IETF Logo Mail Archive

Re: [stir] current draft charter

"DOLLY, MARTIN C" <md3135@att.com> Mon, 17 June 2013 00:31 UTC

Return-Path: <md3135@att.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAEC321F9DCE for <stir@ietfa.amsl.com>; Sun, 16 Jun 2013 17:31:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level:
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bEGeWzjV1LAS for <stir@ietfa.amsl.com>; Sun, 16 Jun 2013 17:31:28 -0700 (PDT)
Received: from nbfkord-smmo07.seg.att.com (nbfkord-smmo07.seg.att.com [209.65.160.93]) by ietfa.amsl.com (Postfix) with ESMTP id 5543721F9DCA for <stir@ietf.org>; Sun, 16 Jun 2013 17:31:28 -0700 (PDT)
Received: from unknown [144.160.20.146] (EHLO nbfkord-smmo07.seg.att.com) by nbfkord-smmo07.seg.att.com(mxl_mta-6.15.0-1) with ESMTP id 0e85eb15.62a21940.188076.00-551.510128.nbfkord-smmo07.seg.att.com (envelope-from <md3135@att.com>); Mon, 17 Jun 2013 00:31:28 +0000 (UTC)
X-MXL-Hash: 51be58e04c335d45-6ba4782684d603750a4fbfe02f60736565029a47
Received: from unknown [144.160.20.146] (EHLO mlpd194.enaf.sfdc.sbc.com) by nbfkord-smmo07.seg.att.com(mxl_mta-6.15.0-1) over TLS secured channel with ESMTP id bd85eb15.0.188062.00-472.510076.nbfkord-smmo07.seg.att.com (envelope-from <md3135@att.com>); Mon, 17 Jun 2013 00:31:27 +0000 (UTC)
X-MXL-Hash: 51be58df14518644-534a8ac012feed40a2eaa81c0348335289b103ca
Received: from enaf.sfdc.sbc.com (localhost.localdomain [127.0.0.1]) by mlpd194.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id r5H0VNiK011524; Sun, 16 Jun 2013 20:31:23 -0400
Received: from mlpi409.sfdc.sbc.com (mlpi409.sfdc.sbc.com [130.9.128.241]) by mlpd194.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id r5H0VDvm011451 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 16 Jun 2013 20:31:18 -0400
Received: from MISOUT7MSGHUB9B.ITServices.sbc.com (misout7msghub9b.itservices.sbc.com [144.151.223.72]) by mlpi409.sfdc.sbc.com (RSA Interceptor); Mon, 17 Jun 2013 00:31:01 GMT
Received: from MISOUT7MSGUSR9I.ITServices.sbc.com ([144.151.223.56]) by MISOUT7MSGHUB9B.ITServices.sbc.com ([144.151.223.72]) with mapi id 14.02.0342.003; Sun, 16 Jun 2013 20:31:08 -0400
From: "DOLLY, MARTIN C" <md3135@att.com>
To: "Peterson, Jon" <jon.peterson@neustar.biz>, Hadriel Kaplan <hadriel.kaplan@oracle.com>, "dcrocker@bbiw.net" <dcrocker@bbiw.net>
Thread-Topic: [stir] current draft charter
Thread-Index: AQHOaq/tPvBwdWSMpuU+7zbFbFufQ5k43nSAgABhe4D//8BOQIAATsaA//+++3A=
Date: Mon, 17 Jun 2013 00:31:07 +0000
Message-ID: <E42CCDDA6722744CB241677169E836560217E96C@MISOUT7MSGUSR9I.ITServices.sbc.com>
References: <E42CCDDA6722744CB241677169E836560217E823@MISOUT7MSGUSR9I.ITServices.sbc.com> <CDE3A3A8.210B0%jon.peterson@neustar.biz>
In-Reply-To: <CDE3A3A8.210B0%jon.peterson@neustar.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.175.93.250]
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2010122901)]
X-MAIL-FROM: <md3135@att.com>
X-SOURCE-IP: [144.160.20.146]
X-AnalysisOut: [v=2.0 cv=Geiga3rL c=1 sm=0 a=Qs8R1XBwmid1qBFB/a8mmA==:17 a]
X-AnalysisOut: [=BdHj8wnEcaQA:10 a=KIbchom90_cA:10 a=ofMgfj31e3cA:10 a=BLc]
X-AnalysisOut: [eEmwcHowA:10 a=-CRmgG0JhlAA:10 a=zQP7CpKOAAAA:8 a=XIqpo32R]
X-AnalysisOut: [AAAA:8 a=UIkZVOpWgVUA:10 a=hGBaWAWWAAAA:8 a=k7Ga1wGzAAAA:8]
X-AnalysisOut: [ a=48vgC7mUAAAA:8 a=P5wrnlEIAAAA:8 a=XhPe_T0AduQkn-Z1ZD4A:]
X-AnalysisOut: [9 a=jiObf9B0YAUA:10 a=ZEB4BVPQL1cA:10 a=K6OZBpTtl3cA:10 a=]
X-AnalysisOut: [fcAx7uNQz4EA:10 a=lZB815dzVvQA:10 a=nXjPMxIiGpsA:10 a=E4zm]
X-AnalysisOut: [qQJlaqnQWI_r:21 a=mlKXuA2ozBsubjRA:21]
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] current draft charter
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2013 00:31:35 -0000

So, we define a charter to a solution that we want to get at, versus in REALLITY need to solve... I am simple, so please explain...

-----Original Message-----
From: Peterson, Jon [mailto:jon.peterson@neustar.biz] 
Sent: Sunday, June 16, 2013 8:22 PM
To: DOLLY, MARTIN C; Hadriel Kaplan; dcrocker@bbiw.net
Cc: stir@ietf.org
Subject: Re: [stir] current draft charter


>[mcd] - the issue is not between trusted carriers, but rather traffic of
>the wholesale/enterprise.

I'm sure you're right, but from a technology perspective it's the
protocol-level trust itself that we can improve here.

>{mcd} - further the charter needs to focus on the violating parties.

Again, I think the IETF can only focusing on designing technology that
doesn't suffer from these problems. Violating parties will not exactly be
early adopters of protocols that constrain them, so we can't expect to
charter work that they will abide by. What we can do is try to make the
identity story better all around, so that violating parties are
marginalized.

But if there's something specific in the charter text you'd want to see
different to capture this, let me know.

Jon Peterson
Neustar, Inc.

>
>Regards,
>
>Martin
>
>-----Original Message-----
>From: stir-bounces@ietf.org [mailto:stir-bounces@ietf.org] On Behalf Of
>Peterson, Jon
>Sent: Sunday, June 16, 2013 7:28 PM
>To: Hadriel Kaplan; dcrocker@bbiw.net
>Cc: stir@ietf.org
>Subject: Re: [stir] current draft charter
>
>
>>
>>> RFC 4474 has been standards track for 7 years; that's a long time.
>>> 
>>> What is its level of operational deployment and use, so far?  If the
>>>answer is "not much", then it's not clear that automatically invoking
>>>its application here is as comforting or facilitative as one might wishŠ
>>
>>The answer is less than "not much"... more like "not at all".
>>I'd argue the reasons it has never been deployed are: (1) people didn't
>>believe there was an identity spoofing problem yet, (2) it only really
>>validates email-style identities such as alice@foo.com, not E.164
>>numbers, and (3) it's not deployable due to B2BUAs changing the fields it
>>would sign.
>
>I agree with those three reasons. I'd further say (1) is part of a broader
>trend in which the deployment community hasn't shown much interest in the
>security mechanisms available in SIP versus operating in effectively
>private environments. These identity spoofing concerns show a limitation
>of transitive trust in these private communities.
>
>>> If I understand the RFC 4474 model correctly, a validated Identity
>>>field has the semantics of asserting that the From field is valid.  So
>>>the assertion is not limited to the owner of the From field value.
>>>Correct?  While such a model is understandable, it dramatically
>>>increases the reputation-management complexity of the task.  I'm not
>>>aware of an extant service over the public Internet of similar
>>>complexity.
>
>We weren't exactly proposing a domain assurance council or something like
>that. The authorization decision was supposed to be checking the reference
>integrity of the domain in the From header field against the domain in the
>subjectAltName of the cert (provided the cert is valid and the root
>trusted): if there's a match, then this was signed for by the right
>entity, if not, then not. I'm not sure what you mean by "not limited to
>the owner of the From field value." In so far as the originating domain is
>the "owner," then only they can sign it, if that's the limitation you're
>concerned about.
>
>>> 
>>> Better still is that it's the entity making the assertion that tells
>>>the verifier where to look for verification information...  What's seems
>>>to be missing from the text in RFC 4474 is how the verifier can tell
>>>whether the credential is a valid authorization for use of the From
>>>field value. (If it wasn't clear before, now you can understand why I'm
>>>curious about the concrete details of this authentication service.)
>>I think the general idea was a DKIM-like model, so if the From field
>>value is 'bob@foo.com', then you check the cert it points you to is for
>>foo.com and signed by a CA you trust.  That works for email-style names
>>like that, because you can verify it's coming from foo.com, and foo.com
>>is the authority for a 'bob@foo.com' name. (Assuming all CAs you trust
>>are not compromised of course)
>
>Correct. The entity making the assertion tells the verifier where a cert
>can be fetched, in the case that the verifier doesn't already have a cert
>for the signer. Whether the cert is valid, or the CA itself is trusted by
>the verifier, is however a different and prior question.
>
>>The hard part comes with E.164 numbers, because even if they appear as
>>user@domain strings, like '+12125551212@foo.com', most SIP devices would
>>treat it as an E.164 number - and that means it's not scoped to foo.com
>>at all but rather a separate, global namespace that foo.com has no
>>natural authority for.  So with 4474 you'd have to believe foo.com is
>>authoritative for the number based on reputation alone - i.e., you have a
>>local list of domains you trust to claim E.164 numbers.  That would work
>>for a limited number of domain names, for example the domain names of the
>>major carriers within a country, but it would fall apart quickly if we
>>ever want Enterprises to sign, or international scenarios to work.
>
>Right. At the risk of waxing philosophical about it, I'd say that RFC4474
>took for granted the baseline assumption that RFC3263 would be how SIP
>requests were routed. If you assume SIP requests get routed by taking the
>domain portion of the request-URI and looking it up in the DNS to locate a
>SIP server, RFC4474 probably isn't a bad fit for what you do. If however
>SIP requests get routed based on the user portion of the Request-URI (like
>a TN) without reference to the DNS, then probably having a domain sign for
>identity won't be appropriate. JDR's I-D on rfc4474-concerns is pretty
>much all about that.
>
>>So one proposal so far is that there would be certs which identify the
>>E.164 numbers they're authoritative for (in a CN/SAN field for example),
>>and that cert would be signed by some CA (or chain leading to one) that
>>you trust.  If it's a chain rather than directly signed by a CA, then
>>it's not clear how one goes about retrieving the certs for the chain's
>>links, and doing so could cause unacceptable delay.  It also means we
>>need revocation checks for the chain.  And I'd argue the management
>>aspects for this thing would be just as difficult as anything else
>>proposed so far.
>
>Although I'm not the expert, my understanding is that there are various
>cert chain compression techniques that could be applicable here. I've
>squinted a bit at OCSP and other possible real-time revocation checks for
>this as well.
>
>The exact amount of tolerable delay is a very interesting dimension of
>this problem space. I suspect we have a considerable amount of time, given
>all the human expectations about both post-dial delay and the wait for
>someone to pick up after altering. I think it's enough time to perform
>some non-trivial operations.
>
>But I do agree that there's no such thing as a free lunch, and that
>implementing a credential system for telephone numbers, even just in a
>single nation state, is operationally complex. In my day job, we have a
>few different credentials today that carriers can use to interface with
>various NANPA/NPAC system, and some of them already have requirements
>similar to what we've discussed here, like delegation for example. I think
>if we go down this STIR path, at the end of the day we'll end up with a
>system that relies on many numbers aggregated behind a single credential,
>on signatures and validations being performed by network elements much
>more so than endpoints, and similar optimizations. Provided we can do this
>without making e2e security impracticable, I think we'll be on the right
>track.
>
>Jon Peterson
>Neustar, Inc.
>
>>-hadriel
>>
>
>_______________________________________________
>stir mailing list
>stir@ietf.org
>https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email