IETF Logo Mail Archive

Re: [stir] Questions about stir-certificates

"Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com> Fri, 20 October 2017 19:49 UTC

Return-Path: <pierce.gorman@sprint.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F57213431D for <stir@ietfa.amsl.com>; Fri, 20 Oct 2017 12:49:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CuP6u5n3SSf for <stir@ietfa.amsl.com>; Fri, 20 Oct 2017 12:49:52 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0097.outbound.protection.outlook.com [104.47.40.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4BE513207A for <stir@ietf.org>; Fri, 20 Oct 2017 12:49:48 -0700 (PDT)
Received: from DM5PR05CA0041.namprd05.prod.outlook.com (10.174.188.158) by DM5PR05MB3595.namprd05.prod.outlook.com (10.174.242.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.156.2; Fri, 20 Oct 2017 19:49:47 +0000
Received: from SN1NAM01FT060.eop-nam01.prod.protection.outlook.com (2a01:111:f400:7e40::205) by DM5PR05CA0041.outlook.office365.com (2603:10b6:4:39::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.156.4 via Frontend Transport; Fri, 20 Oct 2017 19:49:47 +0000
Authentication-Results: spf=pass (sender IP is 144.230.32.81) smtp.mailfrom=sprint.com; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=sprint.com;
Received-SPF: Pass (protection.outlook.com: domain of sprint.com designates 144.230.32.81 as permitted sender) receiver=protection.outlook.com; client-ip=144.230.32.81; helo=preapdm2.corp.sprint.com;
Received: from preapdm2.corp.sprint.com (144.230.32.81) by SN1NAM01FT060.mail.protection.outlook.com (10.152.64.104) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.77.10 via Frontend Transport; Fri, 20 Oct 2017 19:49:47 +0000
Received: from pps.filterd (preapdm2.corp.sprint.com [127.0.0.1]) by preapdm2.corp.sprint.com (8.16.0.21/8.16.0.21) with SMTP id v9KJjQLl018725; Fri, 20 Oct 2017 15:49:46 -0400
Received: from plswe13m03.ad.sprint.com (plswe13m03.corp.sprint.com [144.229.214.22]) by preapdm2.corp.sprint.com with ESMTP id 2dkbkumdf2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 20 Oct 2017 15:49:46 -0400
Received: from PLSWE13M04.ad.sprint.com (2002:90e5:d617::90e5:d617) by plswe13m03.ad.sprint.com (2002:90e5:d616::90e5:d616) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 20 Oct 2017 14:49:45 -0500
Received: from PLSWE13M04.ad.sprint.com ([fe80::2c01:fcb8:e729:4a7a]) by plswe13m04.ad.sprint.com ([fe80::2c01:fcb8:e729:4a7a%24]) with mapi id 15.00.1293.002; Fri, 20 Oct 2017 14:49:45 -0500
From: "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] Questions about stir-certificates
Thread-Index: AQHTSTpVoMtE8aZexUWHseJtpp6pN6LtIBHg
Date: Fri, 20 Oct 2017 19:49:44 +0000
Message-ID: <171f91651e9e4a2eb7873fdbe1b9fcea@plswe13m04.ad.sprint.com>
References: <D60E0087.1EEE44%jon.peterson@neustar.biz> <CABkgnnV41djmwJ2A8WkLv1Qu_zxAKPb8EJnuoFS1Zeog3momyQ@mail.gmail.com> <6432f01322c74b1196075c4549f18a12@plswe13m04.ad.sprint.com> <4bbb6330-96e7-6317-cbae-07991075e776@alum.mit.edu>
In-Reply-To: <4bbb6330-96e7-6317-cbae-07991075e776@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.214.116.46]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:144.230.32.81; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(376002)(346002)(39860400002)(2980300002)(438002)(189002)(13464003)(51444003)(24454002)(51914003)(199003)(53936002)(2950100002)(86362001)(53546010)(6246003)(478600001)(106002)(316002)(93886005)(189998001)(23676002)(966005)(68736007)(5250100002)(2501003)(6306002)(76176999)(8676002)(305945005)(14454004)(2900100001)(24736003)(7736002)(356003)(7696004)(229853002)(2171002)(54356999)(3846002)(2906002)(33646002)(97736004)(110136005)(102836003)(81156014)(6116002)(47776003)(106466001)(5660300001)(81166006)(108616004)(8936002)(50466002)(50986999); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3595; H:preapdm2.corp.sprint.com; FPR:; SPF:Pass; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; SN1NAM01FT060; 1:bcNZkRhnZ5OmTkpO3T0shMFoAJX+8vHqzoPGRrQY1yiVM9mdqYe5vzZEduPwSun+fpMnW0PWe3JPlARJ4t7gBknf+7SWzmOMjc7qpXJRD2tSjTe3gIPoVOXpSh323J1X
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4066571d-b8b4-4b19-71cf-08d517f3b7de
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(8251501002)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:DM5PR05MB3595;
X-Microsoft-Exchange-Diagnostics: 1; DM5PR05MB3595; 3:4EZd1I62K0qUy2B4i3UBMVOW5DAn8L2jMNThizBzhZBIhYwqze3J104HF2ed6qb2BEJAfsrUBnV57qGmr0eWWfp/4yYDXRAUF4Ruqrjk8W4lskUtMWPhXAVF4DcDR1njj5oWPgg1WbWl+eWZF1t16McF+OkrUHKC1qL2BHXOOTIhsB2Dam23fbquSEWcr4Rgym1myCpsCYgTSPAl9EMwImxSqIVCVfp4iZxOXWr/yw2UCsB5tgRuV/pHVMxg2HFon90YXwoUaMJvZz6V2Wui0BmXGGAhrX4MVhfx6D3G958r/1mYFAQvMhhX+kKe14j7OI9ViNNxZBGsqiJQM3q5JiROsO0bVqAF87UXnYz+oV4=; 25:8j678vhczIrObXLN1xI7IwsWL8v6WTpB2KTHkd7bdcS6WDKhTX2gwen6eUzvSYz4+MXXehFp4VVw6C1vlaU4sW6A+ZaeEWwh6gCA4dus+9OiyP5ZKy38NyXp0c6/BfDGBKQH7qO3j215L1IUYCVD0BoTjBKA9YWed1GHybT2XKZcOkMMIStj5jOjNMEeZH8yd1PTKldoNX9OqEwtZd9/Dy2JXOBUWamOD2A/pvwuYL2kWTQoMlRAVt8Puy+ffgQXT9mAnpn5NALRG+QfpWsHFITCqyaOBeOCD8xYv0Hja33OkW9A1cGdsm5ldwTKC2zEJQT7AbX9zNQv+SNj0VLXEw==
X-MS-TrafficTypeDiagnostic: DM5PR05MB3595:
X-Microsoft-Exchange-Diagnostics: 1; DM5PR05MB3595; 31:KSYVB9ke7WYKCh9uBher/fKNmExIJwCLxJ9VkgrOeDHRlFsGGYxFukh/9BvgKK/nYkhe9M5Elbn0vQ+3sZh5tvPtTPE6aT3tb8BmzhKM90ta2RgQRdhxvMCTMG522VItAx7gyr27zntpfc4wot9rjx7rIHPbTiqS8FcZeSwyCpCS9m4wAIO5fgTD1gc6OCICC5x1aH4MBilwh/6eXpz9i7XMrBFVmo9AMo2z+ySg1Y0=; 20:B5/qrNPH1hKEA6Xmj5pNYVNYYmjsA7BbaxyBWm/yGtS2JCr274zH/CFDRDDdQD5+x9GMsUAksZfAqMDvzAAIsasX793UKnl/e0WJPK6EOOBSPzg+OeBICvlWM6tjC0XUtDrU81sfrbGYMKRCnT7njTydosF7uqWa/gIgpvlyNju9X7jpTS+LSNEjuKDSp1OAR0dw9euVYQqq7zcOODiecvaF6l3p0363et6SZ4uM2UhfnLMCtzKF9cdpdLULK56//mwtkrouEX1Sg4J5RHKpnxHujgQxF/IYJlZ4CHtC72HimF5A1i/cg7L6JSW7RvHXZPI2wmQSe/N/HvgXJw/NUrHC7pdJf2OwjURrROdWGqyd4OOonGaySV/TzekBUbanFP/xRdU+y6qxBTJ8dOv5HlKnQ8tOYiEphp8aOQJesPqiHECm9CZk/PmfQMDg3NWxj6JS7vT6AkDADWFp0atRK//eG54P7D3MKh6BgTJCkV+YPLJDr9BvEX1wf/Nf2GAr
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(278428928389397);
X-Microsoft-Antispam-PRVS: <DM5PR05MB359528C83AA5962A8C0F7CC389430@DM5PR05MB3595.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(10201501046)(100000703101)(100105400095)(93006095)(93004095)(3231020)(3002001)(6055026)(6041248)(20161123560025)(20161123555025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DM5PR05MB3595; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DM5PR05MB3595;
X-Microsoft-Exchange-Diagnostics: 1; DM5PR05MB3595; 4:UYF5L0wfFtzWd9y5n2/1kIn1WRhziUqX56sAuI3CBeshA4erP6cIJmnq6KWqjj1LQoTXBHyQbqa+vmhVxN8FjepUDSCvFY/MpDECHDa5alMrU0R2gb4+or/pw1NL5xQ7BCHMJ0HE6SOKweh9eF8gLLiNvDGhaIQxNk9nXSCinbXEvUK3eP5fVHRp26EhYOa65hlib60SBd1nR0v5dNOMtqNRCL9YeECVf7NgrmfZPUPhesEER238tsRwP7VwmlfjgZrnZCyA4JghGaSXRE4a6MP/chTEWSfkmEDzM+OBAY0f5kptgsXDw7Ph6P0ijOAmJ/n18J9Nn5eNtSrIwvsfBg==
X-Forefront-PRVS: 0466CA5A45
X-Microsoft-Exchange-Diagnostics: 1;DM5PR05MB3595;23:qbd223n1mMOLkZtWyUomWZL2fdxgihWAY/heHGO9ai9k+Q/UI0CPcA2Y9mKFLyfcLLIZS04+9wJgW+qhHY0nuC8Kjmiv13NSMiyvpGFPTQGTWGtE0+HQcTVvG/9ovfinTns/To7XKKslkvUHjFjthx+U6xRQ31cS5OgYZZ0G5kHqVq5lfEBIMcEiU3NyUQUFmsiatFTHk/l4uAzfXWRCxsKOXeLMR6HN712SuNx9e0MTtCjp1Ie69aUuyNMbILxUrgTYO92ebbAg/qgOKSqtG1Nq0lOm5ZhQG18bDhgMatYk4SLJDbeqXwmpFCsz+bRPKtc/+TpAGgMBEoYJcnYpvk71Tz8yX8MyB8TnW9Ed/GLwKJbQwomrZuNRgzhajbN6aos+v9eBfRnKt60DAZw1FYR8AlY1axst2S6sC+Pb/9T2kNecYdd4lF8R0dUEMkSNcYCSUsOmeETIrELYIe4ExedSRMxTeGU5bY3cnUrgyUHT+8NFWsQ/Etqs3GVMx89qGJTE7IWhJ8pyQGaUr9RlsPWUEFg50lnhow/RraTBKcm9gYrXTwv0ObzCsBcyXLB/0C7OGqNkOLOKSbFhUWxh8xtbUf/b4KppMG6nirtyWBf1uvc7E3hMZtcxYMdHm4q5OW3/bWIqs/RiYOC1sRFbQ0w72cPlzbl/Fh66iID5tuQ0lGspChpgV5JMqeh43YYcBruVBNN8jADXElLeggGPC1Jg5u112ZCAwjAtSXfuVNgxwfw+LxjTTOrGBGVB4OCiSVN/DmhGdbr0F3ZgNHedszfzZ3HsMF371ElTT1RAaUO4ELPz53SR0xt3lotSKcofz0lTTAf0U2ot0F0ODkJJ8nNKUQ7Rm+WmeCBu2D9OKPjgDxSbhRNsZXueUmyORxtJQh2wYxg8yLq5T5g5dHBhP5dS/WWjiXNzT/dDnJfXWZD7k77DQwYhDWXBo6beZB4IvSOZrKGwEyf0PDsF0HA+MBcDbFTZlcGqxFjS605DV+rGdIaM/8FsZY9QATr4A4PysEYxPLG+A+3ETy7XSA7LWtG/ISQvSmW5olLUK0UiCcNtcQU0kRzDMbSw6quUeYbvQ3MQuB3shR75c4yVLxtGKLrRJTg9bG+Qcl9dhnPdHdxQim5vMrLe3beU23qHhfaXSY6HV2g9meM2mzdsNBhtkN2rOi/DDRh1WdG5GXom+zDVECvwcX9UnYPYcx8TCHnGCuFe3HSrSQ5h7dKkNPU8ZY8s2vWIDIBuasHTxT04aS3oufhePwhxtrahCW0Vky/L/RionSZmXZi73KeQVx+Eyw==
X-Microsoft-Exchange-Diagnostics: 1; DM5PR05MB3595; 6:lBEK4SOyvFSJ8BIF56IkS7OtFkHOgX7lkaJDUOPsR2qmc4du0oqCR3PYIWexMmFZ4Ai2XrO0FKzDfzi94nOCtud01UjKsPDMVujUbMGwN99g58qcQIY5MhPlsVGdQO/kdSsO2ZCXiDWv6tYqtxrijJ5cN6Ekb78R4PtWS675W+6NF53yTQUhp0SArq85kz2zOOIiQqWvZ5KErb7N8yC3hT/1pJN+5BwWyg29aCzPVwt7vlqtZvkuM1f7G6/ikwFws9sSMVk+FNzlgFRKZCDDcr7oWnDGlB4zcY/4f5YzSb0POrVMDhW6hD0Sya5F7PW8FZ66MfLuw1Pr4B9rMrRO7Q==; 5:fqBVfQiCY+Wn82jagZn6MmtgBAAOSl92JWGNBBxXPdjJVWdVc+zwvHBhstXoU+sXvkXHAuK9mtYhHMKOYfnDsV1trD7eCxMe31WaJsgB5Bz84qyTaP74ZBbGkNenDz9BAoPK3qvYm4YuZcaMCg0WjA==; 24:bIWmf0Y8DGtcba+FrJaUZKiSKmvY6oLD9S2zKU1DFEe1TtbdYCUR9aoEmfQBaRWOzcZGO4C8E39LPhQw7JsswLjUULaz0fN10x/pNPabOek=; 7:eVd6Avt+FUjSlpQ0lfJw9BnK0Fr4NPVZlGtKpiNtpbGIhOSV9bS4/VFN9lFOxTViI9OUh/qekDeEAEsgzTol9ov7o4A06qq7A/2TEfMOvDq8V/QMqVMIV87Ln0jdjC0RqXw02xzekuP2MLCPJgZyX8WmTctiI3yRvMdXddwB+bZFKlkDWNwGCwZBxnC1GYYcXDqeyAaIf0vGCdnSTHpt8VXaUsdDCDps9+9edS7nJk8=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: sprint.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Oct 2017 19:49:47.0062 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4066571d-b8b4-4b19-71cf-08d517f3b7de
X-MS-Exchange-CrossTenant-Id: 4f8bc0ac-bd78-4bf5-b55f-1b31301d9adf
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=4f8bc0ac-bd78-4bf5-b55f-1b31301d9adf; Ip=[144.230.32.81]; Helo=[preapdm2.corp.sprint.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3595
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/xdvAU8YWfPyboRAeaLun9-g3X1g>
Subject: Re: [stir] Questions about stir-certificates
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2017 19:49:57 -0000

Government agencies and financial institutions would not be given "Full" attestation under ordinary circumstances and so their calls would not get the green check (although Chris' TN PoP could help change that).

Remembering the originating telephone number of government agencies and financial institutions may be difficult for some consumers (and probably not a source of many calls for the average Joe in any case).

Challenges with the veracity of calling name information remain even in the presence of STIR/SHAKEN.  It's an area of opportunity for further study and development.

Pierce

-----Original Message-----
From: Paul Kyzivat [mailto:pkyzivat@alum.mit.edu] 
Sent: Friday, October 20, 2017 12:46 PM
To: stir@ietf.org
Subject: Re: [stir] Questions about stir-certificates

On 10/20/17 12:15 PM, Gorman, Pierce A [CTO] wrote:
> Martin,
> 
> I want to offer my compliments for your comments attempting to help improve the standard and make STIR more robust.
> 
> You also observed, "PKI, this isn't that great a solution.  Every time we use some out-of-band mechanism, it turns out to be brittle.  When something is brittle, the immediate reaction is to make it non-blocking."
> 
> The protocol and policy challenges of STIR and PKI are contributing factors to why I believe STIR/SHAKEN by itself will probably always be non-blocking.
> 
> Even if we constrain our consideration to the Service Provider use case, there are many thousands of Service Providers and hundreds of government authorities and so SHAKEN/STIR may only ever be fragile and non-blocking in perpetuity.  If we consider non-network-centric end-user application and per-Telephone Number use cases, I think the already considerable policy, protocol, and operational challenges become even more significant.
> 
> Furthermore, STIR/SHAKEN is a mechanism for conveying relative trustworthiness of the calling telephone number, and AFAIK consumer preference studies of VoIP-originated SPAM have so far been anecdotal and unscientific.  It is not yet clear whether a positive indication of trust such as a green check mark will be preferred (or acceptable), as compared to a negative indication of trust such as a red circle with a diagonal red slash across it on a white background.
> 
> The majority of telephony consumers may prefer to only be alerted to suspicious call attempts.   SHAKEN's "Full" attestation provides the highest level of trust with regard to the originating telephone number not having been spoofed, but consumers may not want to be told, "here's another most likely benign call attempt".
> 
> "Partial" and "Gateway" attestations as indications of relative untrustworthiness of the calling number may be usable as filters for secret-sauce analytics and/or post-processing forensic investigation.  IMHO they are not suited for at-a-glance indications of unwanted calling attempts to subscribers.   And, I assume no user, enterprise, or originating or transit service provider will volunteer "Fraudulent" or " SPAM" attestations although they would be undeniably more usable for an at-a-glance decision about whether to accept a call.

Speaking strictly as a telephony consumer: I see value in *both* the positive and negative indicators. I am inclined to use the negative one when deciding whether to answer the call at all, and the positive one for whether to trust the call for sensitive matters, such as with government agencies and financial institutions.

This can be coupled with per-number policy at my own end (in my address
book) by remembering which numbers have previously received full attestation. That can raise the bar on future calls from the same number.

	Thanks,
	Paul

> -----Original Message-----
> From: Martin Thomson [mailto:martin.thomson@gmail.com]
> Sent: Thursday, October 19, 2017 7:28 PM
> To: Peterson, Jon <jon.peterson@team.neustar>
> Cc: stir@ietf.org; Sean Turner <sean@sn3rd.com>
> Subject: Re: [stir] Questions about stir-certificates
> 
> Thanks for the response Jon,
> 
> It took me a little while to revive state for this, so I hope that I'm at least consistent with before...
> 
> On Fri, Oct 20, 2017 at 3:17 AM, Peterson, Jon <jon.peterson@team.neustar> wrote:
>>> The first question is whether this delegation makes any sense for 
>>> service provider codes.  A service provider that signs a subordinate 
>>> (such as an enterprise that operates a PBX) is hardly going to allow 
>>> that subordinate to use their service provider code.  In light of 
>>> that, it seems like subjectAltName is entirely appropriate place to 
>>> put a service provider code.
>>
>> I think the use case for SPC delegation is probably not the 
>> enterprise case. A service bureau case makes more sense. We've also 
>> entertained cases where a large carrier, say, might have authority 
>> over multiple SPCs in one cert, but might want to delegate to some 
>> part of its own network a certificate for just one of those SPCs. 
>> I've also dimly envisioned, if this all takes off, use cases for 
>> selectively delegating applications associated with an SPC for a 
>> particular service, probably to a service
>> bureau: like, Company A is doing the SMS for SPC 6166.
> 
> That makes me more confident that you have the right model, as least with respect to subjectAltName.  I was concerned that a SPC was an identity of the entity doing the signing, but it seems like it is instead a proxy for a number range.  Cast in those terms, the model you have is OK.  But it really isn't that clear from the document that this is the model.  For a relative outsider, it might be useful to say that this is an assumption in your model.
> 
>>> It's also unclear to me whether a certificate that includes AIA for 
>>> telephone numbers also effectively constrains subordinates to comply 
>>> with that set.
>>
>> I hope it does, yes. We can make sure the document does say that.
> 
> I trust that you will do that :)
> 
>>> The document doesn't say.  On the assumption that it does, what 
>>> happens when the resource identified in the AIA changes?
>>
>> This is supposed to be a feature, believe it or not. If the resource 
>> behind the AIA changes, the scope of the certificate changes. Part of 
>> resolving the chain of authority in this model would be dereferencing 
>> any such AIA's, yes, and making sure it still holds.
>>
>>> There's a possibility that changes in the referenced resource could 
>>> invalidate subordinates.  Doesn't this put AIA on the critical path?
>>
>> That last point is probably better for Sean to speak to than me.
> 
> I just checked and RFC 5280 mandates AIA as a non-critical extension.
> I think that's a bit of a deal-breaker.
> 
>>From my (limited) experience with out-of-band information in the web
> PKI, this isn't that great a solution.  Every time we use some out-of-band mechanism, it turns out to be brittle.  When something is brittle, the immediate reaction is to make it non-blocking.  That was the case with CRLs and OCSP.  That's why we have OCSP stapling.
> 
> This might be a different story.  Maybe the sheer quantity of numbers will lead to the right incentives and people will insist on retrieving up-to-date information from these resources.  But nothing in the mechanism will require it unless this document does.
> 
> If you need to use AIA, then you need to do something about it being non-critical.  I think that a strategic "MUST" might be all you need.
> "MUST support AIA, retrieve an updated AIA, and use the information provided therein"
> 
> For that to work, you need an MTI retrieval mechanism and format.  I assume that this is just a DER-encoded TNAuthList.  You probably want to write that down.  And then someone will end up asking whether you have a media type for it.
> 
> And then there is the privacy story with these sorts of things.  Big lists of AIA are probably OK (K-anonymity with large K), but I can imagine the CA being able to use this as a way to track calls.  Not serious here because lists are generally long, but it was a problem with CRLs and OCSP on the web, so it's worth a brief mention at least.
> 
>>> The draft is unclear on how uniqueness is managed for service 
>>> provider codes, or even if uniqueness is a requirement.  Is this a 
>>> property of the certification path in that a trust anchor will be 
>>> connected to a particular country prefix (or set thereof), or is 
>>> there something more concrete?
>>
>> The SPC as specified is admittedly a blank check we're writing at 
>> this point, but I think that's about where we are in deployment. The 
>> early adopters of this are North American carriers, there are already 
>> bodies who allocate codes for such carriers. I don't think the IETF 
>> is the right place to do that or to try to figure out how those 
>> identifiers should be internationally allocated or what should happen 
>> when signed messages pass into places where other sorts of SPCs might be in use.
>> What's there now is good enough to let people kick the tires and get 
>> some experience; it will give national and international bodies 
>> enough leeway to define what they want for it, and we can point to that later.
> 
> I think that you need more than that.  At least acknowledge that the service provider code is defined within a certain scope and that someone consuming the code needs to be aware of where the code is coming from.
> 
>>> How does one add `count` to a number containing "*" or "#"?
>>
>> Don't get wrong: I won't pretend that every possible corner case 
>> involving "*" and "#" has been given adequate consideration. They are 
>> there in the syntax to cover a very small number of paranoid 
>> forward-compatibility use cases of the "To" header field, mostly ones 
>> that in turn will use the proposed "divert" extension. (For example, 
>> I'm dialing *69. That goes to a server that is going to retarget the call to the last party who called me.
>> How should that retargeting server sign the "divert"?) I don't think 
>> count will be practically relevant to those cases, which will would 
>> have to use specialized certs anyway. I know we don't have all that 
>> fully specified, but kind of like SPC, we're trying to leave a bit of 
>> wiggle room in the syntax not to close doors on possibilities.
> 
> Please define something.  Either say that addition of numbers that contain these digits is invalid, or that the count is added to any numeric digits to the right of these digits.  If this turns out to be a bad idea, then see my answer regarding prefixes.
> 
>>> Does the addition of `count` treat the `start` as an integer?
> 
> You missed this question.  I think that it's important.  It's the little things that can trip up implementations.
> 
> "123" + 10 is probably "123", "124", "125", ..., "132", is that correct?
> What about "123" + 1000?  It might pay to say that overflow into more digits isn't permitted, especially if you consider the case of "123*69" + 32.  Is this up to "154*69" or "123*100" or "124*00" or something else?  It might be easier to say that it's invalid.
> 
>>> What does a `count` of 0 mean?
>>
>> I believe a count of '0' is disallowed.
> 
> Indeed it is.
> 
>>> How do I express that all numbers in the +1 prefix are covered?
>>
>> If it were up to me, probably, I wouldn't want the NANPA to publish a 
>> cert with authority for +1, but instead, for the valid set of 10,000 
>> blocks (done with "count") that cover the allocated +1NPANXX's. But 
>> to your bigger question...
>>
>>> (The NANP is perhaps a bad example, try finding solid information on 
>>> the numbering plan for +257).  Did the working group consider a 
>>> number prefix in addition to the range, to allow for saying "+1..." 
>>> as a single rule?
>>
>> I went back and forth a lot between count versus prefix a couple 
>> years ago, and honestly neither is perfect. Count can least 
>> theoretically do things prefix can't; but doing some that are ugly to 
>> do with count can be done very elegantly with prefix. Maybe the best 
>> thing for us to do is at least leave the door open in the syntax to 
>> specify another way to do number ranges? I think for our current 
>> purposes count is probably okay, but I wouldn't object to adding 
>> wiggle room so we could specify other options in the future.
> 
> I would make sure that there is an extension point.  My ASN.1 is rusty, but I think that adding ... to TNEntry would be enough for that.
> 
> 
> 
> ________________________________
> 
> This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
>

v2.23.0 | Report a Bug | By Email