Technical Summary
RFC 8226 specifies the use of certificates for Secure Telephone
Identity Credentials, and these certificates are often called "STIR
Certificates". RFC 8226 provides a certificate extension to
constrain the JSON Web Token (JWT) claims that can be included in the
Personal Assertion Token (PASSporT) as defined in RFC 8225. If the
PASSporT signer includes a JWT claim outside the constraint
boundaries, then the PASSporT recipient will reject the entire
PASSporT. This document updates RFC 8226 to define an additional way
that the JWT claims can be constrained.
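
The recipient-side check described above, as an added example (it is not part of this write-up or of the author's pyasn1-modules code). It assumes the certificate extension has already been parsed into a dict keyed by RFC 8226's `mustInclude` and `permittedValues` fields, and it uses a constructed, unsigned token with a hypothetical `confidence` claim; signature and certificate-path validation are out of scope.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def passport_claims(compact_jwt: str) -> dict:
    # Extract the payload claims from a compact-form token (header.payload.signature).
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def check_constraints(claims: dict, constraints: dict) -> list:
    # Return every violation found; an empty list means the claims are in bounds.
    violations = []
    for name in constraints.get("mustInclude", []):
        if name not in claims:
            violations.append(f"missing required claim {name!r}")
    for name, allowed in constraints.get("permittedValues", {}).items():
        # permittedValues only applies when the claim is actually present.
        if name in claims and claims[name] not in allowed:
            violations.append(f"claim {name!r} is outside the permitted values")
    return violations

def accept_passport(compact_jwt: str, constraints: dict) -> bool:
    # Any violation, or an unparseable token, rejects the entire PASSporT.
    try:
        claims = passport_claims(compact_jwt)
    except ValueError:  # also covers base64, UTF-8 and JSON decoding errors
        return False
    return not check_constraints(claims, constraints)

def b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample(claims: dict) -> str:
    # Constructed sample token; the third segment is a placeholder, not a signature.
    return ".".join([b64url_encode({"alg": "ES256", "typ": "passport"}),
                     b64url_encode(claims), "c2ln"])

# Constructed sample data (fictitious 555-01xx numbers, hypothetical claim name).
BASE = {"iat": 1600000000, "orig": {"tn": "12025550100"},
        "dest": {"tn": ["12025550101"]}}
CONSTRAINTS = {"mustInclude": ["confidence"],
               "permittedValues": {"confidence": ["high", "medium"]}}
```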
Working Group Summary
The draft was generally well supported and non-controversial. A previous version of the draft also included an "excludeValues" option to indicate disallowed claim values. This option was removed after WGLC discussion suggested that it would be easily circumvented for claims with free-form values and not needed for claims with enumerated values. The removal resulted in a second WGLC.
No appeals or other friction are anticipated.
Document Quality
The author has implemented a module for the open source pyasn1-modules library. The RFC that this updates is currently implemented in a number of voice carrier networks, and is in fact a regulatory requirement for US carriers as part of the FCC anti-robocalling initiative.
One version or another was reviewed by several people, including the authors of RFC 8226 and your humble document shepherd. The removal of "excludeValues" resulted from list discussion triggered by WGLC comments. This change resulted in a second WGLC.
There has been no external expert review at the time of this report.
Personnel
Ben Campbell is the document shepherd.
Murray Kucherawy is the responsible Area Director.