[stir] Raw Notes for STIR@103
Robert Sparks <rjsparks@nostrum.com> Thu, 08 November 2018 22:04 UTC
Return-Path: <rjsparks@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 969E4128A5C for <stir@ietfa.amsl.com>; Thu, 8 Nov 2018 14:04:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3bzkh9K6HSPh for <stir@ietfa.amsl.com>; Thu, 8 Nov 2018 14:04:27 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F5A2128C65 for <stir@ietf.org>; Thu, 8 Nov 2018 14:04:27 -0800 (PST)
Received: from unescapeable.local ([47.186.18.66]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id wA8M4QMh021202 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <stir@ietf.org>; Thu, 8 Nov 2018 16:04:27 -0600 (CST) (envelope-from rjsparks@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host [47.186.18.66] claimed to be unescapeable.local
To: "stir@ietf.org" <stir@ietf.org>
From: Robert Sparks <rjsparks@nostrum.com>
Message-ID: <321ea237-87f1-cae5-dba5-a3da3bbfe877@nostrum.com>
Date: Thu, 08 Nov 2018 16:04:26 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/xabbcbM0TsoFydYkDK4dR09fLBg>
Subject: [stir] Raw Notes for STIR@103
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 22:04:31 -0000
Many thanks to Jonathan Lennox and Jean Mahoney for taking notes during the STIR session at IETF 103. Jonathan's notes can be found in the etherpad at https://etherpad.tools.ietf.org/p/notes-ietf-103-stir?useMonospaceFont=true Jean's notes are copied below: ==================================================================== STIR WG Session IETF 103 Bangkok MONDAY, 5 November 2018 at 1120 Chairs: Russ Housley, Robert Sparks AD: Adam Roach ------------------------------------------------------------ Administrative tasks Presenter: Adam Roach Presentation: https://datatracker.ietf.org/meeting/103/materials/slides-103-stir-chair-slides-00 (Slight delay in starting the meeting: Chair delays, Meetecho issues for remote participants, stale Agenda cache that did not show session slides.) Minute Taker: Jon (Lennox?), Jean Mahoney (backup) Jabber Scribe: Christer Holmberg (who couldn't get into the Jabber room, Adam Roach became backup scribe) Bluesheets Agenda Bash Jon Peterson - Chris will present RCD, not me. (no other changes to the agenda) ------------------------------------------------------------ draft-ietf-stir-passport-shaken Presenter: Chris Wendt Presentation: https://datatracker.ietf.org/meeting/103/materials/slides-103-stir-passport-shaken-00 slide 1: Title slide 2: Some Comments to discuss Chris - The origid identifier is opaque, and allows the service provider to trace back where the call was originated, not the originator itself, no personal info is being leaked. Robert Sparks - For the Privacy Considerations, you should be able to point to the base PASSporT spec, and it will talk about all these other things. But I haven't verified that. Jon Peterson - The Privacy Considerations in 3323 probably aren't well aligned with this. This identifier doesn't contain any personally identifying info. It's an opaque identifier of network resources rather than people. It's used for service provider tracing. If you are concerned about people tracking this, you can generate a new origid every time you generate a call. It's internal to service provider networks. That closes the privacy gap, but point to PASSport base spec also. Chris - I'm happy to incorporate text like that. ACTION: Chris to add text to Privacy Considerations pointing to base PASSporT spec and explaining that new origids can be generated, and post to mailing list. slide 3: New Terminology text slide 4: New Abstract text slide 5: Other comments Chris - I'll put a new version of the Privacy Considerations on list, and if no comments, I'll release an -05. Adam Roach, as AD - I will put this on the Telechat as soon as -05 comes out unless anyone has an objection? (no comments from room) ------------------------------------------------------------ draft-ietf-stir-passport-divert Presenter: Jon Peterson Presentation: https://datatracker.ietf.org/meeting/103/materials/slides-103-stir-divert-and-out-of-band-00 slide 1: Title slide 2: draft-ietf-stir-passport-divert-04 slide 3: What's New in -04 slide 4: Pre-div in SHAKEN Jon - a recent question came up about having a signature over R-URIs. I think a R-URI is more ephemeral that is frequently modified. We might want to say something about this though. What if you are an authentication service and you get a call that you are supposed to sign, and the To and R-URI are already different? Does the difference reflect a semantic change? A different admin domain perhaps. How do handle it? We want to sign over To so the verification service knows who the original caller was trying to reach. If we want to change that, we'd have to change it in 8224. If you sign over R-URI and not the To, it exposes a new class of attacks. Jon - I kinda like things the way they are, and div was created to handle a change to the admin domain that was semantically meaningful. Since people are concerned about what to do - add language to div spec on why it works the way it does. div is an array, we could sign both the To and the R-URI. Chris? Chris - The freephone use case where the retargeting happens in the originating network or intermediary network that was the most discussed. After we discussed it, it's a different use case than typical call forwarding case vs the case where you call 1-800-United and it's a geographic phone number it's being redirected to and the end user knows it's representing 1-800-United. We need to talk about the differentiation between those two cases in this draft, and accommodate those cases on the shaken side. Jon - Redirection or retargeting cases on the originating side - that's what diversion was created for. We have created plugins that make div work for these use cases. I can imagine a auth service privy to a dip creating the whole div. Whoever is generating those queries should generate the full div for the call. I can add descriptive text to talk a bit more. The core mechanism is correct. I don't see what we would change in the mechanism. We should LC this and be done, right? Robert - +1 on not trying to change the mechanism to address the R-URI. If you consider the ATIS case and simplify it to a pure SIP case, and you receive a R-URI that is wholly unrelated to the To, what does that mean for your signature? Jon - We don't constrain policy decisions of authentication services and verification services. As long as you have the proper credential to sign the To, I can see you doing it in that case. Chris - We tried to make this generic and this adds some logic that makes it complex. I guess that's SIP in general. Jon - We could create a document on why authentication services and verification services should sign and validate things respectively. What they should present to the application or user as a result of receiving a valid passport. There's a bit of guidance in 8224, but it's policy free, we don't say why you sign. If there was appetite in the WG to explore that more. Chris - it's the exceptions that you can handle R-URI change, but for the standard call forwarding scenarios, you should have a div. Jon - That's my preference, if you are creating a div, if you have a R-URI that is radically different than the original To. It makes it easier for a verification service when it receives the request. So you can have some assurance that it is not a cut and paste attack. slide 5: Issues Jon - I'm comfortable to go to LC with the spec as-is. Happy to have more eyes on it. Russ - Can anyone offer a reason why it is not ready for LC? (silence) ACTION: Start WGLC on draft-ietf-stir-passport-divert this week. ------------------------------------------------------------ draft-ietf-stir-oob Presenter: Jon Peterson Presentation: https://datatracker.ietf.org/meeting/103/materials/slides-103-stir-divert-and-out-of-band-00 slide 6: draft-ietf-stir-oob slide 7: Basic STIR Out of Band slide 8: Next Steps Russ - WGLC has been initiated, but haven't had a consensus call yet. Jon - We can have a consensus call that nobody cares and we can bring this forward. The idea was worth documenting, but not worth driving into a fuller mechanism at this point. Russ - If I recall the agreement in Montreal correctly, we were going to publish framework, but not details of protocol instances that implemented the framework. Jon - if anyone really wants to do this, I'll be waiting. I'll carry a torch. Russ - We will make the consensus call - if there are any last minute issues, post them immediately. ACTION: If anyone has last-minute issues with draft-ietf-stir-oob, post them to the mailing list immediately. ------------------------------------------------------------ draft-ietf-stir-passport-rcd Presenter: Chris Wendt Presentation: https://datatracker.ietf.org/meeting/103/materials/slides-103-stir-rich-call-data-00 slide 1: Title slide 2: Overview of update Chris - Any questions or comments? Jon - The only thing I'd add - for some of the 3rd party cases we discussed, there is a use in defining a ppt type for rcd because it would operate with different passport rules. Chris - Right, we didn't remove that, this is just an additional mechanism that we added to the document. slide 3: Example of 'shaken' + 'rcd' claim slide 4: Additional Update to Discuss Jon - I think we need it. There are a couple of ways to approach this. Do we want to include a jCard by reference or value? Do we want a URL in there? You could sign that compact form style. You could put the whole jCard in a SIP request and sign over that in passport. If you use the URL approach that could be in a separate SIP header, could sign that in compact form style. Doing it by reference, you could have other formats besides jCard. Gives you modularity. Russ - We have experience with a certificate that contains a URL, it's a longer lived thing than a passport. When it is done, you will see a URL followed by a hash. If you chase the value from the URIL you compare it to the hash. The signer and validator are both using the same dereferenced value. Jon - when a SIP call is in flight you can imagine the jCard changing, that could be surprising to the generator of the passport. Ted Hardy - I'm a little confused about what security property would be important when we are talking about a URI to a logo. There is content negotiation possible based on where you dereference it. What your UA is capable of displaying. The hashes to the canonical version have to be each included. You get a lot of failure modes. The value of RCD is not exactly the same as the certificate. I'm hesitant to do that unless you are sure the elements for which you want to do a URL and a hash - the nature of object that you dereference would be sufficiently static and last as the passport did. Russ - Jon said that there are other places in SIP where we do this. My point was, if we wanted to build a more general mechanism, then for some of them, the signer and validator need to make sure they got the same object. Ted - I agree, but where's that line? Would that go into this document or a more general one that addresses the use of URLs in SIP? Russ - Right now, the document has pass the whole value, there's no issue. Only if we choose to support some things passed by reference. If it's only RCD, I don't think there's an issue, if we go beyond that, need to make sure the template isn't applied inappropriately. Ted - That makes sense to me. You should limit the kinds of url schemes permitted here the way SIP does. A mismatch seems problematic. Chris - A jCard itself can have URLs inside them. Ted - That's different, you will sign the jCard as an assemblage. You aren't guaranteeing the objects dereferenced, you are saying this is what was presented as the jCard. The results of that versus the results of trying to sign dereferenced value are pretty different. Jon - I'm just want to get compact form back. I'm worried about the size of these things. If's a shaken passport, and we add a rcd to, and there's a div. Anything we can do to cut the passports down. We can do by value or by reference. By reference may have rough corners with e tags or hashes, that's just a versioning system for content on the other side of it. I'd like to get compact to work with this. Chris - I like including that. To early to know what the industry would do. Could see a future where all jCards are dereferenced through URL. slide 5: Rich Call Data Russ - Any last questions? (silence from room) ------------------------------------------------------------ Any Other Business (if time allows) and Wrap Up Presenters: Chairs Russ - We have wrapped up with 7 minutes to spare. Thank you.
- [stir] Raw Notes for STIR@103 Robert Sparks