IETF Logo Mail Archive

Re: [stir] current draft charter - ENUM and databases

Hadriel Kaplan <hadriel.kaplan@oracle.com> Wed, 19 June 2013 17:12 UTC

Return-Path: <hadriel.kaplan@oracle.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C9321F9AAD for <stir@ietfa.amsl.com>; Wed, 19 Jun 2013 10:12:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.556
X-Spam-Level:
X-Spam-Status: No, score=-6.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sz+v4DiS3N+1 for <stir@ietfa.amsl.com>; Wed, 19 Jun 2013 10:12:18 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id D6DF121F8EAE for <stir@ietf.org>; Wed, 19 Jun 2013 10:12:15 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r5JH5uuk015998 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 19 Jun 2013 17:05:56 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r5JHCCEf014561 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 19 Jun 2013 17:12:13 GMT
Received: from abhmt115.oracle.com (abhmt115.oracle.com [141.146.116.67]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r5JHCBI7011939; Wed, 19 Jun 2013 17:12:12 GMT
Received: from [10.1.21.23] (/10.5.21.23) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 19 Jun 2013 10:12:11 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Hadriel Kaplan <hadriel.kaplan@oracle.com>
In-Reply-To: <E3FAB1F4F41F3A45B287E8D9C53522FD472CEA44@PACDCEXMB05.cable.comcast.com>
Date: Wed, 19 Jun 2013 13:12:09 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A78B3BE-F3C5-4B40-BBAB-EAFFBED57D3E@oracle.com>
References: <E3FAB1F4F41F3A45B287E8D9C53522FD472CEA44@PACDCEXMB05.cable.comcast.com>
To: "Lee, Yiu" <Yiu_Lee@Cable.Comcast.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] current draft charter - ENUM and databases
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 17:12:23 -0000

[background:] For the "email-style" case what I mean is a source identity of something like 'alice@foo.com', where by definition 'foo.com' is authoritative for usernames within its domain, and the scope of the 'alice' is constrained to the 'foo.com' domain.  What I *don't* mean is an E.164 that just happens to be encoded in a SIP URI like 'sip:+12125551212@foo.com'.  There is no TN for a "email-style" URI, for the term "email-style" I'm using anyway.

So for en email-style URI, the premise I'm assuming is the same as RFC 4474: a certificate identifying 'foo.com' signed by a trusted CA is sufficient to believe it's really a valid From of 'alice@foo.com'.  So all the verifier needs is the certificate of the From's domain, to verify the signer/originator can claim the user name.  In RFC 4474 that certificate is retrieved via an HTTP URL that the originator provides in a SIP header.  I'm just saying it's not absolutely necessary that a URL be provided in a SIP header, but we could instead get it from DNS.

We have can't just look up the DNS domain key of 'foo.com' to get the certificate, though, because 'foo.com' will resolve to stuff used for other things that we don't care about.  So a relatively common tactic people use is to prefix the DNS query key with a pre-defined/standardized/agreed-upon string for a specific node of the domain (creating an artificial name basically).  The '_cid' is just an example of such a prefix string we could standardize using.  So everyone would know to add a '_cid.' to the domain name of the email-stlye domain in the received From to find the cert in DNS for that domain; and that domain would know to put it there for everyone to get.

-hadriel


On Jun 19, 2013, at 9:14 AM, "Lee, Yiu" <Yiu_Lee@Cable.Comcast.com> wrote:

> I am on board using dns for lookup. One question in your example: When you
> receive alice@foo.com, how do you derive it to "_cid.foo.com"? Do you
> suggest _cid is the tn or some other identifier?
> 
> 
> On 6/18/13 1:36 PM, "Hadriel Kaplan" <hadriel.kaplan@oracle.com> wrote:
> 
>> I think that's still possible even for email-style names.  For example,
>> when receiving a request from'alice@foo.com' we could do a DNS lookup for
>> '_cid.foo.com' or some such pre-defined naming scheme, to get the
>> caller-id cert for 'foo.com'; or the RR for that DNS key could redirect
>> us to somewhere else if need be.  Or we could do an HTTP automatically
>> for 'http://foo.com/cid', or even 'http://foo.com/cid/ldkjhlashl' where
>> the last part is a hash of the username.
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email