Re: [stir] I-D Action: draft-ietf-stir-messaging-01.txt
Ben Campbell <ben@nostrum.com> Fri, 12 November 2021 04:50 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FFAD3A11DC for <stir@ietfa.amsl.com>; Thu, 11 Nov 2021 20:50:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.12
X-Spam-Level: *
X-Spam-Status: No, score=1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, KHOP_HELO_FCRDNS=0.4, MAY_BE_FORGED=2.399, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmDZdnGRi3xq for <stir@ietfa.amsl.com>; Thu, 11 Nov 2021 20:50:30 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F2723A11DB for <stir@ietf.org>; Thu, 11 Nov 2021 20:50:30 -0800 (PST)
Received: from smtpclient.apple (mta-70-120-133-87.satx.rr.com [70.120.133.87] (may be forged)) (authenticated bits=0) by nostrum.com (8.17.1/8.16.1) with ESMTPSA id 1AC4oM1D052816 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 11 Nov 2021 22:50:23 -0600 (CST) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1636692623; bh=GbIJwzzu5ilTYALMnGt59tK8mHta4sCjxr7SQRmdJOg=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=WPV5eMzm5/4eWpI+Dz4e3VWnP7PRv++4qpX+UqXUrtBCOkxf+4EB7xb2ajLfyyPsH uea1/ZcT7def74OutquvF4v4XtzrbJxBvOqsaJjf3BAaejXwJ0kLUB0N34o6ZDUA0s K31ttblqiPp2YyFtWx/bXfRVw958EzlgQdwruD0M=
X-Authentication-Warning: raven.nostrum.com: Host mta-70-120-133-87.satx.rr.com [70.120.133.87] (may be forged) claimed to be smtpclient.apple
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.20.0.1.32\))
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <163649299634.6482.9891939183926403571@ietfa.amsl.com>
Date: Thu, 11 Nov 2021 22:50:16 -0600
Cc: "Peterson, Jon" <jon.peterson@team.neustar>, Chris Wendt <chris-ietf@chriswendt.net>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2DF9FF10-A53C-4496-B8C3-4EBE5E15F7C7@nostrum.com>
References: <163649299634.6482.9891939183926403571@ietfa.amsl.com>
To: stir@ietf.org
X-Mailer: Apple Mail (2.3693.20.0.1.32)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/yaCZQ0wVO8zdQabCLUPrG0Zr9R8>
Subject: Re: [stir] I-D Action: draft-ietf-stir-messaging-01.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 04:50:34 -0000
(No hats) Thanks for the update. A few high level thoughts. We’ve probably talked about some of these before, but I’ve slept since then. Freshness: I wonder if we need to think about (and maybe even say something) about passport freshness for messaging. The time frame for message delivery is different than for voice calls. They may end up on message stores for store-and-forward or message history applications. I suspect the freshness guidance in RFC 8224 won’t be right. OTOH, extending the freshness window for more than a few minutes could be a replay attack problem. Maybe the passport should be verified prior to putting a “read" message into a history folder, but that may not make sense for store-and-forward of unread messages. CPIM: I see that it now mentions CPIM. My concern about CPIM based messages is that some systems use it to attach metadata to the message. As far as I know, the use of CPIM for security interworking between messaging protocols hasn’t really happened. But it is being used by some messaging systems (e.g. RCS) to attach metadata to messages for other purposes. I suspect there are cases where intermediaries add or consume CPIM header fields. This could be an issue for the MSGi mechanism if we assume the entire body is always protected. RFC 8591 section 9.1 talks about this in some more detail for S/MIME, but the same issues may apply here. I’m not saying that we should necessarily change from msgi protecting the entire body—it’s just something we should think about and maybe get some feedback from implementors. SMS: I’ve been thinking if we could use OOB passports in some way to authenticate legacy SMS messages, especially if they are sent or delivered using SIP (e.g. the 3GPP’s SMS-over-IP spec. But IIUC, in that spec the SIP From, To, and R-URI do not necessarily represent the sender and the recipient. That information is buried in the body. Figuring out a solution for that is probably out-of-scope for STIR, but it would be nice if we don’t preclude others form solving this. (I suspect the answer is that SMS-over-IP is a completely different protocol that only incidentally uses SIP at the edge, and someone would need to specify how to use passports with it.) Thanks! Ben. > On Nov 9, 2021, at 3:23 PM, internet-drafts@ietf.org wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Secure Telephone Identity Revisited WG of the IETF. > > Title : Messaging Use Cases and Extensions for STIR > Authors : Jon Peterson > Chris Wendt > Filename : draft-ietf-stir-messaging-01.txt > Pages : 10 > Date : 2021-11-09 > > Abstract: > Secure Telephone Identity Revisited (STIR) provides a means of > attesting the identity of a telephone caller via a signed token in > order to prevent impersonation of a calling party number, which is a > key enabler for illegal robocalling. Similar impersonation is > sometimes leveraged by bad actors in the text messaging space. This > document considers the applicability of STIR's Persona Assertion > Token (PASSporT) and certificate issuance framework to text and > multimedia messaging use cases, both for instant messages carried or > negotiated by SIP. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-stir-messaging/ > > There is also an htmlized version available at: > https://datatracker.ietf.org/doc/html/draft-ietf-stir-messaging-01 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-stir-messaging-01 > > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > > _______________________________________________ > stir mailing list > stir@ietf.org > https://www.ietf.org/mailman/listinfo/stir
- [stir] I-D Action: draft-ietf-stir-messaging-01.t… internet-drafts
- Re: [stir] I-D Action: draft-ietf-stir-messaging-… Ben Campbell