IETF Logo Mail Archive

Re: [stir] current draft charter - ENUM and databases

"Lee, Yiu" <Yiu_Lee@Cable.Comcast.com> Wed, 19 June 2013 21:30 UTC

Return-Path: <yiu_lee@cable.comcast.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C031C21E80AC for <stir@ietfa.amsl.com>; Wed, 19 Jun 2013 14:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.231
X-Spam-Level:
X-Spam-Status: No, score=-5.231 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fI4noy21NaOH for <stir@ietfa.amsl.com>; Wed, 19 Jun 2013 14:30:37 -0700 (PDT)
Received: from cable.comcast.com (copdcavout01.cable.comcast.com [76.96.32.253]) by ietfa.amsl.com (Postfix) with ESMTP id 24F4E21E80B2 for <stir@ietf.org>; Wed, 19 Jun 2013 14:30:35 -0700 (PDT)
Received: from ([24.40.56.116]) by copdcavout01.cable.comcast.com with ESMTP id C7WM3M1.78243950; Wed, 19 Jun 2013 15:29:57 -0600
Received: from PACDCEXHUB05.cable.comcast.com (24.40.56.122) by pacdcexhub03.cable.comcast.com (24.40.56.116) with Microsoft SMTP Server (TLS) id 14.2.318.1; Wed, 19 Jun 2013 17:30:31 -0400
Received: from PACDCEXMB05.cable.comcast.com ([169.254.7.207]) by pacdcexhub05.cable.comcast.com ([fe80::3d40:bdea:7266:7f5a%18]) with mapi id 14.02.0318.001; Wed, 19 Jun 2013 17:30:31 -0400
From: "Lee, Yiu" <Yiu_Lee@Cable.Comcast.com>
To: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] current draft charter - ENUM and databases
Thread-Index: AQHObTQ5XmPLrMwRWEiVEqWBKKhJyg==
Date: Wed, 19 Jun 2013 21:30:30 +0000
Message-ID: <E3FAB1F4F41F3A45B287E8D9C53522FD472D009D@PACDCEXMB05.cable.comcast.com>
In-Reply-To: <CDE73C1B.23F53%jon.peterson@neustar.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [68.87.16.247]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3454507829_25597"
MIME-Version: 1.0
Subject: Re: [stir] current draft charter - ENUM and databases
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 21:30:43 -0000

I pretty much agree what you said. The Identity-Info field is very
flexible. I guess we need to agree with the problem we tried to solve
first in stir. My gut feeling is we may be able to use rfc4474 plus some
minor twists to get what we want.


On 6/19/13 2:18 PM, "Peterson, Jon" <jon.peterson@neustar.biz> wrote:

>
>I think this list has gotten bogged down in the question of how to
>download credentials at the verification service. I sense this is
>motivated by a feeling that we are going to have a beauty contest and pick
>one way to download credentials, and everyone would like it to be their
>favorite way.
>
>I don't really look at the STIR problem that way, though. I don't really
>care, at the end of the day, how a verification service downloads
>credentials. I don't think we even need to arrival a single way of doing
>it. The Identity-Info header of RFC4474 gives verification services a hint
>of where they could acquire credentials. Nothing about RFC4474 assumes
>though that the verification service doesn't already have a public key for
>the auth service, or that the verification service doesn't have its own
>means of looking up credentials in a store, say (see Step 1 of Section 6
>of RFC4474). Dereferencing the Identity-Info is not in that strict sense
>required.
>
>Even when there verification service does dereference the URI in
>Identity-Info to get a credential, RFC4474 leaves the door pretty wide
>open for what protocols can be used: it does specify HTTP as MTI, but this
>is not exclusive. We discussed using SIP itself (with a fetch SUB), CID
>for multipart MIME and several other options. I can even imagine using a
>DNS URI for this, especially for a DANE or DANE-like case where you want
>to tip off the verifier that the public key can be found in the DNS.
>Again, the presence of a DNS URI in Identity-Info would just be a hint, a
>"in case you didn't know, my public key is in a DANE record." Maybe some
>verification services wouldn't need that hint as they always check the DNS
>for a public key.
>
>So you could argue even that at an over-the-wire level, we wouldn't even
>need to change Identity-Info to support using the DNS as a way to access
>credentials. What would need to change, of course, is the logic used by
>auth/verification services to handle telephone numbers, and for DANE-like
>cases, to check reference integrity. This, I think, is where the actual
>STIR work should lie. I don't think we should try to legislate a one true
>way that services must make credentials available. We should introduce
>flexibility here, even if it means perhaps having two MTIs for
>Identity-Info URI schemes instead of one. But we shouldn't get caught up
>on what protocol you use to fetch credentials.
>
>Jon Peterson
>Neustar, Inc.
>
>On 6/19/13 10:23 AM, "Lee, Yiu" <Yiu_Lee@Cable.Comcast.com> wrote:
>
>>Can we get the dnskey record and verify it by the ds record and forget
>>the
>>whole CA thing?
>>
>>On 6/19/13 1:12 PM, "Hadriel Kaplan" <hadriel.kaplan@oracle.com> wrote:
>>
>>>We have can't just look up the DNS domain key of 'foo.com' to get the
>>>certificate
>

v2.23.0 | Report a Bug | By Email