IETF Logo Mail Archive

Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd

pierce@numeracle.com Tue, 27 September 2022 16:52 UTC

Return-Path: <pierce@numeracle.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 306D2C159A1C for <stir@ietfa.amsl.com>; Tue, 27 Sep 2022 09:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=numeracle-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bcg8BKx4PvEm for <stir@ietfa.amsl.com>; Tue, 27 Sep 2022 09:52:04 -0700 (PDT)
Received: from mail-oa1-x2a.google.com (mail-oa1-x2a.google.com [IPv6:2001:4860:4864:20::2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFC28C159828 for <stir@ietf.org>; Tue, 27 Sep 2022 09:52:04 -0700 (PDT)
Received: by mail-oa1-x2a.google.com with SMTP id 586e51a60fabf-131886d366cso2393357fac.10 for <stir@ietf.org>; Tue, 27 Sep 2022 09:52:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=numeracle-com.20210112.gappssmtp.com; s=20210112; h=thread-index:content-language:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:from:to:cc:subject:date; bh=EV1ClY5z33yafjyUpB/RpK+0gH8lqvgGzZ0XStG8Dzg=; b=7/Lo1qa1VyCef7Qnh+WyadAraEloHYOJ1zKR0rnM6uDEaEsO42U0a6WmEKsm7q+u05 YpVUNJ5SeegzFygSsq9qZmL+bJ8P+JF9RhFlaDUIVjiKTh35zFuZRtOw3ZAc51skNfW1 e0y3kkNr9MbP99RGkxL7q1t/BUTQ1FD016SgAog4LtSC8DcQXQNjFDGJa6E+xz+VXULw EnJCGVO+J/VESDwGY/+YkKhPX05BM6DQdOWzMCtJP8InMdJ1RRqxjUIPGpOvVHPnfS2B mYQc2ld6smUqLBmI49xn3SY4gMnrKYzb9x6N/yFjR5FWb0/UDaB/vhRI38U1frzafshQ UM0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=thread-index:content-language:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:x-gm-message-state:from:to:cc :subject:date; bh=EV1ClY5z33yafjyUpB/RpK+0gH8lqvgGzZ0XStG8Dzg=; b=cXyBATwSca3b0e7iFohsWD+jMgPRzVdubmmvRNcVvPlHkXgEH4XksePDzwfzcQ0txu E013K4ufmtpuIiYLyOzkq79BASmOj48d10PWg+cGolxA0OiGZBbGlYrj6ogiN/FHLbs3 lJj3UUpKkBlh62BXiPoKsviOleYAdPnVTrBz9f6oPXuH/mgzAliiFWG+snyvnwV6iGNa Zpd4DgWSRYTuijVRZBGHy59WXHkPnktXJKkEOG5Uotcz2PKnpHmeinJ0G167ENaWDicV l2sRpvlaLjAspgW2BDysbdfw1NbVDkNTrCSgT3VipkO6wyhjGBUpA2i6GFV8cJmEtyhT x//w==
X-Gm-Message-State: ACrzQf3GxdrlTM09JoZHq52m3uDtrP8b/myC5gKVkznMoRCWOfUs0CRM QLeMEwKaCx9a96ulHYRbmZq4bA==
X-Google-Smtp-Source: AMsMyM7Lz6+M/gylGA0J9cJ+llO3yO0C0kBZOaI5KXTDBWBlqQhMmCmoSc+J7AynqrU9X8ylDZrKgw==
X-Received: by 2002:a05:6870:8917:b0:127:8962:ccb6 with SMTP id i23-20020a056870891700b001278962ccb6mr2766741oao.221.1664297523523; Tue, 27 Sep 2022 09:52:03 -0700 (PDT)
Received: from NumeracleLegion ([2605:a601:ae1c:4300:e479:f84f:bf0c:a176]) by smtp.gmail.com with ESMTPSA id z21-20020a0568301db500b00638ef9bb847sm879855oti.79.2022.09.27.09.52.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Sep 2022 09:52:03 -0700 (PDT)
From: pierce@numeracle.com
To: 'Chris Wendt' <chris-ietf@chriswendt.net>
Cc: "'Murray S. Kucherawy'" <superuser@gmail.com>, 'IETF STIR Mail List' <stir@ietf.org>
References: <CAL0qLwZaKc20eNus1wSj_-Zjys9prm1+55Ergtr=QDNi3G-sZg@mail.gmail.com> <22207E7F-87E9-41F1-B08E-5745F07353B5@chriswendt.net> <CAL0qLwZpMY+Far0skD9K4hnBMcp=DmxPwR+pSzWNTY8dxXYf4g@mail.gmail.com> <018401d8d27b$9fa65c80$def31580$@numeracle.com> <A26DC532-D4E0-41A2-8B35-822262AF2E62@chriswendt.net>
In-Reply-To: <A26DC532-D4E0-41A2-8B35-822262AF2E62@chriswendt.net>
Date: Tue, 27 Sep 2022 11:52:03 -0500
Message-ID: <021001d8d291$786426f0$692c74d0$@numeracle.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0211_01D8D267.8F8FCCA0"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQI1R5jljLi4hXcmyiyV2+ScpY19QQJR/zsCAi57N3cB4NgMYQIARX02rPeFvxA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/mN_RJp8_HYvBEKdvXZV01Ey-ghQ>
Subject: Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2022 16:52:09 -0000

You are correct, I did mean security considerations, Section 18 (not 8.1).  Nice catch.  And as you say “out-of-scope” language is already there.

 

 

From: Chris Wendt <chris-ietf@chriswendt.net> 
Sent: Tuesday, September 27, 2022 11:35 AM
To: <pierce@numeracle.com> <pierce@numeracle.com>
Cc: Murray S. Kucherawy <superuser@gmail.com>; IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd

 

I agree Pierce, the first paragraph of the security considerations section does have text to say that content validation/vetting policies are out of scope specifically.

 

-Chris





On Sep 27, 2022, at 8:15 AM, pierce@numeracle.com <mailto:pierce@numeracle.com>  wrote:

 

IMHO, validation of content in icn, crn, nam, etc., is outside the scope of the RCD specification.  Perhaps that should be (part of) the message in Section 8.1?

 

Pierce

 

From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org> > On Behalf Of Murray S. Kucherawy
Sent: Monday, September 26, 2022 10:36 PM
To: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net> >
Cc: IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org> >
Subject: Re: [stir] AD Evaluation: draft-ietf-stir-passport-rcd

 

On Mon, Sep 26, 2022 at 2:21 PM Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net> > wrote:

> How do we know that the reason placed in a "crn" claim is true?  Could this be abused?  If so, should this be called out in Section 13 or 18 (or somewhere else)?

Section 8.1 was intended to address this use of constraints if the signer is “non-authoritative”.  The general concept is that RCD information should be vetted by trusted participants in the eco-system.  “crn” is a claim that i think we conceptually provide a bit more latitude with just because call reason may more generally be a more dynamic field, but there is nothing in the specification that doesn’t allow for an eco-system using this specification to mandate the use of constraints.  This is a balance we have needed to support for most of the specs to allow for flexibility depending on use of the specs.

 

I'm not sure I follow.  The question I'm asking is: Is there anything stopping me from giving a false reason in a "crn" claim?  Could I, for instance, claim the call is an emergency of some type and thus get you to answer when I'm actually just going to try to sell you something?  If that's a risk, I think that should be explicit; it would be enough to say that there's no validation for what's in the "crn" claim (and couldn't possibly be).

 

[...]

> For that matter, would ABNF be useful here?

Likely would but we haven’t included it in other relevant specs, i would hate to add at last minute.

 

I don't mind waiting if it's worth doing.  :-)

 

Thanks for the rest, looks good.

 

-MSK

v2.23.0 | Report a Bug | By Email