Re: [stir] Brief review of draft-ietf-stir-rfc4474bis-08
"Peterson, Jon" <jon.peterson@neustar.biz> Thu, 12 May 2016 04:59 UTC
Return-Path: <jon.peterson@neustar.biz>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA27E12D149 for <stir@ietfa.amsl.com>; Wed, 11 May 2016 21:59:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.601
X-Spam-Level:
X-Spam-Status: No, score=-102.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EzKcJjF4PaZn for <stir@ietfa.amsl.com>; Wed, 11 May 2016 21:59:11 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E15A312D13A for <stir@ietf.org>; Wed, 11 May 2016 21:59:10 -0700 (PDT)
Received: from pps.filterd (m0049401.ppops.net [127.0.0.1]) by m0049401.ppops.net-0018ba01. (8.16.0.17/8.16.0.17) with SMTP id u49ICa0J009837; Mon, 9 May 2016 14:19:52 -0400
Received: from stntexhc10.cis.neustar.com ([156.154.17.216]) by m0049401.ppops.net-0018ba01. with ESMTP id 22scpd4qbh-1 (version=TLSv1 cipher=AES128-SHA bits=128 verify=NOT); Mon, 09 May 2016 14:19:52 -0400
Received: from STNTEXMB10.cis.neustar.com ([169.254.5.94]) by stntexhc10.cis.neustar.com ([169.254.4.235]) with mapi id 14.03.0279.002; Mon, 9 May 2016 14:19:52 -0400
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Alan Ford <alan.ford@gmail.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] Brief review of draft-ietf-stir-rfc4474bis-08
Thread-Index: AQHRox/P+zsaKnVLN06sLYY3r9Lf2p+wxjSA
Date: Mon, 09 May 2016 18:19:52 +0000
Message-ID: <D3561D13.18AA1C%jon.peterson@neustar.biz>
References: <E5B79032-3EA5-4628-BB3F-8A02C8B90856@gmail.com>
In-Reply-To: <E5B79032-3EA5-4628-BB3F-8A02C8B90856@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
x-originating-ip: [10.96.12.151]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5307E479A91B494894ABB6ABC056C70B@neustar.biz>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-05-09_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1603290000 definitions=main-1605090262
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/ciA-rDE03cEOa9zyqjGBY7kn-84>
Subject: Re: [stir] Brief review of draft-ietf-stir-rfc4474bis-08
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 04:59:13 -0000
Thanks Alan, these are useful comments. I can try to clarify the language a bit about the authentication service. As RFC4474bis says (in language it inherits from RFC4474), we based the authentication service on the abstract "location service" concept in baseline RFC3261 which is similarly and intentionally vague in its relationship to any given SIP component. I am aware that some implementations of RFC4474bis are already decomposing the authentication service into a stub in the proxy that contacts a RESTful web service which in turn generates the PASSporT object and passes it back over HTTP to the proxy. I do want to make sure any language we add doesn't rule out implementations like that, which seem like useful ones. I have been hearing that we need to put in some clearer language about 438 and other response codes that are grandfathered in from RFC4474, in particular to explain how they might differ now. I think the semantics is largely the same, but there are a few issues: e.g., we don't want a response code status line for "Bad Identity-Info" when in fact the Identity-Info header has been deprecated in favor of the "info=" parameter. The next revision will clean those things up a bit. The issue of distributing private keys to virtual hosting systems and so forth is a known hard problem, and scoping the credential solely to SIP doesn't really give us much relief. I'm holding out for a general solution, possibly as a result of the LURK BoF we saw in Buenos Aires. Your smaller fixes I'll fix. Jon Peterson Neustar, Inc. On 4/30/16, 1:35 PM, "stir on behalf of Alan Ford" <stir-bounces@ietf.org on behalf of alan.ford@gmail.com> wrote: >Hi all, > >At IETF95, Robert suggested I should review draft-ietf-stir-rfc4474bis >from an implementer's point-of-view... So I have :) I was coming at this >completely fresh - I had never read any of the document before and had >very limited background on this topic... And I must first say it's a >really accessible document, very easy to follow and understand. I have >only a few very minor comments on clarity: > >- Section 4, it took me a while to realise that the authentication >service typically sat as a component of Alice's home SIP proxy. Whilst >obvious once a bit more context was available, I'd suggest adding a >sentence at the end of paragraph 5 (The proxy, ...) that reads something >like "The proxy then forwards the request under normal to Bob's domain". > >- Section 5.1, Step 4, paragraph 3... Similarly, just insert "at the >receiver" after "In some cases, a request sent through an authentication >service will be rejected by the verification service" - helps make the >process a little clearer. > >- Section 5.2, it is not clear if there should be anything different in >the 488 for no Identity header, and unsupported ppt? > >- Section 6.3, typo "bae64" > >- Section 6.3, "result of the JSON object construction process", would it >not be clearer to say "the PASSporT object" or similar? There is a clear >definition of "canon" in the last paragraph of Section 8 which could be >used earlier too. > >- Section 6.4, "URL of the form" ? Is form the right word for >content-type here? > >- Section 6.4 references "this registry" -> what registry? Maybe this >should reference IANA section? Also the ref to RFC7519 to define "RS256" >should probably occur here. > >- Section 7.2 - could the use of the key not in some way be restricted >purely for use with SIP Identity? Therefore removing issues with giving >it to a third-party service provider? > >- Section 12.1, paragraph 4: "The To helps" and "over the To" -> insert >"header" after "To" for clarity since it scans really strangely otherwise! > >Cheers, >Alan > >_______________________________________________ >stir mailing list >stir@ietf.org >https://www.ietf.org/mailman/listinfo/stir
- [stir] Brief review of draft-ietf-stir-rfc4474bis… Alan Ford
- Re: [stir] Brief review of draft-ietf-stir-rfc447… Eric Burger
- Re: [stir] Brief review of draft-ietf-stir-rfc447… Peterson, Jon