Re: WG Review: Secure Telephone Identity Revisited (stir)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+ iesg
-iesg-secretary

On Wed, Aug 21, 2013 at 3:18 PM, Christopher Morrow
<morrowc.lists@xxxxxxxxx> wrote:
> On Wed, Aug 21, 2013 at 3:07 PM, Dave Crocker <dhc@xxxxxxxxxxxx> wrote:
>> The following mostly are points that I raised within the group's mailing
>> list discussion, during charter development.  In my view, they have not yet
>> been adequately resolved:
>>
>>
>> On 8/21/2013 10:52 AM, The IESG wrote:
>>>
>>>    Please send your comments to the IESG mailing list (iesg
>>> at ietf.org) by 2013-08-28.
>>
>> ...
>>>
>>> The STIR working group will specify Internet-based mechanisms that allow
>>> verification of the calling party's authorization to use a particular
>>> telephone number for an incoming call.
>>
>>
>> "use a particular telephone number for an incoming call" has no obvious and
>
> it'd actually be kind of nice if the focus was NOT on the (us)
> 10-digit "number", but instead on the 'identity' making the call.
> There's a real chance to move beyond the '10-digit number' and to some
> stronger, wider, richer sense of 'identity'... we should take that
> opportunity and run with it.
>
>> unambiguous technical meaning.  In fact, it seems to imply the meaning of
>> "authorization to call a particular number".  However of course that's not
>> the intended meaning.  Since this is the only text in this paragraph that
>> says what the working group will /do/ it should make its statement with
>> clarity and technical substance.
>>
>> That is, the charter needs to use a precise term for specifying the specific
>> role of the number of interest.  In earlier drafts, "caller id" was used.
>
> s/number/identity/
>
>> The next sentence uses "source telephone number".  Perhaps that is
>> acceptable.
>
> no... focus on 'telephone number' is broken. Hell, it's not even
> what's used in the phone system anyway... not really.
>
>>> Since it has  become fairly easy
>>> to present an incorrect source telephone number, a growing set of
>>> problems have emerged over the last decade.  As with email, the claimed
>>> source identity of a SIP request is not verified, permitting unauthorized
>>
>>
>> As a matter of form, I'll note the SIP's community's use of "identity" is
>> what is called "identifier" in the identity community.
>>
>> ...
>>
>>> As its priority mechanism work item, the working group will specify a SIP
>>
>>
>> Reference to work priority is only meaningful in the face of a list of tasks
>> that will be considered simultaneously and what it means to give priority to
>> one over another.  Based on the lengthy mailing list discussion of in-band
>> vs. out-of-band, it appears that the current charter is actually intended to
>> support simultaneous work on alternative mechanisms, rather than pursuing
>> them sequentially.
>>
>> This should be made explicit.  If the requirement is to work on them
>> sequentially, then state that.  If the intent is to work on both approaches
>> simultaneously, then say that.
>>
>> ...
>>
>>
>>> In addition to its priority mechanism work item, the working group will
>>> consider a mechanism for verification of the originator during session
>>> establishment in an environment with one or more non-SIP hops, most
>>> likely requiring an out-of-band authorization mechanism.  However, the
>>> in-band and the out-of-band mechanisms should share as much in common as
>>> possible, especially the credentials.  The in-band mechanism must be sent
>>> to the IESG for approval and publication prior to the out-of-band
>>> mechanism.
>>
>>
>> "in-band and the out-of-band mechanisms should share as much in common as
>> possible"
>>
>> This is the essential text that mandates working on both approaches
>> simultaneously and makes the earliet assertion about priority moot. (Note
>> how far down in the charter this is buried, yet how fundamental a
>> requirement is establishes.)
>>
>>
>> ...
>>
>>> Input to working group discussions shall include:
>>>
>>
>> That's a lengthy list of documents.  Why has it left out other documents
>> discussed during charter development and clearly of continuing interest to
>> the effort, namely:
>>
>>    A proposal for Caller Identity in a DNS-based Entrusted Registry
>>    (CIDER)
>>    draft-kaplan-stir-cider-00
>>
>>    An Identity Key-based and Effective Signature for Origin-Unknown
>>    Types
>>    draft-kaplan-stir-ikes-out-00
>>
>>
>> d/
>>
>>
>> --
>> Dave Crocker
>> Brandenburg InternetWorking
>> bbiw.net




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]