[stir] Thoughts on draft-ietf-stir-cert-delegation-00
Eric Burger <eburger@standardstrack.com> Sun, 21 July 2019 21:17 UTC
Return-Path: <eburger@standardstrack.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34788120128 for <stir@ietfa.amsl.com>; Sun, 21 Jul 2019 14:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aVLWB_o8VgBY for <stir@ietfa.amsl.com>; Sun, 21 Jul 2019 14:17:51 -0700 (PDT)
Received: from biz221.inmotionhosting.com (biz221.inmotionhosting.com [198.46.93.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FF75120098 for <stir@ietf.org>; Sun, 21 Jul 2019 14:17:51 -0700 (PDT)
Received: from [31.133.149.60] (port=50243 helo=dhcp-953c.meeting.ietf.org) by biz221.inmotionhosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <eburger@standardstrack.com>) id 1hpJDI-000Hnk-Ae for stir@ietf.org; Sun, 21 Jul 2019 14:17:50 -0700
From: Eric Burger <eburger@standardstrack.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_B6D38F3F-84C9-4C02-9971-47F7F8FA4931"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <7C374987-D354-4E74-9DC3-647A3C322750@standardstrack.com>
Date: Sun, 21 Jul 2019 17:17:47 -0400
To: stir@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - biz221.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Get-Message-Sender-Via: biz221.inmotionhosting.com: authenticated_id: eburger+standardstrack.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: biz221.inmotionhosting.com: eburger@standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/vJ-66-BqBb8KlEM8G42bWLEaoS8>
Subject: [stir] Thoughts on draft-ietf-stir-cert-delegation-00
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 21:17:53 -0000
Section 4: Will SHAKEN certificates carry a TNAuthList? If not, we are in academic exercise land. If so, we are good. If not, should we be? If we should, is it practical? The last three paragraphs imply to me that this is a fancy way of saying in the U.S. context the PA will allow the CA to issue signing certificates to enterprises. Is this interpretation correct? If so, does that not dramatically simplify things? An enterprise gets a signing certificate. They sign their Identity header. Since they are not a CSP entitled to put traffic on the public network, their CSP will also sign with something like the opt mechanism. Mission accomplished? Remember, a B attestation from a trusted CSP over a signed Identity is going to get much better treatment than an A attestation from The Grace L. Ferguson Robocalling and Storm Door Company <https://www.amazon.com/Grace-Ferguson-Airline-Storm-Hungry/dp/B00122NVAQ>. Section 5: Is the verification of the scope of the validation certificate in real-time, or can it be done administratively off-line? Section 8, last paragraph of p. 7: I thought RFC 2119 does not apply to non-protocol thingies, like being the protocol police and attempting to enforce a totally non-protocol policy. As such, having an RFC 3514 evil bit in the CA seems a bit odd. As the TBD offers, I’d suggest not going there.
- [stir] Thoughts on draft-ietf-stir-cert-delegatio… Eric Burger
- Re: [stir] Thoughts on draft-ietf-stir-cert-deleg… Peterson, Jon