IETF Logo Mail Archive

Re: [stir] WGLC Review of draft-ietf-stir-messaging-02

Russ Housley <housley@vigilsec.com> Tue, 10 May 2022 18:43 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C15BC15E41D; Tue, 10 May 2022 11:43:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NUIMvE4J2lEJ; Tue, 10 May 2022 11:43:44 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0ABAC15E41C; Tue, 10 May 2022 11:43:44 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 86B606FE6F; Tue, 10 May 2022 14:43:43 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 7570D1004B6; Tue, 10 May 2022 14:43:43 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <6CEAEB75-6BC5-4BA9-9FCA-1B1F971655DE@nostrum.com>
Date: Tue, 10 May 2022 14:43:43 -0400
Cc: IETF STIR Mail List <stir@ietf.org>, draft-ietf-stir-messaging@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <6690AD2B-F6B0-491D-8349-D799796FA6A2@vigilsec.com>
References: <6CEAEB75-6BC5-4BA9-9FCA-1B1F971655DE@nostrum.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/pMMt6CxY5S4tmQyaHG1AGMnfUrc>
Subject: Re: [stir] WGLC Review of draft-ietf-stir-messaging-02
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2022 18:43:48 -0000

I have two comments.

Section 3.1: There is an informative reference to [I-D.peterson-stir-rfc4916-update].  It seems like we should have a reference to RFC 4916.  It is not clear to me that the already approved document is not sufficient for the point being made here.

Section 3.2:  This should include a reference for SHA2.  (Also in Ben's list below.)

   [FIPS.180-3]
               National Institute of Standards and Technology, "Secure
               Hash Standard (SHS)", FIPS PUB 180-3, October 2008,
               <http://csrc.nist.gov/publications/fips/fips180-3/
               fips180-3_final.pdf>.

Russ

> On May 6, 2022, at 5:02 PM, Ben Campbell <ben@nostrum.com> wrote:
> 
> (As individual)
> 
> Hi,
> 
> This is a WGLC review of draft-ietf-stir-messaging-02. I think this is pretty much ready to progress. I have a few minor comments that don’t necessarily need to block progress.
> 
> Thanks!
> 
> Ben.
> 
> Substantive:
> ----------------
> 
> §3.2: 
> 	• “msgi" MUST NOT appear in PASSporTs with a type other than "msg”…”
> 		• Why is that? I guess if a VS that does not understand “msgi”, it might verify the sender number but not check integrity even though it was offered. Given that the fallback position is to do neither, is that really a fail?
> 
> 	• Do we want to say anything about “msgi” interaction with encrypted messages? I assume one would calculate the msgi digest post-encryption.
> 
> §3.2.1: “in which case something like out-of-band [RFC8816] conveyance”
> 	• Would it make sense to also reference servprovider-oob?  (I can be convinced not to make this depend on a WIP draft, but I assume we are talking about an informative reference.)
> 
> §7:
> 	• It might be worth noting that this mechanism does not add any privacy protection to the original message content that wasn’t there in the first place.
> 
> §8: 
> 	• It might be good for the sec cons to refer back to the text about store-and-forward (and any other place we see the messaging use case differ from the calling user case). (No strong feelings on this except that the sec cons feel a bit light.)
> 	• It might be worth observing that, while “msgi” can contribute to replay prevention for the passport, it does not help with replay of the same identical message.
> 
> Editorial:
> ----------
> 
> General: There’s still quite a bit of “could be” language that perhaps “could be” recast as “can be” or even “is”.
> 
> Abstract: 
> 
> 	• s/Persona/Personal
> 	• Last sentence: I propose “… both for messages carried as a payload in SIP requests and for messages sent in sessions negotiated with SIP.”
> 
> §1:
> 	•  2nd paragraph, first sentence: “… however...” needs commas fore and aft.
> 	• “… not currently widespread”: That statement is already becoming dated. I propose we just say “Spammers and fraudsters are increasingly turning to…”
> 
> §3.2
> 	• First paragraph, 2nd sentence: “for example” needs commas.
> 	• “MUST support the following hash algorithms: "SHA256", "SHA384", or "SHA512", which are defined as part of the SHA-2 set of cryptographic hash functions by the NIST.”
> 		• Is there a reasonable citation?
> 
> 
> 
> 
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email