
Secure Telephone Identity Credentials: Certificates
draft-ietf-stir-certificates-18

Document history

Date Rev. By Action
2017-12-28
18 Tero Kivinen Closed request for Last Call review by SECDIR with state 'No Response'
2017-12-20
18 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2017-12-19
18 Cindy Morgan IESG state changed to RFC Ed Queue from Approved-announcement sent
2017-12-18
18 Sean Turner New version available: draft-ietf-stir-certificates-18.txt
2017-12-18
18 (System) New version approved
2017-12-18
18 (System) Request for posting confirmation emailed to previous authors: Jon Peterson, Sean Turner
2017-12-18
18 Sean Turner Uploaded new revision
2017-12-18
17 (System) IANA Action state changed to No IC from Waiting on RFC Editor
2017-12-18
17 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2017-12-15
17 (System) IANA Action state changed to Waiting on Authors from In Progress
2017-12-15
17 (System) IANA Action state changed to In Progress from RFC-Ed-Ack
2017-12-15
17 Cindy Morgan IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2017-12-15
17 Cindy Morgan IESG has approved the document
2017-12-15
17 Cindy Morgan Closed "Approve" ballot
2017-12-15
17 Cindy Morgan Ballot approval text was generated
2017-12-15
17 Cindy Morgan Ballot writeup was changed
2017-12-14
17 Cindy Morgan IESG state changed to Approved-announcement to be sent::Revised I-D Needed from Waiting for AD Go-Ahead
2017-12-14
17 (System) IANA Review state changed to Version Changed - Review Needed from IANA - Not OK
2017-12-14
17 Sean Turner New version available: draft-ietf-stir-certificates-17.txt
2017-12-14
17 (System) New version approved
2017-12-14
17 (System) Request for posting confirmation emailed to previous authors: Jon Peterson, Sean Turner
2017-12-14
17 Sean Turner Uploaded new revision
2017-12-14
16 Alexey Melnikov [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov
2017-12-13
16 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2017-12-13
16 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2017-12-13
16 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2017-12-13
16 Eric Rescorla [Ballot comment]
Removing my discuss based on conversations with the authors
2017-12-13
16 Eric Rescorla [Ballot Position Update] Position for Eric Rescorla has been changed to No Objection from Discuss
2017-12-13
16 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2017-12-13
16 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2017-12-13
16 Amanda Baber IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2017-12-13
16 Warren Kumari [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari
2017-12-13
16 Kathleen Moriarty
[Ballot comment]
Thanks for your work on this draft! 

NIT: Section 4, bullet 4, RFC8017 is PKCS #1 v2.2, not v1.5.
There are some other mentions of v1.5, did you mean that or 2.2?  2.2 fixes a few problems, so I was glad to see that reference.
2017-12-13
16 Kathleen Moriarty [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty
2017-12-13
16 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2017-12-13
16 Ben Campbell [Ballot Position Update] New position, Yes, has been recorded for Ben Campbell
2017-12-12
16 Eric Rescorla
[Ballot discuss]
  national policies.  The count field is only applicable to start
  fields' whose values do not include "*" or "#" (i.e., a
  TelephoneNumber that does not include "*" or "#").  count never
  overflows a TelephoneNumber digit boundary (i.e., a
  TelephoneNumberRange with TelephoneNumber=10 with a count=91 will
  address numbers 10-99).

This text doesn't seem very clear. When you say "never overflows a digit
boundary" do you mean "doesn't extend the integer to the left"? Because
you sure seem to be overflowing the 1s place here.

Is the algorithm that you are given the input TN, Count, and TN
consists of D digits that the range is:

  MIN(TN + Count, 10^D - 1)

That would be consistent with your example here, but I don't think consistent
with your text. Or do you mean something else?
2017-12-12
16 Eric Rescorla [Ballot Position Update] New position, Discuss, has been recorded for Eric Rescorla
2017-12-12
16 Alissa Cooper [Ballot Position Update] New position, Yes, has been recorded for Alissa Cooper
2017-12-12
16 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2017-12-09
16 (System) IANA Review state changed to Version Changed - Review Needed from IANA - Not OK
2017-12-09
16 Sean Turner New version available: draft-ietf-stir-certificates-16.txt
2017-12-09
16 (System) New version approved
2017-12-09
16 (System) Request for posting confirmation emailed to previous authors: Jon Peterson, Sean Turner
2017-12-09
16 Sean Turner Uploaded new revision
2017-11-30
15 (System) RFC Editor state changed to AUTH48 from IESG
2017-11-30
15 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2017-11-26
15 Sheng Jiang Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Sheng Jiang. Sent review to list.
2017-11-21
15 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Sheng Jiang
2017-11-21
15 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Sheng Jiang
2017-11-18
15 Tero Kivinen Request for Last Call review by SECDIR is assigned to Klaas Wierenga
2017-11-18
15 Tero Kivinen Request for Last Call review by SECDIR is assigned to Klaas Wierenga
2017-11-16
15 Joel Halpern Request for Last Call review by GENART Completed: Ready. Reviewer: Joel Halpern. Sent review to list.
2017-11-16
15 (System) IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2017-11-16
15 Amanda Baber
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-stir-certificates-15. If any part of this review is inaccurate, please let us know.

We understand that upon approval of this document, we'll need to update existing references in the registries and complete one new action. However, we have a question about the new action. Please see below.

First, upon approval of this document, for the registrations added to https://www.iana.org/assignments/smi-numbers after this document was initially approved (see Section 11.1), we will update the references to point to the document's most recent version number.

Second, upon approval of this document, we will add the following registration to http://www.iana.org/assignments/media-types:

application/tnauthlist  [RFC-to-be]

QUESTION: The template provided in Section 11.2 doesn't include the "Fragment Identifier considerations" or "Deprecated alias names for this type" fields that were added to the media type template in RFC 6838 (https://tools.ietf.org/html/rfc6838#section-5.6). Do these fields need to be added?

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Amanda Baber
Lead IANA Services Specialist
2017-11-16
15 Jean Mahoney Request for Last Call review by GENART is assigned to Joel Halpern
2017-11-16
15 Jean Mahoney Request for Last Call review by GENART is assigned to Joel Halpern
2017-11-16
15 (System) RFC Editor state changed to IESG from AUTH48
2017-11-16
15 Adam Roach Ballot has been issued
2017-11-16
15 Adam Roach [Ballot Position Update] New position, Yes, has been recorded for Adam Roach
2017-11-16
15 Adam Roach Created "Approve" ballot
2017-11-16
15 Adam Roach Ballot writeup was changed
2017-11-16
15 Adam Roach Telechat date has been changed to 2017-12-14 from 2016-11-03
2017-11-16
15 Cindy Morgan
The following Last Call announcement was sent out (ends 2017-11-30):

From: The IESG
To: IETF-Announce
CC: adam@nostrum.com, stir@ietf.org, Robert Sparks, draft-ietf-stir-certificates@ietf.org, stir-chairs@ietf.org, rjsparks@nostrum.com, br@brianrosen.net
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call: Changes to  (Secure Telephone Identity Credentials: Certificates) to Proposed Standard


The IESG has received a request from the Secure Telephone Identity Revisited
WG (stir) to consider changes to the following document:

- 'Secure Telephone Identity Credentials: Certificates'
  as Proposed Standard

An earlier version of this document has already been approved for publication
by the IESG. Subsequent to such approval, the STIR working group identified a
small number of critically important omissions in the document, which this
version addresses. This IETF last call is intended to solicit comments solely
on the changes between the approved version and the current version. These
changes can be found at:

https://www.ietf.org/rfcdiff?url1=https://www.rfc-editor.org/authors/rfc8226.txt&url2=draft-ietf-stir-certificates-15


The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the ietf@ietf.org
mailing lists by 2017-11-30. Exceptionally, comments may be sent to
iesg@ietf.org instead. In either case, please retain the beginning of the
Subject line to allow automated sorting.

Abstract

  In order to prevent the impersonation of telephone numbers on the
  Internet, some kind of credential system needs to exist that
  cryptographically asserts authority over telephone numbers.  This
  document describes the use of certificates in establishing authority
  over telephone numbers, as a component of a broader architecture for
  managing telephone numbers as identities in protocols like SIP.


The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/

The changes that are under review can be obtained via:
https://www.ietf.org/rfcdiff?url1=https://www.rfc-editor.org/authors/rfc8226.txt&url2=draft-ietf-stir-certificates-15

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc7093: Additional Methods for Generating Key Identifiers Values (Informational - Independent Submission Editor stream)
    rfc3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 (Informational - IETF stream)
    rfc5912: New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) (Informational - IETF stream)
Note that rfc8017 and rfc5912 are already listed in the acceptable Downref Registry.
2017-11-16
15 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2017-11-16
15 Adam Roach Last call was requested
2017-11-16
15 Adam Roach IESG state changed to Last Call Requested from AD Evaluation
2017-11-16
15 Adam Roach Last call announcement was changed
2017-11-16
15 Adam Roach Last call announcement was generated
2017-11-16
15 Adam Roach Running some changes through IETF LC again, per WG discussion.
2017-11-16
15 Adam Roach IESG state changed to AD Evaluation from RFC Ed Queue
2017-11-15
15 Sean Turner New version available: draft-ietf-stir-certificates-15.txt
2017-11-15
15 (System) New version approved
2017-11-15
15 (System) Request for posting confirmation emailed to previous authors: Jon Peterson, Sean Turner
2017-11-15
15 Sean Turner Uploaded new revision
2017-07-31
14 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2017-07-17
14 (System) RFC Editor state changed to RFC-EDITOR from REF
2017-07-12
14 (System) RFC Editor state changed to REF from AUTH
2017-07-07
14 (System) RFC Editor state changed to AUTH from EDIT
2017-06-02
14 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2017-06-02
14 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2017-06-02
14 (System) IANA Action state changed to Waiting on Authors from In Progress
2017-06-02
14 (System) IANA Action state changed to In Progress from Waiting on Authors
2017-06-01
14 (System) IANA Action state changed to Waiting on Authors from In Progress
2017-05-30
14 (System) IANA Action state changed to In Progress
2017-05-30
14 (System) RFC Editor state changed to EDIT
2017-05-30
14 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2017-05-30
14 (System) Announcement was received by RFC Editor
2017-05-30
14 Cindy Morgan IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2017-05-30
14 Cindy Morgan IESG has approved the document
2017-05-30
14 Cindy Morgan Closed "Approve" ballot
2017-05-30
14 Cindy Morgan Ballot approval text was generated
2017-05-30
14 Cindy Morgan Ballot writeup was changed
2017-05-30
14 Adam Roach IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2017-05-30
14 Adam Roach Ballot approval text was changed
2017-05-30
14 Adam Roach RFC Editor Note was changed
2017-05-30
14 Adam Roach RFC Editor Note was changed
2017-05-30
14 Adam Roach RFC Editor Note for ballot was generated
2017-05-30
14 Adam Roach RFC Editor Note for ballot was generated
2017-05-09
14 Sean Turner New version available: draft-ietf-stir-certificates-14.txt
2017-05-09
14 (System) New version approved
2017-05-09
14 (System) Request for posting confirmation emailed to previous authors: Jon Peterson, Sean Turner
2017-05-09
14 Sean Turner Uploaded new revision
2017-05-03
13 Alissa Cooper Shepherding AD changed to Adam Roach
2017-03-27
13 Jon Peterson New version available: draft-ietf-stir-certificates-13.txt
2017-03-27
13 (System) New version approved
2017-03-27
13 (System) Request for posting confirmation emailed to previous authors: Jon Peterson, Sean Turner
2017-03-27
13 Jon Peterson Uploaded new revision
2017-03-23
12 Alexey Melnikov
[Ballot comment]
Thank you for addressing my DISCUSS. The latest revision has introduced some minor errors which I don't think are intentional:

8.  JWT Claim Constraints Syntax

  The subjects of certificates containing the JWT Claim Constraints
  certificate extension are specifies values for PASSporT claims that
  are permitted, values for PASSporT claims that are excluded, or both.
  The syntax of these claims is given in PASSporT; specifying new
  claims follows the procedures in [I-D.ietf-stir-passport]
  (Section 8.3).  When a verifier is validating PASSporT claims, the
  JWT claim MUST contain permitted values, and MUST NOT contain
  excluded values.  The non-critical JWT Claim Constraints certificate
  extension is included in the extension field of end entity
  certificates [RFC5280].  The extension is defined with ASN.1
  [X.680][X.681][X.682] [X.683].

The above text lists "excluded" claims several times, but you removed excluded from the ASN.1:

    JWTClaimConstraint ::= SEQUENCE {
      claim IA5String,
      permitted SEQUENCE OF IA5String
          }

So I think the text needs to be edited to be correct or you need to fix the ASN.1

In Section 9:

ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF
  IA%String

Typo: IA5String
2017-03-23
12 Alexey Melnikov [Ballot Position Update] Position for Alexey Melnikov has been changed to No Objection from Discuss
2017-03-21
12 Robert Sparks Added to session: IETF-98: stir  Thu-0900
2017-03-14
12 Stephen Farrell
[Ballot comment]

Thanks for handling my discuss points, esp about cert
status. I think it'd be great if STIR prompted work to
ensure better privacy for OCSP transactions as that'd
be a useful mechanism (in addition to stapling) so I
hope that the further work envisaged here happens
in the not too distant future.
2017-03-14
12 Stephen Farrell [Ballot Position Update] Position for Stephen Farrell has been changed to No Objection from Discuss
2017-03-13
12 (System) Sub state has been changed to AD Followup from Revised ID Needed
2017-03-13
12 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2017-03-13
12 Jon Peterson New version available: draft-ietf-stir-certificates-12.txt
2017-03-13
12 (System) New version approved
2017-03-13
12 (System) Request for posting confirmation emailed to previous authors: Jon Peterson, Sean Turner
2017-03-13
12 Jon Peterson Uploaded new revision
2017-01-25
11 Stephen Farrell
[Ballot discuss]

Sorry but I have a load of discuss points on this one. I don't
think any of 'em are that hard though, except maybe one. (I'll let
us all guess which one:-)

(1) TN auth list services - IIUC, these are not free today.  Is
that correct?  It's not clear to me that alternatives such as
listing all good numbers inside a cert are practical.  Did the WG
have an explicit consensus that building in a requirement to have
verifiers pay to be an effective RP is ok?  If so, can you send a
pointer to the list archive or minutes where that was agreed. If
not, don't the WG need to explicitly ok that?

(2) section 8: you need to say more clearly exactly what the
IA5String values in the extension map to in the JWT. I assume it's
the field names but you don't say. You need to say if this
extension can or needs to be critical.

(3) section 9: you need to say whether this extension needs to be
or can be critical and where in the cert path it's allowed to be
and how to interpret things if >1 cert in the path has this
extension (if that's allowed, and if it is, then complexity awaits
us;-).

(4) section 10: you need to pick one MTI method I think. Why is
that wrong? You nearly, but not quite, do. Why not just do it?

(5) section 10: don't you need to somehow define "short-lived"?
That could be defined as an RP-configurable value, but even if so,
I think you need to say that. Even if you do that, I'm not sure
that an RP-configured value is right as short-lived certs, vs.
not, puts a different burden on the signer and if the signer and
RP have different ideas of what short-lived means, then interop
failures seem likely. Bottom line for this point: what's a short
lived cert?

(6) section 10: as with short-lived, don't you need to define HVE?

(7) section 10.2.1: Can OCSP be made to use HTTPS here?  If not, then
you have the RP sending out the caller's TN in clear.  That seems
bad (cf. BCP188). Did the WG consider that? If this spec needs
OCSP/HTTPs then I think you need to have a new MUST for that (it's
uncommon or maybe never done?) and address the potential bootstrap
issues. (But I didn't think those through - did the WG?)

(new) moving this from 4474bis draft where it used to be - the
authors say they want to fix it here:

I think the ABNF conflicts with the E164Number definition
in the 4474bis draft.
2017-01-25
11 Stephen Farrell Ballot discuss text updated for Stephen Farrell
2016-11-08
11 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'No Response'
2016-11-07
11 Robert Sparks Added to session: IETF-97: stir  Wed-0930
2016-11-03
11 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2016-11-03
11 Amanda Baber IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed
2016-11-02
11 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2016-11-02
11 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2016-11-02
11 Stephen Farrell
[Ballot discuss]

Sorry but I have a load of discuss points on this one. I don't
think any of 'em are that hard though, except maybe one. (I'll let
us all guess which one:-)

(1) TN auth list services - IIUC, these are not free today.  Is
that correct?  It's not clear to me that alternatives such as
listing all good numbers inside a cert are practical.  Did the WG
have an explicit consensus that building in a requirement to have
verifiers pay to be an effective RP is ok?  If so, can you send a
pointer to the list archive or minutes where that was agreed. If
not, don't the WG need to explicitly ok that?

(2) section 8: you need to say more clearly exactly what the
IA5String values in the extension map to in the JWT. I assume it's
the field names but you don't say. You need to say if this
extension can or needs to be critical.

(3) section 9: you need to say whether this extension needs to be
or can be critical and where in the cert path it's allowed to be
and how to interpret things if >1 cert in the path has this
extension (if that's allowed, and if it is, then complexity awaits
us;-).

(4) section 10: you need to pick one MTI method I think. Why is
that wrong? You nearly, but not quite, do. Why not just do it?

(5) section 10: don't you need to somehow define "short-lived"?
That could be defined as an RP-configurable value, but even if so,
I think you need to say that. Even if you do that, I'm not sure
that an RP-configured value is right as short-lived certs, vs.
not, puts a different burden on the signer and if the signer and
RP have different ideas of what short-lived means, then interop
failures seem likely. Bottom line for this point: what's a short
lived cert?

(6) section 10: as with short-lived, don't you need to define HVE?

(7) section 10.2.1: Can OCSP be made to use HTTPS here?  If not, then
you have the RP sending out the caller's TN in clear.  That seems
bad (cf. BCP188). Did the WG consider that? If this spec needs
OCSP/HTTPs then I think you need to have a new MUST for that (it's
uncommon or maybe never done?) and address the potential bootstrap
issues. (But I didn't think those through - did the WG?)
2016-11-02
11 Stephen Farrell
[Ballot comment]

General - So a passport structure or SIP message can have a URI
for the cert. And the cert can have URLs for OCSP and AIA and for
a TN download service. That's potentially an awful lot of comms
out of the RP to do STIR. Has someone put all that together into a
usable assembly? If so, where's that documented? (To be open about
it, I was more of a fan of the DKIM starting point for this work,
but that's really just opinion, so this is definitely a
non-blocking comment.  I'd still be interested in an answer
though.)

- section 5: "Assignees of E.164 numbering resources participating
in this enrollment model should take appropriate steps to
establish trust anchors." That's ambiguous. Do you mean they
should establish a list of other folk's public keys they trust or
that they should generate their key pair and get their public key
on other folk's list of trust anchors?

- section 7: What's the REQUIRED for EST about? That just seems
wrong.

- section 10: SCVP? Really? Does anyone do that? I'd say get rid
of that text, it'll only cause grief.

- section 10: "CRLs are an obviously attractive solution" hmm -
s/obviously/initially/ would seem more accurate.

- 10.2: last two paras are speculative - do they belong in a spec
like this? If so, maybe re-word 'em so that they're not going to
confuse an implementer?
2016-11-02
11 Stephen Farrell [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell
2016-11-02
11 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2016-11-02
11 Kathleen Moriarty
[Ballot comment]
Introduction: nit,
  Robocallers use impersonation as a means
  of obscuring identity; while robocallers can, in the ordinary PSTN,
  block (that is, withhold) their caller identity, callees are less
  likely to pick up calls from blocked identities, and therefore
  appearing to calling from some number, any number, is preferable.

s/appearing to calling/appearing to call/

Section 10.2.1:
I'm wondering why SHA-1 is described as follows instead of discouraged/not allowed ...
o  There is no requirement to support SHA-1, RSA with SHA-1, or DSA
      with SHA-1.

I don't see any references to RFCs that update RFC5280, like RFC6818.  It would be good to include these since 5280 is used for revocation methods mentioned.  6818 is for CRLs.
2016-11-02
11 Kathleen Moriarty Ballot comment text updated for Kathleen Moriarty
2016-11-02
11 Ben Campbell [Ballot Position Update] New position, Yes, has been recorded for Ben Campbell
2016-11-02
11 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2016-11-02
11 Kathleen Moriarty
[Ballot comment]
Introduction: nit,
  Robocallers use impersonation as a means
  of obscuring identity; while robocallers can, in the ordinary PSTN,
  block (that is, withhold) their caller identity, callees are less
  likely to pick up calls from blocked identities, and therefore
  appearing to calling from some number, any number, is preferable.

s/appearing to calling/appearing to call/

Section 10.2.1:
I'm wondering why SHA-1 is described as follows instead of discouraged/not allowed ...
o  There is no requirement to support SHA-1, RSA with SHA-1, or DSA
      with SHA-1.

I don't see any references to RFCs that update RFC5280, like RFC6818.  It would be good to include these when 5280 is used for revocation methods mentioned.  6818 is for CRLs.
2016-11-02
11 Kathleen Moriarty [Ballot Position Update] New position, No Objection, has been recorded for Kathleen Moriarty
2016-11-02
11 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2016-11-02
11 Ralph Droms Request for Last Call review by GENART Completed: Ready. Reviewer: Ralph Droms.
2016-11-02
11 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2016-11-01
11 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2016-11-01
11 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2016-11-01
11 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2016-11-01
11 Alexey Melnikov
[Ballot discuss]
I have one small issue that I would like to discuss before recommending approval of this document:

Reading Section 8 I was unable to figure out what are "claim", "permitted" and "excluded" and what exact syntaxes they use. I think this is underspecified.
You are probably missing some references, examples or both.
2016-11-01
11 Alexey Melnikov [Ballot comment]
URI (RFC 3986), HTTP (RFC 7230) and HTTPS (RFC 2818) need to be Normative References.
2016-11-01
11 Alexey Melnikov [Ballot Position Update] New position, Discuss, has been recorded for Alexey Melnikov
2016-11-01
11 Alissa Cooper IESG state changed to IESG Evaluation from Waiting for Writeup
2016-11-01
11 Alissa Cooper Ballot has been issued
2016-11-01
11 Alissa Cooper [Ballot Position Update] New position, Yes, has been recorded for Alissa Cooper
2016-11-01
11 Alissa Cooper Created "Approve" ballot
2016-11-01
11 Alissa Cooper Ballot writeup was changed
2016-11-01
11 (System) IESG state changed to Waiting for Writeup from In Last Call
2016-10-31
11 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2016-10-31
11 Jon Peterson New version available: draft-ietf-stir-certificates-11.txt
2016-10-31
11 (System) New version approved
2016-10-31
10 (System) Request for posting confirmation emailed to previous authors: "Sean Turner", "Jon Peterson"
2016-10-31
10 Jon Peterson Uploaded new revision
2016-10-28
10 Sabrina Tanamal IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2016-10-27
10 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2016-10-27
10 Sabrina Tanamal
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-stir-certificates-10.txt. If any part of this review is inaccurate, please let us know.

Upon approval of this document, we understand that there are four registry actions to complete.

First, in the SMI Security for PKIX Certificate Extension subregistry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry located at:

http://www.iana.org/assignments/smi-numbers/

two new values are to be registered as follows:

Decimal: [ TBD-at-registration ]
Description: id-ce-TNAuthList
Reference: [ RFC-to-be ]

Decimal: [ TBD-at-registration ]
Description: id-ce-JWTClaimConstraints
Reference: [ RFC-to-be ]

As this is an Expert Review (see RFC 5226) registry, we will initiate the required review via a separate request. Approval by the expert is required for registration. 

Second, in the SMI Security for PKIX Online Certificate Status Protocol (OCSP) subregistry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry located at:

http://www.iana.org/assignments/smi-numbers/

a single new value is to be registered as follows:

Decimal: [ TBD-at-registration ]
Description: id-pkix-ocsp-stir-tn
Reference: [ RFC-to-be ]

Again, as this is an Expert Review (see RFC 5226) registry, we will initiate the required review via a separate request. Approval by the expert is required for registration. 

Third, in the SMI Security for PKIX Access Descriptor subregistry of the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry located at:

http://www.iana.org/assignments/smi-numbers/

a single new value is to be registered as follows:

Decimal: [ TBD-at-registration ]
Description: id-ad-stir-tn
Reference: [ RFC-to-be ]

Once again, expert review is required.

Fourth, in the SMI Security for PKIX Module Identifier also in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry located at:

http://www.iana.org/assignments/smi-numbers/

a single new value is to be registered as follows:

Decimal: [ TBD-at-registration ]
Description: id-mod-tn-module
Reference: [ RFC-to-be ]

Once again, expert review is required.

We understand that these are the only actions required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI
2016-10-27
10 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Klaas Wierenga.
2016-10-22
10 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Warren Kumari
2016-10-22
10 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Warren Kumari
2016-10-20
10 Jean Mahoney Request for Last Call review by GENART is assigned to Ralph Droms
2016-10-20
10 Jean Mahoney Request for Last Call review by GENART is assigned to Ralph Droms
2016-10-20
10 Tero Kivinen Request for Last Call review by SECDIR is assigned to Klaas Wierenga
2016-10-20
10 Tero Kivinen Request for Last Call review by SECDIR is assigned to Klaas Wierenga
2016-10-18
10 Cindy Morgan IANA Review state changed to IANA - Review Needed
2016-10-18
10 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: alissa@cooperw.in, stir@ietf.org, "Robert Sparks" , draft-ietf-stir-certificates@ietf.org, stir-chairs@ietf.org, rjsparks@nostrum.com
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Secure Telephone Identity Credentials: Certificates) to Proposed Standard


The IESG has received a request from the Secure Telephone Identity
Revisited WG (stir) to consider the following document:
- 'Secure Telephone Identity Credentials: Certificates'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-11-01. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  In order to prevent the impersonation of telephone numbers on the
  Internet, some kind of credential system needs to exist that
  cryptographically asserts authority over telephone numbers.  This
  document describes the use of certificates in establishing authority
  over telephone numbers, as a component of a broader architecture for
  managing telephone numbers as identities in protocols like SIP.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-stir-certificates/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc7093: Additional Methods for Generating Key Identifiers Values (Informational - Independent Submission Editor stream)
    rfc3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 (Informational - IETF stream)
    rfc5912: New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) (Informational - IETF stream)
Note that rfc3447 and rfc5912 are already listed in the acceptable Downref Registry.


2016-10-18
10 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2016-10-18
10 Alissa Cooper Last call was requested
2016-10-18
10 Alissa Cooper Ballot approval text was generated
2016-10-18
10 Alissa Cooper Ballot writeup was generated
2016-10-18
10 Alissa Cooper IESG state changed to Last Call Requested from Publication Requested
2016-10-18
10 Alissa Cooper Last call announcement was changed
2016-10-18
10 Robert Sparks
1. Summary

draft-ietf-stir-certificates defines a protocol and is intended for publication
as Proposed Standard. From the abstract:

  In order to prevent the impersonation of telephone numbers on the
  Internet, some kind of credential system needs to exist that
  cryptographically asserts authority over telephone numbers.  This
  document describes the use of certificates in establishing authority
  over telephone numbers, as a component of a broader architecture for
  managing telephone numbers as identities in protocols like SIP.

This document is a component of a toolset for combating robocalling. In the
US, the FCC is applying significant pressure to the industry to deter
robocalling (with deadlines in the last part of 2016). An industry-led strike
force is moving towards deployment of a solution that uses that toolset. The
ATIS/SIP Forum IPNNI Task Force's SHAKEN solution relies on the toolset defined
by STIR and profiles it for deployment in the North American market.

2. Review and Consensus

This document has undergone heavy review. Interoperability testing at the SIPit
in September identified issues leading to the introduction of the JWT Claim
Constraints, shifting where LOA assertions are made.

The document suite has been through three working group last calls, the third
of which was abbreviated to one week. The first last call stimulated
significant discussion, some of which was heated.

3. Intellectual Property

The authors have each confirmed that any IPR they are aware of has been
disclosed. There are no IPR disclosures currently registered for this document.

4. Other Points

There are three normative downreferences. Two (3447 and 5912) are
already in the downref registry. The other, 7093, should be called out in
IETF-LC.

The document provides an ASN.1 module. The module was verified by Russ Housley
and Sean Turner.

The document requires several actions from IANA. They are concretely described
in the document text. Note that the group intended to request pre-allocation of
a few of the codepoints discussed there, but the pre-allocation request was not
made.

2016-10-18
10 Robert Sparks Responsible AD changed to Alissa Cooper
2016-10-18
10 Robert Sparks IETF WG state changed to Submitted to IESG for Publication from In WG Last Call
2016-10-18
10 Robert Sparks IESG state changed to Publication Requested
2016-10-18
10 Robert Sparks IESG process started in state Publication Requested
2016-10-18
10 Robert Sparks Intended Status changed to Proposed Standard from None
2016-10-18
10 Robert Sparks Changed document writeup
2016-10-18
10 Robert Sparks Notification list changed to "Robert Sparks" <rjsparks@nostrum.com>
2016-10-18
10 Robert Sparks Document shepherd changed to Robert Sparks
2016-10-18
10 Jon Peterson New version available: draft-ietf-stir-certificates-10.txt
2016-10-18
10 (System) New version approved
2016-10-18
09 (System) Request for posting confirmation emailed to previous authors: "Sean Turner" , "Jon Peterson"
2016-10-18
09 Jon Peterson Uploaded new revision
2016-10-18
09 Alissa Cooper Changed consensus to Yes from Unknown
2016-10-18
09 Alissa Cooper Placed on agenda for telechat - 2016-11-03
2016-10-06
09 Jon Peterson New version available: draft-ietf-stir-certificates-09.txt
2016-10-06
09 (System) New version approved
2016-10-06
08 (System) Request for posting confirmation emailed to previous authors: "Sean Turner" , "Jon Peterson"
2016-10-06
08 Jon Peterson Uploaded new revision
2016-09-09
08 Jon Peterson New version available: draft-ietf-stir-certificates-08.txt
2016-07-22
07 Russ Housley
A two week WG Last Call for the STIR Certificates document started on 13 July 2016, and it will end on 27 July 2016.  Ideally major concerns will be raised quickly so that they can be tackled during IETF 96.
2016-07-22
07 Russ Housley IETF WG state changed to In WG Last Call from WG Document
2016-07-08
07 Sean Turner New version available: draft-ietf-stir-certificates-07.txt
2016-07-07
06 Robert Sparks Added to session: IETF-96: stir  Tue-1400
2016-07-06
06 Sean Turner New version available: draft-ietf-stir-certificates-06.txt
2016-06-25
05 Sean Turner New version available: draft-ietf-stir-certificates-05.txt
2016-05-27
04 Russ Housley Added to session: interim-2016-stir-1
2016-05-26
04 Jon Peterson New version available: draft-ietf-stir-certificates-04.txt
2016-03-21
03 Robert Sparks Added to session: IETF-95: stir  Thu-1620
2016-03-21
03 Jon Peterson New version available: draft-ietf-stir-certificates-03.txt
2015-07-06
02 Jon Peterson New version available: draft-ietf-stir-certificates-02.txt
2015-03-25
01 Sean Turner New version available: draft-ietf-stir-certificates-01.txt
2014-10-23
00 Jon Peterson New version available: draft-ietf-stir-certificates-00.txt