Re: [stir] Alexey Melnikov's Discuss on draft-ietf-stir-certificates-11: (with DISCUSS and COMMENT)

Dave Crocker, Wed, 02 November 2016 18:52 UTC

To: Alissa Cooper, Alexey Melnikov
Cc: Russ Housley, IETF STIR Mail List, IESG, Robert Sparks

On 11/2/2016 11:41 AM, Alissa Cooper wrote:
> My understanding of the JWT Claim Constraints is that a CA can use them to constrain which claims it expects to receive when asked to validate a cert. Let’s imagine a context in which the base set of claims defined in this spec has been extended to include a “confidence” claim that allows a carrier to differentiate between cases where a number block is fully operated by a customer (e.g., Carrier X assigns a block to Enterprise Y), delegated to a wholesaler, or operating via an SBC. Imagine that the “full,” “delegated,” and “sbc” claims about a “confidence” claim have all been specified. The permitted and excluded constraints could be used to limit claims to one of these categories, e.g., permitted would be set to “full” for the claim “confidence” for numbers in the block used by Enterprise Y.


This presumes that claims are to be made about 'interesting' properties 
and issues, whereas the actual task the work is chartered for is far 
simpler, namely authentication of a call's identifier.

More generally, you have described here a broad model for processing 
that is to be performed by the receiver, based on these (standardized?) 
claims by the caller (or, rather, the caller's operator.)

Do you have examples of such a distributed, multi-administration policy 
and decision model being used successfully?

What has been defined and what you describe is quite a complex system.


   Dave Crocker
   Brandenburg InternetWorking
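
The receiver-side check that the quoted "confidence" scenario implies, as an added example that is not part of this thread or of the draft. The "confidence" claim and its values are the hypothetical ones from the quoted text; the JSON-style constraint layout, the helper names, the sample numbers and the rule that a permitted list applies only when the claim is present are assumptions made for illustration.

```python
import base64
import json

# Constructed policy for the number block used by "Enterprise Y". The dict
# layout is an assumption; the draft carries constraints in a certificate
# extension, not in JSON.
CONSTRAINTS = {
    "permitted": {"confidence": ["full"]},
    "excluded": {},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed compact-JWS-shaped token with a placeholder signature."""
    header = {"alg": "ES256", "typ": "passport"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])

def read_claims(token: str) -> dict:
    """Decode the payload only. Signature and chain validation must come first
    in a real verifier; they are out of scope here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("claims set is not a JSON object")
    return claims

def violations(claims: dict, constraints: dict) -> list:
    """Return human-readable constraint violations; an empty list means accept."""
    found = []
    for name, allowed in constraints.get("permitted", {}).items():
        # Assumption: a permitted list restricts the value only when the claim is present.
        if name in claims and claims[name] not in allowed:
            found.append(f"{name}={claims[name]!r} not in permitted {allowed}")
    for name, banned in constraints.get("excluded", {}).items():
        if name in claims and claims[name] in banned:
            found.append(f"{name}={claims[name]!r} is excluded")
    return found

# Constructed claims; the telephone numbers are fictional.
BASE = {"orig": {"tn": "12025550100"}, "dest": {"tn": ["12025550101"]}, "iat": 1478112723}
for value in ("full", "delegated", "sbc"):
    token = make_sample_token({**BASE, "confidence": value})
    print(value, violations(read_claims(token), CONSTRAINTS) or "accepted")
```

Every verifier along the call path has to apply the same rule set to the same claim vocabulary for the result to be consistent, which is the multi-administration policy question raised in the reply above.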