Re: [stir] Pay Attention (was Re: Robert Wilton's No Objection on draft-ietf-stir-enhance-rfc8226-03: (with COMMENT))

Chris Wendt <chris-ietf@chriswendt.net> Mon, 28 June 2021 19:57 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <4bb5eba6-ddc8-e441-972e-52415f49a65c@nostrum.com>
Date: Mon, 28 Jun 2021 15:57:26 -0400
Cc: IETF STIR Mail List <stir@ietf.org>
Message-Id: <E83195CC-5702-4BE3-8AF4-9583CFC0F51E@chriswendt.net>
References: <162487263632.15104.7075847684500025031@ietfa.amsl.com> <A65B0F2A-AAF4-4FC8-87A7-3A40144CEBBB@vigilsec.com> <4bb5eba6-ddc8-e441-972e-52415f49a65c@nostrum.com>
To: Robert Sparks <rjsparks@nostrum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/LmGt0h5StFlQV8p0sleE6g-6jmI>
Subject: Re: [stir] Pay Attention (was Re: Robert Wilton's No Objection on draft-ietf-stir-enhance-rfc8226-03: (with COMMENT))

Thanks Robert, I also have no issue with that language.

-Chris

> On Jun 28, 2021, at 3:16 PM, Robert Sparks <rjsparks@nostrum.com> wrote:
> 
> STIR WG - There's a small bit of normative text that is going into this document based on IESG discussion - you've already seen it on list, but I've copied it here for your convenience. I want to make sure you don't miss it (fwiw, I'm fine with it). If anyone has problems with it, reply very soon.
> 
> RjS
> 
> On 6/28/21 1:30 PM, Russ Housley wrote:
>> Rob:
>> 
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>> 
>>> Hi,
>>> 
>>> Thanks for the document, despite not being my area of expertise I found it easy
>>> to read and understand.
>>> 
>>> A couple of minor comments:
>>> 
>>> (1) Like Erik, when reading section 4, I was wondering whether it would be
>>> helpful to have an example that included both mustInclude and permittedValues.
>>> But of course, I note that you effectively do that in section 5.
>> I hope the change proposed to resolve Erik's comment is also sufficient to resolve your comment.
>> 
>>> (2) In the security section, it states:
>>> 
>>>   Certificate issuers should not include an entry in mustExclude for
>>>   the "rcdi" claim for a certificate that will be used with the
>>>   PASSporT Extension for Rich Call Data defined in
>>>   [I-D.ietf-stir-passport-rcd].  Excluding this claim would prevent the
>>>   integrity protection mechanism from working properly.
>>> 
>>> I was wondering whether it would be helpful to include this as RFC 2119 SHOULD
>>> NOT in 3, or perhaps have a forward reference from the section 3 description of
>>> mustExclude to the "rcdi" consideration in the security section.
>> Sure:
>> 
>>    Certificate issuers SHOULD NOT include an entry in mustExclude for
>>    the "rcdi" claim for a certificate that will be used with the
>>    PASSporT Extension for Rich Call Data defined in
>>    [I-D.ietf-stir-passport-rcd].  Excluding this claim would prevent the
>>    integrity protection mechanism from working properly.
>> 
>> Russ
>> 
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
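As an added example, not code from this thread, the STIR WG, RFC 8226 or the drafts under discussion, the block below shows how a verification service might evaluate the three JWT Claim Constraints (mustInclude, permittedValues, mustExclude) against the decoded payload of a PASSporT, and why a mustExclude entry for "rcdi" undercuts an rcd certificate: any PASSporT that satisfies such a certificate necessarily lacks the claim that binds the Rich Call Data. The sample telephone numbers, the "attest" value, the x5u URL and the "rcdi" placeholder string are constructed; the reading that permittedValues applies only when the claim is present is my reading of RFC 8226; signature verification is deliberately out of scope.

```python
"""Evaluate RFC 8226-style JWT Claim Constraints against a PASSporT payload.

Added example for this thread; not code from the STIR WG, RFC 8226 or
draft-ietf-stir-enhance-rfc8226. Sample numbers, the "attest" value, the x5u
URL and the "rcdi" value are constructed for illustration. The PASSporT
signature is not verified here; only the claim constraints are checked.
"""
import base64
import json
from dataclasses import dataclass, field


@dataclass
class JWTClaimConstraints:
    """The three constraint lists the thread refers to (names per RFC 8226)."""
    must_include: list[str] = field(default_factory=list)
    permitted_values: dict[str, list[str]] = field(default_factory=dict)
    must_exclude: list[str] = field(default_factory=list)


def b64url_decode(segment: str) -> bytes:
    """Decode a JWS base64url segment, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWS segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def passport_payload(token: str) -> dict:
    """Return the decoded claims of a compact-serialized PASSporT (header.payload.sig)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have exactly three segments")
    return json.loads(b64url_decode(parts[1]))


def check_claims(constraints: JWTClaimConstraints, claims: dict) -> list[str]:
    """Return every constraint the claim set violates (empty list = acceptable).

    mustInclude: each named claim must be present.
    permittedValues: if the named claim is present, its value must be listed
      (my reading of RFC 8226; an absent claim is not a permittedValues violation).
    mustExclude: each named claim must be absent.
    """
    violations = []
    for name in constraints.must_include:
        if name not in claims:
            violations.append(f"mustInclude: '{name}' is absent")
    for name, allowed in constraints.permitted_values.items():
        if name in claims and claims[name] not in allowed:
            violations.append(f"permittedValues: '{name}'={claims[name]!r} not in {allowed}")
    for name in constraints.must_exclude:
        if name in claims:
            violations.append(f"mustExclude: '{name}' is present")
    return violations


# Constructed PASSporT payload for a Rich Call Data call. The "rcdi" value is a
# placeholder string, not a digest computed per the rcd draft.
SAMPLE_CLAIMS = {
    "orig": {"tn": "12155551212"},
    "dest": {"tn": ["12155551213"]},
    "iat": 1624910252,
    "attest": "A",
    "rcd": {"nam": "Example Caller"},
    "rcdi": "sha256-PLACEHOLDER",
}


def make_unsigned_passport(claims: dict) -> str:
    """Build header.payload. with an empty signature segment (constructed, unsigned)."""
    header = {"alg": "ES256", "typ": "passport", "ppt": "rcd",
              "x5u": "https://cert.example/rcd.pem"}   # constructed URL
    return f"{b64url_encode(header)}.{b64url_encode(claims)}."


def rcd_issuer_constraints() -> JWTClaimConstraints:
    """Constraints consistent with the SHOULD NOT: require rcd and rcdi, never exclude rcdi."""
    return JWTClaimConstraints(must_include=["rcd", "rcdi"],
                               permitted_values={"attest": ["A"]})


def rcdi_excluding_constraints() -> JWTClaimConstraints:
    """The configuration the text warns against: mustExclude names 'rcdi'."""
    return JWTClaimConstraints(must_include=["rcd"], must_exclude=["rcdi"])


if __name__ == "__main__":
    claims = passport_payload(make_unsigned_passport(SAMPLE_CLAIMS))
    print("good issuer:", check_claims(rcd_issuer_constraints(), claims))
    print("rcdi excluded:", check_claims(rcdi_excluding_constraints(), claims))
    stripped = {k: v for k, v in claims.items() if k != "rcdi"}
    print("rcdi excluded, rcdi dropped:", check_claims(rcdi_excluding_constraints(), stripped))
```

Run stand-alone, the first call reports no violations, the second reports that "rcdi" is present, and the third shows that the only way to satisfy an rcdi-excluding certificate is to drop the claim, leaving the rcd content with no integrity binding at all.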