Re: [stir] Thoughts on draft-ietf-stir-cert-delegation-00
"Peterson, Jon" <jon.peterson@team.neustar> Mon, 22 July 2019 11:03 UTC
Return-Path: <prvs=6106e8f477=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 741131200C1 for <stir@ietfa.amsl.com>; Mon, 22 Jul 2019 04:03:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXGgV4eaiY5n for <stir@ietfa.amsl.com>; Mon, 22 Jul 2019 04:03:33 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 483C0120058 for <stir@ietf.org>; Mon, 22 Jul 2019 04:03:33 -0700 (PDT)
Received: from pps.filterd (m0049401.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x6MB3Vpm022177; Mon, 22 Jul 2019 07:03:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=team-neustar; bh=Oe7Gr+ei6jCJYvRRZPwe+wEUjdkp3UDDFl8vgYLs8mA=; b=PHGUAwAPAg6hRNMbbFTbZ1iMfreAyLjUddiGI328kkzpjdgbbc02h9MP8Di1edNSHV83 1aI6+tAU4VM2kb2JDPoaqJ75uRVKcbRuWtlmGLGPfMCWxoFc0QvP3yBIYGxdQ6w+q/Bs msQHRw5nH/SnBsv7E71WgBKU9A+n/gsb/eYEAwKp4e3wtLSoOcI6XCaVb5h1HEVE3rhI apnNWXjQ/3aqqHwoVapEcMEF469N3xraOAz32FKVQzBI9bQVMJfWCBqY1MFkGxq71d7Z 1wj5xG9b4+6VUICrso+v4AxVeyAVeA8hYHQAp+T7PCP7GR6SPwykgXftiraBjvaIEJ5K LQ==
Received: from stntexhc11.cis.neustar.com ([156.154.17.216]) by mx0b-0018ba01.pphosted.com with ESMTP id 2tv0c2bw6u-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 22 Jul 2019 07:03:31 -0400
Received: from STNTEXMB101.cis.neustar.com ([fe80::a831:d3b4:fb4e:e45b]) by stntexhc11.cis.neustar.com ([::1]) with mapi id 14.03.0439.000; Mon, 22 Jul 2019 07:03:30 -0400
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Eric Burger <eburger@standardstrack.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] Thoughts on draft-ietf-stir-cert-delegation-00
Thread-Index: AQHVQAnKIn8358TDfUKXMpDU3vIS7qbWR9AA
Date: Mon, 22 Jul 2019 11:03:29 +0000
Message-ID: <42058E00-D315-4F80-A639-22D584B5C4FD@team.neustar>
References: <7C374987-D354-4E74-9DC3-647A3C322750@standardstrack.com>
In-Reply-To: <7C374987-D354-4E74-9DC3-647A3C322750@standardstrack.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.b.190609
x-originating-ip: [10.96.12.145]
Content-Type: multipart/alternative; boundary="_000_42058E00D3154F80A63922D584B5C4FDteamneustar_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:5.22.84,1.0.8 definitions=2019-07-22_09:2019-07-22,2019-07-22 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 spamscore=0 malwarescore=0 priorityscore=1501 lowpriorityscore=0 mlxscore=0 mlxlogscore=999 bulkscore=0 adultscore=0 clxscore=1011 impostorscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1904300001 definitions=main-1907220132
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/MfrpztYF0XiuecXFJDGnLWoDDSA>
Subject: Re: [stir] Thoughts on draft-ietf-stir-cert-delegation-00
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 11:03:35 -0000
Thanks for the notes Eric, Section 4: Will SHAKEN certificates carry a TNAuthList? If not, we are in academic exercise land. If so, we are good. If not, should we be? If we should, is it practical? My understanding is that SHAKEN uses RFC8226 certificates, and RFC8226 certificates contain an object called a “TNAuthList”, which may be populated by SPCs, TNs, or both. So strictly, I think the answer to your question is yes. But more to the point… The last three paragraphs imply to me that this is a fancy way of saying in the U.S. context the PA will allow the CA to issue signing certificates to enterprises. Is this interpretation correct? We’re just doing the low-level protocol plumbing here, but that is certainly a way that SHAKEN could adopt this tool. The main SHAKEN design choice there is whether it is up to carriers or the PA to authorize delegation. If so, does that not dramatically simplify things? An enterprise gets a signing certificate. They sign their Identity header. Since they are not a CSP entitled to put traffic on the public network, their CSP will also sign with something like the opt mechanism. Mission accomplished? Sure, I’ve heard it suggested that in SHAKEN environments the outbound CSP would add its own “B” attestation Identity header for traceback purposes or what have you. Remember, a B attestation from a trusted CSP over a signed Identity is going to get much better treatment than an A attestation from The Grace L. Ferguson Robocalling and Storm Door Company<https://www.amazon.com/Grace-Ferguson-Airline-Storm-Hungry/dp/B00122NVAQ>. Section 5: Is the verification of the scope of the validation certificate in real-time, or can it be done administratively off-line? Really this is the subject of the very last paragraph of 4.1. I do think it’s possible to make scope validation a largely offline process, and it’s probably undesirable to require the verification service to have to do network dips related to scope validations in real time while it’s trying to figure out if it wants to alert a the called party. I also think there’s value in being able to audit delegate certificates offline by inspecting a certificate repository. There could be operating environments where scope validation could be combined with some other dip done at the terminating side, though, where the cost wouldn’t be onerous. Section 8, last paragraph of p. 7: I thought RFC 2119 does not apply to non-protocol thingies, like being the protocol police and attempting to enforce a totally non-protocol policy. As such, having an RFC 3514 evil bit in the CA seems a bit odd. As the TBD offers, I’d suggest not going there. Yeah, as the TBD suggests, I’m not entirely sold on that idea – but in a SHAKEN-like environment, where a policy function oversees CA practices to a degree that might actually constitute protocol policing, I might think this is a more realistic approach than usual. Jon Peterson Neustar, Inc.
- [stir] Thoughts on draft-ietf-stir-cert-delegatio… Eric Burger
- Re: [stir] Thoughts on draft-ietf-stir-cert-deleg… Peterson, Jon