Re: [stir] [Technical Errata Reported] RFC8224 (6519)

Roman Shpount <roman@telurix.com> Wed, 07 April 2021 21:52 UTC

References: <20210406052047.50377F4079F@rfc-editor.org> <AM0PR07MB38602368B3ED807C9969F8DD93759@AM0PR07MB3860.eurprd07.prod.outlook.com> <CAD5OKxtinuycq+QHamaPx9OJYY6ZTe8-Ki-7HdrHzR4sR_RTiw@mail.gmail.com> <c75e736f-58c4-0783-b37b-6be20231ecad@petit-huguenin.org> <CAD5OKxvdwE9E-GSaUYLUJRU-Z3A2tCGstcJq=mVh=BGEJR70gg@mail.gmail.com> <b0c290dd-04ae-b593-c284-2bbdb7b18430@petit-huguenin.org>
In-Reply-To: <b0c290dd-04ae-b593-c284-2bbdb7b18430@petit-huguenin.org>
From: Roman Shpount <roman@telurix.com>
Date: Wed, 07 Apr 2021 17:51:51 -0400
X-Gmail-Original-Message-ID: <CAD5OKxs0tXhmCMO5LPbNETf1wfyw6MuZfaSSzh=hGmyzdagWKA@mail.gmail.com>
Message-ID: <CAD5OKxs0tXhmCMO5LPbNETf1wfyw6MuZfaSSzh=hGmyzdagWKA@mail.gmail.com>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: Christer Holmberg <christer.holmberg@ericsson.com>, "fluffy@cisco.com" <fluffy@cisco.com>, "ekr@rtfm.com" <ekr@rtfm.com>, "jon.peterson@neustar.biz" <jon.peterson@neustar.biz>, "housley@vigilsec.com" <housley@vigilsec.com>, "stir@ietf.org" <stir@ietf.org>, "superuser@gmail.com" <superuser@gmail.com>, "chris-ietf@chriswendt.net" <chris-ietf@chriswendt.net>, "rjsparks@nostrum.com" <rjsparks@nostrum.com>, Francesca Palombini <francesca.palombini@ericsson.com>, RFC Errata System <rfc-editor@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/TtY1D8qgI9klfw2cFA_UnAHKeRk>
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

If we were to fix things, I would suggest making the Date header optional
and putting "iat" in the Identity header instead. This, together with
putting attest and origid claims in Identity extension params, would allow
using compact digest and cutting a few hundred bytes out of the INVITE. As
things stand right now, all INVITE messages with the shaken extension are over
the UDP MTU, causing major breakage in telephone networks as they are being
deployed.
_____________
Roman Shpount


On Wed, Apr 7, 2021 at 5:18 PM Marc Petit-Huguenin <marc@petit-huguenin.org>
wrote:

> On 4/7/21 2:06 PM, Roman Shpount wrote:
> > All the registered Personal Assertion Tokens are tokens:
> > https://www.iana.org/assignments/passport/passport.xhtml.
> >
> > There is nothing in RFC8225 that limits the ppt header parameter's value,
> > so to be compatible, ident-type = "ppt" EQUAL (token / quoted-string) is
> > correct. This, however, does not reflect the decision to always put quotes
> > around the ppt value from IETF 101.
> >
> > If this were up to me, I would say that the original ABNF is correct and
> > all the other documents and implementations which put quotes around the ppt
> > value are wrong. After all, these quotes serve no purpose except using
> > extra two bytes. Furthermore, there is no reason to use anything except
> > tokens to identify PASSporT Extensions.
>
> I agree.
>
> >
> > I would also like to point out that the definition of info parameter is
> > also problematic since it is not a valid generic-param:
> > ident-info = "info" EQUAL ident-info-uri
> > ident-info-uri = LAQUOT absoluteURI RAQUOT
> >
> > A quoted-string should have been used for the info, not the LAQUOT
> > absoluteURI RAQUOT.
>
> Good point.
>
> There is also the issue that an Identity header should have supported the
> use of repetition using COMMA, now that we can have multiple Identity
> headers in a message.  Here we have to make it an exception, much like for
> the various authorization headers.
>
> >
> > I assume it is too late to fix either of these things.
> > _____________
> > Roman Shpount
> >
> >
> > On Wed, Apr 7, 2021 at 3:25 PM Marc Petit-Huguenin <marc@petit-huguenin.org>
> > wrote:
> >
> >> Hi Roman,
> >>
> >> On 4/7/21 9:18 AM, Roman Shpount wrote:
> >>> Hi Christer,
> >>>
> >>> This is exactly the issue. ATIS documents and other RFCs like RFC 8946 use
> >>> ppt with a quoted token.
> >>
> >> Shouldn't the ABNF now be, to be compatible with non-SHAKEN
> >> implementations, this:
> >>
> >> ident-type = "ppt" EQUAL (token / quoted-string)
> >>
> >>>
> >>> Also, according to IETF 101 STIR notes (which you took), the ppt
> >>> token value should always be quoted. I am not sure why it needed to be
> >>> quoted (I think this is wrong), but that was the decision.
> >>> _____________
> >>> Roman Shpount
> >>>
> >>>
> >>> On Wed, Apr 7, 2021 at 11:23 AM Christer Holmberg <
> >>> christer.holmberg@ericsson.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I have not been involved in the discussions, so my apologies for asking
> >>>> something that has been discussed already, but what is the reason for the
> >>>> change? If you anyway are only going to allow "token" characters, why the
> >>>> quotes? Is the only reason to align with how the parameter is used in other
> >>>> specs?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Christer
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: stir <stir-bounces@ietf.org> On Behalf Of RFC Errata System
> >>>> Sent: Tuesday, 6 April 2021 8:21
> >>>> To: jon.peterson@neustar.biz; fluffy@cisco.com; ekr@rtfm.com;
> >>>> chris-ietf@chriswendt.net; superuser@gmail.com; Francesca Palombini <
> >>>> francesca.palombini@ericsson.com>; rjsparks@nostrum.com;
> >>>> housley@vigilsec.com
> >>>> Cc: stir@ietf.org; roman@telurix.com; rfc-editor@rfc-editor.org
> >>>> Subject: [stir] [Technical Errata Reported] RFC8224 (6519)
> >>>>
> >>>> The following errata report has been submitted for RFC8224, "Authenticated
> >>>> Identity Management in the Session Initiation Protocol (SIP)".
> >>>>
> >>>> --------------------------------------
> >>>> You may review the report below and at:
> >>>> https://www.rfc-editor.org/errata/eid6519
> >>>>
> >>>> --------------------------------------
> >>>> Type: Technical
> >>>> Reported by: Roman Shpount <roman@telurix.com>
> >>>>
> >>>> Section: 4
> >>>>
> >>>> Original Text
> >>>> -------------
> >>>> ident-type = "ppt" EQUAL token
> >>>>
> >>>> Corrected Text
> >>>> --------------
> >>>> ident-type = "ppt" EQUAL DQUOTE token DQUOTE
> >>>>
> >>>> Notes
> >>>> -----
> >>>> Based on IETF 101 STIR notes ppt= values should always be quoted. Also,
> >>>> ATIS-1000074 is using double quotes around ppt value.
> >>>>
> >>>> Instructions:
> >>>> -------------
> >>>> This erratum is currently posted as "Reported". If necessary, please use
> >>>> "Reply All" to discuss whether it should be verified or rejected. When a
> >>>> decision is reached, the verifying party can log in to change the status
> >>>> and edit the report, if necessary.
> >>>>
> >>>> --------------------------------------
> >>>> RFC8224 (draft-ietf-stir-rfc4474bis-16)
> >>>> --------------------------------------
> >>>> Title               : Authenticated Identity Management in the Session Initiation Protocol (SIP)
> >>>> Publication Date    : February 2018
> >>>> Author(s)           : J. Peterson, C. Jennings, E. Rescorla, C. Wendt
> >>>> Category            : PROPOSED STANDARD
> >>>> Source              : Secure Telephone Identity Revisited
> >>>> Area                : Applications and Real-Time
> >>>> Stream              : IETF
> >>>> Verifying Party     : IESG
> >>>>
>
> --
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org
> Blog: https://marc.petit-huguenin.org
> Profile: https://www.linkedin.com/in/petithug
>
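Added example, not code from the thread, from RFC 8224 or from any of the participants: a small Python parser and serializer for the Identity header that implements the compatibility ABNF proposed above, ident-type = "ppt" EQUAL (token / quoted-string), and unquotes the quoted form so that a verifier sees the same extension name either way. It goes a little beyond the ppt question to cover the other two points raised: the info parameter is special-cased as LAQUOT absoluteURI RAQUOT rather than as a generic-param, and each Identity header line is taken as one value with no splitting on COMMA, the way the authorization headers are handled. It also measures the two-byte cost of quoting and checks a message against the 1300-byte figure from RFC 3261 Section 18.1.1, above which a request with unknown path MTU must not be sent over UDP. The sample INVITE, its PASSporT strings and the certificate URL are constructed placeholders (not real signatures or a real repository), and the character set accepted for signed-identity-digest is an assumption, not taken from the RFC.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 3261 token = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~")
TOKEN_RE = re.compile(r"[A-Za-z0-9\-.!%*_+`'~]+")
# signed-identity-digest: base64 / base64url characters plus "." (assumed charset).
DIGEST_RE = re.compile(r"[A-Za-z0-9+/=_\-.]+")
# RFC 3261 18.1.1: a request larger than 1300 bytes with unknown path MTU
# MUST be sent over a congestion-controlled transport such as TCP, not UDP.
UDP_SAFE_LIMIT = 1300


@dataclass
class Identity:
    digest: str                      # the PASSporT (full or compact form)
    info: str                        # URI from info=<...>, mandatory
    alg: Optional[str] = None
    ppt: Optional[str] = None        # extension name, stored unquoted
    extras: dict = field(default_factory=dict)


def _unquote(value: str) -> str:
    """Strip DQUOTEs and resolve quoted-pair escapes of an RFC 3261 quoted-string."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError(f"not a quoted-string: {value!r}")
    return re.sub(r"\\(.)", r"\1", value[1:-1])


def _split_params(value: str) -> list:
    """Split on ';' except inside a quoted-string or inside <...>."""
    parts, cur, quoted, angle = [], [], False, False
    it = iter(value)
    for c in it:
        if quoted and c == "\\":          # quoted-pair: keep next char verbatim
            cur.append(c); cur.append(next(it, "")); continue
        if c == '"' and not angle:
            quoted = not quoted
        elif c in "<>" and not quoted:
            angle = c == "<"
        if c == ";" and not quoted and not angle:
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
    parts.append("".join(cur).strip())
    return parts


def parse_identity(value: str) -> Identity:
    """Parse one Identity header field value (everything after 'Identity:')."""
    parts = _split_params(value)
    if not DIGEST_RE.fullmatch(parts[0]):
        raise ValueError(f"bad signed-identity-digest: {parts[0]!r}")
    ident = Identity(digest=parts[0], info="")
    for param in parts[1:]:
        if not param:
            continue
        name, _, raw = param.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if name == "info":
            # ident-info-uri = LAQUOT absoluteURI RAQUOT: not a generic-param,
            # so it cannot go through the token / quoted-string rule below.
            if len(raw) < 3 or raw[0] != "<" or raw[-1] != ">":
                raise ValueError("info must be <absoluteURI>")
            ident.info = raw[1:-1]
        elif name == "alg":
            if not TOKEN_RE.fullmatch(raw):      # ident-info-alg = "alg" EQUAL token
                raise ValueError(f"alg is not a token: {raw!r}")
            ident.alg = raw
        elif name == "ppt":
            # ident-type = "ppt" EQUAL (token / quoted-string): accept ppt=shaken
            # and ppt="shaken". Registered extension names are tokens, so the
            # value left after unquoting must still be a token.
            val = _unquote(raw) if raw.startswith('"') else raw
            if not TOKEN_RE.fullmatch(val):
                raise ValueError(f"ppt is not a token: {val!r}")
            ident.ppt = val
        else:                                    # ident-info-extension = generic-param
            ident.extras[name] = _unquote(raw) if raw.startswith('"') else raw
    if not ident.info:
        raise ValueError("info parameter is mandatory")
    return ident


def serialize_identity(ident: Identity, quote_ppt: bool = False) -> str:
    """Emit the header value; quote_ppt=True gives the quoted form, two bytes longer."""
    out = [ident.digest, f"info=<{ident.info}>"]
    if ident.alg:
        out.append(f"alg={ident.alg}")
    if ident.ppt:
        out.append(f'ppt="{ident.ppt}"' if quote_ppt else f"ppt={ident.ppt}")
    out += [f"{k}={v}" for k, v in ident.extras.items()]
    return ";".join(out)


def identity_headers(message: str) -> list:
    """One value per Identity header line: the header is not comma-combinable."""
    head = message.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n"):
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "identity":
            found.append(val.strip())
    return found


def exceeds_udp_limit(message: str) -> bool:
    """True when the request is past the size at which RFC 3261 forbids UDP."""
    return len(message.encode()) > UDP_SAFE_LIMIT


# Constructed sample INVITE: the PASSporTs are placeholders, not real signatures.
SAMPLE_INVITE = (
    "INVITE sip:+12155550100@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+12125550100@example.com>;tag=1928301774\r\n"
    "To: <sip:+12155550100@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Wed, 07 Apr 2021 21:52:03 GMT\r\n"
    "Identity: eyJhbGciOiJFUzI1NiJ9.eyJhdHRlc3QiOiJBIn0.c2ln;"
    'info=<https://cert.example.net/cert.cer>;alg=ES256;ppt="shaken"\r\n'
    "Identity: eyJhbGciOiJFUzI1NiJ9.eyJkaXYiOnt9fQ.c2ln;"
    "info=<https://cert.example.net/cert.cer>;alg=ES256;ppt=div\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

Running parse_identity over identity_headers(SAMPLE_INVITE) yields one Identity with ppt "shaken" (from the quoted form) and one with ppt "div" (bare token), and serialize_identity(ident, True) is exactly two bytes longer than the bare form. Header folding and the Identity-Info compatibility of RFC 4474 are deliberately not handled.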