IETF Logo Mail Archive

Re: [stir] Validating TN authority together with number portability

Chris Wendt <chris-ietf@chriswendt.net> Wed, 16 August 2017 12:27 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16C7D1326B0 for <stir@ietfa.amsl.com>; Wed, 16 Aug 2017 05:27:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id syydde7ZbaCB for <stir@ietfa.amsl.com>; Wed, 16 Aug 2017 05:27:39 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1A46132697 for <stir@ietf.org>; Wed, 16 Aug 2017 05:27:38 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id o124so10400680qke.3 for <stir@ietf.org>; Wed, 16 Aug 2017 05:27:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=xqu9XXGoOP7eObExuaNZC0fksniO2/4j1LHfJneO954=; b=QPAC+pN8jRaavfCC7LO8zL4HI46i4celtxGWtaHTKc2PRfcVtaksdKZ2fmckqe39sE QLkxFW/mtPZk7km8Pc8mx1GhrfCSVl+OGHYpttgeCLksCIzcWtmWqN470PrWvnzgibyi 8QTsggVaJt90KrZe1QlvOxP6BYaI1KM9zJJxG190JWLLdCpGAcr6xLJl3T0MopZUO+Jt 3GNqNlTtlWa+vDzKLimxOOBF5DwLKrFYLM7sxGOezHuHv2bZoNNRWSLg3gfueMhP+KU2 I4O92pOJUrJgnq4SKfOMLad4vYVCbn5mwmfXyxtqi1yzVOKOFcCiThCXDR3xrcWYM+eZ F6fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=xqu9XXGoOP7eObExuaNZC0fksniO2/4j1LHfJneO954=; b=J+x7qFcXrQz1cFV+DuNMaaVitUTxGGDzLP2irM1CtyrOM1rT6/uUvn2CHHj/Vzi4XV SWrXmFPau+9M1g182nIIf3XIuogTFTXlUIq0mt+jTFJqF3OdT8H9qGTlZMSR4iUJGpCT NxC5PM9jfAwCwo7Kf5mqcqXpPGxyuzOQwhdZN8Iw+cPZKmUBn5Zz556d5UaXcw2gW4bD dohcQx4tFQvs4nXfcPDqVnFNbvnH3euzEiWddjYwXOrTnB3xCPXUjzwez8lYrjPvItXQ /fxDC5afyHIbrxJOo5QE+L9sQ/BRPW5ld0veHDwDCC3IzddfA2wR573c7lKzt4+5eS0o +H6g==
X-Gm-Message-State: AHYfb5hMDGToXl1YukPNZaPlGYOwc26KSwEDGb1UDQ2nK/pVMb4y69nA BK2WZq4eUmOs4aoM
X-Received: by 10.55.79.9 with SMTP id d9mr1978068qkb.335.1502886457835; Wed, 16 Aug 2017 05:27:37 -0700 (PDT)
Received: from ?IPv6:2601:41:c101:1475:3d0a:48c3:4873:9732? ([2601:41:c101:1475:3d0a:48c3:4873:9732]) by smtp.gmail.com with ESMTPSA id z1sm480024qtz.1.2017.08.16.05.27.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 16 Aug 2017 05:27:36 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <391A1CF8-4CED-4ECF-92EF-FA988B4881C4@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3A2B44FE-4556-491F-85C6-83E23E63D699"
Mime-Version: 1.0 (Mac OS X Mail 11.0 \(3445.1.3\))
Date: Wed, 16 Aug 2017 08:27:35 -0400
In-Reply-To: <DB5PR07MB1127A3D6068F833DC04C9A06C7820@DB5PR07MB1127.eurprd07.prod.outlook.com>
Cc: "stir@ietf.org" <stir@ietf.org>
To: Julio Martinez-Minguito <julio.martinez-minguito@ericsson.com>
References: <DB5PR07MB1127A3D6068F833DC04C9A06C7820@DB5PR07MB1127.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.1.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/L2At6A4HndH6C22w0N5ZBWjmO2E>
Subject: Re: [stir] Validating TN authority together with number portability
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 12:27:41 -0000

I think you would just cover this scenario with two different certificates with the two smaller ranges.

That said, for North America the SHAKEN approach is not to use certificates for number blocks, so not sure if you looking at a generic solution or not.

> On Aug 16, 2017, at 5:21 AM, Julio Martinez-Minguito <julio.martinez-minguito@ericsson.com> wrote:
> 
> Hi,
>  
> The current drafts for RFC4474bis and certificates describe how to validate that a telephone number is owned by the operator signing the calling Identity. A TNAuthorizationList may be included in the certificate listing the numbers the operator is authoritative for.
>  
> However, I see some issues handling this together with number portability which need to be clarified.
> Subscribers will be ported in and out quite frequently, making the information in the certificates obsolete. To keep up the pace with the number portability, the operators certificates would have to be updated frequently. Should the certificates have short validity times? E.g. 1 week, or even shorter?
>  
> Instead of having the TN information in the certificate and need to update it constantly, it would be more appropriate to have a trusted server connected to the national Number Portability DB (to update the information) to which the verifiers can connect and retrieve the authority information. Each verifier could retrieve the TN lists for operators and refresh the list daily, without needing to re-issue operator certificates, so it would be updated with the latest portability.
>  
> About how to represent the TN lists, e.g. if an operator owns the range 555-xxxx, with the current definitions it will be easy to describe:
> TelephoneNumberRange ::= SEQUENCE {
>       start TelephoneNumber = 5550000,
>       count INTEGER (2..MAX) = 10000
>       }
>  
> Now, if number 555-6789 moves to another operator we have to represent with:
> ({start = 5550000, count = 6789}, {start = 5556790, count = 3210})
>  
> As more numbers are moved out from the range, this representation format will get messy and difficult to manage.
>  
> To handle NP it would be easier to keep the original range, and include a list of excluded numbers which have been ported out, e.g.:
>  
> TelephoneNumberRange ::= SEQUENCE {
>       start TelephoneNumber,
>       count INTEGER (2..MAX),
>       excludedNumbers SEQUENCE SIZE (1..MAX) OF TNEntry
>       }
>  
>  
> Is this a feasible solution? Is it too late to handle now due to the current state?
> _______________________________________________
> stir mailing list
> stir@ietf.org <mailto:stir@ietf.org>
> https://www.ietf.org/mailman/listinfo/stir <https://www.ietf.org/mailman/listinfo/stir>

v2.23.0 | Report a Bug | By Email