[stir] certificates: short-lived or status

"Peterson, Jon" <jon.peterson@neustar.biz> Wed, 15 March 2017 20:33 UTC

To: "stir@ietf.org" <stir@ietf.org>
Message-ID: <D45861BA.1C7D28%jon.peterson@neustar.biz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/NRnsM0AqNkF9olDArj9YHdfH0HI>
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

In reaction to the IESG review, and as well, to our own general sense that we're still not ready to mandate any particular direction, we ended up pulling the real-time status check of OCSP out of the last version of stir-certificates. Figuring out how we want to manage certificate freshness, especially in light of certificates assigned to telephone numbers, is probably the last bit about the core STIR work, before we go on to extensions and so forth, that we need to tackle.

I'd like to spend some meeting time talking about two approaches, as well as any better ideas anybody comes up with for this. The first is roughly what was in the stir-certificates document previously, which is now captured in:


The other is an approach based on short-lived certificates, which would likely rely on ACME or something similar. I've mocked up a discussion draft for that:


... though it is still fairly content-free at the moment.

I think reviewing what we've done with stir-certs and these two approaches warrants some face-time discussion. Thoughts here on the list beforehand are welcome too.


Jon Peterson
Neustar, Inc.
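The message contrasts two ways a STIR verifier can decide whether a certificate is still fresh: a real-time status check (the OCSP-style approach pulled from stir-certificates) versus short-lived certificates whose lifetime does the work. The following is an added example, not code from this message, from Neustar, or from any IETF draft: a toy verifier-side freshness policy that models both approaches side by side. Certificates and status responses are in-memory stand-ins rather than parsed X.509 or OCSP, and every name, window size and sample value below is an assumption chosen for illustration.

```python
"""
Added example: verifier-side freshness policy contrasting a real-time
status check with short-lived certificates. Not from the STIR list message
or any IETF draft; all names, windows and sample values are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str            # label only, e.g. a TN the cert is issued for
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OcspResponse:
    status: str             # "good", "revoked" or "unknown"
    this_update: datetime   # when the responder produced this status
    next_update: datetime   # after this, the response is no longer usable


# Policy knobs (assumed values, not taken from the message or any draft):
MAX_SHORT_LIVED_LIFETIME = timedelta(hours=24)  # longer than this is not "short-lived"
MAX_OCSP_AGE = timedelta(hours=1)               # oldest status a verifier will accept
CLOCK_SKEW = timedelta(minutes=5)               # tolerance between verifier and issuer clocks


def within_validity(cert: Cert, now: datetime) -> bool:
    """Validity-window check shared by both policies, tolerant of small skew."""
    return cert.not_before - CLOCK_SKEW <= now <= cert.not_after + CLOCK_SKEW


def check_short_lived(cert: Cert, now: datetime) -> Tuple[bool, str]:
    """Short-lived approach: freshness comes from the certificate lifetime.

    No status lookup at verification time. Instead the verifier refuses any
    certificate whose lifetime is long enough that revocation would matter,
    so a compromised key ages out on its own within the bound.
    """
    lifetime = cert.not_after - cert.not_before
    if lifetime > MAX_SHORT_LIVED_LIFETIME:
        return (False, "lifetime exceeds short-lived bound")
    if not within_validity(cert, now):
        return (False, "outside validity window")
    return (True, "fresh by lifetime")


def check_status(cert: Cert, ocsp: Optional[OcspResponse], now: datetime) -> Tuple[bool, str]:
    """Status approach: freshness comes from a real-time status response.

    A missing, stale, future-dated or non-'good' response fails closed; a
    verifier that failed open here would let a revoked signing key keep
    authenticating calls for the rest of the certificate's validity.
    """
    if not within_validity(cert, now):
        return (False, "outside validity window")
    if ocsp is None:
        return (False, "no status response")
    if ocsp.status != "good":
        return (False, f"status {ocsp.status}")
    if now < ocsp.this_update - CLOCK_SKEW:
        return (False, "status response from the future")
    if now > ocsp.next_update + CLOCK_SKEW or now - ocsp.this_update > MAX_OCSP_AGE:
        return (False, "status response stale")
    return (True, "fresh by status")


def demo() -> dict:
    """Run both policies over constructed sample inputs."""
    now = datetime(2017, 3, 15, 20, 33, tzinfo=timezone.utc)
    # Constructed sample certificates: one issued for 13 hours, one for a year.
    short = Cert("tn:+1-555-0100 (constructed)", now - timedelta(hours=1), now + timedelta(hours=12))
    long_ = Cert("tn:+1-555-0100 (constructed)", now - timedelta(days=30), now + timedelta(days=335))
    # Constructed sample status responses: one current, one whose window has passed.
    good = OcspResponse("good", now - timedelta(minutes=10), now + timedelta(hours=6))
    stale = OcspResponse("good", now - timedelta(hours=3), now - timedelta(hours=1))
    return {
        "short_lived_ok": check_short_lived(short, now),
        "long_lived_rejected": check_short_lived(long_, now),
        "status_good": check_status(long_, good, now),
        "status_stale": check_status(long_, stale, now),
        "status_missing": check_status(long_, None, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two functions make the trade-off concrete: the short-lived policy needs no network round trip at verification time but pushes the freshness burden onto issuance (which is why the message points at ACME), while the status policy keeps long-lived certificates usable but makes every verification depend on a status responder being reachable and its response being recent, and has to fail closed when it is not.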