Re: [stir] "iat" value to use during PASSPorT construction

"Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com> Fri, 20 July 2018 20:32 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/S8THWCAqYOmHk8_1f9raJB4j6AU>

None of which invalidates the concern Willi asked about.

I’m not saying there aren’t approaches available for dealing with signed and verified but still bad calls.  All I am saying is Willi is correct to be concerned because it happens today without the signatures.  What we’re discussing is constraints and limitations and those are worth identifying and acknowledging.

Pierce


From: Asveren, Tolga [mailto:tasveren@rbbn.com]
Sent: Friday, July 20, 2018 3:27 PM
To: Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>; williw <wilhelm@wimmreuter.de>
Cc: stir@ietf.org
Subject: RE: [stir] "iat" value to use during PASSPorT construction

Again, there should be a policy to cover that, e.g. such organizations won’t be trusted anymore, or at least not on the same level as others which did a good job on their end as originating networks. And probably some regulatory action can be taken based on complaints.

Thanks,
Tolga

From: Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>
Sent: Friday, July 20, 2018 4:24 PM
To: Asveren, Tolga <tasveren@rbbn.com>; williw <wilhelm@wimmreuter.de>
Cc: stir@ietf.org
Subject: RE: [stir] "iat" value to use during PASSPorT construction


I think you missed my point.  There will be authoritatively signed calls with legitimate numbers from bad actors placing illegal or unwanted calls with bad intent.  Get enough of them and you can think of it as poisoning the well.

Pierce

From: Asveren, Tolga [mailto:tasveren@rbbn.com]
Sent: Friday, July 20, 2018 2:54 PM
To: Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>; williw <wilhelm@wimmreuter.de>
Cc: stir@ietf.org
Subject: RE: [stir] "iat" value to use during PASSPorT construction


Not disagreeing with your points in general but:

I don’t think there is a “protocol level” check possible of whether a signature generated by an intermediary and verified successfully was created maliciously or not. This has to depend on policy. Depending on the attestation level, one may check whether the signer is authoritative for the origin, or whether it can be trusted for the particular attestation level without such a check. Whom to trust for which attestation level is really an operational/administrative decision and doesn’t have anything to do with protocol semantics AFAICS. But eventually, it may be “learned”, based on the ratio of valid/spam/malicious/etc… calls signed by a certain organization.

Thanks,
Tolga

From: Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com>
Sent: Friday, July 20, 2018 3:12 PM
To: Asveren, Tolga <tasveren@rbbn.com>; williw <wilhelm@wimmreuter.de>
Cc: stir@ietf.org
Subject: RE: [stir] "iat" value to use during PASSPorT construction


Because of the large volume of porting and ported numbers I assume it is impractical (or at least undesirable) to validate in real-time that a number is “owned” by the originating carrier.  This also won’t work for the scenarios where the call is signed by a transit or gateway carrier (say for automated traceback).

It has been said many times that just as all unwanted and illegal robocalls do not use spoofed calling numbers, it should be assumed that bad actors will originate signed calls with bad intent.  Prepaid phones and ephemeral enterprise SIP trunks will be a good home for these kinds of calls.  And there are other scenarios as well.



From: Asveren, Tolga [mailto:tasveren@rbbn.com]
Sent: Friday, July 20, 2018 1:18 PM
To: williw <wilhelm@wimmreuter.de>
Cc: stir@ietf.org
Subject: Re: [stir] "iat" value to use during PASSPorT construction

I don’t think that is an issue, as a signature being cryptographically valid doesn’t mean that it is “completely fine”. It also should be checked that the signing organization is authoritative for the claimed (and verified) origination.

Please consider that the scenario you mention is not related to the “originating network signs only if the call leaves the network” policy. It can happen in any case: an intermediary (maybe with malicious intent) can just generate a valid signature for any call by using its own key; but then the above check I mentioned would detect that the signer is not authoritative for the origination, i.e. the signature is not generated by the originating network.

Thanks,
Tolga

From: stir <stir-bounces@ietf.org> On Behalf Of williw
Sent: Friday, July 20, 2018 11:15 AM
To: Asveren, Tolga <tasveren@rbbn.com>
Cc: stir@ietf.org
Subject: Re: [stir] "iat" value to use during PASSPorT construction


Sorry, I unsuccessfully submitted my concern on the jabber list during the meeting.
However, this could be valid here and possibly applies to other areas of STIR as well.


My concern that came up while seeing the cat slides in the meeting was the following:


Signing outbound / egress calls only.
This emulates the old PSTN paradigm and enables impersonation as we have it in SS7.
Without originating signatures this seems to be a big impersonation hole, I assume.

In fact, operators will happily sign my robocalls and other malicious stuff.
And this will guarantee that my robocalls have a valid signature that will also be perfect for OOB signalling etc.

Is this concern valid?

Sorry this did not come through the scribe and to the mic.

Thanks

Willi
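The check Tolga describes in the thread (a cryptographically valid PASSPorT signature is not enough; the verifier must also confirm that the signer is authoritative for the claimed origination, with trust per attestation level being an administrative policy that may be "learned" from complaint ratios), as an added Python example that is not from the thread or any STIR implementation. The number-ownership table, trusted-signer sets, 60-second "iat" window and bad-call threshold are constructed assumptions, and signature verification of the PASSPorT is assumed to have already succeeded before this policy step runs.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed, hypothetical policy data (not from the thread): which carrier is
# authoritative for a calling-number prefix (a stand-in for a real number
# ownership / porting lookup), and which signers are accepted for the lower
# attestation levels without such a lookup.
TN_AUTHORITY = {"1215555": "carrier-a", "1303555": "carrier-b"}
TRUSTED_FOR_LEVEL = {"B": {"carrier-a", "carrier-b"},
                     "C": {"carrier-a", "carrier-b", "gateway-x"}}
IAT_WINDOW = 60        # seconds of "iat" skew tolerated (an assumption)
BAD_RATIO_LIMIT = 0.2  # demote a signer once >20% of its calls were reported bad (assumption)

@dataclass
class SignerStats:
    signed: int = 0
    reported_bad: int = 0

reputation: Dict[str, SignerStats] = {}

def authoritative_carrier(tn: str) -> Optional[str]:
    """Longest-prefix match of the calling number against the ownership table."""
    for n in range(len(tn), 0, -1):
        carrier = TN_AUTHORITY.get(tn[:n])
        if carrier:
            return carrier
    return None

def evaluate(claims: dict, signer: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Policy check applied AFTER the PASSPorT signature has verified.
    `claims` is the decoded PASSPorT payload (RFC 8225/8588 claim names);
    `signer` is the organisation identified by the signing certificate."""
    now = int(time.time()) if now is None else now
    if abs(now - int(claims.get("iat", 0))) > IAT_WINDOW:
        return False, "iat outside freshness window"
    stats = reputation.setdefault(signer, SignerStats())
    if stats.signed and stats.reported_bad / stats.signed > BAD_RATIO_LIMIT:
        return False, f"{signer} demoted: bad-call ratio too high"
    level = claims.get("attest")
    orig_tn = claims.get("orig", {}).get("tn", "")
    if level == "A":  # full attestation: signer must own the calling number
        owner = authoritative_carrier(orig_tn)
        if owner != signer:
            return False, f"{signer} not authoritative for {orig_tn} (owner: {owner})"
        return True, "full attestation by authoritative signer"
    if level in TRUSTED_FOR_LEVEL:  # partial/gateway: trust is per-level policy
        if signer in TRUSTED_FOR_LEVEL[level]:
            return True, f"{signer} trusted for attestation {level}"
        return False, f"{signer} not trusted for attestation {level}"
    return False, f"unknown attestation level {level!r}"

def record_outcome(signer: str, reported_bad: bool) -> None:
    """Feed complaint data back so trust in a signer is 'learned' over time."""
    stats = reputation.setdefault(signer, SignerStats())
    stats.signed += 1
    stats.reported_bad += int(reported_bad)
```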
