Re: [stir] Comments on draft-ietf-stir-rfc4474bis-13.txt

Alan Ford <> Thu, 13 October 2016 08:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 615DA1296D8 for <>; Thu, 13 Oct 2016 01:04:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Y2qM0tDztl5W for <>; Thu, 13 Oct 2016 01:04:15 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 95035129431 for <>; Thu, 13 Oct 2016 01:04:14 -0700 (PDT)
Received: by with SMTP id b75so122420542lfg.3 for <>; Thu, 13 Oct 2016 01:04:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:message-id:mime-version:subject:date:references:to:in-reply-to; bh=K+2hBrCUB6wP7v0nzs/rbNCfx0oAcSg1aKRTPt/+v9M=; b=icvkuHl83dH7HxVg6z57fZfmzgjwa2eZBCYQkJG0pwnMqk4WyxqR7KlKi6JwHjlAdd yZmSnzxeooqcUhjlyJOF/2IA9YJkzrjOHO6b+beIOP9RyjiOdL0L7k1JDEHvowIdYvW6 QmZ+xFcVJG1rq/8HxXUKVsqs5WMBHFR+1AkTJG9v/TLk/rOYOvRTPln6XynPtBJjthPR hbxiEwiVIXlUy4LoG9SK1oz+o87Ut2y5ag4wAGKB+dws5n5KEo+qSFJrmj1wG0uunhDQ kQRT8OwyGZ5UJSnc0Vb2sDbFsvSEREEVXXbCZYoWFLCKeYkimp9cGPJZXNlh7yyfbdfz eWRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:from:message-id:mime-version:subject:date :references:to:in-reply-to; bh=K+2hBrCUB6wP7v0nzs/rbNCfx0oAcSg1aKRTPt/+v9M=; b=mABRbbbf3aYa9NqmKAgdgdEE/3nxundWhTbuN1VIEw+87TS6OXrPtPBWbXU/mquPUj VomnQQuKTIOGgStWP/G1W1S8XMD8EVaB8oC+PmLxr4OF40LVXRjYWCol7jjJkd0qYGHv 8SVmm2vyPDo06C7xFn55GnXitHYCYlI82mD+O5W3NIAYDDZUvGqhp9lFXKPirUyFcx+V VGM76OcWMxNi4kk9ZFcgrajR1qruUeoniMCNWbgtG8parm4HWZUgd8x9Q7vQFBzRcIxe eQZjJrkBG4WWSbxV8eTMPhQhz4T01iAlS25LZDPcrvkwAw1M+MmFZJRQBA3+7UYGQQhT RVtQ==
X-Gm-Message-State: AA6/9Rn+Hq5abCDIrJY/pkokpiT9Uk69cqu4I/oAHflNUSTP/GsTqOEu+CxSaSRV75dh+A==
X-Received: by with SMTP id w10mr1157585wmb.99.1476345851886; Thu, 13 Oct 2016 01:04:11 -0700 (PDT)
Received: from alans-mbp.lan ([]) by with ESMTPSA id lz5sm20358293wjb.24.2016. for <> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 13 Oct 2016 01:04:11 -0700 (PDT)
From: Alan Ford <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B8D3C684-584B-4E25-B2DB-67946CCF5621"
Message-Id: <>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Date: Thu, 13 Oct 2016 09:05:43 +0100
References: <>
In-Reply-To: <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Subject: Re: [stir] Comments on draft-ietf-stir-rfc4474bis-13.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Oct 2016 08:04:17 -0000

Hi all,

Does anybody else have any thoughts on this? I still fear I may be missing something, but in its present form I see there being a lot of unnecessary deployment headaches around canonicalisations and the need to go into a 438 exchange. Guidance on the use of full form (which in reality would probably lead to the use of full form in most scenarios) would seem to make this much easier. I personally think this issue needs to be resolved before publication.


> On 2 Oct 2016, at 12:17, Alan Ford <> wrote:
> Hi all,
> In general this clarifies a number of the issues raised, and I feel the use of the compact/full distinction is much clearer for current and future implementors than “canon".
> However, there is still opportunity for providing guidance of when to use each form, to avoid interop issues further down the line.
> In particular, in Section 6.1, it says:
>    An authentication service MAY use the full form of the PASSporT in
>    the Identity header field.  The presence of the full form is OPTIONAL
>    because the information carried in the baseline PASSporT object's
>    headers and claims is usually redundant with information already
>    carried elsewhere in the SIP request.  Using the compact form can
>    significantly reduce SIP message size, especially when the PASSporT
>    object contains media keys.  The syntax of the compact form is given
>    in [I-D.ietf-stir-passport <>] Section 6 <>; essentially, it contains a
>    base64 encoding of the JSON header and payload in the PASSporT
>    object.
> Firstly, "essentially, it contains a base64 encoding of the JSON header and payload in the PASSporT object” surely is a typo? The compact form contains a base64 encoding of the signature?
> This text also does not clarify why you would want to use the full form when not using optional extensions. The point I have been making in earlier mails, and which I feel would be valuable to add to the document, is something along the lines of “If, however, a sender does not know how a receiver may canonicalise the source or destination addresses, for example if it does not know whether tn, uri, or both would be used, then it SHOULD include the full form.”. (Section 8 makes comments along these lines but not as explicitly).
> Also, in Section 6.2.3, it talks about using the full form to help with canonicalisation of orig:
>    As an optimization, when the full form is present, the verification
>    service MAY compute its own canonicalization of an originating
>    telephone number and compare it to the values in the "orig" element
>    of PASSporT before performing any cryptographic functions in order to
>    ascertain whether or not the two ends agree on the canonical number
>    form.
> I think it would be helpful to also point out it helps with the canonicalisation of dest, by adding a sentence such as:
> “Similarly, the presence of the full form allows the receiver to see how the sender canonicalised the destination address(es), such as whether it was canonicalised to a tn, a uri, or both, and so this can help the receiver know how to canonicalise the headers and thus verify the claims.”
> Regards,
> Alan