IETF Logo Mail Archive

Re: [stir] Review of: draft-ietf-stir-passport-05

Christer Holmberg <christer.holmberg@ericsson.com> Sat, 30 July 2016 11:30 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF4312D946 for <stir@ietfa.amsl.com>; Sat, 30 Jul 2016 04:30:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3O71F5jP6MX9 for <stir@ietfa.amsl.com>; Sat, 30 Jul 2016 04:30:25 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7A0112D933 for <stir@ietf.org>; Sat, 30 Jul 2016 04:30:24 -0700 (PDT)
X-AuditID: c1b4fb30-ea88e980000009f9-17-579c8fce97bf
Received: from ESESSHC018.ericsson.se (Unknown_Domain [153.88.183.72]) by (Symantec Mail Security) with SMTP id DC.C7.02553.ECF8C975; Sat, 30 Jul 2016 13:30:23 +0200 (CEST)
Received: from ESESSMB209.ericsson.se ([169.254.9.142]) by ESESSHC018.ericsson.se ([153.88.183.72]) with mapi id 14.03.0301.000; Sat, 30 Jul 2016 13:30:20 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "dcrocker@bbiw.net" <dcrocker@bbiw.net>, "Peterson, Jon" <jon.peterson@neustar.biz>
Thread-Topic: [stir] Review of: draft-ietf-stir-passport-05
Thread-Index: AQHR6Pa8IhcNFBWCX0CjWpL6ATcrHqAvhU6AgAAES4CAAAVOAIAAOSgAgAAMsQCAACJJAIAA4os4
Date: Sat, 30 Jul 2016 11:30:20 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B476FE6CB@ESESSMB209.ericsson.se>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <D3C19686.1A6A4E%jon.peterson@neustar.biz>, <dd60178b-fa24-5099-166c-f8a0093cb668@dcrocker.net>
In-Reply-To: <dd60178b-fa24-5099-166c-f8a0093cb668@dcrocker.net>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B476FE6CBESESSMB209erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprEIsWRmVeSWpSXmKPExsUyM2K7h+75/jnhBp1XmS1+f/rAZnGmwdJi +dptTA7MHpd2nmTzWLLkJ5PHjobnzAHMUVw2Kak5mWWpRfp2CVwZ7b+WMRe8nsBYsffcV8YG xldlXYycHBICJhKf3z5n7GLk4hASWM8osf/bXnYIZwmjxJXLl5i6GDk42AQsJLr/aYM0iAhE Srz6eYEdxGYWUJd48egNmC0sYCWxd9UxNpByEQFrifszJSHKoyQuvrzACGKzCKhKLO16ygRi 8wr4Sty5eA1q7zMmiT/TNrKAJDgFHCTmHHsFNpNRQEzi+6k1TBC7xCWavqxkhThaQGLJnvPM ELaoxMvH/1ghavIlNj6bwwKxQFDi5MwnLBMYhWchaZ+FpGwWkjKIuIHEl/e3oWxtiWULXzND 2PoS3e9PMyGLL2BkX8UoWpxanJSbbmSkl1qUmVxcnJ+nl5dasokRGFMHt/w22MH48rnjIUYB DkYlHt4FM2eHC7EmlhVX5h5ilOBgVhLhXdUzJ1yINyWxsiq1KD++qDQntfgQozQHi5I4r/9L xXAhgfTEktTs1NSC1CKYLBMHp1QDo0f69uZ7rFPfPAkoltq+kOfjaenG5RyHAoKuqf89Gv++ w/dmqsDRW9WePW6K1ntUij/c13OUfLBrnfO0H3zb//3S+7O8KYeJ8Znez/zwFO3Jpo09t7Ri D8cpZi6w3LespjN41pnINb6z42am9Vsa9V2brfJf9P9F7tslD6zrbNSsVPpfSO9sU2Ipzkg0 1GIuKk4EACa2IBmlAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/rSPQlVkcYr-joWRDSeO32riub8k>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] Review of: draft-ietf-stir-passport-05
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jul 2016 11:30:27 -0000

Hi Dave,

I am the one who originally suggested the usage of JWT. I don't understand the claim that JWT is "outside the context of SIP". JWT is a generic/standardized mechanism how to calculate and encode a signature, and that is the reason I suggested it - not because I saw usage outside of SIP, or because I wanted to extend the scope of the charter. I see no reason why JWT can't be used by SIP. If we would NOT use JWT we would probably have to define more STIR-specific procedures regarding the calculating/encoding of the signature ourselves. It's better to use a standardized mechanism in my opinion.

I am also the one who raised the encoding issue in Berlin. But that was not related to the usage of JWT as such, but to the fact that we don't carry the encoded JWT object in one piece in the SIP message. We "split" the object into two pieces, and carry one piece as the Identity header field value, and the other piece as the canon header field parameter value. I questioned that, and commented that we, if we want to do it that way, need more details on how the "split" is done and how the resulting parts are encoded. Jon promised to add more text to cover those comments. Also note that  my comment was not related to draft-passport, but to draft-4474bis.

Regards,

Christer

Sent from my Windows Phone
________________________________
From: Dave Crocker<mailto:dhc@dcrocker.net>
Sent: ‎30/‎07/‎2016 02:59
To: Peterson, Jon<mailto:jon.peterson@neustar.biz>
Cc: IETF STIR Mail List<mailto:stir@ietf.org>
Subject: Re: [stir] Review of: draft-ietf-stir-passport-05

Jon,

On 7/29/2016 2:56 PM, Peterson, Jon wrote:
> The only thing JWT has to do with SIP is that JWT can be a container for a
> signed set of metadata and claims that might be useful in preventing
> impersonation in a SIP request. JWT was chosen not because it has any
> exclusive or special applicability to SIP, but instead because it could
> have applicability both to SIP and other protocols.

Sorry to be repetitious but I do not see that case made, discussed or
agreed to in the working group record.

What I did see was a repeated claim that using JWT was simpler, which I
suspect is quite simply wrong, if only because it requires more
mechanism that directly adding the necessary information to a SIP header
field. (cf, DKIM, of course.)


>> Note that during the wg session in Berlin there was /still/ question
>> about where to put the JWT information.
>
> Kind of. It was a question about the best syntax for transporting only

And there's the rub.  At this stage of the effort, after 3 years of wg
effort, and given three major drafts in wg Last Call, something as basic
as how to carry the necessary information for its primary use case is
not settled yet.  That's quite troubling, both in general and, given the
importance and urgency of that motivating use case, in particular.


>> The recording of that interim is not accessible and the very terse
>> summary text of the session show nothing about an intervention.
>
> The "intervention" is reflected in the summary text: "Chris Wendt
> introduced the verified token being discussed in the IP-NNI task force."

Sorry to belabor this but how does 'introducing' something equate to "a
major intervention in the work last fall to the effect that we
need to build more generically for real-time communications rather than
just SIP. We're interested in getting this to work properly with WebRTC..."?


>  We made a decision there to
> try to merge these into the core proposal, as the summary reads "An open
> design team was formed to discuss finding a common way to address the
> signaling."

Ahh, so that's what that was intended to mean.

Except that while the word 'signaling' does show up in the messages at
that time, it doesn't seem to apply to this point.


> You are absolutely correct that there were no submissions to the STIR
> mailing list immediately following the interim on Friday October 9. Not a
> single related email went out on Saturday the 10th, Sunday the 11th, or
> even Monday October 12th (which, incidentally, was Columbus Day). Then, on
> the 13th, the only mail that went out announced that the Doodle poll for
> the design team had (behind the scenes) resolved, and that its first
> meeting would be that coming Friday, the 16th. The day of that design call
> there were 44 messages sent to the list on related subjects.

So, I think I understand the general idea behind 'claims' in a larger
context of transactions and reputations.  As a general model for making
and maybe validating a variety of assertions /about/ an entity, it's
probably a reasonable approach, although the pragmatics of its
application at Internet scale are arguably unproven.

However the task of authenticating the proper use of an identifier in a
field is a rather more constrained requirement.  And there are a number
of operational examples, which happen not to require a general claims model.

Simply put, the task is to take an identifier, bind it to the object
that is relevant (such as a SIP Invite), where the binding mechanism
requires a basic demonstration of 'approval' of the identifier's use,
from the authority responsible for administering the identifier.  That
really is all there is to the required semantics.

Things only get complicated when the goal is made more general (which I
don't see prompted by the working group charter.)


>> Nor do I see anything in the mailing list postings that /do/ show up
>> those several days later.
>
> I can imagine that since I had to annotate even the summary text of the
> interim meeting in order to show how it related to this topic, it might
> not be clear from the threads on encoding, the NNI and so on how they were
> salient to these decisions if you weren't participating in the WG at the
> time. Maybe looking at the design team minutes for Oct 16th would be
> clearer? It at least mentioned JWT explicitly.

I had already looked at those notes.  They didn't help.  There is
nothing I saw that made this expanded scope obvious, nevermind justified.

>
> https://www.ietf.org/mail-archive/web/stir/current/msg02183.html
>
>> So I've no idea what you meant by "hard upon it."
>
> I understand you feel that progress should have been more immediate to
> justify my characterization.
>
>> Hence your explanation:
>>
>>      "we need to build more generically for real-time communications
>> rather than just SIP."
>>
>> does not seem to reflected in the wg record.
>
> Maybe you'll find the Oct 16th design team minutes clearer on this point.
> Or maybe they too would require more annotation to clarify the subject and
> thinking of the working group after the fact. The discussions that they
> reflect, anyway, were sufficient to drive consensus at the time.

Sorry.  I still don't see any discussion on the list for the specific
requirement of other uses.  Lots of discussion about delegation --
including one suggesting a lack of requirement for a 'nicely engineered,
convoluted, infinitely extensible, handles all corner cases certificate
delegation model' -- but not for the expanded scope I am asking after.

So perhaps it was agreed to by the group in the same fashion that was
apparently going to be expressed for the current draft during the Last
Call, namely silence.

d/

--

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

_______________________________________________
stir mailing list
stir@ietf.org
https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email