Re: [stir] certificates: short-lived or status

"Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com> Thu, 16 March 2017 13:48 UTC

From: "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>
To: Alex Bobotek <alex@bobotek.net>, Richard Shockey <richard@shockey.us>, Richard Barnes <rlb@ipv.sx>, "DOLLY, MARTIN C" <md3135@att.com>
CC: "stir@ietf.org" <stir@ietf.org>, "Peterson, Jon" <jon.peterson@neustar.biz>
Date: Thu, 16 Mar 2017 13:48:30 +0000
Message-ID: <874a5b206ba94f8e82ea6b8573da9359@plswe13m04.ad.sprint.com>
References: <D45861BA.1C7D28%jon.peterson@neustar.biz> <CAL02cgTSCPywYAaDEgL6rdOWgguJ76kpN5HFNTqN=0ej1fX_Hw@mail.gmail.com> <AF16F227-E16F-4C45-BA6D-9AFB80174273@att.com> <CAL02cgSbYMvmXFTw-bhPH7FwEeMwCdCpi3ur_4z5aF0oDmU4fQ@mail.gmail.com> <99159CA6-2365-43D8-ADA2-494182DBD30C@shockey.us> <4B1956260CD29F4A9622F00322FE053101B8596D14F8@BOBO1A.bobotek.net>
In-Reply-To: <4B1956260CD29F4A9622F00322FE053101B8596D14F8@BOBO1A.bobotek.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/o2urcIo_TFHwDuvi0eucv0_AT_Y>
Subject: Re: [stir] certificates: short-lived or status

+1

From: Alex Bobotek [mailto:alex@bobotek.net]
Sent: March 16, 2017 1:07 AM
To: Richard Shockey <richard@shockey.us>; Richard Barnes <rlb@ipv.sx>; DOLLY, MARTIN C <md3135@att.com>
Cc: stir@ietf.org; Peterson, Jon <jon.peterson@neustar.biz>
Subject: Re: [stir] certificates: short-lived or status

It would be a mistake to consider even all _national_ authorities trustworthy.  Analytics systems will need to consider issuer chain as well as individual certificate reputation trustworthiness.  There are too many stories of bought passports.

Regards,

Alex

From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Richard Shockey
Sent: Wednesday, March 15, 2017 5:26 PM
To: Richard Barnes <rlb@ipv.sx>; DOLLY, MARTIN C <md3135@att.com>
Cc: stir@ietf.org; Peterson, Jon <jon.peterson@neustar.biz>
Subject: Re: [stir] certificates: short-lived or status


With limited exceptions I don’t see issuing certificates for individual TN’s at all..at least not for the immediate future.

—

Richard Shockey

Shockey Consulting LLC

Chairman of the Board SIP Forum

www.shockey.us

www.sipforum.org

richard<at>shockey.us

Skype-Linkedin-Facebook –Twitter  rshockey101

PSTN +1 703-593-2683


From: stir <stir-bounces@ietf.org> on behalf of Richard Barnes <rlb@ipv.sx>
Date: Wednesday, March 15, 2017 at 7:47 PM
To: "DOLLY, MARTIN C" <md3135@att.com>
Cc: "stir@ietf.org" <stir@ietf.org>, "Peterson, Jon" <jon.peterson@neustar.biz>
Subject: Re: [stir] certificates: short-lived or status

So you're trusting the folks issuing certificates to be perfectly reliable, and service providers never to use a cert for a number that's been ported away?

On Wed, Mar 15, 2017 at 7:42 PM, DOLLY, MARTIN C <md3135@att.com> wrote:
I do not see the need for short lived certs for a TN call setup service
Martin C. Dolly
Lead Member of Technical Staff
Core & Government/Regulatory Standards
AT&T
Cell: +1.609.903.3360
Email: md3135@att.com


On Mar 15, 2017, at 7:37 PM, Richard Barnes <rlb@ipv.sx> wrote:
I would note that "freshness" is but one aspect of a certificate that you need OCSP for.  The far more common use in the WebPKI is when the CA simply screws up.

In any case, to recap the experience from the Web PKI, the trade-off space has basically the following shape:
1. Do a live query [draft-ietf-stir-certificates-ocsp]
2. Make something with a short lifetime
2.a. Mandatory OCSP stapling
2.b. Short-lived certificates [draft-peterson-stir-certificates-shortlived]
The trade-off is basically between the sender/signer having to do queries (to refresh OCSP or get a new cert) and recipient/verifier having to do queries (to fetch OCSP).  (2.a) is a bad deal unless you have some legacy need to use OCSP; otherwise it's just bloat relative to (2.b).
If you ask web people, you're likely to get a pretty strong preference for (2), i.e., putting the burden on the sender, because (a) it's more predictable and (b) it's offline with respect to call time, and thus much less performance sensitive.  The web started out with (1) and it has turned out to be totally unworkable, because the CAs can't operate OCSP servers that are good enough to avoid seriously degrading the performance of browsing experience.
The main push-back we get from server operators about (2) is that it requires outbound connections from web servers -- load and downtime never come up as issues.  Outbound connections shouldn't be an issue for STIR signers, since they're likely to be making outbound connections all the time anyway.  Even if not, it's a simple firewall rule to write to let out connections to your CA.
--Richard

On Wed, Mar 15, 2017 at 4:33 PM, Peterson, Jon <jon.peterson@neustar.biz> wrote:

In reaction to the IESG review, and as well, to our own general sense that we're still not ready to mandate any particular direction, we ended up pulling the real-time status check of OCSP out of the last version of stir-certificates. Figuring out how we want to manage certificate freshness, especially in light of certificates assigned to telephone numbers, is probably the last bit about the core STIR work, before we go on to extensions and so forth, that we need to tackle.

I'd like to spend some meeting time talking about two approaches, as well as any better ideas anybody comes up with for this. The first is roughly what was in the stir-certificates document previously, which is now captured in:

https://tools.ietf.org/html/draft-ietf-stir-certificates-ocsp-00

The other is an approach based on short-lived certificates, which would likely rely on ACME or something similar. I've mocked up a discussion draft for that:

https://tools.ietf.org/html/draft-peterson-stir-certificates-shortlived-00

... though it is still fairly content-free at the moment.

I think reviewing what we've done with stir-certs and these two approaches warrants some face-time discussion. Thoughts here on the list beforehand are welcome too.

Thanks,

Jon Peterson
Neustar, Inc.



_______________________________________________
stir mailing list
stir@ietf.org
https://www.ietf.org/mailman/listinfo/stir
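To make the trade-off in Richard Barnes's list concrete, here is an added example (not code from the thread or from any STIR draft): a toy verifier that implements approach (1), a live status query at call setup, beside approach (2.b), short-lived certificates checked by validity window alone. The Cert and StatusResponder types, the 24-hour "short" threshold, the sample TN and all timestamps are constructed assumptions, not STIR, ACME or OCSP APIs.

```python
"""Toy STIR verifier: live status query vs. short-lived certificate policy.
Added illustration; every type, value and threshold here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Cert:
    tn: str                  # telephone number the cert vouches for (constructed)
    not_before: datetime
    not_after: datetime


class StatusResponder:
    """Stand-in for a CA status endpoint. `available=False` models the
    responder timing out, which is the verifier-side failure Barnes describes."""
    def __init__(self, revoked, available=True):
        self.revoked, self.available = set(revoked), available

    def query(self, cert):
        return None if not self.available else cert.tn not in self.revoked


def verify_live_query(cert, now, responder, fail_closed=True):
    """Approach (1): check dates, then ask the CA at call time."""
    if not (cert.not_before <= now <= cert.not_after):
        return "expired"
    good = responder.query(cert)
    if good is None:  # responder down: the verifier must pick a failure mode
        return "unknown(fail-closed)" if fail_closed else "accepted(fail-open)"
    return "accepted" if good else "revoked"


def verify_short_lived(cert, now, max_lifetime=timedelta(hours=24)):
    """Approach (2.b): no call-time query; the validity window does the work.
    The policy refuses certs that are not actually short-lived, since a
    long-lived cert with no status check could never be revoked."""
    if cert.not_after - cert.not_before > max_lifetime:
        return "rejected(lifetime too long for status-free policy)"
    if not (cert.not_before <= now <= cert.not_after):
        return "expired"
    return "accepted"


def port_away_exposure(cert, ported_at):
    """Under (2.b), how long a signer could keep passing verification for a
    number ported away at `ported_at`: bounded by the cert's not_after."""
    return max(cert.not_after - ported_at, timedelta(0))


# Constructed sample data: a 12-hour cert and a 1-year cert for the same TN.
T0 = datetime(2017, 3, 15, 12, 0, tzinfo=timezone.utc)
SHORT_CERT = Cert("+15551230100", T0, T0 + timedelta(hours=12))
LONG_CERT = Cert("+15551230100", T0, T0 + timedelta(days=365))


def at(hours):  # convenience: a point `hours` after T0 (constructed)
    return T0 + timedelta(hours=hours)
```

The revoked and unavailable responder cases show where approach (1) puts latency and failure handling on the verifier, while port_away_exposure shows that approach (2.b) converts revocation into a bounded window equal to the remaining lifetime.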


________________________________

This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.