Re: [stir] WG Review: Secure Telephone Identity Revisited (stir)
Christopher Morrow <morrowc.lists@gmail.com> Wed, 21 August 2013 19:18 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C008021F9BD0; Wed, 21 Aug 2013 12:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ap2ejhNv0mDs; Wed, 21 Aug 2013 12:18:24 -0700 (PDT)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) by ietfa.amsl.com (Postfix) with ESMTP id B687F21F9F3D; Wed, 21 Aug 2013 12:18:19 -0700 (PDT)
Received: by mail-lb0-f181.google.com with SMTP id u12so691123lbd.26 for <multiple recipients>; Wed, 21 Aug 2013 12:18:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=vDOd/6qrES4yp1m05LXxJwQfPfOip0VzcJzHpI/5jAw=; b=wFn5T2wGHe2GD3NLUc8swW3FZuolcFkdUTkXKqz5o2VaWIC8f3vbNuXFyB85SQN0/e 0xGDjAKOjaeBK+dlrsfbYEj8ETUM/2cCvPSWBNkw7TIpvqPkgyHOBVKP4xf3T8E9hqXA 97T/s8q+ilDpC7gzPkng4XayfyhTeDdd/53SR4KI3Kdug52lyINT/NMy2uUg12mCIimX ePcfdUHvCSGyTN85nGWx7A34wcNDZ5+Fbz96Am/Sy/rD5rJfIRfNw9JKWmSZD75Vg6P0 1HkvwiJipjcVny2AAgFIVrqHwEBonwvkHK8xrNmk4AkfuWUdO4p6AKthdjsOCamMQ3gh 9kqg==
MIME-Version: 1.0
X-Received: by 10.112.57.49 with SMTP id f17mr8405809lbq.26.1377112698637; Wed, 21 Aug 2013 12:18:18 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.152.6.3 with HTTP; Wed, 21 Aug 2013 12:18:18 -0700 (PDT)
In-Reply-To: <52150FD6.8010306@dcrocker.net>
References: <20130821175202.24713.10458.idtracker@ietfa.amsl.com> <52150FD6.8010306@dcrocker.net>
Date: Wed, 21 Aug 2013 15:18:18 -0400
X-Google-Sender-Auth: NXYYWtq26JbHbgTJaot5rRuEZLE
Message-ID: <CAL9jLaaOwB4UNmrgxrEOV=03n2CkQbECR3USUd258-xu_ehiJw@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: dcrocker@bbiw.net
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Tue, 27 Aug 2013 08:39:21 -0700
Cc: stir WG <stir@ietf.org>, The IESG <iesg-secretary@ietf.org>, ietf <ietf@ietf.org>
Subject: Re: [stir] WG Review: Secure Telephone Identity Revisited (stir)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 19:18:24 -0000
On Wed, Aug 21, 2013 at 3:07 PM, Dave Crocker <dhc@dcrocker.net> wrote: > The following mostly are points that I raised within the group's mailing > list discussion, during charter development. In my view, they have not yet > been adequately resolved: > > > On 8/21/2013 10:52 AM, The IESG wrote: >> >> Please send your comments to the IESG mailing list (iesg >> at ietf.org) by 2013-08-28. > > ... >> >> The STIR working group will specify Internet-based mechanisms that allow >> verification of the calling party's authorization to use a particular >> telephone number for an incoming call. > > > "use a particular telephone number for an incoming call" has no obvious and it'd actually be kind of nice if the focus was NOT on the (us) 10-digit "number", but instead on the 'identity' making the call. There's a real chance to move beyond the '10-digit number' and to some stronger, wider, richer sense of 'identity'... we should take that opportunity and run with it. > unambiguous technical meaning. In fact, it seems to imply the meaning of > "authorization to call a particular number". However of course that's not > the intended meaning. Since this is the only text in this paragraph that > says what the working group will /do/ it should make its statement with > clarity and technical substance. > > That is, the charter needs to use a precise term for specifying the specific > role of the number of interest. In earlier drafts, "caller id" was used. s/number/identity/ > The next sentence uses "source telephone number". Perhaps that is > acceptable. no... focus on 'telephone number' is broken. Hell, it's not even what's used in the phone system anyway... not really. >> Since it has become fairly easy >> to present an incorrect source telephone number, a growing set of >> problems have emerged over the last decade. As with email, the claimed >> source identity of a SIP request is not verified, permitting unauthorized > > > As a matter of form, I'll note the SIP's community's use of "identity" is > what is called "identifier" in the identity community. > > ... > >> As its priority mechanism work item, the working group will specify a SIP > > > Reference to work priority is only meaningful in the face of a list of tasks > that will be considered simultaneously and what it means to give priority to > one over another. Based on the lengthy mailing list discussion of in-band > vs. out-of-band, it appears that the current charter is actually intended to > support simultaneous work on alternative mechanisms, rather than pursuing > them sequentially. > > This should be made explicit. If the requirement is to work on them > sequentially, then state that. If the intent is to work on both approaches > simultaneously, then say that. > > ... > > >> In addition to its priority mechanism work item, the working group will >> consider a mechanism for verification of the originator during session >> establishment in an environment with one or more non-SIP hops, most >> likely requiring an out-of-band authorization mechanism. However, the >> in-band and the out-of-band mechanisms should share as much in common as >> possible, especially the credentials. The in-band mechanism must be sent >> to the IESG for approval and publication prior to the out-of-band >> mechanism. > > > "in-band and the out-of-band mechanisms should share as much in common as > possible" > > This is the essential text that mandates working on both approaches > simultaneously and makes the earliet assertion about priority moot. (Note > how far down in the charter this is buried, yet how fundamental a > requirement is establishes.) > > > ... > >> Input to working group discussions shall include: >> > > That's a lengthy list of documents. Why has it left out other documents > discussed during charter development and clearly of continuing interest to > the effort, namely: > > A proposal for Caller Identity in a DNS-based Entrusted Registry > (CIDER) > draft-kaplan-stir-cider-00 > > An Identity Key-based and Effective Signature for Origin-Unknown > Types > draft-kaplan-stir-ikes-out-00 > > > d/ > > > -- > Dave Crocker > Brandenburg InternetWorking > bbiw.net
- Re: [stir] WG Review: Secure Telephone Identity R… Dave Crocker
- Re: [stir] WG Review: Secure Telephone Identity R… Hadriel Kaplan
- Re: [stir] WG Review: Secure Telephone Identity R… Cullen Jennings (fluffy)
- [stir] WG Review: Secure Telephone Identity Revis… The IESG
- Re: [stir] WG Review: Secure Telephone Identity R… Christopher Morrow