IETF Logo Mail Archive

Re: [stir] current draft charter - ENUM and databases

"Peterson, Jon" <jon.peterson@neustar.biz> Mon, 17 June 2013 07:07 UTC

Return-Path: <jon.peterson@neustar.biz>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D81921F9AAB for <stir@ietfa.amsl.com>; Mon, 17 Jun 2013 00:07:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.244
X-Spam-Level:
X-Spam-Status: No, score=-106.244 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lB6sgfEzby5d for <stir@ietfa.amsl.com>; Mon, 17 Jun 2013 00:07:41 -0700 (PDT)
Received: from neustar.com (mx2.neustar.com [156.154.25.104]) by ietfa.amsl.com (Postfix) with ESMTP id DD0AC21F9AA1 for <stir@ietf.org>; Mon, 17 Jun 2013 00:07:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=neustar.biz; s=neustarbiz; t=1371452801; x=1685861982; q=dns/txt; h=From:Subject:Date:Message-ID:Content-Language: Content-Type:Content-ID:Content-Transfer-Encoding; bh=BxgdiQjoA0 Rvw1FwiwYlgGBI8uFJ7EKSggISjsll81w=; b=YufRUtgAj6/KFnKfgd9TDudvPd pg/Ww3BUP45cy6sya5F67Sd97VAj2hOzmsFT2hwAZTqVX35Zig80a6eBKtFQ==
Received: from ([10.31.58.69]) by chihiron2.nc.neustar.com with ESMTP with TLS id J041123125.21045721; Mon, 17 Jun 2013 03:06:40 -0400
Received: from stntexmb12.cis.neustar.com ([169.254.2.76]) by stntexhc10.cis.neustar.com ([169.254.4.66]) with mapi id 14.02.0342.003; Mon, 17 Jun 2013 03:07:25 -0400
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Hadriel Kaplan <hadriel.kaplan@oracle.com>, Henning Schulzrinne <hgs@cs.columbia.edu>
Thread-Topic: [stir] current draft charter - ENUM and databases
Thread-Index: AQHOaJxVI+SntM7IA0Gg0AdKCtvNaJk3aKkAgAG9EACAAJEAgP//mGKA
Date: Mon, 17 Jun 2013 07:07:23 +0000
Message-ID: <CDE40112.214EA%jon.peterson@neustar.biz>
In-Reply-To: <62BC978C-4C84-42CB-B1ED-C71209956B33@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
x-originating-ip: [192.168.128.73]
x-ems-proccessed: R64IxjzeHPwwd+efoj3ZcA==
x-ems-stamp: ctwVTxaHZiMg5VSYdiyPpA==
Content-Type: text/plain; charset="us-ascii"
Content-ID: <7FD03B64C79925438DB8E402642744D5@neustar.biz>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] current draft charter - ENUM and databases
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2013 07:07:46 -0000

I think the advantages below, with the exception of 4, would be true of
any golden root we created for whatever protocol, be it HTTP or something
else. I'm sure I could define an HTTP golden root such that the
verification service could synthesize the proper fetch request from the
URI in the From with an Identity-Info, one that updated in real time so
you never needed to worry about revocation, one for which there was only
one CA, and which you could locally cache (well, okay, 5 does conflict a
bit with 2). 

Also, all of the (snipped) concerns you raised about access control,
middlemen, charging, etc are just as likely to arise for DNS as for any
other proposal.

Now that much said, I'm not convinced HTTP is the end-all-be-all for
Identity-Info. I had high hopes for CID when RFC4474 was written. But more
seriously, I don't think we should rule out DNS as an access method for
credentials at this stage. Even if we were just copying public keys out of
certs from a cert store into the appropriate node of the DNS, and totally
duplicating effort, if that helped adoption for some use cases it would
probably be worth it. Maybe some of Henning's "convenience" databases
could take this form.

Jon Peterson
Neustar, Inc.

>The advantages of using the DNS as the repository for the cert data,
>instead of giving an HTTP URL in a header to get a cert from, are:
>1) There's no header needed for carrying a URL.
>2) There's no need to worry about revocation, because the instant a
>number changes ownership, the DNS entry of its cert changes.
>3) There're far fewer potential CAs to have to trust - ideally only one
>per country-code, the same one that's authoritative for its country-code
>branch of the DNS tree; and we'd be using DNSSEC so its cert is in the
>DNS, and it's the signer of its entries.  In fact you might be able to
>just have the raw public key in the DNS instead of the whole cert,
>because the rest of the DNSSEC-provided info is redundant with the stuff
>in a cert for this use-case.
>4) It's generally faster, and with tighter client control for
>retransmit/timeout because it's UDP.
>5) For bigger carriers, they can have local DNS servers with copies of
>the frequently accessed data (e.g., local nation E.164s) that their
>verification systems can query.
>
>-hadriel
>
>_______________________________________________
>stir mailing list
>stir@ietf.org
>https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email