Re: [stir] current draft charter

[Hadriel Kaplan <hadriel.kaplan@oracle.com>]

On Jun 17, 2013, at 12:04 PM, Michael Hammer <michael.hammer@yaanatech.com> wrote:

> First point:  This is about E.164 number delegation and proof of ownership.
> So, I find much of the discussion that seems to rely on DNS structure or
> Domain name structuring to be a distraction.
> How you prove proof of ownership of a domain is a separate, albeit twin
> problem.
> But, I think that is out of scope.  I do not believe the answer here is to
> ask my evil twin if he owns the E.164.


There've been a bunch of emails so you've probably missed it, or maybe it wasn't made clear, but the idea behind the DNS proposal is to use reverse-number dotted notation for the E.164.  So an E.164 of '+16035551212' becomes the domain name '2.1.2.1.5.5.5.3.0.6.1.cid.arpa'.

The authority for .cid.arpa is the ITU, and they delegate the country-codes within it to the national number admins for each country (ie, exactly what they do for E.164 numbers).  At that point each nation decides what they want to do, whether to have their whole country-code number tree under one admin authority, or to have it split up.

Oh, and this would all use DNSSEC, which might mean we don't even need to store full certs in this tree, but can just store public keys. (because the DNSSEC info is the same as would be in the certs)


> Second point:  The delegation of E.164 numbers down the tree inextricable
> defines who owns the number, 
> so any collection of certs into an authoritative repository MUST follow the
> same path back up, or you lose sight of that ownership.
> E.164 is already the hierarchy, so no second hierarchy is needed.

Right, and the DNS proposal follows the E.164 ownership hierarchy.


> The recipient of a number block or an individual number may need to receive
> the private key, 
> else the carrier signs and inserts the signature on the path out from that
> user.

No, the recipient of the number block creates their own private/public key pair, and upload the public key to the DNS admin for their E.164 number.  In the DNS it gets signed by the number authority.  So the number authority (ie the DNS) never knows the private key - only the actual user of the private key does.



> (Note, still need to determine how many bytes constitute the signature such
> that it fits into an existing SS7 parameter.
> Perhaps the answer is to include an indicator in SS7 that the gateway to SIP
> must perform the signature outbound.
> But, that may limit this to a single hop, else need to trust follow-on SS7
> networks to sign properly, but that may be acceptable.)

If we can use a SS7 param, I believe the Identity signature can fit - if I'm doing my math right, it's 128 bytes binary (or 172 bytes if base64 encoded ascii).
You'd need to include some other info as well to make this work, but I'm pretty sure we could fit it all in the 255 bytes of an ISUP param.  Unless we have to include a URL, in which case all bets are off.

-hadriel