Re: [stir] WGLC Review of draft-ietf-stir-messaging-02

"Peterson, Jon" <jon.peterson@team.neustar> Mon, 25 July 2022 19:44 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Ben Campbell <ben@nostrum.com>, IETF STIR Mail List <stir@ietf.org>
CC: "draft-ietf-stir-messaging@ietf.org" <draft-ietf-stir-messaging@ietf.org>
Thread-Topic: WGLC Review of draft-ietf-stir-messaging-02
Thread-Index: AQHYYYywMDiKSuhXSE+5WJ0f1HYaHK2PrLCA
Date: Mon, 25 Jul 2022 19:04:56 +0000
Message-ID: <1187B989-4BDC-407D-AD3F-727F410C36EC@team.neustar>
References: <6CEAEB75-6BC5-4BA9-9FCA-1B1F971655DE@nostrum.com>
In-Reply-To: <6CEAEB75-6BC5-4BA9-9FCA-1B1F971655DE@nostrum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/eQuvvrvql_M2wthv0mV2WteF64Y>

Hi Ben,

Getting to some older comments here (apologies for not getting to them sooner...). Inline below.

Jon Peterson
Neustar (a TransUnion company)
    
    Substantive:
    ----------------
    
    §3.2: 
    	• "msgi" MUST NOT appear in PASSporTs with a type other than "msg"...
    		• Why is that? I guess if a VS that does not understand “msgi”, it might verify the sender number but not check integrity even though it was offered. Given that the fallback position is to do neither, is that really a fail?
    
The general fail that worried me is that someone might mistake a PASSporT covering a message for a PASSporT covering a telephone call. What would it mean to add a "msgi" to a SHAKEN PASSporT type, say? Does that mean the PASSporT is now about a message rather than a telephone call? Obviously any implementation that doesn't understand "msgi" would just ignore the element. I think it makes more sense to 

    	• Do we want to say anything about “msgi” interaction with encrypted messages? I assume one would calculate the msgi digest post-encryption.

Agreed it would be calculated after, but since we're scoping the integrity protection to the MIME layer, I think that goes without saying. But still, I'll add something about that.
    
    §3.2.1: “in which case something like out-of-band [RFC8816] conveyance”
    	• Would it make sense to also reference servprovider-oob?  (I can be convinced not to make this depend on a WIP draft, but I assume we are talking about an informative reference.)

I think for our current purposes it's fine to just reference the RFC. Nothing about servprovider-oob changes the high-level guidance we're giving here in stir-messaging, anyway.
    
    §7:
    	• It might be worth noting that this mechanism does not add any privacy protection to the original message content that wasn’t there in the first place.

Okay, will add.
    
    §8: 
    	• It might be good for the sec cons to refer back to the text about store-and-forward (and any other place we see the messaging use case differ from the calling user case). (No strong feelings on this except that the sec cons feel a bit light.)

Okay, I at least added a pointer to the store-and-forward text.

    	• It might be worth observing that, while “msgi” can contribute to replay prevention for the passport, it does not help with replay of the same identical message.
    
The section on "msgi" does contain some considerations about replay protection; that is now pointed to by the Sec Cons as well. 


    Editorial:
    ----------
    
    General: There’s still quite a bit of “could be” language that perhaps “could be” recast as “can be” or even “is”.

Yeah, um, I agree it's a little hand-wavy rather than normative in many areas, but I think we get the normative stuff we need.
    
    Abstract: 
    
    	• s/Persona/Personal
    	• Last sentence: I propose “… both for messages carried as a payload in SIP requests and for messages sent in sessions negotiated with SIP.”

OK.
    
    §1:
    	•  2nd paragraph, first sentence: “… however...” needs commas fore and aft.

OK.

    	• “… not currently widespread”: That statement is already becoming dated. I propose we just say “Spammers and fraudsters are increasingly turning to…”

OK.
    
    §3.2
    	• First paragraph, 2nd sentence: “for example” needs commas.

OK.

    	• “MUST support the following hash algorithms: "SHA256", "SHA384", or "SHA512", which are defined as part of the SHA-2 set of cryptographic hash functions by the NIST.”
    		• Is there a reasonable citation?

Um, I think so?
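Added example, not part of the thread and not code from the draft or from its authors: a small Python sketch of the two points discussed above, that "msgi" is a digest over the MIME body exactly as transmitted (so over the ciphertext when the body is encrypted) and that a matching digest says nothing about replay of an identical message. The hash set is the one quoted in the review (SHA256, SHA384, SHA512); the "ALG-base64digest" string encoding of the claim value, the mapping from those names to hashlib, and the sample message body are assumptions of this example rather than the -02 draft's wire format.

```python
import base64
import hashlib
import hmac

# Hash algorithms the quoted draft text says a verifier MUST support.
# The mapping of the draft's names onto hashlib is this example's own.
MSGI_ALGORITHMS = {
    "SHA256": hashlib.sha256,
    "SHA384": hashlib.sha384,
    "SHA512": hashlib.sha512,
}


def compute_msgi(body: bytes, alg: str = "SHA256") -> str:
    """Produce an "msgi" value for a MIME body.

    The digest is taken over the body bytes as they go onto the wire: if
    the body is encrypted, hash the ciphertext, never the plaintext, since
    that is what the verifier will see. The "ALG-<base64 digest>" layout
    is an assumption of this example, not the draft's claim format.
    """
    if alg not in MSGI_ALGORITHMS:
        raise ValueError(f"unsupported msgi hash algorithm: {alg}")
    digest = MSGI_ALGORITHMS[alg](body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_msgi(body: bytes, msgi: str) -> bool:
    """Return True only if msgi matches the received body.

    An unknown algorithm or malformed value is a verification failure,
    not a crash, so a verifier cannot be pushed into an error path by a
    crafted claim.
    """
    alg, sep, encoded = msgi.partition("-")
    if not sep or alg not in MSGI_ALGORITHMS:
        return False
    try:
        expected = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = MSGI_ALGORITHMS[alg](body).digest()
    return hmac.compare_digest(expected, actual)


def replay_demo() -> dict:
    """Show what msgi does and does not catch on a constructed body."""
    # Constructed sample MIME body; not a message from the thread.
    body = b"Content-Type: text/plain\r\n\r\nYour parcel is ready for pickup.\r\n"
    msgi = compute_msgi(body, "SHA256")
    tampered = body.replace(b"ready for pickup", b"held pending a fee")
    # A replay carries the original body and the original PASSporT, so the
    # digest matches again: replay detection has to come from the other
    # claims (iat, origid), not from msgi.
    replayed = bytes(body)
    return {
        "original_verifies": verify_msgi(body, msgi),
        "tampered_verifies": verify_msgi(tampered, msgi),
        "identical_replay_verifies": verify_msgi(replayed, msgi),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The verifier deliberately returns False rather than raising on an algorithm it does not recognise, which matches the fallback the review discusses: an implementation that cannot check integrity simply does not claim to have checked it.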