IETF Logo Mail Archive

Re: [stir] Call For Adoption of draft-peterson-stir-servprovider-oob

Piotr Gregor <piotr@signalwire.com> Mon, 22 March 2021 18:15 UTC

Return-Path: <piotr@signalwire.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 880733A1025 for <stir@ietfa.amsl.com>; Mon, 22 Mar 2021 11:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.302
X-Spam-Level:
X-Spam-Status: No, score=0.302 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=signalwire.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJfR0mZbspFC for <stir@ietfa.amsl.com>; Mon, 22 Mar 2021 11:15:13 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61E4E3A1022 for <stir@ietf.org>; Mon, 22 Mar 2021 11:15:13 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id b16so20533503eds.7 for <stir@ietf.org>; Mon, 22 Mar 2021 11:15:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=signalwire.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6fLUh6+0GCOoV9tMoa0JlMre4pkITOjmsTq6fmT+oqA=; b=Gh3dUGEbLZ1iUe9EL8X146ZRIKXSdnTxyd+Xvr3AvSO57Q95By41Xo7+KKAgPC3kW+ MTEv0DbX7SXbcBQIgrGIjqtf2hhtpJJFsyo9CqJpvuqgYKR1P1beoCGNvPOhF40n6rjj 57UGrN6144qCIn4I30qo3MhryHCs28L6dia6k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6fLUh6+0GCOoV9tMoa0JlMre4pkITOjmsTq6fmT+oqA=; b=SbnHa+GESRdpEekKDmoScu1L4IZn3vXd6TR4qyqaH/tMgF2QFCOdE+WWTWOQtdj6+p +2onIZCoXPhFFfwV9YfzrAU78iqqEj+txhLRtNr+bfoYPERiEEjWv7KgG4Lh93vBRUxQ Q7EmM3xj8v/r8ZRU+gbc3E7lj15QXTqWJx4sJ140us1dhsReh77ZxWhocpzXGen5Jsq0 EAYC3J6IvO3zXpvBmBCgqhui+5omDETj6lIGrID92G0gJ6krWV3GbpLuZSKo8+8n6Yzv k6/x1NYQynIJB5E6YIEqQYFy/st4HX26a5X7J5SSZcM2e2HoCfs7WD+D67ja5+73BYYH SLxg==
X-Gm-Message-State: AOAM532lgSfnfr2ygZC82LxnGX76G7EFBBguNdpFjfYFi/sVv3x/XA+T erTSfa+E4bHictE637gbM79IZrUo7rO3u18iTOBhN7c47M96CY5FQIv5J80khfY/se/7R5Wlo0h JqVZ/oz8OGQ+KDg==
X-Google-Smtp-Source: ABdhPJxzmUY+u4Oxs9RoFFlWxMGLqh5YJQOWnGK2TTznWMu/M9KEuFVrP+ABduIUcyerCrErthbzLZpLsh2wMqqXmjw=
X-Received: by 2002:a05:6402:1691:: with SMTP id a17mr908752edv.336.1616436911242; Mon, 22 Mar 2021 11:15:11 -0700 (PDT)
MIME-Version: 1.0
References: <157429966624.922.6336772483106473689.idtracker@ietfa.amsl.com> <41B1930A-2631-47D3-8693-62363B9C5639@vigilsec.com> <C118221E-19F7-4CA6-A2E6-17249380843D@vigilsec.com> <B0B39AC9-F885-4B4D-8729-423C629F6EDC@vigilsec.com> <CA+LnPOeacavNJxQwGh+AX3YF_RW-ruLUL6DiSxpAx1LQrkjf=w@mail.gmail.com> <CA+LnPOf0OFmEgk3bvyyLFFLyie9BnZGqYSkchucUDr4X2wQSwA@mail.gmail.com> <1BFB6605-8327-418A-B764-01EC75976328@team.neustar>
In-Reply-To: <1BFB6605-8327-418A-B764-01EC75976328@team.neustar>
From: Piotr Gregor <piotr@signalwire.com>
Date: Mon, 22 Mar 2021 18:14:35 +0000
Message-ID: <CA+LnPOe9QBNs7uf0+_qmuzSEB3QtkHheBZb1JaomiushjfAudA@mail.gmail.com>
To: "Peterson, Jon" <jon.peterson@team.neustar>
Cc: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>, "ekr@rtfm.com" <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="000000000000e5915805be240b74"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/YmFHwhPGhR6VP64i3eMmJlHcyFE>
Subject: Re: [stir] Call For Adoption of draft-peterson-stir-servprovider-oob
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 18:15:19 -0000

Hi,

In chapter 4 (Advertising CPS) the draft (
https://www.ietf.org/archive/id/draft-ietf-stir-servprovider-oob-01.txt)
says:

   An alternative to CPS advertisements that may be usable in some
   environments is adding a field to STIR [RFC8226] certificates
   identifying the CPS URI issued to individual service providers.  As
   these certificates are themselves signed by a CA, and contain their
   own TNAuthList, the URI would be bound securely to the proper
   telephone network identifiers.  As STIR assumes a community of
   relying parties who trust these credentials, this method perhaps best
   mirrors the trust model required to allow a CPS to authorize
PASSporT submission and retrieval.

It would be quite natural to embed CPS info in provider certificate, but
there is a problem with this: it will work only if the originator of a call
(PASSporT creator) already knows what is the certificate of destination (or
knows where to find it).
This will not be an option if you do not have yet the certificate of the
destination (unless there is other spec wich standardises the certificate
location?).
Maybe it would be a good idea to add a comment on that or elaborate this
section a bit.

regards,
Piotr

On Sun, Sep 27, 2020 at 11:31 PM Peterson, Jon <jon.peterson@team.neustar>
wrote:

>
>
> Thanks for the heads-up, and yes, this has been repaired in the AUTH 48
> process for stir-oob.
>
>
>
> Jon Peterson
>
> Neustar, Inc.
>
>
>
> *From: *Piotr Gregor <piotr@signalwire.com>
> *Date: *Monday, August 24, 2020 at 5:09 PM
> *To: *Russ Housley <housley@vigilsec.com>
> *Cc: *IETF STIR Mail List <stir@ietf.org>, "Peterson, Jon"
> <jon.peterson@team.neustar>, Eric Rescorla <ekr@rtfm.com>
> *Subject: *Re: [stir] Call For Adoption of
> draft-peterson-stir-servprovider-oob
>
>
>
> I believe there is an error in draft-ietf-stir-oob-07, here in section 9
> it is said that call originates for destination 2.222.555.2222
>
> but then 2.222.222.2222 appears in places I highlighted:
>
>
> 9
> <https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-ietf-stir-oob-07*section-9__;Iw!!N14HnBHF!qGWhl_lldmfxuAhX9SKZInSk2i34niQESzkNmAFSMCHw3jkCsoxihluS9UpnvdTjMWlRsw$>.
> Example HTTPS Interface to the CPS
>
>
>
> (...)
>
>    Assume that an authentication service has created the following
>
>    PASSporT for a call to the telephone number 2.222.555.2222
>
> (...)
>
>    Through some discovery mechanism (see Section 10 <https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-ietf-stir-oob-07*section-10__;Iw!!N14HnBHF!qGWhl_lldmfxuAhX9SKZInSk2i34niQESzkNmAFSMCHw3jkCsoxihluS9UpnvdQ2wNRsUA$>), the authentication
>
>    service discovers the network location of a web service that acts as
>
>    the CPS for 2.222.555.2222.
>
> (...)
>
>    Having concluded the numbered steps in Section 8.1 <https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-ietf-stir-oob-07*section-8.1__;Iw!!N14HnBHF!qGWhl_lldmfxuAhX9SKZInSk2i34niQESzkNmAFSMCHw3jkCsoxihluS9UpnvdSkY1ufcw$>, including
>
>    acquiring any token (per Section 6.1 <https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-ietf-stir-oob-07*section-6.1__;Iw!!N14HnBHF!qGWhl_lldmfxuAhX9SKZInSk2i34niQESzkNmAFSMCHw3jkCsoxihluS9UpnvdTPr31zLw$>) needed to store the PASSporT at
>
>    the CPS, the authentication service then stores the encrypted
>
>    PASSporT:
>
>
>
>
>
>
>
> Rescorla & Peterson    Expires September 10, 2020              [Page 20]
>
> ------------------------------
>
>   <https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-ietf-stir-oob-07*page-21__;Iw!!N14HnBHF!qGWhl_lldmfxuAhX9SKZInSk2i34niQESzkNmAFSMCHw3jkCsoxihluS9UpnvdR0UBsvaQ$>
>
> Internet-Draft              STIR Out-of-Band                  March 2020
>
>
>
>
>
>       POST /cps/2.222.555.2222/ppts HTTP/1.1
>
>       Host: cps.example.com <https://urldefense.com/v3/__http:/cps.example.com__;!!N14HnBHF!qGWhl_lldmfxuAhX9SKZInSk2i34niQESzkNmAFSMCHw3jkCsoxihluS9UpnvdTqcnHCLg$>
>
> (...)
>
>
>
>    The web service assigns a new location for this encrypted PASSporT in
>
>    the collection, returning a 201 OK with the location of
>
>    /cps/2.222.222.2222/ppts/ppt1.
>
> ^^^^^^^^^^^^^^^^^^^^^^
>
> ->>>>>>>>>>>>> should be /cps/2.222.555.2222/ppts/ppt1
>
>
>
>
>
> Now the authentication service can
>
>    place the call, which may be signaled by various protocols.  Once the
>
>    call arrives at the terminating side, a verification service contacts
>
>    its CPS to ask for the set of incoming calls for its telephone number
>
>    (2.222.222.2222).
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ->>>>>>>>>>>>> should be 2.222.555.2222
>
>
>
>
>
>       GET /cps/2.222.555.2222/ppts
>
>       Host: cps.example.com <https://urldefense.com/v3/__http:/cps.example.com__;!!N14HnBHF!qGWhl_lldmfxuAhX9SKZInSk2i34niQESzkNmAFSMCHw3jkCsoxihluS9UpnvdTqcnHCLg$>
>
>
>
>    This returns to the verification service a list of the PASSporTs
>
>    currently in the collection, which currently consists of only
>
>    /cps/2.222.222.2222/ppts/ppt1.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ->>>>>>>>>>>>> should be /cps/2.222.555.2222/ppts/ppt1
>
>
>
>   The verification service then sends a
>
>    new GET for /cps/2.222.555.2222/ppts/ppt1/ which yields:
>
> (...)
>
>
>
> cheers,
>
> Piotr
>
>
>

-- 
Piotr Gregor
Software Engineer
piotr@signalwire.com
+44 01256 597 470

-- 
  *|*  Ask me about SignalWire Work <https://signalwire.com/products/work>, 
our new digital office alternative.

v2.23.0 | Report a Bug | By Email