[stir] WG Last Call comments on stir-oob-04

Russ Housley <housley@vigilsec.com> Wed, 17 April 2019 16:33 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <9BB03273-2BFA-4907-9234-EC8CE33E0186@team.neustar>
Date: Wed, 17 Apr 2019 11:58:21 -0400
Cc: IETF STIR Mail List <stir@ietf.org>
To: Jon Peterson <jon.peterson@neustar.biz>, Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/PqU_LKcsFwPAIxs9T1d4GUNVNs0>
Subject: [stir] WG Last Call comments on stir-oob-04

Document: draft-ietf-stir-oob-04.txt
Reviewer: Russ Housley
Review Date: 2019-04-17

Major:

Title page: As discussed on the mail list, please change the 
intended status to "Informational".

Section 11: To date, STIR certificates are only used for digital
signature.  This document suggests that the public key in the
certificate can also be used to provide confidentiality.  This
works if the public key is RSA, and the certificate has the
appropriate key usage bits set.  However, this does not work if
the public key is DSA, ECDSA, Ed25519, or several others.  I
am not asking for a major change to the document, but this
should be pointed out in the document.  And, Section 11 should
point out that finding the credential for the callee cannot
leverage the "x5u" claim in the PASSporT when the public key
can only be used for digital signature.


Minor:

Section 2: Please update the first paragraph to reference RFC 8174
in addition to RFC 2119, as follows: 

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
   
Of course, also add a reference to RFC 8174.

The figure in Section 7.2 can be easily adjusted to fit the normal
margins.  Also, the example telephone numbers should use the 555
conventions.  I suggest:

   Alice                    Call Placement Service                  Bob
   --------------------------------------------------------------------

   Store PASSporT for 2.222.555.2222 -->

   Call from 1.111.555.1111 ------------------------------------------>


                                    <-------------- Request PASSporT(s)
                                                     for 2.222.555.2222

                                    Obtain Encrypted PASSporT -------->
                                    (2.222.555.2222, 1.111.555.1111)

                                              [Ring phone with callerid
                                                      = 1.111.555.1111]

Also, adjust the text to reference these example telephone numbers.

Likewise, please adjust the example telephone numbers in Section 9.

It should be equally easy to remove three spaces from the figure in
Section 7.4 to fit the normal margins.

Section 7.3: Please add a reference for TLS.  I assume you will use
[RFC8446].

Section 7.5: s/Sign(K_cps, K_temp))/Sign(K_cps, K_temp)/

Section 11: Please add a reference for OCSP.  I assume you will use
[RFC2560].

Section 14: I think it would be helpful to include pointers to
Sections 7.3 and 7.4 in the Security Considerations.


Nits:

Suggested spelling: s/CPSs/CPSes/  (Note: This spelling is used for
Certificate Practice Statements.)

Section 3: Please spell out the first use of "POTS".  As an alternative,
the sentence could be reworded to use PSTN, which has already been used
many times by this point in the document.

Sections 5.1 and 5.4: s/in the SIP world/in a SIP environment/

Section 5.4: s/back to the IP world/back to a SIP environment/

Section 5.4: s/returns to the IP world/returns to a SIP environment/

Section 5.5: s/a valid calls/a valid call/

Section 6.2: s/one that is valid/one or more that are valid/

Section 7.5: Please add an informative reference on blinded signatures.
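
The Section 11 comment above, as an added example that is not part of the review or of the draft: a relying party can encrypt to a certificate's public key only when that key is RSA and the keyUsage extension asserts keyEncipherment, so signature-only RSA and ECDSA certificates are refused. The certificates are constructed test data, the names `selfSigned`, `EncryptTo` and `Verdicts` are hypothetical, and RSA-OAEP with SHA-256 is an assumed choice of encryption scheme.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a constructed self-signed test certificate for key k.
func selfSigned(k crypto.Signer, ku x509.KeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: ku, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, k.Public(), k)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // parses the DER produced just above
	return c
}

// EncryptTo encrypts msg to the certificate holder only if the key type and
// keyUsage permit it. RSA-OAEP with SHA-256 is this example's assumed choice.
func EncryptTo(c *x509.Certificate, msg []byte) ([]byte, error) {
	pub, isRSA := c.PublicKey.(*rsa.PublicKey)
	canWrap := c.KeyUsage&x509.KeyUsageKeyEncipherment != 0
	if !isRSA || !canWrap {
		return nil, fmt.Errorf("%v key, keyEncipherment=%t: cannot encrypt to it", c.PublicKeyAlgorithm, canWrap)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Verdicts runs EncryptTo over three constructed certificates.
func Verdicts() map[string]error {
	r, _ := rsa.GenerateKey(rand.Reader, 2048)
	e, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, msg := x509.KeyUsageDigitalSignature, []byte("constructed content key")
	out := map[string]error{}
	_, out["rsa-enc"] = EncryptTo(selfSigned(r, sig|x509.KeyUsageKeyEncipherment), msg)
	_, out["rsa-sig"] = EncryptTo(selfSigned(r, sig), msg)
	_, out["ecdsa-sig"] = EncryptTo(selfSigned(e, sig), msg)
	return out
}

func main() { fmt.Println(Verdicts()) }
```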