IETF Logo Mail Archive

Re: [stir] WGLC: draft-ietf-stir-passport-rcd-09

Chris Wendt <chris-ietf@chriswendt.net> Mon, 25 July 2022 15:17 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CDD0C13C202 for <stir@ietfa.amsl.com>; Mon, 25 Jul 2022 08:17:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5lYvhGyFxuB for <stir@ietfa.amsl.com>; Mon, 25 Jul 2022 08:17:03 -0700 (PDT)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B68CC13C228 for <stir@ietf.org>; Mon, 25 Jul 2022 08:16:14 -0700 (PDT)
Received: by mail-pf1-x42f.google.com with SMTP id d10so10701440pfd.9 for <stir@ietf.org>; Mon, 25 Jul 2022 08:16:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=U07WRZ0SIxrjbQJf/9PCsV3LZ1xXIwCe1JlLctwcvcU=; b=cqJRo26xiqTKbqilLNPmPOo4bBn6smBsYCMVFXXA/y/pYS0jXH6FpokpDesISei13q xuWVVDnWs2Ukq5KtlwzYnAfQkxxZ3uYSBBDaaIihDNxcgzLebPNGHOeM2uZMfQ8ra9wo UZI3F3oR6t+gyXAKu06ZzwSwxaMYl+4wZKV+CwizBdDm5GOwh+u1ErrXRyw54u7Yqx45 WIiMYv9GH1bzATiETRLdHGqQlixsBcmWFaboZtT9RScA7DJ+90m0UpcRwXv4/ucsDE3J MVNwssZQimtaOxVM+p07osChW5qngHEEi7mKReSmlwYIXBxVANWxH/SyameUmbv+qhS+ d7Aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=U07WRZ0SIxrjbQJf/9PCsV3LZ1xXIwCe1JlLctwcvcU=; b=lE9UGhZtKT/i0G0mRfOiaOVN1YaCNCF2KLhJtBcQoa4TgM7r5Mx3tNvrpndBHIc2Ex 5AiozXbVQkoM0e2R9Uq3wkWNzXDKSYdpDxIjIZsEp+lC3RW3fhiMROWfYG96Ajp2BNM7 aB/XxRHbFxCnQqNer7QaT/4NYU+8FBgqAA+FKp9htAHphesjB3AFFqlkGK8ISPmr6eoz syYB8msY1+n+FDoakJVLcUrnI3jYY6t28JNu2Esrf6XJvLvhDYyLLQHsJ4WuViMYCY9C 4hnT2ueS9F2QRnt7xbA7s0vF3o3LtVLKBRJE8XMdkgBHQSPK0FpuX1jWv4MdNpRhclL7 3Nhw==
X-Gm-Message-State: AJIora8K182hE301g7SK+eNOBlLT/DxnmH3sLy4E1UDLDPoXAvqPT53K LVbqit3gFo7Z7Vhtp4fhfNFLfpOTknThQ5Q9
X-Google-Smtp-Source: AGRyM1ti7rPrUDE+F01TK4qwDgxklxm0I5pqOPzkgaMvow/7Uu3wCjxpVmlPgkqy8PpVaSbVTJEiUA==
X-Received: by 2002:a05:6a00:f85:b0:52a:c718:ff9 with SMTP id ct5-20020a056a000f8500b0052ac7180ff9mr12895108pfb.85.1658762173928; Mon, 25 Jul 2022 08:16:13 -0700 (PDT)
Received: from smtpclient.apple (dhcp-8b2d.meeting.ietf.org. [31.133.139.45]) by smtp.gmail.com with ESMTPSA id 24-20020a630f58000000b00419b66846fcsm8438034pgp.91.2022.07.25.08.16.12 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Jul 2022 08:16:13 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <50F50BA5-20ED-49ED-B124-926A74AE4050@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_05200305-9E82-47CA-BA18-D2B145D5DF13"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Mon, 25 Jul 2022 11:16:09 -0400
In-Reply-To: <6B54979F-CFFF-4634-9B06-F0F52AE69F76@nostrum.com>
Cc: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
To: Ben Campbell <ben@nostrum.com>
References: <5393b70d-bfc7-c8ac-eb8d-30c8087a1e89@nostrum.com> <6981C79A-4024-4291-B2BB-A969EF8FD930@vigilsec.com> <6B54979F-CFFF-4634-9B06-F0F52AE69F76@nostrum.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/lkKf-KoNaGR8EdpOvjpn0ngx9Vk>
Subject: Re: [stir] WGLC: draft-ietf-stir-passport-rcd-09
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2022 15:17:07 -0000

Hi Ben, All,

I’ve gone through your comments and will release a forthcoming 19 with your comments and Russ’s comments addressed.
I recognize this is a day before our STIR meeting, but thought it would be best to have it available, hoping this should be fairly complete in terms of addressing comments.

-Chris

> On Apr 29, 2022, at 5:44 PM, Ben Campbell <ben@nostrum.com> wrote:
> 
> Hi,
> 
> I think version 17 is in pretty good shape, and I think we’ve handled the “hard” problems. I have some mostly minor comments There are a few that I probably should have noticed on previous versions. Hopefully they don’t fall too far outside of Russ’s guidance for feedback, and in any case I don’t think they are showstoppers:
> 
> Substantive:
> 
> §3, 2nd paragraph: This should probably mention “icn” in the first category, since it is separate from jCard data.

Yes agree, added a reference to icon data.

> 
> §6.1.2: “Even though this is probably not the typical case, an "rcdi" JSON pointer or integrity digest is optional if the image value is directly included via a data URI.”
> 
> Apologies, I should have caught this one in an earlier version. But wouldn’t a data: URL typically point to a body part that is not covered by the PASSporT signature? If so, it could be subject to tampering in route. Would that need integrity protection less than a HTTPS URL? I guess tampering would require an on-path attacker. But I am still skeptical of the exception unless the data: URL points to data covered by the PASSporT signature.

My understanding is that data URIs (rfc2397) always include the data inline, so would not be separate from the data:.  Here is an image example: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==

That said, i included an explicit reference to RFC2397.

> 
> $9.3: Third example: Some of the examples shows a jcard photo and logo URIs, but no “icn” keys. Given the guidance to use “icn” for a default image, should “icn” keys be included?

Yes i included two examples, one with https and one with data URIs

> 
> §14.2, 2nd paragraph: “Similarly, the "jcd" or linked "jcl" jcard information and "crn" can be optionally, based on local policy for devices that support it, used to populate a Call-Info header field following the format of [I-D.ietf-sipcore-callinfo-rcd].”
> 
> Should this mention “icn”?

Added both “icn” and “apn"

> 
> §18 (Apologies, these are probably things I missed in previous versions:
> 
> First paragrapoh: The normative MUST seems dubious. Can we assert normative requirements to ecosystems we don’t control?

Changed to SHOULD

> 
> Third paragraph: “may be a recommended way “. I suggest “may be a useful way” or “is a recommended way”.

Fixed


> 
> Editorial comments:
> 
> §4, 3rd paragraph: “pass-by-value or passed-by-reference;”
> Inconsistent use of “pass” vs “passed”. Either is okay, but we should pick one.

Fixed

> 
> §4, table, first row, 2nd column: s/RDC/RCD

Fixed

> 
> §5.1.1: “If there is no string associated with a display name, the claim value MUST then be an empty string.”
> Should “claim value” be “key value”?
> 

I think claim value is appropriate, "key value" is generic to JSON, but claim value is specific to JWT.  I actually recall being told to use this terminology by JWT folks.

> 
> 
> 
> 
>> On Apr 25, 2022, at 2:51 PM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>> 
>> This might be the longest WG Last Call in history ....
>> 
>> A new version was just posted: https://www.ietf.org/id/draft-ietf-stir-passport-rcd-17.txt <https://www.ietf.org/id/draft-ietf-stir-passport-rcd-17.txt>
>> 
>> Regarding the ongoing WG Last Call, we have two questions:
>> 
>> (1) Have any of the changes introduced new issues?
>> 
>> (2) Have all previously raised issues are resolved?
>> 
>> For the STIR WG Chairs,
>>  Russ
>> 
>> 
>>> On Dec 8, 2020, at 4:30 PM, Robert Sparks <rjsparks@nostrum.com <mailto:rjsparks@nostrum.com>> wrote:
>>> 
>>> This is a WGLC for draft-ietf-stir-passport-rcd-09.
>>> 
>>> Please send reviews to the list by the end of day 22 Dec 2020.
>>> 
>>> If you plan to provide a review but need more time, please let us know early.
>>> 
>>> See <https://datatracker.ietf.org/doc/draft-ietf-stir-passport-rcd/ <https://datatracker.ietf.org/doc/draft-ietf-stir-passport-rcd/>>
>>> 
>>> RjS
>> 
>> _______________________________________________
>> stir mailing list
>> stir@ietf.org <mailto:stir@ietf.org>
>> https://www.ietf.org/mailman/listinfo/stir
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email