IETF Logo Mail Archive

Re: [stir] current draft charter - ENUM and databases

"Peterson, Jon" <jon.peterson@neustar.biz> Wed, 19 June 2013 18:18 UTC

Return-Path: <jon.peterson@neustar.biz>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39F7621F9E9C for <stir@ietfa.amsl.com>; Wed, 19 Jun 2013 11:18:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.521
X-Spam-Level:
X-Spam-Status: No, score=-106.521 tagged_above=-999 required=5 tests=[AWL=0.078, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i6Bux5Bn-dul for <stir@ietfa.amsl.com>; Wed, 19 Jun 2013 11:18:50 -0700 (PDT)
Received: from neustar.com (mx2.neustar.com [156.154.25.104]) by ietfa.amsl.com (Postfix) with ESMTP id 0108B21F9B12 for <stir@ietf.org>; Wed, 19 Jun 2013 11:18:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=neustar.biz; s=neustarbiz; t=1371665869; x=1687024818; q=dns/txt; h=From:Subject:Date:Message-ID:Content-Language: Content-Type:Content-ID:Content-Transfer-Encoding; bh=iZYjy0XkvN o9j13CnwakMpBXu6G3SFU2ByeSBhvOH44=; b=lvb6+CFsoPpBL9c5xVVZtC3/60 fEnhZjCfIPpLjy66EfttTUXtcOcE4rQDhzoJGke/hds5SawhgBqy1+bMgYvQ==
Received: from ([10.31.58.69]) by chihiron2.nc.neustar.com with ESMTP with TLS id J041123125.21176225; Wed, 19 Jun 2013 14:17:48 -0400
Received: from stntexmb12.cis.neustar.com ([169.254.2.76]) by stntexhc10.cis.neustar.com ([169.254.4.240]) with mapi id 14.02.0342.003; Wed, 19 Jun 2013 14:18:34 -0400
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: "Lee, Yiu" <Yiu_Lee@Cable.Comcast.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] current draft charter - ENUM and databases
Thread-Index: AQHOaJxVI+SntM7IA0Gg0AdKCtvNaJk3aKkAgAG9EACAAJEAgP//mGKAgAElawD//6FkgIAAmBwA///JN4AAMejCAAApJjoAAAhMdYAAAGdqgP//mfUA
Date: Wed, 19 Jun 2013 18:18:33 +0000
Message-ID: <CDE73C1B.23F53%jon.peterson@neustar.biz>
In-Reply-To: <E3FAB1F4F41F3A45B287E8D9C53522FD472CF5AC@PACDCEXMB05.cable.comcast.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
x-originating-ip: [192.168.128.220]
x-ems-proccessed: R64IxjzeHPwwd+efoj3ZcA==
x-ems-stamp: lEGBfKKGRM9rAJEjoIS5Yg==
Content-Type: text/plain; charset="us-ascii"
Content-ID: <FAD0F7EEA1060D43B9008D4D1A6BAC7A@neustar.biz>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [stir] current draft charter - ENUM and databases
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 18:18:54 -0000

I think this list has gotten bogged down in the question of how to
download credentials at the verification service. I sense this is
motivated by a feeling that we are going to have a beauty contest and pick
one way to download credentials, and everyone would like it to be their
favorite way.

I don't really look at the STIR problem that way, though. I don't really
care, at the end of the day, how a verification service downloads
credentials. I don't think we even need to arrival a single way of doing
it. The Identity-Info header of RFC4474 gives verification services a hint
of where they could acquire credentials. Nothing about RFC4474 assumes
though that the verification service doesn't already have a public key for
the auth service, or that the verification service doesn't have its own
means of looking up credentials in a store, say (see Step 1 of Section 6
of RFC4474). Dereferencing the Identity-Info is not in that strict sense
required.

Even when there verification service does dereference the URI in
Identity-Info to get a credential, RFC4474 leaves the door pretty wide
open for what protocols can be used: it does specify HTTP as MTI, but this
is not exclusive. We discussed using SIP itself (with a fetch SUB), CID
for multipart MIME and several other options. I can even imagine using a
DNS URI for this, especially for a DANE or DANE-like case where you want
to tip off the verifier that the public key can be found in the DNS.
Again, the presence of a DNS URI in Identity-Info would just be a hint, a
"in case you didn't know, my public key is in a DANE record." Maybe some
verification services wouldn't need that hint as they always check the DNS
for a public key.

So you could argue even that at an over-the-wire level, we wouldn't even
need to change Identity-Info to support using the DNS as a way to access
credentials. What would need to change, of course, is the logic used by
auth/verification services to handle telephone numbers, and for DANE-like
cases, to check reference integrity. This, I think, is where the actual
STIR work should lie. I don't think we should try to legislate a one true
way that services must make credentials available. We should introduce
flexibility here, even if it means perhaps having two MTIs for
Identity-Info URI schemes instead of one. But we shouldn't get caught up
on what protocol you use to fetch credentials.

Jon Peterson
Neustar, Inc.

On 6/19/13 10:23 AM, "Lee, Yiu" <Yiu_Lee@Cable.Comcast.com> wrote:

>Can we get the dnskey record and verify it by the ds record and forget the
>whole CA thing?
>
>On 6/19/13 1:12 PM, "Hadriel Kaplan" <hadriel.kaplan@oracle.com> wrote:
>
>>We have can't just look up the DNS domain key of 'foo.com' to get the
>>certificate

v2.23.0 | Report a Bug | By Email