Re: [stir] WGLC Review of draft-ietf-stir-messaging-02

"Peterson, Jon" <jon.peterson@team.neustar> Mon, 25 July 2022 19:04 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Russ Housley <housley@vigilsec.com>, Ben Campbell <ben@nostrum.com>
CC: IETF STIR Mail List <stir@ietf.org>, "draft-ietf-stir-messaging@ietf.org" <draft-ietf-stir-messaging@ietf.org>
Thread-Topic: [stir] WGLC Review of draft-ietf-stir-messaging-02
Thread-Index: AQHYYYywMDiKSuhXSE+5WJ0f1HYaHK0YeKWAgHczsIA=
Date: Mon, 25 Jul 2022 19:03:40 +0000
Message-ID: <8F399B6B-4F37-4F9E-90F6-CEDB22918363@team.neustar>
References: <6CEAEB75-6BC5-4BA9-9FCA-1B1F971655DE@nostrum.com> <6690AD2B-F6B0-491D-8349-D799796FA6A2@vigilsec.com>
In-Reply-To: <6690AD2B-F6B0-491D-8349-D799796FA6A2@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/clbz7ibfVSV83qboahtZuwcxFqc>
Subject: Re: [stir] WGLC Review of draft-ietf-stir-messaging-02
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>

Thanks for these notes Russ. Some responses inline.

Jon Peterson
Neustar (a TransUnion company)

On 5/10/22, 2:43 PM, "Russ Housley" <housley@vigilsec.com> wrote:

    I have two comments.
    
    Section 3.1: There is an informative reference to [I-D.peterson-stir-rfc4916-update].  It seems like we should have a reference to RFC 4916.  It is not clear to me that the already approved document is not sufficient for the point being made here.

I do think rfc4916update is a better ref here in so far as it is specific to STIR, rather than RFC4474 - but, I see your point. We can swap it out if you want. But since it's informative, there's no harm in keeping it, right?
    
    Section 3.2:  This should include a reference for SHA2.  (Also in Ben's list below.)
    
       [FIPS.180-3]
                   National Institute of Standards and Technology, "Secure
                   Hash Standard (SHS)", FIPS PUB 180-3, October 2008,
                   <http://csrc.nist.gov/publications/fips/fips180-3/
                    fips180-3_final.pdf>.

Okay.
    
    Russ
    
    > On May 6, 2022, at 5:02 PM, Ben Campbell <ben@nostrum.com> wrote:
    > 
    > (As individual)
    > 
    > Hi,
    > 
    > This is a WGLC review of draft-ietf-stir-messaging-02. I think this is pretty much ready to progress. I have a few minor comments that don’t necessarily need to block progress.
    > 
    > Thanks!
    > 
    > Ben.
    > 
    > Substantive:
    > ----------------
    > 
    > §3.2: 
    > 	• "msgi" MUST NOT appear in PASSporTs with a type other than "msg"…
    > 		• Why is that? I guess if a VS that does not understand “msgi”, it might verify the sender number but not check integrity even though it was offered. Given that the fallback position is to do neither, is that really a fail?
    > 
    > 	• Do we want to say anything about “msgi” interaction with encrypted messages? I assume one would calculate the msgi digest post-encryption.
    > 
    > §3.2.1: “in which case something like out-of-band [RFC8816] conveyance”
    > 	• Would it make sense to also reference servprovider-oob?  (I can be convinced not to make this depend on a WIP draft, but I assume we are talking about an informative reference.)
    > 
    > §7:
    > 	• It might be worth noting that this mechanism does not add any privacy protection to the original message content that wasn’t there in the first place.
    > 
    > §8: 
    > 	• It might be good for the sec cons to refer back to the text about store-and-forward (and any other place we see the messaging use case differ from the calling user case). (No strong feelings on this except that the sec cons feel a bit light.)
    > 	• It might be worth observing that, while “msgi” can contribute to replay prevention for the passport, it does not help with replay of the same identical message.
    > 
    > Editorial:
    > ----------
    > 
    > General: There’s still quite a bit of “could be” language that perhaps “could be” recast as “can be” or even “is”.
    > 
    > Abstract: 
    > 
    > 	• s/Persona/Personal
    > 	• Last sentence: I propose “… both for messages carried as a payload in SIP requests and for messages sent in sessions negotiated with SIP.”
    > 
    > §1:
    > 	•  2nd paragraph, first sentence: “… however...” needs commas fore and aft.
    > 	• “… not currently widespread”: That statement is already becoming dated. I propose we just say “Spammers and fraudsters are increasingly turning to…”
    > 
    > §3.2
    > 	• First paragraph, 2nd sentence: “for example” needs commas.
    > 	• “MUST support the following hash algorithms: "SHA256", "SHA384", or "SHA512", which are defined as part of the SHA-2 set of cryptographic hash functions by the NIST.”
    > 		• Is there a reasonable citation?
    > 
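As an added illustration of the "msgi" points raised above (the type restriction, hashing post-encryption bytes, and replay of an identical message), here is example code that is not from draft-ietf-stir-messaging and not from any poster in this thread. It assumes a claim encoding of "<alg>-<base64url digest>" and that the digest covers the bytes actually transmitted (ciphertext for an encrypted message); the page states neither. JWS header and signature handling are left out, and the telephone numbers and origid are constructed sample values.

```python
# Added example for this thread (not code from draft-ietf-stir-messaging or
# from any poster): building and checking the "msgi" message-integrity claim
# of a STIR "msg" PASSporT, and why it does not by itself stop replay.
#
# Assumptions not stated on the page:
#   * the claim value is written "<alg>-<base64url digest, no padding>";
#   * the digest is taken over the exact bytes handed to the transport, so for
#     an encrypted message that is the ciphertext, not the plaintext;
#   * JWS header/signature handling is out of scope; only claim logic is shown.
import base64
import hashlib
import hmac

# SHA-2 algorithms the draft says a verifier MUST support (labels are assumed).
SUPPORTED = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT/PASSporT fields are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def msgi_for(body: bytes, alg: str = "sha256") -> str:
    """Digest of the transmitted message bytes, tagged with the algorithm."""
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    return f"{alg}-{b64url(SUPPORTED[alg](body).digest())}"


def build_msg_claims(orig_tn, dest_tns, body, iat, origid, alg="sha256"):
    """Claims of a "msg" PASSporT for one message (caller supplies the
    constructed sample data; field names follow the base PASSporT layout)."""
    return {
        "attest": "A",
        "dest": {"tn": list(dest_tns)},
        "iat": iat,
        "msgi": msgi_for(body, alg),
        "orig": {"tn": orig_tn},
        "origid": origid,
    }


def verify_msgi(ppt: str, claims: dict, body: bytes) -> str:
    """Verification-service view of "msgi".

    Returns "ok", "absent" (no integrity claim offered, so only sender
    verification is possible), or a reason string for failure.
    """
    msgi = claims.get("msgi")
    if msgi is None:
        return "absent"
    # The draft restricts "msgi" to the "msg" PASSporT type; this example
    # rejects the claim when it shows up under any other type.
    if ppt != "msg":
        return "msgi-in-wrong-passport-type"
    alg, sep, _digest = msgi.partition("-")
    if not sep or alg not in SUPPORTED:
        return "unsupported-alg"
    # Recompute over the received bytes; constant-time compare so the
    # position of the first differing character is not leaked.
    if not hmac.compare_digest(msgi_for(body, alg), msgi):
        return "body-mismatch"
    return "ok"


def is_replay(seen: set, claims: dict) -> bool:
    """Replay detection that "msgi" cannot provide on its own.

    Two sends of the same text produce the same "msgi", so the verifier
    needs per-PASSporT state (here: origid + iat) to notice a replayed
    message. Returns True the second time the same key is seen.
    """
    key = (claims["origid"], claims["iat"])
    if key in seen:
        return True
    seen.add(key)
    return False


if __name__ == "__main__":
    body = b"Your verification code is 482913"          # constructed sample
    claims = build_msg_claims("12155550112", ["12155550113"], body,
                              1658775820, "0c2a7a1e-example-origid")
    print(verify_msgi("msg", claims, body))              # ok
    print(verify_msgi("shaken", claims, body))           # wrong type
    print(verify_msgi("msg", claims, body + b"!"))       # body-mismatch
    cache = set()
    print(is_replay(cache, claims), is_replay(cache, claims))  # False True
```

The replay cache keyed on origid and iat is the point of the last function: a second delivery of byte-identical content carries an identical "msgi", so freshness has to come from the PASSporT's own fields, not from the digest.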