Re: [stir] STIR certificate delegation

Chris Wendt <chris-ietf@chriswendt.net> Tue, 12 March 2019 14:51 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <63E9BF16-DA95-4E1B-9550-A4A45FDAC547@team.neustar>
Date: Tue, 12 Mar 2019 10:51:40 -0400
Cc: "stir@ietf.org" <stir@ietf.org>
Message-Id: <719D5CF4-56AC-4449-8993-BE0D833CDBD5@chriswendt.net>
References: <63E9BF16-DA95-4E1B-9550-A4A45FDAC547@team.neustar>
To: "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/zgq8NOo7rGcQbXpftHN8jWIWiLQ>
Subject: Re: [stir] STIR certificate delegation

+1

Jon and I have discussed this and it is aligned with what was presented a few weeks ago to the IP-NNI Joint Task Force for delegated certificates and enterprise use cases.

> On Mar 12, 2019, at 10:01 AM, Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org> wrote:
> 
> 
> Hello,
> 
> I've submitted a new draft which takes a first stab at specifying a way to delegate certificates in STIR. This would allow a carrier, say, to delegate to an enterprise authority for one or more telephone numbers so that the enterprise can run its own authentication service and sign calls itself.
> 
> https://www.ietf.org/id/draft-peterson-stir-cert-delegation-00.txt
> 
> Basically, this document proposes that delegation of STIR certificates rely on something a bit like the RPKI "encompassing" mechanism: that is, rather than having some explicit constraint in a certificate that indicates which names it can delegate to, that instead the TNAuthList is itself the constraint, so that relying parties who receive calls signed by this certificate, as they inspect a certificate chain, verify that each child certificate's scope of TNAuthList authority is encompassed by its parent's. This can be a bit messy when delegating from SPC to TN ranges, but that messiness probably isn’t avoidable.
> 
> It also, perhaps controversially, has an optimization that allows certificates that can sign delegate certificates (and thus have their CA boolean set to "true") to actually sign PASSporTs as well.
> 
> This document has a few interactions with the ACME mechanisms using the Authority Token for TNAuthLists as well, which we are still ironing out a bit, but which is reflected in those drafts today.
> 
> Comments welcome! We should find some time to discuss in Prague.
> 
> Jon Peterson
> Neustar, Inc.
> 
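The "encompassing" chain check that Jon's quoted message describes, written out as an added example (not code from the draft or from Neustar): each certificate is modelled as the list of TNAuthList entries it carries, an SPC string or a TN range (a single TN is a range with count 1, matching the RFC 8226 TelephoneNumberRange shape), and a child is accepted only when every entry it claims fits inside some entry of its parent. The SPC-to-TN-range step that the message calls messy is handled through a constructed lookup table, `SPC_TN_RANGES`, standing in for whatever numbering or portability source a real verifier would consult.

```python
"""Chain check for STIR delegated certificates using the TNAuthList
"encompassing" rule: a child cert may only assert authority that its
parent already holds.  Added example, not the draft's own code."""
from dataclasses import dataclass
from typing import List, Optional, Union

# Hypothetical resolver for the SPC -> TN ranges case: which numbers an
# SPC is authoritative for.  Constructed sample data, not real allocations;
# a deployed verifier would consult a numbering/portability source instead.
SPC_TN_RANGES = {
    "1234": [(12025550000, 12025559999)],  # inclusive (first, last) pairs
}


@dataclass(frozen=True)
class TNRange:
    start: int  # first TN as an integer of E.164 digits
    count: int  # number of consecutive TNs covered (1 = single TN)

    def contains(self, other: "TNRange") -> bool:
        return (self.start <= other.start
                and other.start + other.count <= self.start + self.count)


Entry = Union[str, TNRange]  # str = SPC, TNRange = single TN or TN range


def encompassed(child: Entry, parent: Entry) -> bool:
    """True if `parent` grants at least the authority `child` claims."""
    if isinstance(child, str):
        # An SPC can only be inherited verbatim from a parent holding that SPC.
        return isinstance(parent, str) and child == parent
    if isinstance(parent, TNRange):
        return parent.contains(child)
    # Parent is an SPC: the child's range must lie inside a range the SPC owns.
    return any(TNRange(first, last - first + 1).contains(child)
               for first, last in SPC_TN_RANGES.get(parent, []))


def verify_chain(chain: List[List[Entry]]) -> Optional[str]:
    """chain[0] is the carrier/root cert's TNAuthList, chain[-1] the leaf's.
    Returns None when every child is encompassed by its parent, else a reason."""
    for depth in range(1, len(chain)):
        parent, child = chain[depth - 1], chain[depth]
        for entry in child:
            if not any(encompassed(entry, p) for p in parent):
                return f"cert at depth {depth}: {entry!r} not encompassed by parent"
    return None


if __name__ == "__main__":
    carrier = ["1234"]                       # holds the SPC
    enterprise = [TNRange(12025551000, 100)]  # delegated a block of 100 TNs
    department = [TNRange(12025551050, 1)]    # re-delegated a single TN
    print(verify_chain([carrier, enterprise, department]))
```

A chain that tries to widen its scope at any level (a range spilling past its parent's block, or a TN the SPC does not own) is rejected with the depth and entry that failed, which is the information a relying party would log when refusing a PASSporT signed by that leaf.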