Re: [stir] Roman Danyliw's Discuss on draft-ietf-stir-passport-divert-08: (with DISCUSS and COMMENT)
"Peterson, Jon" <jon.peterson@team.neustar> Mon, 13 July 2020 14:42 UTC
Return-Path: <prvs=8463aa7b49=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 813F93A126A; Mon, 13 Jul 2020 07:42:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar header.b=GKkrOnh4; dkim=pass (1024-bit key) header.d=neustar.onmicrosoft.com header.b=astdnJPb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PARnIE-UdHJ; Mon, 13 Jul 2020 07:42:02 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01083A125E; Mon, 13 Jul 2020 07:42:01 -0700 (PDT)
Received: from pps.filterd (m0078668.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 06DEWUMP008845; Mon, 13 Jul 2020 10:41:58 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=team-neustar; bh=2XEwmWEyOl/qYanQc3U7VXCxSiRqmLc20r9BYt3UAT8=; b=GKkrOnh4GVt9eD/yXe49eQNe/AtVEGXGKqaj+d0yhnlaC1pCNfHpkSJlMH/CjaCrZjmh 8qxC0xFrieMagqbhNZpKOQVtgiMzjq+YcHprv1VLzWnyWlMmdQ1FQEw76ZDH8DfWcnJ5 K/G6GIBa2uOqTl4ld+6SKrN06LJjJ4RAs7KCA7YgVNMtGt1XdkOnJ3ywPUNeFZdjrHe4 6RiUC4cRUUjGdyDw8GCX4O8DpJtnNGtZ/amYNilCBmM5JLB2m8tIBRx8FNmW0oaBUaJK rGjSpKP0atjzwak805DlA5UGxYNWeq1kocjDyJrFPp506m73D+W8go8NTBiXit2bWWOg 7g==
Received: from nam04-bn3-obe.outbound.protection.outlook.com (mail-bn3nam04lp2052.outbound.protection.outlook.com [104.47.46.52]) by mx0b-0018ba01.pphosted.com with ESMTP id 327yu7csxy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Jul 2020 10:41:58 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UdR/eW94Std6N9qa7ez0Gv5LUzaUBkMFCeh6DYYIJgLIxWsYX6YkvOfLI/IetIHxDJOc4pluD9h4YoTYb2XJzOLvw+G3nrO8UPT0BE/so1m6rmNBrt/pxf/kthEd5/DhxnhAkJaGkx4ctyp6ANmzOjWDtzEX+AC0N/z9sjTMbzXOnBqitbPazILEEoGgCa+Bq1GubpbEzFoudCsXPRyrkd4Qq3VdwpFXJcxEjkPoIhrrw7HKAJWzgU7R+oznaSx2NFDP1jzQAxV0DkgIM9LpzNhHjtUoJHJiLzzc0unrjkiOg5gV/UBjmQYTVBD5NJkCjvNdc1hRIaMWgo0aFqAViQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2XEwmWEyOl/qYanQc3U7VXCxSiRqmLc20r9BYt3UAT8=; b=lWcgvpfUgjDXhTBCsMg1fYyiGhvZMEY7tfuuXQdlNREU6gjG0YfMk5suMd4H73xxVyjYcRsM2W90dVOFl5exk3lBu2izjXbcllGRh2P2vG+LK5DklOWXwmD9b16HT4u8+2s1AVFKh1GJxSTcYX1Vae6/u/JgHzRncrMFP5jrpt/mn5kS/yVbJ+wkVuPilEcF1LhmGNrH6UBdo5qm8/sbA4fL264SKW5D3q3r8xRFvuT2H8mMy7o02piKcVvO1kWLm4Tp9+pSPaoO4kGIGZcyYf3cPQGal6Lj8DMUcyqvH524wwd8FUPBD+eOuDkHcjwzkKwwfwEFfktjwjpjy3+BQQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=team.neustar; dmarc=pass action=none header.from=team.neustar; dkim=pass header.d=team.neustar; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=neustar.onmicrosoft.com; s=selector1-neustar-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2XEwmWEyOl/qYanQc3U7VXCxSiRqmLc20r9BYt3UAT8=; b=astdnJPbvXf8PGI0uB8gd20hQ3vyUk5DpUIyxfdtsBU8i3oonKL+iu0ScsioG5gs4QuxqpKCEuKWsYPhkVTSTCgeLsLl4eEQfzOpFf39KM8eMKjLNkznfAPPhYUXhRy9PXiaqmBaERStIs4kMGmJjo0yB5eJvK9IzCiDnTwEso0=
Received: from BY5PR17MB3569.namprd17.prod.outlook.com (2603:10b6:a03:1b9::20) by BYAPR17MB2936.namprd17.prod.outlook.com (2603:10b6:a03:f1::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.24; Mon, 13 Jul 2020 14:41:57 +0000
Received: from BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::503b:2ce0:8d8b:6b15]) by BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::503b:2ce0:8d8b:6b15%5]) with mapi id 15.20.3174.025; Mon, 13 Jul 2020 14:41:57 +0000
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-stir-passport-divert@ietf.org" <draft-ietf-stir-passport-divert@ietf.org>, "stir-chairs@ietf.org" <stir-chairs@ietf.org>, "stir@ietf.org" <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-stir-passport-divert-08: (with DISCUSS and COMMENT)
Thread-Index: AQHWDROzQ4rLFGadBUmiB+nphvW6J6iBpTSA
Date: Mon, 13 Jul 2020 14:41:56 +0000
Message-ID: <905688A3-7259-4AE3-8AF5-22102A1FF1B6@team.neustar>
References: <158628812675.31223.5976532284560812662@ietfa.amsl.com>
In-Reply-To: <158628812675.31223.5976532284560812662@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.17.200615
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=team.neustar;
x-originating-ip: [2600:1700:2ec0:8108::a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cd5dc680-4788-405f-2dca-08d8273ae4b6
x-ms-traffictypediagnostic: BYAPR17MB2936:
x-microsoft-antispam-prvs: <BYAPR17MB2936D77782A7795A508B837AE2600@BYAPR17MB2936.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OFoacjr3o26sGnxWqFXRVf7D7Y3hEy2kd88d549tvFRc6Xv4zZ03rVhIPwInOEuSCovrooHz0n9z8/9l5fTeKhM+0Ust0kbBcH9pGC8YCVXBsST7GvM6A/LinONsJ8W3pp/P076fPVEPpYYJoxTrAhl8EKjMDcHMjnp7fQAMbkXKFwhAUPfo1F3lS2f8rsB8bn7CjaeoomsrGbJiTjNmdgBzANEY3MqTa1L8ubHkhOW5yRACnxPFBH/Q2NghSr6Ie4YxxSclKI+nziOMYxGOjOmOXurJw9+ZxlwwFT1a7DOxpmgeDy/RjdM+IFDYK25C+QLPo+hAx8+bkW9gC3SOQYysXdr8MugIheJQwowryZywNjFszYZbRygezc7RRCw2
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR17MB3569.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(396003)(39860400002)(376002)(136003)(346002)(33656002)(66446008)(64756008)(66556008)(66476007)(66946007)(76116006)(6512007)(186003)(71200400001)(6506007)(2906002)(86362001)(8936002)(6486002)(316002)(110136005)(54906003)(478600001)(5660300002)(83380400001)(4326008)(2616005)(8676002)(46492007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: DB6K5xDhWukHi8Lyg/GKc+OuRCrKckG9sYvQb74c4ybzRqhO5IpkWVG+25tnjscTmpHAjPqNdnfm+RVGJ5W6c1cQzyEpOVWdmyH0gfXgs9WQpDL4FnDoCUWDd9KhP4jHk4k+coqmAqFYzjA/nRh/KWJUMO5ttnNQGZoLc5MBxAt6WBGyHI8v5SIjO3QgllB42Dm4E3i/ZDojPv1wGUNExVgKmXq62mROIkLEjk/0EjRBZj7plsemv/MnwW2VUqYTQcTH+ZMwbpsa4AW1hGkyW/HKZspHUNJdXy7MD/ObcpOEnbendWXmdpxH2vKCxCm8RXoug8T8Ts/pB7DeX4ww4xFgNY4KEDejVKi3M7HNh1XOQWTwtAAyek9NnEwMPhsfByoc6WSsdvaTeiYjeb00uz1W3N1j9SWbN/87Vuwa34vq8WFqYYMel61IZzOhEIPE29geOPfmL5XnV4uHurzDvCdrXc/qpQr8YpcX5YDvp9P5ElQNA0JqwwyDS8QKLHhzvpTyJtcSOBIwYvY9/qGjeQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <BBB4C2AE88A2DC4783A905C79B945A58@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: team.neustar
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR17MB3569.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cd5dc680-4788-405f-2dca-08d8273ae4b6
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2020 14:41:57.0746 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 73a2bbc1-f307-47c4-8f94-5f379c68bc30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OQjk8hKCt1NJyfrwA+YtYknLlJLdMj1NotSsnvmg4TKUoKwCRTx0nzVkkRK3+uWK1R/VLcCp2AM2s88kOM9XcfIibUk+8NPf9v2TTBxHO88=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR17MB2936
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-13_14:2020-07-13, 2020-07-13 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1011 priorityscore=1501 suspectscore=0 mlxlogscore=773 phishscore=0 bulkscore=0 impostorscore=0 lowpriorityscore=0 adultscore=0 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007130109
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/QprHdov4fU4nTcl-9X-jhPaZSvo>
Subject: Re: [stir] Roman Danyliw's Discuss on draft-ietf-stir-passport-divert-08: (with DISCUSS and COMMENT)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 14:42:04 -0000
Hi Roman,
Thanks for the notes on this; sorry for taking a while to get around to them.
Roman Danyliw has entered the following ballot position for
draft-ietf-stir-passport-divert-08: Discuss
----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------
Section 5. The text notes that procedures for the authentication and
verification service for the “div-o” claim will be “left to future work”. Can
the rational for this deferral be explained. Creating an interoperable
solution without this guidance seem challenging as it would be crucial guidance
on processing this newly introduced claim.
This -08 text mostly resulted from a process matter. To get into the document history a bit, when we moved stir-oob off the Standards Track to an Informational in the late stages of its development, we still wanted "div" to be future-proof when/if standards-track work based on the OOB framework rolled around (like for example the new OOB servprovider draft in STIR). Our solution was to uplevel: to specify "div-o" as something not specifically coupled to OOB, but instead as a general mechanism that could be used by OOB or other protocols that might prefer to use nested "div-o" style PASSporTs. That isn't an entirely cynical move, as we anticipate that protocols other than SIP will use the PASSporT mechanism, and might want to use the nested approach of "div-o".
I think within those constraints, I can thread the needle with some useful text about the non-SIP AS/VS behavior associated with the creation of "div-o" PASSporTs in a way that makes no explicit reference to OOB as such, but would apply equally if say XMPP or RTCWeb or some similar mechanism wanted to make use of PASSporT and nested "div". I've added some text to this effect, which I hope is sufficient - let me know if it isn't.
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
Please respond to Phillip Hallam-Baker SECDIR review (thanks Phillip!)
Done.
** Section 4.1. Per “Provided that these PASSporTs share the same "orig" and
"dest" values, the retargeting entity's authentication service SHOULD generate
only one "div" PASSporT”, why not MUST here? What’s the corner case?
One corner case I can imagine is where diverts from special-use PASSporTs need to be signed with a certificate issued by a one-off trust anchor. Say, due to the government policy constraints of the "rph" header or something similar, you need to sign a "div" for its PASSporT with a different credential than you would use to sign a "div" for ordinary carrier calls. Not a common case, but, I don't want to close the door on it.
** Section 4.2. Per “However, note that in some use cases, including certain
ways that blind transfer is implemented, it is possible that an established
call will be retargeted long after it has originally been placed, and
verification services may want to allow a longer window for the freshness of
the innermost PASSporT if the call is transferred from a trusted party.”, are
there any recommendations or bounds that can be placed on the duration of this
“longer window of freshness”?
Unfortunately, not ones that are immensely useful - maybe like 3 hours? Attended transfer services can be triggered any time into a call - if you've ever gone through escalation with a bank company customer service line, you've probably experienced multiple such transfers during a single call which begins with you being on hold for 45 minutes, and you can easily spend ten minutes talking to one agent before you end up on the line with another. I think the "trusted party" portion here is the significant bit - that relying parties should only accept these kinds of stale PASSporTs within a closed circle of trust. Still, calls don't last for like a week, so there must be some upper bound here. I can put in 3 hours as a soft recommendation, I guess, if it helps...
** Editorial Nit:
-- Section 3. Typo. s/identifiier/identifier/
Fixed. Thanks!
Jon Peterson
Neustar, Inc.
- [stir] Roman Danyliw's Discuss on draft-ietf-stir… Roman Danyliw via Datatracker
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Peterson, Jon
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw