. Correct, the compact form is not allowed with this extension, and we will add explicit wording
4. we will remove the bullet
5. This depends on the "namespace":
5a. Civil emergency (e.g., 911) is an example of use is once (on that emergency call
5b. NS/EP (ets, wps) on a per session request where the user's priority is static
5c. MCPTT, the user has a default priority level which can change dynamically based on the user's role changing (e.g., patrol person is the first at the scene of an incident, the user's priority level is elevated till the SWAT team arrives)
We can add clarifying text
Ok with NITs
We will submit an update prior to the Internet Draft submission cut-off
Thank you,
Martin
-----Original Message-----
From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Robert Sparks
Sent: Friday, June 16, 2017 11:18 AM
To: stir@ietf.org
Subject: [stir] Comments on draft-singh-stir-rph-00
1) I'm not sure why we need to the label "Resource-Priority" in
{"auth":"Resource-Priority: ets.0"}
Why isn't that simply
{"auth":"ets.0"}?
or
{"rp":"ets.0"}?
2) Clarify whether you are looking for the possibility that a different authority signs this claim or if you're always expecting this claim to be signed by the same authority as the base claims. If they can be different (and we're talking separate passports), some additional description of the verification logic is needed to help address cut-paste attacks.
3) In section 4.2, is the implication that the compact form of passport is not allowed when using this extension? If so, saying that explicitly would be better.
4) Could you say more about the first bullet in 7.2 - it's not clear it's salient to this particular spec?
5) (Minor thing, probably in the weeds) : Is there a use case in the real world now where a user gets an enhanced priority, but is only allowed to use it once? If so, this spec should call out that this mechanism doesn't restrict the user to one call. They can call as many times as they can send an INVITE within the acceptable iat window and have the assertions check out. There will be out-of-protocol consequences of course...
Nits:
The first paragraph of 7.1 has a sentence that doesn't parse starting at
"A uniqueness of the set"
Text two bullets look like they're repeating the base spec and probably
don't need to be here?
_______________________________________________
stir mailing list
stir@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_stir&d=DwICAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=G9v8uCSSQhCmpw7ItG0r2g&m=XslLKBdaGua2zf9xq7arYhp374YsWCx-g-JuBylCC5k&s=DbmdUmAxKEidNwKqvXCqfyimvTMFL7zNWrssCpdci6I&e=
- [stir] Comments on draft-singh-stir-rph-00 Robert Sparks
- Re: [stir] Comments on draft-singh-stir-rph-00 DOLLY, MARTIN C