Re: WG Review: Secure Telephone Identity Revisited (stir)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The following mostly are points that I raised within the group's mailing list discussion, during charter development. In my view, they have not yet been adequately resolved:


On 8/21/2013 10:52 AM, The IESG wrote:
   Please send your comments to the IESG mailing list (iesg
at ietf.org) by 2013-08-28.
...
The STIR working group will specify Internet-based mechanisms that allow
verification of the calling party's authorization to use a particular
telephone number for an incoming call.

"use a particular telephone number for an incoming call" has no obvious and unambiguous technical meaning. In fact, it seems to imply the meaning of "authorization to call a particular number". However of course that's not the intended meaning. Since this is the only text in this paragraph that says what the working group will /do/ it should make its statement with clarity and technical substance.

That is, the charter needs to use a precise term for specifying the specific role of the number of interest. In earlier drafts, "caller id" was used. The next sentence uses "source telephone number". Perhaps that is acceptable.


Since it has  become fairly easy
to present an incorrect source telephone number, a growing set of
problems have emerged over the last decade.  As with email, the claimed
source identity of a SIP request is not verified, permitting unauthorized

As a matter of form, I'll note the SIP's community's use of "identity" is what is called "identifier" in the identity community.

...

As its priority mechanism work item, the working group will specify a SIP

Reference to work priority is only meaningful in the face of a list of tasks that will be considered simultaneously and what it means to give priority to one over another. Based on the lengthy mailing list discussion of in-band vs. out-of-band, it appears that the current charter is actually intended to support simultaneous work on alternative mechanisms, rather than pursuing them sequentially.

This should be made explicit. If the requirement is to work on them sequentially, then state that. If the intent is to work on both approaches simultaneously, then say that.

...


In addition to its priority mechanism work item, the working group will
consider a mechanism for verification of the originator during session
establishment in an environment with one or more non-SIP hops, most
likely requiring an out-of-band authorization mechanism.  However, the
in-band and the out-of-band mechanisms should share as much in common as
possible, especially the credentials.  The in-band mechanism must be sent
to the IESG for approval and publication prior to the out-of-band
mechanism.

"in-band and the out-of-band mechanisms should share as much in common as possible"

This is the essential text that mandates working on both approaches simultaneously and makes the earliet assertion about priority moot. (Note how far down in the charter this is buried, yet how fundamental a requirement is establishes.)


...

Input to working group discussions shall include:


That's a lengthy list of documents. Why has it left out other documents discussed during charter development and clearly of continuing interest to the effort, namely:

   A proposal for Caller Identity in a DNS-based Entrusted Registry
   (CIDER)
   draft-kaplan-stir-cider-00

   An Identity Key-based and Effective Signature for Origin-Unknown
   Types
   draft-kaplan-stir-ikes-out-00


d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]