IETF Logo Mail Archive

Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd

"Murray S. Kucherawy" <superuser@gmail.com> Wed, 28 September 2022 07:16 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988D2C1522DF for <stir@ietfa.amsl.com>; Wed, 28 Sep 2022 00:16:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyqXR5K5Mte0 for <stir@ietfa.amsl.com>; Wed, 28 Sep 2022 00:16:16 -0700 (PDT)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F13FAC1522D7 for <stir@ietf.org>; Wed, 28 Sep 2022 00:16:15 -0700 (PDT)
Received: by mail-ed1-x535.google.com with SMTP id e18so16109013edj.3 for <stir@ietf.org>; Wed, 28 Sep 2022 00:16:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=wT4ru7ct1LHdImilj4ncN80F8+VCIP6ZDE5Krgg0Czk=; b=oWWb/UEaxmyWPt5dDyJZ2nglx0h+b1NdlqBYpYgvtWw+wNC44koFyXl7F6+6GsqnIZ kGMxJkG1nxS/zmSNKBQl7KrpLKpGIKnrnjUpn/X7WL2tpeupwhLY1O2ly90G2sqpZkq4 OtbQtta37aWJhdnv5IrSTMY/g7Nl8nZUyDIDo9bPhBqFeJsh5U+32BDP2DkPcD/J9vHh fCEjjNMqLHZ3qFtSzz7sDMp8YIO9+j6lNqi4PxwfFQO71Xn+7vvnYHwj1a54eIEw8kcs t0dZIXPc79iOdG9qLmK4WGcG86CmeDQS2Ss0ciHOaDrw+CZR4JP0PhtXiYhCs+vrjbLA iDLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=wT4ru7ct1LHdImilj4ncN80F8+VCIP6ZDE5Krgg0Czk=; b=NujIEEN5w9B8clIVgKTfQ5oV1dntmJUjggKoEwaX1oiV4+aWWPPB68vPNmOWYnZhl5 DX8XKEIq0aFnudLRSS8FHIvI2o6pvlTcw0L+BnlT07LENHdjo1E5JN9lC88ttsnHQqM4 X6dPVZ64ppcoGIiDNMTMoD0+zffUppYahqbgPFXBSwVuXpBn9QpQnf8Iqh2u2cIqL2p1 mlGQgq2xQNQH62+24g0QRhQgsUTet1/T+Kl6Q+boPvTsgMBxHCLql+jCytm5oFIPhdLB fnFBdFDxx/V8a6fT47b1PmIubXuc9nXvpUiQSzBkiUhNfOv7+LwoqiQu2N95E0HGtBlf tnwA==
X-Gm-Message-State: ACrzQf3g1IjpiFjwpp2EJNa/DVs/mhwW9Zl8dtX01K3wYsIwGrz5y+Lu SCLNfxZ/co+xPOVIbFo/j5GxB2XNj0BtGvB10ssutOKf
X-Google-Smtp-Source: AMsMyM6G0W0HqR/ozalLi4oqkTS99vO1m51RSolD4teF7vgKhUu+GFL2hXu+3I7P5L3XLAM+zUkrP2ZY4Gk+Qkuc6rI=
X-Received: by 2002:a05:6402:1c0e:b0:457:4f32:fcd5 with SMTP id ck14-20020a0564021c0e00b004574f32fcd5mr13490309edb.75.1664349374329; Wed, 28 Sep 2022 00:16:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwZaKc20eNus1wSj_-Zjys9prm1+55Ergtr=QDNi3G-sZg@mail.gmail.com> <22207E7F-87E9-41F1-B08E-5745F07353B5@chriswendt.net> <CAL0qLwZpMY+Far0skD9K4hnBMcp=DmxPwR+pSzWNTY8dxXYf4g@mail.gmail.com> <018401d8d27b$9fa65c80$def31580$@numeracle.com> <A26DC532-D4E0-41A2-8B35-822262AF2E62@chriswendt.net> <021001d8d291$786426f0$692c74d0$@numeracle.com>
In-Reply-To: <021001d8d291$786426f0$692c74d0$@numeracle.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Wed, 28 Sep 2022 00:16:03 -0700
Message-ID: <CAL0qLwYw-yTdVOkQ6zkFihG4-8OD-0HueEheCuS9FS3z7niUmQ@mail.gmail.com>
To: pierce@numeracle.com
Cc: Chris Wendt <chris-ietf@chriswendt.net>, IETF STIR Mail List <stir@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003d3b0b05e9b789fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/WYnj5d5Xa0c_FkN3YJq_UlevBII>
Subject: Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2022 07:16:20 -0000

Thanks, that's the discussion I wanted to have.  I'll send it off to Last
Call.

On Tue, Sep 27, 2022 at 9:52 AM <pierce@numeracle.com> wrote:

> You are correct, I did mean security considerations, Section 18 (not
> 8.1).  Nice catch.  And as you say “out-of-scope” language is already there.
>
>
>
>
>
> *From:* Chris Wendt <chris-ietf@chriswendt.net>
> *Sent:* Tuesday, September 27, 2022 11:35 AM
> *To:* <pierce@numeracle.com> <pierce@numeracle.com>
> *Cc:* Murray S. Kucherawy <superuser@gmail.com>; IETF STIR Mail List <
> stir@ietf.org>
> *Subject:* Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd
>
>
>
> I agree Pierce, the first paragraph of the security considerations section
> does have text to say that content validation/vetting policies are out of
> scope specifically.
>
>
>
> -Chris
>
>
>
> On Sep 27, 2022, at 8:15 AM, pierce@numeracle.com wrote:
>
>
>
> IMHO, validation of content in icn, crn, nam, etc., is outside the scope
> of the RCD specification.  Perhaps that should be (part of) the message in
> Section 8.1?
>
>
>
> Pierce
>
>
>
> *From:* stir <stir-bounces@ietf.org> *On Behalf Of *Murray S. Kucherawy
> *Sent:* Monday, September 26, 2022 10:36 PM
> *To:* Chris Wendt <chris-ietf@chriswendt.net>
> *Cc:* IETF STIR Mail List <stir@ietf.org>
> *Subject:* Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd
>
>
>
> On Mon, Sep 26, 2022 at 2:21 PM Chris Wendt <chris-ietf@chriswendt.net>
> wrote:
>
> > How do we know that the reason placed in a "crn" claim is true?  Could
> this be abused?  If so, should this be called out in Section 13 or 18 (or
> somewhere else)?
>
> Section 8.1 was intended to address this use of constraints if the signer
> is “non-authoritative”.  The general concept is that RCD information should
> be vetted by trusted participants in the eco-system.  “crn” is a claim that
> i think we conceptually provide a bit more latitude with just because call
> reason may more generally be a more dynamic field, but there is nothing in
> the specification that doesn’t allow for an eco-system using this
> specification to mandate the use of constraints.  This is a balance we have
> needed to support for most of the specs to allow for flexibility depending
> on use of the specs.
>
>
>
> I'm not sure I follow.  The question I'm asking is: Is there anything
> stopping me from giving a false reason in a "crn" claim?  Could I, for
> instance, claim the call is an emergency of some type and thus get you to
> answer when I'm actually just going to try to sell you something?  If
> that's a risk, I think that should be explicit; it would be enough to say
> that there's no validation for what's in the "crn" claim (and couldn't
> possibly be).
>
>
>
> [...]
>
> > For that matter, would ABNF be useful here?
>
> Likely would but we haven’t included it in other relevant specs, i would
> hate to add at last minute.
>
>
>
> I don't mind waiting if it's worth doing.  :-)
>
>
>
> Thanks for the rest, looks good.
>
>
>
> -MSK
>
>
>

v2.23.0 | Report a Bug | By Email