IETF Logo Mail Archive

Re: [stir] WG Last Call comments on stir-oob-04

"Peterson, Jon" <jon.peterson@team.neustar> Thu, 25 April 2019 22:04 UTC

Return-Path: <prvs=3018427e2f=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E9DC12021B for <stir@ietfa.amsl.com>; Thu, 25 Apr 2019 15:04:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.638
X-Spam-Level:
X-Spam-Status: No, score=-0.638 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=1.363, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oeR74CN8Szjv for <stir@ietfa.amsl.com>; Thu, 25 Apr 2019 15:04:10 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBDBB12012F for <stir@ietf.org>; Thu, 25 Apr 2019 15:04:10 -0700 (PDT)
Received: from pps.filterd (m0078666.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x3PM4AQW005161; Thu, 25 Apr 2019 18:04:10 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=selector1; bh=Hjlie3KP9+T3qz9HN+1kR3rDejkjTPXHbnYBOAh2St4=; b=g3gdIxZcNhRQkxeXFBP5wLS89QhGQQu0o05GPVvX0MlV5NnqaOc5ioTOuw9A6Wu5qaV0 65a5rR4jw1BbEOXfNBf6KFsxmYOHHswDw3mrxWcACrSOmDGw4dOuaV/L4T5clY/3VRjQ 2j0uuecryrd8cNrs6KnAvFk8EbtouEeTFhe/XqpJDm3x0ZADB8atE7elYzMt5Mie1pEM zyRLJf7vkwVedV21wu7Y/xw32jnp9SxrTN2W8O30iNz0+LjwOsdBg3f2en5+l226z6SW IeSstvMtIdJyi3LQC4LrCn/tvyR/1XcN1eRDZrCmWVO5lCLU0m4+7CHx8gLfK02lyxRC iQ==
Received: from stntexhc11.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 2ryyhrtvej-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 25 Apr 2019 18:04:10 -0400
Received: from STNTEXMB101.cis.neustar.com ([fe80::a831:d3b4:fb4e:e45b]) by stntexhc11.cis.neustar.com ([::1]) with mapi id 14.03.0439.000; Thu, 25 Apr 2019 18:04:08 -0400
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Russ Housley <housley@vigilsec.com>, Eric Rescorla <ekr@rtfm.com>
CC: IETF STIR Mail List <stir@ietf.org>
Thread-Topic: WG Last Call comments on stir-oob-04
Thread-Index: AQHU3r2yzeCxb2+EfE2c1NNekzBydKZA8lWAgAyDgQA=
Date: Thu, 25 Apr 2019 22:04:08 +0000
Message-ID: <254E8676-CB2A-431E-AC2F-5EEAE2B3453A@team.neustar>
References: <9BB03273-2BFA-4907-9234-EC8CE33E0186@team.neustar> <C85EE94D-B228-4F23-9F2D-89D4D312F7EF@vigilsec.com>
In-Reply-To: <C85EE94D-B228-4F23-9F2D-89D4D312F7EF@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.9.190412
x-originating-ip: [10.96.13.90]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A48370191B66A74DAF00A2956929598B@neustar.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-04-25_18:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904250135
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/sj31CuBTDwm5wywwruXcGSXPnoA>
Subject: Re: [stir] WG Last Call comments on stir-oob-04
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 22:04:12 -0000

Thanks for the notes Russ. A few responses inline.
    
    Major:
    
    Title page: As discussed on the mail list, please change the 
    intended status to "Informational".
    
    Section 11: To date, STIR certificates are only used to digital
    signature.  This document suggests that the public key in the
    certificate can also be used to provide confidentiality.  This
    works if the public key is RSA, and the certificate has the
    appropriate key usage bits set.  However, this does not work if
    the public key is DSA, ECDSA, Ed25519, or several others.  I
    am not asking for a major change to the document, but this
    should be pointed out in the document.  

<Jon>This is an artifact of how long the document has been in progress - since before we moved STIR to ECDSA. So, good catch. I do think we should at least sketch a plausible way to get those encryption keys into the architecture. We'll circle around on that and come back with something. </Jon>

    And, Section 11 should
    point out that finding the credential for the callee cannot
    leverage the "x5u" claim in the PASSporT when the public key
    can only be used for digital signature.
    
<Jon> I'd like to keep the x5u semantics the same in OOB as in-band, definitely, so some change to the text is needed there, agreed. </Jon>
    
    Minor:
    
    Section 2: Please update the first paragraph to reference RFC 8174
    in addition to RFC 2119, as follows: 
    
       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
       "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
       "OPTIONAL" in this document are to be interpreted as described in
       BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
       capitals, as shown here.
       
    Of course, also add a reference to RFC 8174.

<Jon> Will do. </Jon>
    
    The figure in Section 7.2 can be easily adjusted to fit the normal
    margins.  Also, the example telephone numbers should use the 555
    conventions.  I suggest:
    
       Alice                    Call Placement Service                  Bob
       --------------------------------------------------------------------
    
       Store PASSporT for 2.222.555.2222 -->
    
       Call from 1.111.555.1111 ------------------------------------------>
    
    
                                        <-------------- Request PASSporT(s)
                                                         for 2.222.555.2222
    
                                        Obtain Encrypted PASSporT -------->
                                        (2.222.555.2222, 1.111.555.1111)
    
                                                  [Ring phone with callerid
                                                          = 1.111.555.1111]
    
    Also, adjust the text to reference these example telephone numbers.
    
    Likewise, please adjust the example telephone numbers in Section 9.
    
    It should be equally easy to remove three spaces from the figure in
    Section 7.4 to fit the normal margins.

<Jon> Will fix various margins. The numbers are illegal ones, just illegal in a different way than usual. </Jon>
    
    Section 7.3: Please add a reference for TLS.  I assume you will use
    [RFC8446].
    
    Section 7.5: s/Sign(K_cps, K_temp))/Sign(K_cps, K_temp)/
    
    Section 11: Please add a reference for OCSP.  I assume you will use
    [RFC2560].

<Jon> Will fix those. </Jon>
    
    Section 14: I think it would be helpful to include pointers to
    Sections 7.3 and 7.4 in the Security Considerations.

<Jon>Yes, I am convinced we need some better Sec Cons text here. And as to nits below, will fix those, thanks. </Jon>
    
    Nits:
    
    Suggested spelling: s/CPSs/CPSes/  (Note: This spelling is used for
    Certificate Practice Statements.)
    
    Section 3: Please spell out the first use of "POTS".  As an alternative,
    the sentence could be reworded to use PSTN, which has already been used
    many times by this point in the document.
    
    Sections 5.1 and 5.4: s/in the SIP world/in a SIP environment/
    
    Section 5.4: s/back to the IP world/back to a SIP environment/
    
    Section 5.4: s/returns to the IP world/returns to a SIP environment/
    
    Section 5.5: s/a valid calls/a valid call/
    
    Section 6.2: s/one that is valid/one or more that are valid/
    
    Section 7.5: Please add an informative reference on blinded signatures.
    
Jon Peterson
Neustar, Inc.

v2.23.0 | Report a Bug | By Email