Re: [stir] [Technical Errata Reported] RFC8224 (6519)

Marc Petit-Huguenin <marc@petit-huguenin.org> Wed, 07 April 2021 22:03 UTC

To: Roman Shpount <roman@telurix.com>
Cc: Christer Holmberg <christer.holmberg@ericsson.com>, "fluffy@cisco.com" <fluffy@cisco.com>, "ekr@rtfm.com" <ekr@rtfm.com>, "jon.peterson@neustar.biz" <jon.peterson@neustar.biz>, "housley@vigilsec.com" <housley@vigilsec.com>, "stir@ietf.org" <stir@ietf.org>, "superuser@gmail.com" <superuser@gmail.com>, "chris-ietf@chriswendt.net" <chris-ietf@chriswendt.net>, "rjsparks@nostrum.com" <rjsparks@nostrum.com>, Francesca Palombini <francesca.palombini@ericsson.com>, RFC Errata System <rfc-editor@rfc-editor.org>
References: <20210406052047.50377F4079F@rfc-editor.org> <AM0PR07MB38602368B3ED807C9969F8DD93759@AM0PR07MB3860.eurprd07.prod.outlook.com> <CAD5OKxtinuycq+QHamaPx9OJYY6ZTe8-Ki-7HdrHzR4sR_RTiw@mail.gmail.com> <c75e736f-58c4-0783-b37b-6be20231ecad@petit-huguenin.org> <CAD5OKxvdwE9E-GSaUYLUJRU-Z3A2tCGstcJq=mVh=BGEJR70gg@mail.gmail.com> <b0c290dd-04ae-b593-c284-2bbdb7b18430@petit-huguenin.org> <CAD5OKxs0tXhmCMO5LPbNETf1wfyw6MuZfaSSzh=hGmyzdagWKA@mail.gmail.com>
From: Marc Petit-Huguenin <marc@petit-huguenin.org>
Message-ID: <0e0bb2a8-1945-ae3b-cd6b-81fc299856ba@petit-huguenin.org>
Date: Wed, 07 Apr 2021 15:03:03 -0700
In-Reply-To: <CAD5OKxs0tXhmCMO5LPbNETf1wfyw6MuZfaSSzh=hGmyzdagWKA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/btA8A0AeVaGI1JfZNgQ8DzFhLYg>
Subject: Re: [stir] [Technical Errata Reported] RFC8224 (6519)

On the subject of origid, we could have used the local part of a Session-ID instead (RFC 7989), which would have been far more useful, IMO.

On 4/7/21 2:51 PM, Roman Shpount wrote:
> If we were to fix things, I would suggest making the Date header optional
> and putting "iat" in the Identity header instead. This, together with
> putting attest and origid claims in Identity extension params, would allow
> using compact digest and cutting a few hundred bytes out of the INVITE. As
> things stand right now, all INVITE messages with shaken extension are over
> the UDP MTU, causing major breakage in telephone networks as they are being
> deployed.
> _____________
> Roman Shpount
> 
> 
> On Wed, Apr 7, 2021 at 5:18 PM Marc Petit-Huguenin <marc@petit-huguenin.org>
> wrote:
> 
>> On 4/7/21 2:06 PM, Roman Shpount wrote:
>>> All the registered Personal Assertion Tokens are tokens:
>>> https://www.iana.org/assignments/passport/passport.xhtml.
>>>
>>> There is nothing in RFC8225 that limits the ppt header parameter's value,
>>> so to be compatible, ident-type = "ppt" EQUAL (token / quoted-string) is
>>> correct. This, however, does not reflect the decision to always put quotes
>>> around the ppt value from IETF 101.
>>>
>>> If this were up to me, I would say that the original ABNF is correct and
>>> all the other documents and implementations which put quotes around the ppt
>>> value are wrong. After all, these quotes serve no purpose except using
>>> extra two bytes. Furthermore, there is no reason to use anything except
>>> tokens to identify PASSporT Extensions.
>>
>> I agree.
>>
>>>
>>> I would also like to point out that the definition of info parameter is
>>> also problematic since it is not a valid generic-param:
>>> ident-info = "info" EQUAL ident-info-uri
>>> ident-info-uri = LAQUOT absoluteURI RAQUOT
>>>
>>> A quoted-string should have been used for the info, not the LAQUOT
>>> absoluteURI RAQUOT.
>>
>> Good point.
>>
>> There is also the issue that an Identity header should have supported the
>> use of repetition using COMMA, now that we can have multiple Identity
>> headers in a message.  Here we have to make it an exception, much like for
>> the various authorization headers.
>>
>>>
>>> I assume it is too late to fix either of these things.
>>> _____________
>>> Roman Shpount
>>>
>>>
>>> On Wed, Apr 7, 2021 at 3:25 PM Marc Petit-Huguenin <marc@petit-huguenin.org>
>>> wrote:
>>>
>>>> Hi Roman,
>>>>
>>>> On 4/7/21 9:18 AM, Roman Shpount wrote:
>>>>> Hi Christer,
>>>>>
>>>>> This is exactly the issue. ATIS documents and other RFCs like rfc8946 use
>>>>> ppt with a quoted token.
>>>>
>>>> Shouldn't the ABNF now be, to be compatible with non-SHAKEN
>>>> implementations, this:
>>>>
>>>> ident-type = "ppt" EQUAL (token / quoted-string)
>>>>
>>>>>
>>>>> Also, according to IETF 101 STIR notes (which you took), the ppt
>>>>> token value should always be quoted. I am not sure why it needed to be
>>>>> quoted (I think this is wrong), but that was the decision.
>>>>> _____________
>>>>> Roman Shpount
>>>>>
>>>>>
>>>>> On Wed, Apr 7, 2021 at 11:23 AM Christer Holmberg <
>>>>> christer.holmberg@ericsson.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have not been involved in the discussions, so my apologies for asking
>>>>>> something that has been discussed already, but what is the reason for the
>>>>>> change? If you anyway are only going to allow "token" characters, why the
>>>>>> quotes? Is the only reason to align with how the parameter is used in other
>>>>>> specs?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Christer
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: stir <stir-bounces@ietf.org> On Behalf Of RFC Errata System
>>>>>> Sent: tiistai 6. huhtikuuta 2021 8.21
>>>>>> To: jon.peterson@neustar.biz; fluffy@cisco.com; ekr@rtfm.com;
>>>>>> chris-ietf@chriswendt.net; superuser@gmail.com; Francesca Palombini <
>>>>>> francesca.palombini@ericsson.com>; rjsparks@nostrum.com;
>>>>>> housley@vigilsec.com
>>>>>> Cc: stir@ietf.org; roman@telurix.com; rfc-editor@rfc-editor.org
>>>>>> Subject: [stir] [Technical Errata Reported] RFC8224 (6519)
>>>>>>
>>>>>> The following errata report has been submitted for RFC8224, "Authenticated
>>>>>> Identity Management in the Session Initiation Protocol (SIP)".
>>>>>>
>>>>>> --------------------------------------
>>>>>> You may review the report below and at:
>>>>>>
>>>>>> https://www.rfc-editor.org/errata/eid6519
>>>>>>
>>>>>> --------------------------------------
>>>>>> Type: Technical
>>>>>> Reported by: Roman Shpount <roman@telurix.com>
>>>>>>
>>>>>> Section: 4
>>>>>>
>>>>>> Original Text
>>>>>> -------------
>>>>>> ident-type = "ppt" EQUAL token
>>>>>>
>>>>>> Corrected Text
>>>>>> --------------
>>>>>> ident-type = "ppt" EQUAL DQUOTE token DQUOTE
>>>>>>
>>>>>> Notes
>>>>>> -----
>>>>>> Based on IETF 101 STIR notes ptr= values should always be quoted. Also,
>>>>>> ATIS-1000074 is using double quotes around ppt value.
>>>>>>
>>>>>> Instructions:
>>>>>> -------------
>>>>>> This erratum is currently posted as "Reported". If necessary, please use
>>>>>> "Reply All" to discuss whether it should be verified or rejected. When a
>>>>>> decision is reached, the verifying party can log in to change the status
>>>>>> and edit the report, if necessary.
>>>>>>
>>>>>> --------------------------------------
>>>>>> RFC8224 (draft-ietf-stir-rfc4474bis-16)
>>>>>> --------------------------------------
>>>>>> Title               : Authenticated Identity Management in the Session
>>>>>> Initiation Protocol (SIP)
>>>>>> Publication Date    : February 2018
>>>>>> Author(s)           : J. Peterson, C. Jennings, E. Rescorla, C. Wendt
>>>>>> Category            : PROPOSED STANDARD
>>>>>> Source              : Secure Telephone Identity Revisited
>>>>>> Area                : Applications and Real-Time
>>>>>> Stream              : IETF
>>>>>> Verifying Party     : IESG
>>>>>>
>>
>> --
>> Marc Petit-Huguenin
>> Email: marc@petit-huguenin.org
>> Blog: https://marc.petit-huguenin.org
>> Profile: https://www.linkedin.com/in/petithug
>>
> 


-- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: https://marc.petit-huguenin.org
Profile: https://www.linkedin.com/in/petithug
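The grammar disagreement in this thread (the erratum's `ident-type = "ppt" EQUAL token` versus the quoted form used by ATIS and RFC 8946, plus the `info` parameter being `LAQUOT absoluteURI RAQUOT` rather than a generic-param) is exactly what a verification service has to absorb at parse time. The following is an added example, not code from the thread, RFC 8224 or any STIR implementation: a lenient parser that accepts the compatibility form `ident-type = "ppt" EQUAL (token / quoted-string)` proposed above, normalizes `ppt` to the bare token, and rejects a quoted value whose contents are not a token, so that nothing downstream ever dispatches on an extension name that could not have been a registered PASSporT extension. Assumptions beyond what the thread quotes: the digest is taken to be base64/base64url characters and `.`, `info` is treated as mandatory (it is in RFC 8224's grammar), and the token and quoted-string rules are simplified RFC 3261 forms without line folding. The function names and sample header values are constructed for this example.

```python
"""Lenient parser for the SIP Identity header (RFC 8224 section 4).

Example code added to illustrate the thread; not from RFC 8224 or any
STIR implementation.  Accepts both spellings of the ppt parameter
discussed in the thread (ppt=shaken and ppt="shaken") and normalizes
them to the bare token.
"""
import re

# RFC 3261 token characters (constructed regex of the 'token' rule).
_TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"
# RFC 3261 quoted-string with backslash escapes (simplified: no folding).
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# ident-info-uri as quoted in the thread: LAQUOT absoluteURI RAQUOT.
_ANGLED = r"<[^>]*>"
# Assumption: the digest is base64/base64url characters plus '.' separators.
_DIGEST_RE = re.compile(r"\s*(?P<digest>[A-Za-z0-9+/=_\-.]+)\s*")
# One ";name[=value]" parameter; the value may be <uri>, "quoted" or token.
_PARAM_RE = re.compile(
    rf";\s*(?P<name>{_TOKEN})\s*(?:=\s*(?P<value>{_ANGLED}|{_QUOTED}|{_TOKEN}))?\s*"
)
_TOKEN_RE = re.compile(rf"{_TOKEN}\Z")
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:")


class IdentityHeaderError(ValueError):
    """Raised when an Identity header value does not parse or fails a check."""


def _unquote(value: str) -> str:
    """Drop the surrounding quotes and backslash escapes of a quoted-string."""
    return re.sub(r"\\(.)", r"\1", value[1:-1])


def parse_identity(header_value: str) -> dict:
    """Parse one Identity header field value into its digest and parameters."""
    m = _DIGEST_RE.match(header_value)
    if m is None:
        raise IdentityHeaderError("missing signed-identity-digest")
    result = {"digest": m.group("digest"), "extensions": {}}
    pos = m.end()
    seen = set()
    while pos < len(header_value):
        m = _PARAM_RE.match(header_value, pos)
        if m is None:
            raise IdentityHeaderError(f"malformed parameter at offset {pos}")
        pos = m.end()
        name = m.group("name").lower()
        value = m.group("value")
        if name in seen:
            raise IdentityHeaderError(f"duplicate parameter {name!r}")
        seen.add(name)
        if name == "info":
            # Must be <absoluteURI>: strip the angle brackets, require a scheme.
            if value is None or not value.startswith("<"):
                raise IdentityHeaderError("info must be <absoluteURI>")
            uri = value[1:-1].strip()
            if not _SCHEME_RE.match(uri):
                raise IdentityHeaderError("info URI is not absolute")
            result["info"] = uri
        elif name == "ppt":
            # Compatibility form from the thread: token / quoted-string.
            # Normalize to the bare token and reject anything else, so the
            # verifier never selects a PASSporT extension by a non-token name.
            if value is None or value.startswith("<"):
                raise IdentityHeaderError("ppt needs a token or quoted-string")
            if value.startswith('"'):
                value = _unquote(value)
            if not _TOKEN_RE.match(value):
                raise IdentityHeaderError("ppt value is not a token")
            result["ppt"] = value
        elif name == "alg":
            if value is None or not _TOKEN_RE.match(value):
                raise IdentityHeaderError("alg must be a token")
            result["alg"] = value
        else:
            # generic-param extensions: kept as written for later consumers.
            result["extensions"][name] = value
    if "info" not in result:
        raise IdentityHeaderError("info parameter is mandatory")
    return result


def is_valid_identity(header_value: str) -> bool:
    """True when the header parses and passes the checks above."""
    try:
        parse_identity(header_value)
        return True
    except IdentityHeaderError:
        return False


if __name__ == "__main__":
    # Constructed samples: the digest and URI are placeholders, not real values.
    for sample in (
        'AAAA.BBBB.CCCC;info=<https://cert.example.net/cert.pem>;alg=ES256;ppt=shaken',
        'AAAA.BBBB.CCCC;info=<https://cert.example.net/cert.pem>;alg=ES256;ppt="shaken"',
        'AAAA.BBBB.CCCC;info=<https://cert.example.net/cert.pem>;ppt="not a token"',
        'AAAA.BBBB.CCCC;alg=ES256;ppt=shaken',
    ):
        print(sample, "->", parse_identity(sample) if is_valid_identity(sample) else "rejected")
```

Both `ppt=shaken` and `ppt="shaken"` come back as `"shaken"`, which is the practical consequence of Marc's `(token / quoted-string)` proposal: a verifier interoperates with either camp without caring which side the erratum lands on. Quoted values that are not tokens, and headers without `info`, are rejected rather than passed along.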