Re: [stir] Benjamin Kaduk's No Objection on draft-ietf-stir-rph-03: (with COMMENT)

"Das, Subir" <sdas@appcomsci.com> Fri, 20 April 2018 01:08 UTC

Return-Path: <sdas@appcomsci.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 257291270AB; Thu, 19 Apr 2018 18:08:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ImAU6twFAPAQ; Thu, 19 Apr 2018 18:08:43 -0700 (PDT)
Received: from thumper.appcomsci.com (thumper.appcomsci.com [205.132.0.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9E371270A7; Thu, 19 Apr 2018 18:08:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thumper.appcomsci.com (Postfix) with ESMTP id 725336952DE; Thu, 19 Apr 2018 21:06:46 -0400 (EDT)
X-Virus-Scanned: by SpamTitan at appcomsci.com
Received: from thumper.appcomsci.com (localhost [127.0.0.1]) by thumper.appcomsci.com (Postfix) with ESMTP id 028516952D0; Thu, 19 Apr 2018 21:06:45 -0400 (EDT)
Received: from bambi.appcomsci.com (bambi.appcomsci.com [192.4.5.54]) by thumper.appcomsci.com (Postfix) with ESMTPS id CD85C69521B; Thu, 19 Apr 2018 21:06:45 -0400 (EDT)
Received: from brg-exmb1.ats.atsinnovate.com (exch.appcomsci.com [192.4.5.112]) by bambi.appcomsci.com (8.14.4/8.13.4) with ESMTP id w3K18ej5025263; Thu, 19 Apr 2018 21:08:40 -0400
Received: from RRC-ATS-EXMB2.ats.atsinnovate.com ([2002:c004:56a::c004:56a]) by brg-ats-exhb1.ats.atsinnovate.com ([fe80::fc05:b53:7f2b:84f9%18]) with mapi id 14.03.0389.001; Thu, 19 Apr 2018 21:08:40 -0400
From: "Das, Subir" <sdas@appcomsci.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-stir-rph@ietf.org" <draft-ietf-stir-rph@ietf.org>, Russ Housley <rhousley@vigilsec.com>, "stir-chairs@ietf.org" <stir-chairs@ietf.org>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-stir-rph-03: (with COMMENT)
Thread-Index: AQHT14AKPiOjJFWsR0e2KEqxePTvUaQIWPCggAC49ID//8XjwA==
Date: Fri, 20 Apr 2018 01:08:38 +0000
Message-ID: <AAC987F0CC2C7845A9FBD8A36D52E12DCBD4738F@rrc-ats-exmb2.ats.atsinnovate.com>
References: <152410229195.28672.4848182467373812893.idtracker@ietfa.amsl.com> <AAC987F0CC2C7845A9FBD8A36D52E12DCBD4702D@rrc-ats-exmb2.ats.atsinnovate.com> <20180420003125.GC54168@kduck.kaduk.org>
In-Reply-To: <20180420003125.GC54168@kduck.kaduk.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.109.16.82]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/KuleJFJPbhFOrXAc99ZPo8fRbd8>
Subject: Re: [stir] Benjamin Kaduk's No Objection on draft-ietf-stir-rph-03: (with COMMENT)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2018 01:08:45 -0000

Benjamin,
Your suggested text regarding 7.2  is okay with me.   

I forgot to  answer one of your earlier comments. 

> As Ben notes, there are some stale references.  Please double-check the referred section numbers as well; in particular "Section 10.1 of [4474bis]" does not exist in the only February-2017 verions of that draft.

SD> Will check and update it accordingly. 

Thanks,
-Subir 

-----Original Message-----
From: Benjamin Kaduk <kaduk@mit.edu>; 
Sent: Thursday, April 19, 2018 8:31 PM
To: Das, Subir <sdas@appcomsci.com>;
Cc: The IESG <iesg@ietf.org>;; draft-ietf-stir-rph@ietf.org; Russ Housley <rhousley@vigilsec.com>;; stir-chairs@ietf.org; stir@ietf.org
Subject: Re: Benjamin Kaduk's No Objection on draft-ietf-stir-rph-03: (with COMMENT)

On Thu, Apr 19, 2018 at 06:16:47PM +0000, Das, Subir wrote:
> Hello Benjamin,
> Thanks for your review and comments. Please see the answers inline. 
> 
> Regards,
> -Subir
> 
> -----Original Message-----
> From: Benjamin Kaduk <kaduk@mit.edu>;
> Sent: Wednesday, April 18, 2018 9:45 PM
> To: The IESG <iesg@ietf.org>;
> Cc: draft-ietf-stir-rph@ietf.org; Russ Housley 
> <rhousley@vigilsec.com>;; stir-chairs@ietf.org; rhousley@vigilsec.com; 
> stir@ietf.org
> Subject: Benjamin Kaduk's No Objection on draft-ietf-stir-rph-03: 
> (with COMMENT)
> 
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-stir-rph-03: No Objection
> 
> When responding, please keep the subject line intact and reply to all 
> email addresses included in the To and CC lines. (Feel free to cut 
> this introductory paragraph, however.)
> 
> 
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-stir-rph/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> I support Ben's discuss.
> 
> Thank you for working with the secdir reviewer to address those comments; I think it will really improve the document.
> 
> SD>Thanks. 
> 
> In a similar vein, I wonder if this document would be easier to read if it used less formal description terms for protocol elements that are currently referred to by using the actual protocol element (with quotes around the name).  For example, "SIP resource priority header" instead of "'Resource-Priority' header field", or "priority indicator" instead of "'namespace"."priority value"'.
> 
> SD> We can update like this but earlier recommendation was to be consistent with RFC 4412 and we followed that. 

Ah, I see.  (I will confess that the "namespace"."priority value"
was the one that confused me the most when I first saw it; 'Resource-Priority' header did not bother me too much.  But there is no need to change anything just on my personal experience.)

> I'm a little confused why the new registry created in Section 6.2 is tied to the "resource priority header" (rph) name, when the discussion in Section 5 has some potential envisioned use cases that are broader than resource priority.
> 
> SD> . You are correct that Section 5 leaves the possibility of adding new value but when defined, this will be a new  type and will be registered under the same ppt value 'rph'.   For use cases other than resource priority, a new 'ppt' needs to be defined.   We will make it clear in Section 5, 1st paragraph last sentence as follows:
> 
> " The specification of the "rph" claim could entail the optional presence of one or more such additional information fields applicable to 'Resource Priority'."

Okay, thanks.

> 
> As Ben notes, there are some stale references.  Please double-check the referred section numbers as well; in particular "Section 10.1 of [4474bis]" does not exist in the only February-2017 verions of that draft.
> 
> Section 7.2 uses "authority" in a couple of different senses; it might 
> be easier on the reader to refer to the authority (protocol
> participant) as being "authoritative for the content of [stuff] that it signs".
> 
> SD>  How about the following? 
> 
> The use of extension to PASSporT tokens with "ppt" value "rph"
> based on the validation of the digital signature and the associated 
> certificate requires consideration of the authentication, 
> authorization, and  reputation of the signer to attest to the identity 
> being asserted. The following considerations should be recognized when 
> using PASSporT extension with "ppt" value of "rph":
> 
> o A signer is only allowed to sign the content of a 'SIP 
> Resource-Priority’ header field for which it has the right authority.  
> The signer  that signs the token MUST have a secure method for 
> authentication of the end user or the device.

Maybe

Using extensions to PASSporT tokens with a "ppt" value of "rph"
requires knowledge of the authentication, authorization, and reputation of the signer to attest to the identity being asserted, including validating the digital signature and the associated certificate chain to a trust anchor, The following considerations should be recognized when using PASSporT extensions with a "ppt" value of "rph":

o A signer is only allowed to sign the content of a SIP 'Resource-Priority’ header field for which it has the proper authorization.  Before signing tokens, the signer MUST have a secure method for authentication of the end user or the device being granted a token.

-Benjamin