Re: [stir] I-D Action: draft-ietf-stir-certificates-13.txt

Tony Rutkowski <tony@yaanatech.com> Tue, 28 March 2017 14:01 UTC

Return-Path: <tony@yaanatech.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7269129528; Tue, 28 Mar 2017 07:01:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztFEqteGDNPI; Tue, 28 Mar 2017 07:01:56 -0700 (PDT)
Received: from mil-admin1.yaanatech.net (38-110-174-3-static.dzbja.com [38.110.174.3]) by ietfa.amsl.com (Postfix) with ESMTP id 174D1128ACA; Tue, 28 Mar 2017 07:01:56 -0700 (PDT)
Received: from extmail1.yaanatech.com (12-12-158-76-static.dzbja.com [12.12.158.76]) by mil-admin1.yaanatech.net (Postfix) with ESMTP id D4FC8146; Tue, 28 Mar 2017 14:01:55 +0000 (UTC)
Received: from [192.168.1.53] (pool-70-106-242-209.clppva.fios.verizon.net [70.106.242.209]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by extmail1.yaanatech.com (Postfix) with ESMTP id 5E6C758090; Tue, 28 Mar 2017 14:01:55 +0000 (UTC)
Reply-To: tony@yaanatech.com
References: <149065198337.30490.6512482120705975775@ietfa.amsl.com>
To: internet-drafts@ietf.org, i-d-announce@ietf.org
Cc: stir@ietf.org, tsbdir@itu.int, jie.zhang@itu.int
From: Tony Rutkowski <tony@yaanatech.com>
Organization: Yaana Technologies LLC
Message-ID: <c28c2d24-917e-9895-9cb3-466402193669@yaanatech.com>
Date: Tue, 28 Mar 2017 10:01:54 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <149065198337.30490.6512482120705975775@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/KdhxXnNPc5oYWDcgy9wSCOg5-N8>
Subject: Re: [stir] I-D Action: draft-ietf-stir-certificates-13.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 14:01:59 -0000

This draft is getting better.  However, inquiring minds
would raise some substantive concerns about the construct
of authority over telephone numbers.

Perhaps the most significant one is the failure to cite
E.164 and related international standards as authoritative -
even though the purpose of the ID is "establishing authority
over telephone numbers."  Similarly, the chain of authority
described in section 5 is not accurate.  The identifiers are
those of the ITU and its Members pursuant to treaty
provisions, and then delegated to those Members (or in
a few cases to provider registrants directly) who in turn
delegate the administration to some entity, e.g., the NANPA.

For the U.S., the State Dept delegates the authority to the FCC
which in turn delegates it to NANPA.  Indeed, the U.S. Court of
Appeals decision a few days ago is especially relevant here,
as it established the authority of the Commission to enable
E.164 numbers being allocated directly to VoIP providers.  See

https://www.cadc.uscourts.gov/internet/opinions.nsf/30E3C0768DB6D78C852580ED004F9935/$file/15-1497-1667619.pdf

See also, https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-70A1_Rcd.pdf

On the other side of the "authority" binding, it is also
ICCs (ITU Carrier Codes) pursuant to M.1400 that are
the identifiers.  Here also in the U.S., the authority is
the U.S. State Dept which allocates it to the FCC which
in turn allocates it to NECA.  NECA is directed by the
FCC to use ATIS-0300251.  (The spec itself is not
authoritative.  It is simply informative for expressing
an identifier applicable for the U.S.)

As presently constructed, this draft seems to create its
own scheme for establishing and expressing authority
for E.164 numbers that is contrary to well established
legal and regulatory requirements domestically, regionally,
and internationally - creating its own Service Provider
Code out of thin air.  It also gives the appearance that
the IETF here is acting unilaterally as some kind of job
shop for a one-off local U.S. implementation rather
than acting as an international body.  Perhaps the ITU's
TSB and Study Group 2 can be helpful here.

--tony


On 27-Mar-17 5:59 PM, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Telephone Identity Revisited Working Group of the IETF.
>
>          Title           : Secure Telephone Identity Credentials: Certificates
>          Authors         : Jon Peterson
>                            Sean Turner
>          Filename        : draft-ietf-stir-certificates-13.txt
>          Pages           : 20
>          Date            : 2017-03-27
>
> Abstract:
>     In order to prevent the impersonation of telephone numbers on the
>     Internet, some kind of credential system needs to exist that
>     cryptographically asserts authority over telephone numbers.  This
>     document describes the use of certificates in establishing authority
>     over telephone numbers, as a component of a broader architecture for
>     managing telephone numbers as identities in protocols like SIP.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-stir-certificates-13
> https://datatracker.ietf.org/doc/html/draft-ietf-stir-certificates-13
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-stir-certificates-13
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir