[stir] Comments and Ready for Adoption: draft-peterson-stir-cert-delegation
Eric Burger <eburger@standardstrack.com> Fri, 19 April 2019 19:37 UTC
Return-Path: <eburger@standardstrack.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6902812036E for <stir@ietfa.amsl.com>; Fri, 19 Apr 2019 12:37:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.69
X-Spam-Level:
X-Spam-Status: No, score=-1.69 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=standardstrack.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRPWgSukZxNp for <stir@ietfa.amsl.com>; Fri, 19 Apr 2019 12:37:28 -0700 (PDT)
Received: from biz221.inmotionhosting.com (biz221.inmotionhosting.com [198.46.93.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 271CE120368 for <stir@ietf.org>; Fri, 19 Apr 2019 12:37:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=standardstrack.com; s=default; h=To:Date:Message-Id:Subject:Mime-Version: Content-Type:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=2DA6y1TB2zsET1pFuavXF1UAbBE/o1YJLChYyodXHnA=; b=hNqdsz1ICEiYIYTDDllhXY0csI 9eCgtHwjUd0QxdKI+ErBM3p5HmQrYXRMDOWpXGNgVvzuuAlQQJDrRs1tpkIYmXWDDbmbzgU9vD/Vz p/+JWQoFOJJL/j8Pfb4iOmbZyl4WqUCzestp79CKJmtQALqBa3OCRGSRZFswP6B4mX50=;
Received: from [104.129.194.128] (port=3138 helo=[172.20.27.185]) by biz221.inmotionhosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <eburger@standardstrack.com>) id 1hHZK6-001hd8-MK for stir@ietf.org; Fri, 19 Apr 2019 12:37:27 -0700
From: Eric Burger <eburger@standardstrack.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_526680DA-6C2D-43D0-9B46-37C3673CEBF5"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Message-Id: <69ACDD9A-436B-4ED9-AA31-26431256334A@standardstrack.com>
Date: Fri, 19 Apr 2019 15:37:18 -0400
To: stir@ietf.org
X-Mailer: Apple Mail (2.3445.104.8)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - biz221.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Get-Message-Sender-Via: biz221.inmotionhosting.com: authenticated_id: eburger+standardstrack.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: biz221.inmotionhosting.com: eburger@standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/tGD6gv3nVQDnRfETzoYIkICtDpY>
Subject: [stir] Comments and Ready for Adoption: draft-peterson-stir-cert-delegation
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Apr 2019 19:37:30 -0000
High level: it is ready for adoption as a work group item. Since it will need at least a name change, here are my comments at this point in its lifecycle. Section 3.1 says that a certificate path /should/ be validated. Under what circumstances would it be OK to not validate the chain? Section 4: an example chain, or at least a picture, would help Section 5: Does this mean that all certificates will have “ca” set? If so, would we not have to validate the entire chain? I.e., MUST in Section 3.1? If not, what stops a bad actor from generating a signing certificate for TNs it does not own? Section 7: I’d just refer to STIR’s text with respect there is no anonymity except for explicit anonymity (RFC 3325). However, if we have a delegated certificate chain, is there an issue with some information leakage? I would think not, because would one only use the delegation mechanism when one is explicitly NOT trying to be anonymous? I.e., use an asserted identity that may not be obvious to the connected service provider (in the SHAKEN sense)?
- [stir] Comments and Ready for Adoption: draft-pet… Eric Burger
- Re: [stir] Comments and Ready for Adoption: draft… Richard Barnes