IETF Logo Mail Archive

Re: [stir] Questions about stir-certificates

"Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com> Fri, 20 October 2017 16:25 UTC

Return-Path: <pierce.gorman@sprint.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 609E113331E for <stir@ietfa.amsl.com>; Fri, 20 Oct 2017 09:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.909
X-Spam-Level:
X-Spam-Status: No, score=-2.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jburL3Z3yM-5 for <stir@ietfa.amsl.com>; Fri, 20 Oct 2017 09:25:55 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0102.outbound.protection.outlook.com [104.47.37.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0CEE12421A for <stir@ietf.org>; Fri, 20 Oct 2017 09:25:54 -0700 (PDT)
Received: from SN4PR0501CA0043.namprd05.prod.outlook.com (10.167.112.148) by MWHPR05MB3599.namprd05.prod.outlook.com (10.174.250.166) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.156.4; Fri, 20 Oct 2017 16:25:52 +0000
Received: from BN3NAM01FT024.eop-nam01.prod.protection.outlook.com (2a01:111:f400:7e41::204) by SN4PR0501CA0043.outlook.office365.com (2603:10b6:803:41::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.156.3 via Frontend Transport; Fri, 20 Oct 2017 16:25:52 +0000
Received-SPF: Pass (protection.outlook.com: domain of sprint.com designates 144.230.172.39 as permitted sender) receiver=protection.outlook.com; client-ip=144.230.172.39; helo=plsapdm3.corp.sprint.com;
Received: from plsapdm3.corp.sprint.com (144.230.172.39) by BN3NAM01FT024.mail.protection.outlook.com (10.152.67.94) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.77.10 via Frontend Transport; Fri, 20 Oct 2017 16:25:51 +0000
Received: from pps.filterd (plsapdm3.corp.sprint.com [127.0.0.1]) by plsapdm3.corp.sprint.com (8.16.0.21/8.16.0.21) with SMTP id v9KFxxLg028031; Fri, 20 Oct 2017 11:25:51 -0500
Received: from prewe13m03.ad.sprint.com (prewe13m03.corp.sprint.com [144.226.128.22]) by plsapdm3.corp.sprint.com with ESMTP id 2dkfuajvad-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 20 Oct 2017 11:25:51 -0500
Received: from PLSWE13M04.ad.sprint.com (144.229.214.23) by PREWE13M03.ad.sprint.com (144.226.128.22) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 20 Oct 2017 12:25:49 -0400
Received: from PLSWE13M04.ad.sprint.com ([fe80::2c01:fcb8:e729:4a7a]) by plswe13m04.ad.sprint.com ([fe80::2c01:fcb8:e729:4a7a%24]) with mapi id 15.00.1293.002; Fri, 20 Oct 2017 11:25:49 -0500
From: "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>
To: David Bryan <dbryan@ethernot.org>, Chris Wendt <chris-ietf@chriswendt.net>
CC: Sean Turner <sean@sn3rd.com>, "stir@ietf.org" <stir@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, "Peterson, Jon" <jon.peterson@team.neustar>
Thread-Topic: [stir] Questions about stir-certificates
Thread-Index: AQHTSTpVoMtE8aZexUWHseJtpp6pN6Ls68Ag
Date: Fri, 20 Oct 2017 16:25:48 +0000
Message-ID: <0b167ef6aabb40248995761d2e9eda01@plswe13m04.ad.sprint.com>
References: <D60E0087.1EEE44%jon.peterson@neustar.biz> <B85D8FB0-7814-4046-B667-1A47302CDEB0@chriswendt.net> <CADqQgCTUG8aV4e4wcyNVrZErbus0yiFYPjF_jNhxnnzySA_NnQ@mail.gmail.com>
In-Reply-To: <CADqQgCTUG8aV4e4wcyNVrZErbus0yiFYPjF_jNhxnnzySA_NnQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.214.116.46]
Content-Type: multipart/alternative; boundary="_000_0b167ef6aabb40248995761d2e9eda01plswe13m04adsprintcom_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:144.230.172.39; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(376002)(346002)(39860400002)(2980300002)(438002)(51444003)(199003)(24454002)(189002)(5660300001)(2950100002)(108616004)(53936002)(6246003)(4546004)(2900100001)(966005)(478600001)(229853002)(54896002)(106002)(7696004)(6306002)(8676002)(81156014)(236005)(512874002)(14454004)(54356999)(76176999)(50986999)(8936002)(7736002)(106466001)(356003)(2906002)(561944003)(84326002)(53546010)(790700001)(102836003)(606006)(33646002)(6116002)(54906003)(189998001)(39060400002)(16586007)(30436002)(24736003)(110136005)(97736004)(316002)(86362001)(5250100002)(3846002)(4326008)(81166006)(68736007); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR05MB3599; H:plsapdm3.corp.sprint.com; FPR:; SPF:Pass; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; BN3NAM01FT024; 1:jhJj3xiiNcnSkmtcYYFasYis+g6HwNihHJ5wOrjlYu+u5oMj3AUYds9JiDcNmsfxmSbCmK8Uyv3GpJKC1Au6cYUQssImacLaIQABp4ZC4oOzjA4WhYuYmUpFnTKMB5Ls
X-MS-Office365-Filtering-Correlation-Id: d1473094-c418-4370-7098-08d517d73b1d
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(8251501002)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603229); SRVR:MWHPR05MB3599;
X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3599; 3:0Ji0YhyBSi+QFP1joJmx88jxA1WqihFAcSMdBqxgq6UqDdoBRkcPIP9Z+m3740QispWRgl6Bz2C6a3BgA7Meml2JxjQSBwP0lHIHEo/Vx1J37p/G9jekZyqIH8IjAPRZNt/XtrBTmLdfncc3B05FAkQxQENnfRR45pMJHW9Tv8hLV8kSoz36RqmaUNRJEXvTheHtLxuhOydE6UDj7SgHQYzE98u9IX82r92e3b7BZUltRGIHe1IqlagkmA5vcgz0ubZHMOUag+kD83D4UoUgkbZE6Z8fIhPduGVW0xX/Sp9/Q0S0R2B84S6RLsTtsn0dXV3Ed8CDsJNvD5i4U1IvRCLwAzWXwRwX//SI2xm80Ac=; 25:MvJ21UOSeoxPAeX9QEOay66/BSNoWpKCFSJE3yy1jb5jkpvgbAhaTBA5xuldD0RMOhIZOfOB/qyRcJeLbjvsJtnHMbRDFcj1tTI3iuBHmim4gg33HrK0tiApla2efRJjJJecnnt8XGL4mpKb9NrZq6VRBKb38Bqd39LgQpsVDo+WrlO3yeQK0nGz3UqX09Lj9q1KbBeuhSwwtzsAPhzgZVr8uHEU9qnuXjPkoJTS+zXguzWQal9idj3VJeZ6YGmUCwJ5a9ZVVbS7UpjA/tMUdGmw7zy1jTgsTlPwlR1xcuGg9kZdCzxX6gzhrMVuYHxBiHdjrzxO1D5Vdbq0baz8dw==
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: MWHPR05MB3599:
X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3599; 31:SGtjWCby+90LRX0m2uTBOcUYi2ox0bYTBD0XbrYqJ0MP4gA61I8oIfUccfUKQB1xkEcJiw0dnpm3JMsb2LfgI+Cyfn89HrYLJLdsJwLaC9UrqkRmiGme3Qw8qRwqaVCrQyi5x1GVvd/DzKpR4w1tDQUlPJpwys8HPRAIKgdW6bDLjSiubwEjLFfTMZm/R3idnvaF0erkP+nIrTlgpJtfP7XjA7N8WxkC2rsjVYrVryE=; 20:uJQehfzqUzaceCF0bTTENJujja4fopHIegvavtGEgn+FYgZVSxj+QMAP0uxrirUcykspt5T8+CMfJrQzRICS2QRYL6ztp4pP5q98jftcE0sjNXWlwVJcGBewPN8fAsfD7IGjpmubyS6C/A6U5jZcLeMY++pMqzK37ISnH9tpaaN7SOMkombgfmDmWNTeSiUjE5P15QJsmTxFbF69uMzJv9e5LJ/r+szs+v3L8gZs6ONTDp4G1eSXkd25clFM23DqjpdeShxNEetQohB/J8rxaoNEc87OXWqNDgsuscRPe7uRiCe2TCCD71LtbiWMmK8BCekRev9Q7GBcaEC+qg4gulHaXZFLkvQxe/rZMF5H1sca+ODuoPyeOCUtFuSMbKTvyLpJ5j4mBhc9c2RfTALyTp8LOvo1T44du9Me4HN9YxwIzifcwPkusuxIGMiTTj4e5ugEEzsyhiMZPhrWbvCMDOR+r+P6PBylz3NtAZMT62rm16Ps7/ROSo+AErFJylpW
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(278428928389397)(21748063052155);
X-Microsoft-Antispam-PRVS: <MWHPR05MB35990A469DFF29A3E07BA35489430@MWHPR05MB3599.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(3002001)(3231020)(100000703101)(100105400095)(10201501046)(93006095)(93004095)(6055026)(6041248)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123555025)(20161123560025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:MWHPR05MB3599; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:MWHPR05MB3599;
X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3599; 4:F8I9qihz1eo2g3FeVgc8HGYpLmskaPfFsUeO9rSjunBbeL/a9yWDQVl/bB3WejjtPC4TrTPNrY7vs0Hx/EcmMObIND0JjPwBCntHSz50cxv366IPhBwlvOTw7db5uEhcGhmTo7v2zGsyYnVEbmdJtB8QmifCrDbqJC1JcVTB43u0zT7WI2XVUARrwclRRt++FgI33rjEYSOqEYN3ei8uAGXpgb1TIP5sSa0o38lI/JlgsMJmCg+796TVPE8mVHMf4YY4ocDCjMOSHPaDhkh4VMIRBF9uu2wtpEkSa7qLMziheXBQClY+XC7+nRZ/zT1kTbElopDZCLimhqcaPv2CVfFq6etU+93uBz4lSi29ayj4NFjx6nKnSazLVU1z2hs5
X-Forefront-PRVS: 0466CA5A45
X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3599; 23:shOOTk+627xB+bTPjoh2Lr0uZ/ITQF7pVk1Fl7w1LAoHh77oCSIj2zS6CbffR6Z9HP4uwG/d11JKh7U4v6iloRrlkwM+B27YuCRc0yyZC7W8Yfnib2rZcC8te4XnmWF8p31K8RaI1jkRyu3/SQOZ/QgmPNZG2GHA3clPgHs+t8sOTH/7wbVHTeh1dnHn3TmX72kj6ZTXOWLhC32AZeK5oo2FH3KbsH9slz2o0yIH+A0f0IiPEfEpdP3ujBRvEcdiyPkO5tHsLhOFpYx3bJSzZYZzCmwF5eimJh1xaJ1U7ZYsxZ9iHDkIISuKIohkp2xvdLN4SP+wLWAGByvq0rnTs7RMK5tlRfvGw++z9OLBsrxDurZ8P+5TIz3fnJA9CxRks+LvGH0e0RbXp0Br5LoBAW7HNKNqjYEwFFjV+V+u2VaV5BsPi0YKXMiczphklhhggCAAe8VCC/xizx90WhQ/D52RV6C9N9qXuXS7zGAu2weU0MXW0LIiRZh3Xok531jJBz3kqgZQ/SDu5cnO3wFwu7rICpouypuXweaWamq2NAe6j8awMVCQGdtChr1yqB3fNJbk4RmbVz7V/7JULTjpO97HBFeoSw2MFMbqBrGLdLiTZkFs4LBbgnWcS2soNzbNASD+Mh+oAWmkKK+I+D4oMNnqLSRQ7GXjI3pi2BvPiErPLhpTtVz1cVz/xUthPg0SQwEtzLnhriXW5BspIrj/7iKKrGE44YwZ0ARmRb4sLCuu0Lt9QxX4k3nQOSSXbeajZ3s3jlfgBY60eD0dXBdbah5OuHB+lB/26/v+OZyypzfMOXgy8Up+Oiz78ZlFOI1KkDvcaEsIPFeBzOHbLtr2nmtqoEJFuvLuuMC9sUbWf0B0ncpzgZBrP5XqMQnSg9dCXA3ja8qZao50uDsrnV68aOJ9H1eK/0dEh7SajVrFXyACj2rivTS3L4QoV3rZ0plMyxVCU3DPIv+QoCO6UycIK7BvEaETCo18o3DkRYHU/B93oBXqvkO0ZyXyLVwTNw02QI3bYTZJ4oc8BKt09iaWYLZhvJGdzu9RZEO4x7dRumgTNjzPkx75efLDJf/U79upap+B65wuNmuxoNEIejfgdEU2M9+jbaWPcohPA56ne+7DZdoppKP+iuSbwjTSqRkoh4hSfn6aM3fjNuteH67YgIPagi6t1ek62u9ilBK4dIuqbKod1l/f9KuBki37mdrSQ+RakEsWc5iL13qT60KP0+enYD0vJQo+23awpQe1hOZjdAFmNjMswrI+Tos9II4jiXDiwaWDATJmz3N/HTX31wm3CIpskk7oV/eqmPWGfvVGkU0E1aPouay9MW9DrVLBq3l8CBgemZVN9UKc9IKh0Q==
X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3599; 6:IiGTtB5HonL60VZ5VYssmmJOzI/m7yM5kki28URF84dg+yNs/xSYZF4k7ZqOkaE5PqXnmmeohXcOueP5e1fc8MSzREEH6ZTm4MHdIgBNtW2tzZ+kngOgJCbBHJe0KxUuXvPwiWWSOr14z/i2UcWQRlc6zi0J83CXGzx+xBS5u+sbO7gM4yK+msHgmnlLmh4bDKtNCYQAsFJZXZHBBfOU39fTg02dIUyLWHbp0csFEegkDQAXLQEidr30V2b8H3Flowg5uZSksnwbLdLBf+4bKP1QErG+MrzneXMgC6IPNsd5z7Wp8dSa8hR9aGUVC6J5LIkGHGTgyH14iDex4sfM2g==; 5:zbMgzLCv48OQsKoNRNZw5RvOuc/zgyElHHhe5o+voS8dVoJm3ixI6S9Jus9jh+bLLWnzZP8Z/h7Vz5wzyutC5uMD7UKzdobuoSPsOgKYtcVZqs3VOkltykpQF33DVc4xLhn6HZPQ1Gusa2rJh6b9cw==; 24:snU4dc4iSKC/l5q0qTLo3Y5FSnNc8BWRZjnxzhvRcyfKFFUrTc4W+Rl/W+k6wdoT8zkpRXV4pwvXhcBwGV2DRz72p7orskLuxh9rqvushHk=; 7:6/ATh9FMV/UXZaooVwZS5wV44b16ppWawjLCQahu6qygPaww2XtfireEpQGPr8VLEdygu7vJs7morzRHBVt3hWQA7a1cj3DkqcLEGMvK3OPOLR2NtTsRXG6pwpJZufuYR/V0nSv06P8ZUrtiaA/FWtz2vxzOv1ypjUZblQJ8qKozh6yOEt0OfsdexduD8l1B08RoVwtG/UXC6LOvS3+j3vwW7uyxuk/Q70XNs/E/IgU=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: sprint.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Oct 2017 16:25:51.7954 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: d1473094-c418-4370-7098-08d517d73b1d
X-MS-Exchange-CrossTenant-Id: 4f8bc0ac-bd78-4bf5-b55f-1b31301d9adf
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=4f8bc0ac-bd78-4bf5-b55f-1b31301d9adf; Ip=[144.230.172.39]; Helo=[plsapdm3.corp.sprint.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR05MB3599
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Q0dfvwFWiWFgHtAAaqEcUS85YzY>
Subject: Re: [stir] Questions about stir-certificates
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2017 16:25:58 -0000

David,

Chris Wendt proposed a Telephone Number Proof-of-Possession (TN PoP) architecture based on STIR/SHAKEN which I think can address your use case.  I also think your proposal of SPC delegation can work but would be as a commercial agreement and out-of-scope as regards protocol (but not policy?) work.  (It would also be my preference if I was operating a subordinate SP.)


From: David Bryan [mailto:dbryan@ethernot.org]
Sent: Thursday, October 19, 2017 4:57 PM
To: Chris Wendt <chris-ietf@chriswendt.net>
Cc: Sean Turner <sean@sn3rd.com>; stir@ietf.org; Martin Thomson <martin.thomson@gmail.com>; Peterson, Jon <jon.peterson@team.neustar>
Subject: Re: [stir] Questions about stir-certificates

Forgive me if I am off base here
and this use case is covered elsewhere (and if so, a kindly pointer appreciated). I've been following this group since the early days but not as actively as I used to follow such IETF matters, so I certainly may have missed something...

With respect to Jon's comment on delegation:

There are definitely large real deployments I am currently aware of of where large VoIP or regional providers (call this A) no longer "own" their numbers - they are owned by a large termination provider (call this B), are leased, and PSTN connectivity is still provided by that termination provider (B), who presumably "owns" the number from a STIR perspective.

In this case, however, these prividers (A) are large enough to peer directly with carriers for delivery. Some (many) calls from the VoIP provider's users' (A) bypass the termination provider (B, who is authoritative for the number) entirely if they are delivered, say directly from a caller on A' s network to a caller on a third network C with which A has such a direct peering relationship.

Given B is the authoritative owner of the number, despite A being the actual provider the customer's device authenticates with etc., I was under the impression the SPC delegation was how this would be handled. Provider A would sign using the delgated SPC from B after verifying the identity of the caller, and deliver that to C.

If there is no other way to do this, there are a large number if VoIP providers who will have a big issue. Just a further case, I think to argue we definitely need SPC delegation.

The only other way I see is the national authority knowing who leases from whom and issuing certs accordingly, but that seems ugly to say the least.

Is the case I mentioned one SPC delegation is intended to solve or is there another mechanism in mind?

On Oct 19, 2017 12:57 PM, "Chris Wendt" <chris-ietf@chriswendt.net<mailto:chris-ietf@chriswendt.net>> wrote:
From IPNNI Task Force point of view we have two general use cases we are looking at covering for now.

First is the pure SHAKEN mechanism which includes only a SPC to identify the service provider that is attesting to the telephone identity.

Second one we are looking at, but not completely defined yet is a SPC + TN or SPC + TNblock certificate which can be used for delegation or proof of possession use cases where the service provider that manages the telephone number both identifies themselves with SPC and the telephone identities in the certificate.

So i would like to make sure we keep the ability to have SPC and TN or TNblock as an array in TNAuthList.

> On Oct 19, 2017, at 12:17 PM, Peterson, Jon <jon.peterson@team.neustar<mailto:jon.peterson@team.neustar>> wrote:
>
>
> So as Sean Turner and I have been dotting the last I's and crossing the
> last T's in auth48 *cough* for stir-certs we did want to make sure we
> didn't neglect the things Martin talks about below, including pretty
> fundamental questions about how we structure the TNAuthList and what
> properties that structure can support, like delegation. Before slipping in
> any last minute changes that might be surprising, we wanted to run this by
> the group.
>
>> The first question is whether this delegation makes any sense for
>> service provider codes.  A service provider that signs a subordinate
>> (such as an enterprise that operates a PBX) is hardly going to allow
>> that subordinate to use their service provider code.  In light of
>> that, it seems like subjectAltName is entirely appropriate place to
>> put a service provider code.
>
> I think the use case for SPC delegation is probably not the enterprise
> case. A service bureau case makes more sense. We've also entertained cases
> where a large carrier, say, might have authority over multiple SPCs in one
> cert, but might want to delegate to some part of its own network a
> certificate for just one of those SPCs. I've also dimly envisioned, if
> this all takes off, use cases for selectively delegating applications
> associated with an SPC for a particular service, probably to a service
> bureau: like, Company A is doing the SMS for SPC 6166.
>
>> I really don't think that it's a great design choice to bundle service
>> provider codes with telephone numbers as TNAuthList does currently.
>> It seems arbitrary.  I'll concede that this might seem partly an
>> aesthetic objection, but the two are entirely different things with
>> different rules.  Given that the authority to sign for a telephone
>> number is most often a consequence of being a particular service
>> provider (and having a valid code) rather than a direct and
>> independent authority.
>
> That last point is rather what persuaded me at least that the two are
> coupled. I might even say that for verification purposes an SPC is just
> shorthand for a set telephone numbers that the SPC covers.
>
>> It's also unclear to me whether a certificate that includes AIA for
>> telephone numbers also effectively constrains subordinates to comply
>> with that set.
>
> I hope it does, yes. We can make sure the document does say that.
>
>> The document doesn't say.  On the assumption that it
>> does, what happens when the resource identified in the AIA changes?
>
> This is supposed to be a feature, believe it or not. If the resource
> behind the AIA changes, the scope of the certificate changes. Part of
> resolving the chain of authority in this model would be dereferencing any
> such AIA's, yes, and making sure it still holds.
>
>> There's a possibility that changes in the referenced resource could
>> invalidate subordinates.  Doesn't this put AIA on the critical path?
>
> That last point is probably better for Sean to speak to than me.
>
>> The draft is unclear on how uniqueness is managed for service provider
>> codes, or even if uniqueness is a requirement.  Is this a property of
>> the certification path in that a trust anchor will be connected to a
>> particular country prefix (or set thereof), or is there something more
>> concrete?
>
> The SPC as specified is admittedly a blank check we're writing at this
> point, but I think that's about where we are in deployment. The early
> adopters of this are North American carriers, there are already bodies who
> allocate codes for such carriers. I don't think the IETF is the right
> place to do that or to try to figure out how those identifiers should be
> internationally allocated or what should happen when signed messages pass
> into places where other sorts of SPCs might be in use. What's there now is
> good enough to let people kick the tires and get some experience; it will
> give national and international bodies enough leeway to define what they
> want for it, and we can point to that later.
>
>> How does one add `count` to a number containing "*" or "#"?
>
> Don't get wrong: I won't pretend that every possible corner case involving
> "*" and "#" has been given adequate consideration. They are there in the
> syntax to cover a very small number of paranoid forward-compatibility use
> cases of the "To" header field, mostly ones that in turn will use the
> proposed "divert" extension. (For example, I'm dialing *69. That goes to a
> server that is going to retarget the call to the last party who called me.
> How should that retargeting server sign the "divert"?) I don't think count
> will be practically relevant to those cases, which will would have to use
> specialized certs anyway. I know we don't have all that fully specified,
> but kind of like SPC, we're trying to leave a bit of wiggle room in the
> syntax not to close doors on possibilities.
>
>> Does the addition of `count` treat the `start` as an integer?
>> What does a `count` of 0 mean?
>
> I believe a count of '0' is disallowed.
>
>> How do I express that all numbers in the +1 prefix are covered?
>
> If it were up to me, probably, I wouldn't want the NANPA to publish a cert
> with authority for +1, but instead, for the valid set of 10,000 blocks
> (done with "count") that cover the allocated +1NPANXX's. But to your
> bigger question...
>
>> (The NANP is perhaps a bad example, try finding solid
>> information on the numbering plan for +257).  Did the working group
>> consider a number prefix in addition to the range, to allow for saying
>> "+1..." as a single rule?
>
> I went back and forth a lot between count versus prefix a couple years
> ago, and honestly neither is perfect. Count can least theoretically do
> things prefix can't; but doing some that are ugly to do with count can be
> done very elegantly with prefix. Maybe the best thing for us to do is at
> least leave the door open in the syntax to specify another way to do
> number ranges? I think for our current purposes count is probably okay,
> but I wouldn't object to adding wiggle room so we could specify other
> options in the future.
>
>> Why does JWTClaimName use IA5String rather than UTF8String?  If you
>> need constraints on valid characters, prose is a better choice.  RFC
>> 7519 permits any Unicode string by not constraining the format of the
>> name.
>
> We discussed this quite a bit with the IESG in terms of consistency across
> the three drafts, and I think what we have in the post-auth48 versions
> should be okay. We just want to make sure that the claim names and the
> syntax of the JWTClaimNames are the same - practically speaking I don't
> think we're going to see things in the claim names outside the IA5 range,
> so I don't think it's a problem as such.
>
> Jon Peterson
> Neustar, Inc.
>
> _______________________________________________
> stir mailing list
> stir@ietf.org<mailto:stir@ietf.org>
> https://www.ietf.org/mailman/listinfo/stir

_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir


________________________________

This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.

v2.23.0 | Report a Bug | By Email