[stir] Summary comments on draft-ietf-stir-* document trio at WG Last Call
Dave Crocker <dhc@dcrocker.net> Fri, 12 August 2016 23:26 UTC
Return-Path: <dhc@dcrocker.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56C7D12D877 for <stir@ietfa.amsl.com>; Fri, 12 Aug 2016 16:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.209
X-Spam-Level:
X-Spam-Status: No, score=-1.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SJevMykkoLNt for <stir@ietfa.amsl.com>; Fri, 12 Aug 2016 16:25:59 -0700 (PDT)
Received: from simon.songbird.com (unknown [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403C412D85C for <stir@ietf.org>; Fri, 12 Aug 2016 16:25:59 -0700 (PDT)
Received: from [192.168.1.168] (76-218-8-128.lightspeed.sntcca.sbcglobal.net [76.218.8.128]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u7CNQ3GQ026954 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT) for <stir@ietf.org>; Fri, 12 Aug 2016 16:26:03 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1471044363; bh=goQQMH4n4OH1ryc4odre0dS44z0Q8QWB7exru38gGIY=; h=From:Subject:References:To:Reply-To:Date:In-Reply-To:From; b=FDT9PzlDRxlfPqMgIBrAlQi0AjlySXoOv6B0IEnWnhZy1bgWv04pZuy6N4FyjpNpo sF7nBBRMbT2sq6NAFl6JdsCbCbVjkhklTGhKFQVD4I3agX58WRIBGAhhVpGpRZnC7f sHnw0c/7BlEJQ0ttCfVcBiw/T89ylra4RH6dRlTA=
From: Dave Crocker <dhc@dcrocker.net>
References: <D975E88FEBB366379F3D8DB2DDF473C9C3E4F2CF@Janices-iPhone> <c8b90ad2-dd66-9aeb-756b-cf3d95eeacd3@bbiw.net> <17A4057909C5124FBCA624CD7B0C43A20121B4A6A890@HQ1-MAILMB-V1.trade.ftc.gov>
Organization: Brandenburg InternetWorking
To: "stir@ietf.org" <stir@ietf.org>
Message-ID: <eeb5dd18-94a6-aa60-7f5f-a2f8ee30a61a@dcrocker.net>
Date: Fri, 12 Aug 2016 16:25:27 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <17A4057909C5124FBCA624CD7B0C43A20121B4A6A890@HQ1-MAILMB-V1.trade.ftc.gov>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/l0vlPJyUtFlDgMYvROufgAcCiH0>
Subject: [stir] Summary comments on draft-ietf-stir-* document trio at WG Last Call
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2016 23:26:00 -0000
Greetings, I've done self-initiated reviews on the three documents that were put into the STIR Working Group Last Call: * Secure Telephone Identity Credentials: Certificates draft-ietf-stir-certificates-07.txt "The use of certificates in establishing authority over telephone numbers" * Persona Assertion Token draft-ietf-stir-passport-05 "A token format for verifying with non-repudiation the sender of and authorization" * Authenticated Identity Management in the Session Initiation Protocol (SIP) draft-ietf-stir-rfc4474bis-10.txt "A mechanism for securely identifying originators of SIP requests" This note is a summary of the core comments and conclusions in those reviews, with some further thoughts. The summary of all that follows is quite simple: These documents are in need of extensive additional work and after that is done, they still will not specify a coherent capability. The worked need to turn this into a coherent capability is substantial and possibly risky. My specific reviews are: Review of: draft-ietf-stir-passport-05 https://mailarchive.ietf.org/arch/msg/stir/vypQUp6ILfCitdB2PEWo_2bZmZw Review of: draft-ietf-stir-rfc4474bis-10 https://mailarchive.ietf.org/arch/msg/stir/N334mEfCpWowtSnXNrx2ElPGr84 Review: draft-ietf-stir-certificates-07 https://mailarchive.ietf.org/arch/msg/stir/VkB0HMs5JrHRLcOrDmMukdIzD3A Separately, I posted a comment about the choice of JWT/JSON: https://mailarchive.ietf.org/arch/msg/stir/8S0DnRRY6rb368Rt-k4zqQkbd90 Since I'm not a phone guy, I should preface with some information about my background that is relevant to the following comments, beyond noting that I have done technical work for quite a few decades and that I have extensive and varied IETF experience: I've built and run a couple of national email services. I'm a Senior Technical Advisor to M3AAWG <m3aawg.org>, which is an Internet anti-abuse trade association. I'm also a co-author of the current specification for DKIM, which provides an authenticated identifier for email. Further I participate in a number ad hoc industry consortia that develop anti-abuse-related enhancements that are based on the use of DKIM and SPF. I participated in the the STIR effort as it was chartered. None of this guarantees that anything that follows is correct, but it should provide some context for my views about efforts to design technical services used to mitigate abuse... Telephone spam is a serious, urgent, global problem, and has been for some years. Efforts to mitigate it would be greatly aided by reliable, accurate caller-id authentication, similar to the benefits that already accrue for email anti-abuse efforts based on authentication. The primary benefit will be to allow development of accurate reputation information for the caller-id, because then there is assurance that it has only been used by an authorized actor. In general, this promotes identification of calls from good actors, rather than directly serving to identify bad actors -- absent additional mechanisms, such as ones ensuring a semantic of exclusivity, with a guarantee that /all/ calls using the caller-id will be validated.(cf, DMARC) However given some essential operational differences between telephony and email, this assurance is probably more easily made for telephony than it is for email. Discussions to pursue a standardized telephony authentication mechanism began approximately 5 years ago. The IETF's STIR working group began 3 years ago. The technical aspects of global telephony probably preclude ever achieving a solution that will cover all phone service, everywhere. The mix of telephone administrations is challenging, but the considerable mix of telephony technologies is the major impediment: differences in their underlying semantics and limitations to their extensibility make a comprehensive, hybrid solution highly problematic, if not impossible. The STIR working group nonetheless originally pursued a set of hybrid solutions, only more recently gravitating toward a narrower effort, targeting a SIP-only initial capability for authenticated calls. Telephony is increasingly using SIP and there already is a significant global infrastructure using it. In technical terms, SIP is more amenable to this kind of authentication enhancement, than are the legacy technologies, especially given that its use of header-fields for parameters and meta-data is almost identical to that of email, even to the point of having a "From" header field. The nature of the basic tasks for this type of authentication service include: * Deciding where to get the caller-id from. The legitimate technical challenges here are that the SIP phone world has several forms of caller-id strings and several places they can occur. So defining a deterministic algorithm is not necessarily straightforward. However resolving the details in obtaining and processing the variations in caller-id appears to primarily be a matter of defining a precise and reliable algorithm. The specifications have text that I believe is intended to provide this detail, but I was unable to converge on an understanding of what the deterministic behavior and results would be. It appears to talk about possibilities, rather than provide a clear, reasonable and deterministic algorithm. * Deciding on the authentication algorithms and data packaging -- data to hash, hashing algorithm, crypto algorithm, where to to put the result, etc. This is quite a bit of detail and needs to be done correctly, but rarely involves creativity or any interesting debates. However, here too the specification seems to provide for alternatives rather than a single, simple, clear, interoperable solution, absent additional, unstated private agreements. * Deciding how the public key is to be associated with the relevant 'identity' and deciding how it will be found and validated. That is, a key query service. In most crypto services, this involves a 'certificate' with an authority hierarchy. For common certs, these involve an independent public key cert infrastructure (PKI). For DANE, the hierarchy matches the domain name hierarchy for the name having the key, which is stored in the DNS. For DKIM, the key is self-certified: this key also is stored with the name and can (presumably) only be put there by the domain owner. Use of the 'common' PKI service is widely viewed as highly problematic, particularly in terms of making serious reliance on proper authentication, for more than mitigating man-in-the-middle attacks. DKIM has extensive deployment and operational experience, however its authority hierarchy only aligns nicely with domain names. The DANE model does not have significant deployment penetration or operational experience. Also as with DKIM, it's authority alignment is with domain names, not telephone number administration. OAuth is a recent capability that might provide a reasonable cert model that can be applied here, but I don't know enough yet to be sure. Caller-ids based on classic telephone numbers, however, are problematic. Especially due to number portability, the authority hierarchy for numbers does not align at all well with the string of numbers. In effect, any next number in a sequence can be administered by a different entity. Worse, a prior attempt at an inter-organization query service based on telephone number (ENUM) was not successful. In other words, the requirement to have an inter-organization query and validation capability for keys associated with caller-ids should be viewed as both difficult and discouraging, essentially at the level of a open research task: We have no global experience with a successful version of a comparable inter-provider service, or at least not at the necessary scale. But we do have examples of failure... In any event nothing in the current specification specifies how to find and validate the associated key. All that is supplied is very general commentary. And this fact is worth repeating: The trio of documents do not attempt to specify the highest-risk component to the authentication service: a complete and interoperable key query mechanism. Based on the discussions on the working group mailing list and from various private discussions, it appears that folk think that what remains to be done are mere details, or policies, rather than development of core technologies or mechanisms, and that these will be settled elsewhere (ATIS-SIP Forum, or the like). But the work remaining includes basic functional capabilities, not mere administrative or operational (policy) details. Perhaps these will indeed get resolved in those later discussions, but it will require quite a bit of additional effort and time. I suspect it will require far more effort than is currently appreciated. My sense is that the folk intending to pursue use of this work have an underlying expectation that there will be a set of bilateral and/or multilateral provider-based agreements that determine the remaining details, rather than there being an integrated public service. This has been, after all, common in the telephone industry. However it is at odds with the IETF's approach to the definition of open, interoperable services that work at scale. Further, the IETF's publishing the current specifications will mean that the IETF is blessing a set of documents that do not offer a coherent, usable technical capability. I believe that is somewhere between unusual and unprecedented. The proffered drafts do not include any coherent description of the integrated service that is being specified. Simple architectural charts that show the components and how they are functionally connected, with descriptions of their roles and interactions, go quite a long way towards developing a shared, community understanding of what is being done. An essential example here is to delineate relevant administrative trust boundaries. Note that even very recent discussions on the list demonstrate a basic lack of this shared understanding, such as where validation will be done and what will be done with the result. And this example has profound import to the service model, since validation at end-user devices requires a key query service that will operate over the open Internet, whereas validation only amongst 'authorized' providers won't. Some individuals seem to have a clear model for this. However the group does not. The design has chosen use of a JSON/JWT for a "Passport" abstraction of a common "token" collecting together identity, key and other 'claims' information. In terms of computer science design, it looks reasonable; it is modular, based on some standardized technologies, and appears to be extensible. And my original reaction to it was that while it was not necessary to the immediate task, it might have some long-term appeal. However the more I have slogged through the specifications and tried to discuss issues with individuals, it has become clear to me that it is adding quite a bit of complexity to the reading and probably to the software, for literally /no/ immediate benefit. In fact, it is not merely additional overhead: my sense is that it has made it more difficult to find various errors in the detail of the specifications. There is no JSON already in the SIP environment that is being signed; the extensibility is easily obtained more directly; and the aggregate specifications are significantly more difficult to comprehend. The certificate draft is not a specification. It is a discussion, often about basic concepts or about a hypothetical future. Hence, the highest-risk component to the proposed capability remains entirely unspecified. For all three documents, the writing often is bloated and opaque and error-prone, where the reader apparently is expected to have quite a bit of very detailed background that is not stated in the documents. One of the drafts had not even been processed through a spelling corrector, although this was a Las Call Verion. Also, non-trivial algorithms are written as complex prose rather than simple algorithms. I suspect these have errors but can't be sure. It often was not clear to me what was meant -- or it was clear that the text had not specified what it claimed to specify. The specifications are also often incomplete, with respect to the scope of the document. That is, they simply don't cover what they say they will (and which they need to cover.) The documents purport to provide modularity, but contain enough cross-references, cross-discussion and bi-directional dependencies to defeat this. All of the above suggests a working group that did not seek to specify a complete capability, did not diligently participate in the specification and review of these documents, and does not have a precise and workable shared understanding of what the target service will be nor how that service will be achieved. The difference between being able to validate at the callee's independent SIP implementation, versus requiring validation to be done by a service provider, is merely one of many examples of these problems with the working group effort.. I should also make at least a quick comment about the process problems that have been so clearly demonstrated on the list during my review effort: In roughly 30 years of participating in the IETF and doing reviews of working group documents, I have never before seen an almost complete lack of public engagement in dealing with a review. Disagreement is common. Silence is not. The authors have refused to engage in substantive, public discussion about these reviews, promising instead to make back-room decisions as they see fit. The rest of the working group has so far been almost completely silent on the substance of the reviews. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Re: [stir] Conduct (was - Re: Summary comments on… Dave Crocker
- Re: [stir] Summary comments on draft-ietf-stir-* … Dave Crocker
- Re: [stir] Conduct (was - Re: Summary comments on… Richard Shockey
- Re: [stir] Summary comments on draft-ietf-stir-* … Richard Shockey
- [stir] Conduct (was - Re: Summary comments on dra… Dave Crocker
- Re: [stir] Summary comments on draft-ietf-stir-* … Gorman, Pierce A [CTO]
- Re: [stir] Summary comments on draft-ietf-stir-* … Tony Rutkowski
- Re: [stir] Summary comments on draft-ietf-stir-* … Dave Crocker
- Re: [stir] Summary comments on draft-ietf-stir-* … Peterson, Jon
- [stir] Summary comments on draft-ietf-stir-* docu… Dave Crocker