[stir] Setting Direction for the STIR WG Last Call

[Russ Housley <housley@vigilsec.com>]

It is not fun for a WG Chair to take a vacation and then return to find that WG Last Call discussion has escalated from a straight forward document review to accusations of bad acts on the list.  Well, that is where I find myself, so I’d like to take a step back and try to focus this energy in a productive direction.  First, I think that recounting a bit of history may be helpful.

Well before the STIR BOF, there was consensus that the solution needed two parts.  First, there needed to be a digital signature that covered the claimed source telephone number and some other things to prevent replay.  Second, there needed to be credentials to provide the public key to validate that signature.

During the STIR WG chartering discussion we talked about where that signature might be carried.  We got direction from the Area Director that we should focus on in-band mechanisms before looking at out-of-band mechanisms.  The STIR WG charter gives direction:

   As its priority mechanism work item, the working group will specify a 
   SIP header-based mechanism for verification that the originator of a SIP 
   session is authorized to use the claimed source telephone number, where 
   the session is established with SIP end to end.

The WG decided that a replacement to RFC 4474 was the best way to accomplish this, and the first WG draft on that topic was adopted in June 2014.

Before the STIR BOF, there was discussion about the type of credential that would best scale to represent the telephone number space.  The WG recognized that using certificates for the credential meant that some aspects of the public key infrastructure associated would need to be left to the regulators in each country.  This is a political reality associated with telephone numbers.  This was discussed and understood.  See the hum results regarding credential format at IETF 90 in July 2014:

   https://www.ietf.org/proceedings/90/minutes/minutes-90-stir

The WG decided on certificates for the credential format, and the first WG draft on that topic was adopted in October 2014.

In most of 2015, the WG was making slow progress.  Frankly, I was a bit frustrated; with these fundamental decisions behind us, we could have made faster progress.  But then, we saw renewed energy starting in the Summer of 2015.  One recent example of this can been seen in the blog post from last month by FCC Chairman Wheeler:

   https://www.fcc.gov/news-events/blog/2016/07/22/cutting-robocalls

As part of the renewed energy, there was a suggestion to use the signature format specified by the JOSE WG instead of a bespoke design.  The result was PASSporT, and the first WG draft on that topic was adopted in February 2016.

Now, all three of these documents are in WG Last Call.  It seems that some of the fundamental decisions that were made almost two years ago are being called into question.  If there is a technical problem, let’s identify it and fix it.  If there is a lack of clarity, let’s fix that too.  However, WG Last Call is not the time to revisit each decision that brought the WG to this point.

If you are the author of a review that raises a large technical problem, I ask you to provide a concise description of the problem in a message of its own.  I am trying to separate the discussion of any such problems from the resolution of other document comments.

I ask the authors of each document to review the comments that have been posted and offer a way forward.

Thanks,
Russ