Re: [stir] current draft charter
"Peterson, Jon" <jon.peterson@neustar.biz> Fri, 14 June 2013 01:58 UTC
Return-Path: <jon.peterson@neustar.biz>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E03121F9B06 for <stir@ietfa.amsl.com>; Thu, 13 Jun 2013 18:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.511
X-Spam-Level:
X-Spam-Status: No, score=-106.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eeRF02E42EtN for <stir@ietfa.amsl.com>; Thu, 13 Jun 2013 18:58:54 -0700 (PDT)
Received: from neustar.com (smartmail.neustar.com [156.154.25.104]) by ietfa.amsl.com (Postfix) with ESMTP id 4892221F9AFE for <stir@ietf.org>; Thu, 13 Jun 2013 18:58:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=neustar.biz; s=neustarbiz; t=1371175021; x=1684528095; q=dns/txt; h=From:Subject:Date:Message-ID:Content-Language: Content-Type:Content-ID:Content-Transfer-Encoding; bh=1u5O5kt69/ nrgUXy64Lx60Weq3FdxeA9jZxSc5O5pcY=; b=ZEUUGkbexpOVsYcBtOvAm584JL W/zxtj7NQ/k7vb6rJyH3bjUXDO8LxIPsZbS67xJqJMaEuGSZRUQ06rCuhf0g==
Received: from ([10.31.58.71]) by chihiron1.nc.neustar.com with ESMTP with TLS id J041123128.19514342; Thu, 13 Jun 2013 21:57:00 -0400
Received: from STNTEXCHCASHT04.cis.neustar.com (10.31.15.156) by stntexhc12.cis.neustar.com (10.31.58.71) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 13 Jun 2013 21:58:45 -0400
Received: from stntexmb12.cis.neustar.com ([169.254.2.76]) by STNTEXCHCASHT04.cis.neustar.com ([::1]) with mapi id 14.02.0247.003; Thu, 13 Jun 2013 21:58:43 -0400
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: "dcrocker@bbiw.net" <dcrocker@bbiw.net>
Thread-Topic: [stir] current draft charter
Thread-Index: AQHOZwiVGT8OWD09JUqSfli80C7Gm5kxkloA//+WdYCAAPljAIAAcu6AgAADDoD//5sjgIAAm7yAgAAQaYCAAADrAP//j/IAABs/tYAADWnTgAAZGt+A///GjoA=
Date: Fri, 14 Jun 2013 01:58:42 +0000
Message-ID: <CDDFBB7C.1F827%jon.peterson@neustar.biz>
In-Reply-To: <51BA468F.5020105@dcrocker.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
x-originating-ip: [192.168.128.117]
x-ems-proccessed: R64IxjzeHPwwd+efoj3ZcA==
x-ems-stamp: oMOI2wWnEzgsbQDUmfUXIA==
Content-Type: text/plain; charset="us-ascii"
Content-ID: <52C9941E481D024EA6C0CAF4B142DBCA@neustar.biz>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] current draft charter
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2013 01:58:58 -0000
Inline below. On 6/13/13 3:24 PM, "Dave Crocker" <dhc2@dcrocker.net> wrote: >Jon, et al, > > >On 6/13/2013 10:25 AM, Peterson, Jon wrote: >> On 6/12/13 9:01 PM, "Dave Crocker" <dhc2@dcrocker.net> wrote: >> >>> On 6/12/2013 3:01 PM, Peterson, Jon wrote: >>>> But we don't even have to be asking ourselves about the relevance of >>>> public ENUM to the proposed work here in STIR unless we want to try to >>>> base everything on keying in the public DNS for telephone numbers. >>>>There >>>> are other models for this that don't have the liabilities I described >>>> above, anyway. Keying in private DNS is more viable, for example. I >>>> think >>>> a PKI is more viable. >>> >>> >>> Other models? >> >> I just meant for example private DNS, or PKI, as it says up there. > >1. The functional description that's been offered said that validation >is to be permitted by entities such as callee-side enterprises and even >callee UAs. That precludes any sort of private service. Whatever >parameters must be obtained outside of the SIP headers -- such as public >keys -- they need to be publicly accessible. Potentially, yes, callee-side enterprises and even callee UAs would be able to validate. The original RFC4474 model describes an abstract "verification service" function that can be performed either by an intermediary or an endpoint. I've been assuming we'd retain that architecture. The RFC4474 model also has the concept that a URI is carried alongside the signature, in a separate header called Identity-Info, to designate the credential that was used to generate the signature. So yes, any verification service needs to be able to resolve that URI, so it must be public in at least that sense (and the verification service must trust whatever trust anchor generated the credential on the other side of that URI too). IF we were to transpose this to a DNS-like model, presumably the Identity-Info header or its successor would be extended in some fashion to allow it to designate that the DNS should be consulted. >2. From one of your earlier notes, I gather that by "PKI" you mean the >bushy (multi-root) system that operates for SSL/TLS web services? You >appear to be using PKI to mean a specific, integrated, operating >credential service, so I would like to be clear about which specific one >you mean; the one used by the Web seems to be it? I mean a system that resembles that "bushy" system, yes. I imagine it could encompass multiple roots. The secure-origins-ps document does however contain some text to the effect that it would be real nice if we could avoid having different roots claiming authority over the same name, though, given what the consequences of that have been for web PKI. And by PKI I here I'm not sure I mean any specific, integrated, operating credential service as such, though certainly one that would use technical components familiar to anyone who was familiar with web PKI. > >>> Is there a written description of the integrated query service that you >>> folks are considering, in terms of design, administration and >>>operation? >> >> I wasn't talking about some kind of integrated query service, I was >> talking about where the keys should live. So, written descriptions would >> be CP/CPS sorts of things, if that's what you mean here? > >I suspect you mean more than where they live, since they aren't much use >if they can't be retrieved, and in fact retrieved publicly. Right, no, as I said above I was assuming something like Identity-Info from RFC4474 would be available to facilitate retrieval. >By "query service" I meant the term generically as a mechanism that >askes for something and gets it. I didn't want to imply or constrain any >details about the form of the request or what was returned; merely that >it's in the service of performing validation. Sure, as specified in RFC4474, https or even cid (to designate a multipart MIME body attached to the request) are examples of how the credential fetch would happen. It is definitely in the scope of proposed work to expand those options. >Since the intent here is to develop a global validation service for >SIP-based calls and since such a service will need to obtain some types >of information to permit validation, it will need a mechanism for >retrieving whatever that information is. That's all I meant by query >service. Sure, agreed, we're on the same page. >While yes, one can imagine designing a service that permits packaging >everything in-line with the SIP data, it's clear that that won't be >sufficient, based on one or more of the documents -- and much of the >message postings -- for this topic. Hence, it needs a query service of >some sort. Gotcha. >>> It would help to also hear where such a design has already been >>> successfully deployed. >> >> Do you think that is an issue for CAs/PKIs? Certainly they have some >>rough > >The PKI service used for the web has the advantage of existing and being >heavily used. A base of experience is goodness, when considering >out-sourcing a component of a new service. Whether its characteristics >suffice for the current project, I don't know. Some times, rough edges >cut thing and bleed them dry. Like I said, I'd hope we could benefit from some of the operational lessons of web PKI while still retaining the tried and true technologies that have succeeded here. > >> edges, which is why we see the DNS (through DANE) potentially playing a > >Ah yes, the great promise of DANE. I'm sure it will yet deliver, as >have all of the other promising efforts in the IETF. Oh, no, this one >really will. No, honest, it will. And I hope I'm serious. >That's not a criticism of DANE. It's an attempt to raise a flag about >relying on it. > >One of the classic errors in a new project is creating a critical >dependency on a parallel, independent project. Sometimes it's >necessary, but it's always extremely risky. Extremely. Always. I want to make an allowance for DANE, especially where it can help with greenfield SIP URIs rather than telephone numbers (e.g. Which cert should I trust for sip:jon@example.com?). I do have some sense of the state of DANE adoption, and I've certainly heard pushback from browser vendors and others about its mid-term prospects. But DANE wouldn't play a role in our story about how credentials are managed for TNs unless of course we assume some ENUM-like TN hierarchy in the DNS is a part of this key management solution. >> role in their future. Or maybe it will be more like the SSL Observatory >>or > >The 'maybe' -- and equivalent phrasings that you've used -- point up >something that I've become confused about. What I was told (rather >forcefully offline) is that there is a solution already formulated. >However what's been put forward on the list so far sounds more like some >ideas, at least some of which are not yet close to being solid. Um. In so far as there is IETF work already formulated, as far as I know it's what's captured in the various drafts under discussion. I would say you can judge for yourself how baked those ideas are. We have two proposed areas of IETF work, one on providing a better in-band identity indication in SIP, and another (more ambitious) effort to work on an out-of-band solution. Both have some dependency on credentials which capture authority over telephone numbers. The degree to which those credentials are a subject of IETF work is less obvious to me. Let's assume we're talking about a PKI, for the moment. In the web world, we have RFCs that talk about how you need to process certs to make web security work, what information needs to be in them and where it lives, and that is all clearly IETF work. But we don't have RFCs that constrain the set of CAs to any particular vendor(s) or that overly prescribe their operational environment, like how a CA enrolls customers or sorts them into levels of assurance, say. So right now in the proposed charter there is a placeholder for a document that would cover the sorts of things about the key management system that would be in the scope of the IETF, to foster interoperability of signers and verifiers. I think we'd need to know more about where we're going before I could tell you in more detail what the document would contain. So yeah, a lot of things are not solid at this stage. >If there is in fact a concrete, detailed design already in hand, that >attends to relevant security, privacy, scaling, deployment, >administration and operations issues, let's hear it. For what part of the work? But I guess whichever part you mean, I don't think having a document with that level of detail in hand is necessary to charter this proposed work or to set a direction for it. If we assume the two main key management options here are something like the DNS (public or private, with or without DNSSEC/DANE) and something like a web PKI, I think both are fairly well understood in the dimensions you describe here. I would be hesitant to explore options where that didn't seem to be case. Jon Peterson Neustar, Inc. >d/ > > >-- >Dave Crocker >Brandenburg InternetWorking >bbiw.net
- [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Stephen Farrell
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter philippe.fouquart
- Re: [stir] current draft charter Wilhelm Wimmreuter
- Re: [stir] current draft charter Stephen Farrell
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Henning Schulzrinne
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Dan York
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Brian Rosen
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Dan York
- Re: [stir] current draft charter Wendt, Chris
- Re: [stir] current draft charter Brian Rosen
- Re: [stir] current draft charter - ENUM and datab… Richard Shockey
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Wendt, Chris
- Re: [stir] current draft charter Richard Shockey
- Re: [stir] current draft charter Brian Rosen
- Re: [stir] current draft charter Richard Shockey
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Richard Shockey
- Re: [stir] current draft charter Brian Rosen
- Re: [stir] current draft charter Richard Shockey
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter - ENUM and datab… Henning Schulzrinne
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter DOLLY, MARTIN C
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter - ENUM and datab… Henning Schulzrinne
- Re: [stir] current draft charter Henning Schulzrinne
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter DOLLY, MARTIN C
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter DOLLY, MARTIN C
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter - ENUM and datab… Peterson, Jon
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter - ENUM and datab… Henning Schulzrinne
- Re: [stir] current draft charter Henning Schulzrinne
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Michael Hammer
- Re: [stir] current draft charter Richard Shockey
- Re: [stir] current draft charter Richard Shockey
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Dave Crocker
- [stir] Nature vs. nurture -- semantics vs. encodi… Dave Crocker
- Re: [stir] current draft charter Dan York
- Re: [stir] current draft charter Michael Hammer
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- [stir] Not just "called party" - Re: current draf… Dan York
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] current draft charter Michael Hammer
- Re: [stir] current draft charter Peterson, Jon
- Re: [stir] Not just "called party" - Re: current … Michael Hammer
- Re: [stir] current draft charter - ENUM and datab… Richard Shockey
- Re: [stir] current draft charter DOLLY, MARTIN C
- Re: [stir] current draft charter Michael Hammer
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] Not just "called party" - Re: current … Peterson, Jon
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Peterson, Jon
- Re: [stir] current draft charter - ENUM and datab… Michael Hammer
- Re: [stir] Not just "called party" - Re: current … Hadriel Kaplan
- Re: [stir] current draft charter Dan York
- Re: [stir] current draft charter Michael Hammer
- Re: [stir] current draft charter Paul Kyzivat
- Re: [stir] Not just "called party" - Re: current … Dan York
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Richard Shockey
- Re: [stir] current draft charter Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Peterson, Jon
- Re: [stir] Not just "called party" - Re: current … Henning Schulzrinne
- Re: [stir] current draft charter - ENUM and datab… Henning Schulzrinne
- Re: [stir] current draft charter - ENUM and datab… Henning Schulzrinne
- Re: [stir] current draft charter Henning Schulzrinne
- Re: [stir] current draft charter - ENUM and datab… Henning Schulzrinne
- Re: [stir] current draft charter philippe.fouquart
- Re: [stir] current draft charter - ENUM and datab… Richard Shockey
- Re: [stir] current draft charter Richard Shockey
- Re: [stir] current draft charter Dave Crocker
- Re: [stir] current draft charter Michael Hammer
- Re: [stir] current draft charter Richard Barnes
- Re: [stir] current draft charter - ENUM and datab… Dave Crocker
- Re: [stir] current draft charter philippe.fouquart
- Re: [stir] current draft charter philippe.fouquart
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Brian Rosen
- Re: [stir] current draft charter - ENUM and datab… Wendt, Chris
- Re: [stir] current draft charter - ENUM and datab… Michael Hammer
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Peterson, Jon
- Re: [stir] current draft charter - ENUM and datab… Dave Crocker
- Re: [stir] current draft charter - ENUM and datab… Richard Shockey
- Re: [stir] current draft charter - ENUM and datab… Peterson, Jon
- Re: [stir] current draft charter - ENUM and datab… Henning Schulzrinne
- Re: [stir] current draft charter - ENUM and datab… Lee, Yiu
- Re: [stir] current draft charter - ENUM and datab… Michael Hammer
- Re: [stir] current draft charter - ENUM and datab… Dave Crocker
- Re: [stir] current draft charter - ENUM and datab… Lee, Yiu
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Lee, Yiu
- Re: [stir] current draft charter - ENUM and datab… Hadriel Kaplan
- Re: [stir] current draft charter - ENUM and datab… Wendt, Chris
- Re: [stir] current draft charter - ENUM and datab… Peterson, Jon
- Re: [stir] current draft charter - ENUM and datab… Lee, Yiu
- Re: [stir] current draft charter Wilhelm Wimmreuter