Re: [stir] AD Review: draft-ietf-stir-passport-divert
Adam Roach <adam@nostrum.com> Mon, 18 November 2019 08:47 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CC3E120919; Mon, 18 Nov 2019 00:47:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.279
X-Spam-Level:
X-Spam-Status: No, score=-1.279 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.4, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dd-JRSfVsDIw; Mon, 18 Nov 2019 00:47:38 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29C3A120908; Mon, 18 Nov 2019 00:47:38 -0800 (PST)
Received: from Orochi.local ([196.52.19.209]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id xAI8lWfs048406 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 18 Nov 2019 02:47:36 -0600 (CST) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1574066857; bh=DQo6b4vpbBE9U1bY/j2iM+16kjysExIJ1qm0rfcRH1Y=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=s40LSsvLnaoE6XL+Oh8DRmg9Ibfglx/iRv7CdJQEZWSwGM4VNpxjfrOQ3XUBeebsY /5D7Pz6ve8UBfu6WGicnUoVJfUvWNbNSxTt0lKEapbpMVinmmeQpYR5pYZpYp4ReG/ JshGeVBiZIhDcsFujRd5ZleAxXqk6N2Z7mR8wkto=
X-Authentication-Warning: raven.nostrum.com: Host [196.52.19.209] claimed to be Orochi.local
To: "Peterson, Jon" <jon.peterson@team.neustar>, "draft-ietf-stir-passport-divert.all@ietf.org" <draft-ietf-stir-passport-divert.all@ietf.org>
Cc: "stir@ietf.org" <stir@ietf.org>
References: <12e57a54-927c-a768-34ac-b1055bff88f6@nostrum.com> <52DE2B0B-4C03-46E7-8335-778CA80C6DE2@team.neustar>
From: Adam Roach <adam@nostrum.com>
Message-ID: <44875992-bf2b-6edd-9234-6ae90019b5a1@nostrum.com>
Date: Mon, 18 Nov 2019 16:47:32 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <52DE2B0B-4C03-46E7-8335-778CA80C6DE2@team.neustar>
Content-Type: multipart/alternative; boundary="------------82D23AE54C3599FD29FF8BFF"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/eP7y4vwrBgbOabzJl7e6WeWbfIw>
Subject: Re: [stir] AD Review: draft-ietf-stir-passport-divert
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 08:47:45 -0000
Thanks for the new draft. This looks good, and I'll be requesting IETF
last call momentarily.
Please treat this as a last call comment, and address it with any other
feedback you receive during last call:
> The same "div" PASSporT would result if the "dest" object of the
> original PASSporT contained an array value, such as
> {"tn":["12155551213"],["19995551234"]}
This should be {"tn":["12155551213","19995551234"]} (note: no brackets
around the comma)
/a
On 11/5/19 06:07, Peterson, Jon wrote:
> Hey Adam,
>
> I do apologize, I did know the examples in here were broken when we sent out the last version, and I promised the chairs I'd patch them, but hadn't gotten around to it. The examples in the new version were generated by our implementation, I did check them against jwt.io, so hopefully everything is in order now. Also, the "div" example that showed the value of the object as an array has been fixed; that was just hasty pasting on my part.
>
> In addition to your welcome nits and clarity fixes (which are in the new version), you found a couple other good substantive ones here...
>
> §3:
>
> > A "div" PASSporT claims set is populated with elements drawn from the
> > PASSporT(s) received for a call by the retargeting entity: at a high
> > level, the original identifier for the called party in the "dest"
> > array will become the "div" claim in the new PASSporT. If the "dest"
> > array of the original PASSporT contains multiple identifiers, the
> > retargeting entity MUST select only one them to occupy the "div"
> > field in the new PASSporT...
>
> This is confusing, for a couple of reasons. While the language in RFC 8225
> gets objects and arrays mixed up (and I need to file an errata on this), the
> intention is clear enough to implement. However, the preceding text is
> actually
> ambiguous due to the confusion between "array" and "object".
>
> I did try to repair this ambiguity where the text was careless about "object", "value" and "array", and included an example showing how you select just one value from any "dest" array to be the one you are redirecting from.
>
> §4.1:
>
> > Furthermore note that a request may also be retargeted a
> > second time, at which point the subsequent retargeting entity SHOULD
> > generate one "div" PASSporT for each previous "div" PASSporT in the
> > request. This can create multiple chains of "div" PASSporTs in a
> > single request, which complicates the procedures that need to be
> > performed at verification services.
>
> Read literally, this doesn't just create multiple chains; it creates
> a exponential explosion of Identity header fields. Consider a request
> that contains two non-"div" Identity header fields that gets redirected
> four times.
>
> This is a good catch. I put in some text to clarify that on each redirection there is one "div" PASSporT per baseline non-div PASSporT that does not have a common "orig" and "dest". Well, I put it better than that in the text. Hopefully it's clear now, let me know if it isn't.
>
> Thanks again,
>
> Jon Peterson
> Neustar, inc.
>
>
>
>
- [stir] AD Review: draft-ietf-stir-passport-divert Adam Roach
- Re: [stir] AD Review: draft-ietf-stir-passport-di… Peterson, Jon
- Re: [stir] AD Review: draft-ietf-stir-passport-di… Adam Roach