Re: [stir] Editorial comments on sections 3 and 4 of draft-ietf-stir-passport-divert-02 [was: drafts for london]
Christer Holmberg <christer.holmberg@ericsson.com> Thu, 08 March 2018 19:05 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B551812711D for <stir@ietfa.amsl.com>; Thu, 8 Mar 2018 11:05:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.321
X-Spam-Level:
X-Spam-Status: No, score=-4.321 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LsGWE0fgQlgC for <stir@ietfa.amsl.com>; Thu, 8 Mar 2018 11:05:35 -0800 (PST)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CEBA127076 for <stir@ietf.org>; Thu, 8 Mar 2018 11:05:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1520535933; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=e4vPFiWi1wm4/sZewGrrathY3lhqCEascFNY5HPkjok=; b=d96/ktPCz/Bs4vaSyRrYTmFiSBZ+KAa6V8IUqsApJbZP+QrtPTMTczG7B/ZoJaG6 NnkEJFvsrHIaj17L8ScWQ3bG7fkBJiG4ZV2yqnb5gcL8+q7Ib7UiL7yzCswBTOKu 9bsIFGZ0KRsxObeu0EFDPFNSBB8YtKOAYBFZKf3ld6Y=;
X-AuditID: c1b4fb3a-728f89c0000067b4-90-5aa1897dffa0
Received: from ESESSHC021.ericsson.se (Unknown_Domain [153.88.183.81]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id 61.48.26548.D7981AA5; Thu, 8 Mar 2018 20:05:33 +0100 (CET)
Received: from ESESSMB109.ericsson.se ([169.254.9.82]) by ESESSHC021.ericsson.se ([153.88.183.81]) with mapi id 14.03.0352.000; Thu, 8 Mar 2018 20:04:45 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Peterson, Jon" <jon.peterson@team.neustar>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: Editorial comments on sections 3 and 4 of draft-ietf-stir-passport-divert-02 [was: drafts for london]
Thread-Index: AdO1leYBWf6vwV0+R0KzweYvSCipPgBRn8mAAAsJWAA=
Date: Thu, 08 Mar 2018 19:04:45 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B6C1CBA0C@ESESSMB109.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B6C1C59A6@ESESSMB109.ericsson.se> <D6C6958B.1FAAE7%jon.peterson@neustar.biz>
In-Reply-To: <D6C6958B.1FAAE7%jon.peterson@neustar.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.165]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrPLMWRmVeSWpSXmKPExsUyM2J7oG5t58Iog6tXTS02P1vDZLF87TYm ByaPJUt+Mnm83jCHPYApissmJTUnsyy1SN8ugSvj1cpX7AXTzCoe/JnK2sD4WauLkZNDQsBE 4svENWxdjFwcQgKHGSUWdG+BchYxSrx8foG5i5GDg03AQqL7nzZIg4hAkMTc3/3sILawQInE pnkH2CHipRJ7bx9kgbCtJP7/bGEEsVkEVCRefN7IBmLzCvhKLP2zhwVkpJBAlUTjYmeQMKeA uUTTlnOsIDajgJjE91NrmEBsZgFxiVtP5jNB3CkgsWTPeWYIW1Ti5eN/rBC2ksSsWxuh6vUk bkydwgZha0ssW/iaGWKtoMTJmU9YJjCKzEIydhaSlllIWmYhaVnAyLKKUbQ4tbg4N93ISC+1 KDO5uDg/Ty8vtWQTIzAaDm75bbWD8eBzx0OMAhyMSjy869oWRgmxJpYVV+YeYpTgYFYS4e3N BgrxpiRWVqUW5ccXleakFh9ilOZgURLndUqziBISSE8sSc1OTS1ILYLJMnFwSjUwrrJ4rrFd ZEt/bIDUg5fGB+vW/fZ+3FRb0N6m/8fTbm19t++hUwEMS3wiDosc3H5KXMw1YX3A97c7S7ut S71FypQ2GlRZiFTnfk1fKBG92Gzf5QW9roXf9LZvPSvl79Qa67c6+fz0azZaoQeyHl2o550c sWPDO6cI2arprExfdR/3icUyrfqlxFKckWioxVxUnAgAhSbshYICAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/MKRIGkDsxi41GMc9_ccJVbNQsXY>
Subject: Re: [stir] Editorial comments on sections 3 and 4 of draft-ietf-stir-passport-divert-02 [was: drafts for london]
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 19:05:38 -0000
Hi Jon, Please see inline. Q1: >>Throughout the document, you use different terminology for the claims. You at least use "claim", "array", "field". >> >>I suggest to always use "claim", i.e., "div" claim, "dest" claim etc. >> >>The fact that a claim might be an array is an encoding issue. > > I do kind of like reminding people that the contents of "dest" are an array. "field" I agree isn't very helpful though. There > may still be a couple times in the document where I might want to continue referring to "dest" as an array. I'll try to keep > that to a minimum. My suggestion would be to use "dest" claim, but somewhere point out that it is an array. --- Q2: >> Throughout the document, you talk about "div" PASSporT, "div" PASSporT type, etc. >> >> Please don't use the same name for the claim and the PASSPorT. Instead say something like "to the PASSporT >> carrying the "div" claim", "the diversion PASSporT", or something like that. > > I can do that: saying "'div' claim" and "diversion PASSporT." Sounds good :) --- Q3: >> Throughout the document, the text talks about "original PASSPorT". >> >> Since there might be (at least in theory) multiple incoming PASSPorTs you need to define what "original" means. > > Definitely the language needs to take into account that there can be multiple "original" PASSporTs. But I hesitate to just > replace "original" with a synonym like "incoming." I'd like the language here to be generic enough to apply to in-band > and out-of-band cases, so I don't want to define in terms like "found in the INVITE" or whatever. Terminology is tough > here, I'll try to fix the language here up a bit. My suggestion is not to replace "original" with "incoming". The issue is that, if there are multiple incoming PASSporTs, which of them is the "original". I do agree that we sould not talk about INVITEs etc in Section 3 (we can define the SIP specific details in Section 4). --- Q4: >> The text in Section 3 says: >> >> "A PASSporT claims object containing "div"" >> >> I don't think we need to say "claims object". It is enough to just talk about PASSPorT (you do that elsewhere). > > I do think it is useful sometimes to distinguish between the header and the claims, but I can avoid the specific > construction "claims object" if people think it is confusing. "JOSE header" and "JWT claims set" seem to be the terms used in RFC7519. Yes. If you need to be explicit of whether you refer to the header or the claims, we can use those words. But, in general, if are e.g., talking about a claim, you don't need to say that it is the "JWT claims set". That is defined in the base PASSporT specification. --- Q5: >> The text in Section 3 says: >> >> "These new PASSporT generated by retargeting entities MUST include the "div" PASSporT type,.." >> >> Please explicitly indicate which header field includes the "div" type (i.e., the "ppt") > > While I don't think this is confusing in the text, no harm in saying that explicitly. Alternatively, based on Q2, you can say "new diversion PASSporT generated by the retargeting entities...". Then it is implicit that the type is "div", because that is specified elsewhere. --- Q6: >> The text in Section 3 says: >> >> ".for all PASSporTs using the "div" type the >> signature MUST be created with a credential with authority over the >> identity present in the "div" claim. So for the example above, where >> the original "dest" is "12155551213", the signer of the new PASSporT >> object MUST have authority over that telephone number,." >> >> I think the text can be clarified in the following way: >> >> ".for all PASSporTs using the "div" type the >> signature MUST be created with a credential with authority over the >> identity present in the "div" claim, which means that the signer MUST >> have authority over the "dest" claim in the original PASSporT." >> >> Because, I think this is a generic normative statement, not just a description of an example. > > Agreed it is a blunder to have a normative statement in an example. I think we still do want an example > and a normative statement, I'll separate them out. Thanks! --- Q7: >> The text in Section 4.1. says: >> >> "An authentication service only adds an Identity header field >> containing the "div" PASSporT type to an SIP request that already >> contains at least one Identity header field; it MUST NOT add a "div" >> request to an INVITE that contains no other Identity headers fields." >> >> Is there a reason why you first say "SIP request" and then "INVITE"? Can't the "it MUST NOT add." part be removed? > > Agreed that "INVITE" there should be the more generic "request." The previous statement is not normative, though, so I'd hesitate > to remove the normative statement entirely. Ok. --- Q8: >> In Section 4, when the new PASSPorT has been created and added to a SIP message, we need to clarify where the >> associated Identity header field is located in relation to other Identity header fields. >> >> Alt A: >> >> Identity: incoming_PASSPorT >> Identity: div_PASSPorT >> >> Alt B: >> >> Identity: div_PASSPorT >> Identity: incoming_PASSPorT > > Hmm. Do we think that intermediaries will always preserve the order of these headers? > I guess we could order them in the hopes that they will. But again, I think we should provide a means that lets verification > services look at the PASSporTs associated with a request and figure out how they are related. That discussion is how we ended > up with nesting in the first place. Right now we only RECOMMEND that implementations use nesting for in-band, until we get > some more input on the header size question, but we need to do something here to make it clear how PASSporTs are ordered. > Maybe "iat" helps? A few possibilities. My assumption has been that the order MUST be preserved (similar to Record-Route, Route etc), but that we need to specify where new Identity header fields are placed in relation to the existing headers. Because, if we at some point come up with a use-case where the order matters, we could end up with problem. Regarding nesting, if there are multiple incoming Identity header fields, the text needs to be clear which of them (or all of them) are nested, and how it is done. The text currently says that the "original" PASSporT is nested, so I assume this is related to my question on which PASSporT (if multiple) "original" refers to. Regards, Christer
- [stir] Editorial comments on sections 3 and 4 of … Christer Holmberg
- Re: [stir] Editorial comments on sections 3 and 4… Peterson, Jon
- Re: [stir] Editorial comments on sections 3 and 4… Christer Holmberg