Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN)
draft-ietf-stir-passport-shaken-08

[Ballot comment]
Jon and I talked offline and came up with some text that I believe is mutually acceptable. In the interest of moving this forward, I am clearing my DISCUSS and trusting the AD to follow through with the new version.

[Ballot comment]
Thank you for resolving the copyright issues.

[Original ballot COMMENT section preserved below]

I am interested in seeing the resolution of discussion on Ekr's Discuss, but
will stick to that thread for such discussion.

Section 4

Am I reading this properly that the difference between 'A' and 'B' is that
in 'B' we don't have any information about the device that's originating
the call, just the identity of the user/customer?

[Ballot comment]
I echo Ben's "Yes assuming the Discusses can be resolved". It's about time we provided this capability!

I did have a couple of comments you might want to consider, along with anything else that pops up during IESG Evaluation.

"SHAKEN" isn't spelled out in either the title or Abstract - that would probably help almost all the readers of this document ...

I did find it odd that

  This indicator allows for both identifying the service provider that
  is vouching for the call as well as clearly indicating what
  information the service provider is attesting to.  The 'attest' claim
  can be one of the following three values: 'A', 'B', or 'C' as defined
  in [ATIS-1000074].

used "A", "B", and "C", instead of something like "F"(ull), "P"(artial), and "G"(ateway), because if you discover a need for a fourth value, it's not clear whether anyone would be assuming "A" < "B" < "C" ordering in their code, that would break if the fourth value was naturally between "A" and "B".  If you're sure no one but Spencer would be so dumb, that's a fine response ...

[Ballot comment]
I am balloting "Yes" because I want to see the anti-robocalling framework get deployed sooner than later. But I share some of the privacy concerns that have been raised by others. I will follow that conversation on the thread resulting from Ekr's DISCUSS.

Some additional comments:

*** Substantive Comments ***

§3: "The second claim is a unique origination identifier that should be
used by the service provider..."
Was that "should" meant as a "SHOULD"?

§4
- Some of the terminology in the definitions of the attestation types seems vague to me.  Does "authenticated relationship with the initiator" mean the same as "has authenticated the originator of the call"? Does "established a verified association with the calling party telephone number" mean the same as "verified that the calling party has the right to use the calling identity"? (The ATIS doc has more detailed explanations, which makes me wonder if it wouldn't have been better to just reference those definitions.)

- The type "C" description includes "Has no relationship with the initiator of the call (e.g.,
international gateways)" in the list of MUST conditions. Is it the intent that an operator can only use a Type C attestation if it does not have that relationship? That is, an operator that did have a relationship with the initiator of the call is not allowed to use a type C attestation to avoid disclosure of the relationship? (How would one test that?)

§10:
- As Alissa mentioned, the fact that similar information that might be gleaned from originid is carried in SIP is not very convincing. It's historically been common for operators to use SBCs to hide things like Record-Route and Via. (and I presume History-Info).

- Is originid required? Could an operator who had privacy concerns simply choose not to include it? (Maybe that operator has sufficient internal records to hunt down bad actors.)

- The ATIS doc talks about using the originid in type B attestations to track "reputation". I assume this sort of tracking could be done by parties other than the attesting operator? If so, I think that's worth some discussion.

*** Editorial Comments ***

- Abstract: Please expand SHAKEN in the abstract.

§1: Please expand VoIP, TDM, and SS7

[Ballot comment]
I support Eric's DISCUSS. In addition to points made by Benjamin in that thread, I think if this document is going to say that threats introduced by origids "already existed in SIP," it also needs to talk about expectations for usage of origids in cases were existing SIP features to support anonymous calling are in use. Presumably callers who enable such features may also not expect their calling patterns to be linkable.

[Ballot discuss]
A nontrivial amount of text in this document appears to have been taken from
https://access.atis.org/apps/group_public/download.php/32237/ATIS-1000074.pdf
which notes that "No part of this publication may be reproduced in any
form, in an electronic retrieval system or otherwise, without the prior
written permission of the publisher."  Do we have prior written permission
to duplicate such text?

[Ballot comment]
I am interested in seeing the resolution of discussion on Ekr's Discuss, but
will stick to that thread for such discussion.

Section 4

Am I reading this properly that the difference between 'A' and 'B' is that
in 'B' we don't have any information about the device that's originating
the call, just the identity of the user/customer?

[Ballot discuss]
Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D5207


I would like to discuss the privacy properties of origids. As I read
this text, it does not actually require them to be unlinkable or that
it not be possible to determine whether two ids represent the same
person behind the origid generator, and I believe it should do so.
Practically implementing that may require an ID that is longer than a
UUID.

[Ballot comment]

> 
>      This document extends PASSporT, which is a token object that conveys
>      cryptographically-signed information about the participants involved
>      in communications.  The extension is defined, corresponding to the
>      SHAKEN specification, to provide both a specific set of levels-of-
>      confidence to the correctness of the originating identity for a SIP

Nit: confidence of or confidence in



>      in communications.  The extension is defined, corresponding to the
>      SHAKEN specification, to provide both a specific set of levels-of-
>      confidence to the correctness of the originating identity for a SIP
>      based Communication Service Provider (CSP) telephone network
>      originated call as well as an identifier that allows the CSP to
>      uniquely identify the origination of the call within its network.

Nit: originator


S 1.
>      need to be accounted for where PASSporT signatures may represent
>      either direct or indirect call origination scenarios.  The SHAKEN
>      [ATIS-1000074] specification defines levels of attestation of the
>      origination of the call as well as an origination identifier that can
>      help create a unique association with the origination of calls from
>      various parts of the VoIP or TDM telephone network.  This document

I can't read this. What is the association between?


S 2.
>      capitals, as shown here.
> 
>      In addition, the following terms are used in this document:
> 
>      o  Verified association: is typically defined as an authenticated
>        relationship with a device that initiated a call, for example, a

relationship between the call and the device?


S 4.
> 
>      o  Has a direct authenticated relationship with the initiator of the
>        call and can identify the customer associated with the initiator.
> 
>      o  Has NOT established a verified association with the calling party
>        telephone number being used for the call.

For those who aren't; voice experts, can you give an example of when
this would happen?


S 10.
>      integrity protection and non-repudiation properties as the base
>      claims in the PASSporT.
> 
>  10.  Privacy Considerations
> 
>      As detailed in [RFC3261] Section 26, SIP messages inherently carry

Thanks for including this section.

Chris plans to produce an -05 version of the document based on feedback received so far. The document will go onto an IESG agenda as soon as the new version comes out.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-stir-passport-shaken-04. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete.

First, in the JSON Web Token Claims registry on the JSON Web Token (JWT) registry page located at

https://www.iana.org/assignments/jwt/

two new registrations are to be made

Claim Name: attest
Claim Description: Attestation level as defined in SHAKEN framework
Change Controller: IESG
Reference: [ RFC-to-be ]

Claim Name: origid
Claim Description: Originating Identifier as defined in SHAKEN
Change Controller: IESG
Reference: [ RFC-to-be ]

We understand that the three-week mailing list review for these registrations commenced on October 18th and should be completed by November 8th. We will ask the experts whether they can be approved more quickly.

Second, in the Personal Assertion Token (PASSporT) Extensions registry on the Personal Assertion Token (PASSporT) registry page located at

https://www.iana.org/assignments/passport/

a single new registration is to be made:

ppt value: shaken
Reference: [ RFC-to-be ]

As this document is requesting registration in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. As the designated expert is an author, we have sent a question to Adam Roach concerning this review.

The IANA Functions Operator understands that these are the only actions required upon document approval.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Amanda Baber
Lead IANA Services Specialist

The following Last Call announcement was sent out (ends 2018-11-02):

From: The IESG
To: IETF-Announce
CC: adam@nostrum.com, draft-ietf-stir-passport-shaken@ietf.org, stir@ietf.org, Robert Sparks , stir-chairs@ietf.org, rjsparks@nostrum.com
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (PASSporT SHAKEN Extension (SHAKEN)) to Proposed Standard


The IESG has received a request from the Secure Telephone Identity Revisited
WG (stir) to consider the following document: - 'PASSporT SHAKEN Extension
(SHAKEN)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2018-11-02. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  This document extends PASSporT, which is a token object that conveys
  cryptographically-signed information about the participants involved
  in communications, to include information defined as part of the
  SHAKEN specification from ATIS (Alliance for Telecommunications
  Industry Solutions) and the SIP Forum IP-NNI Joint Task Force.  These
  extensions provide a level of confidence in the correctness of the
  originating identity for a telephone network that has communications
  coming from both STIR participating originating communications as
  well as communications that does not include STIR information.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-stir-passport-shaken/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-stir-passport-shaken/ballot/


No IPR declarations have been submitted directly on this I-D.

> As required by RFC 4858, this is the current template for the Document
> Shepherd Write-Up.

>  Changes are expected over time. This version is dated 24 February 2012.

> (1) What type of RFC is being requested (BCP, Proposed Standard,
> Internet Standard, Informational, Experimental, or Historic)?  Why
> is this the proper type of RFC?  Is this type of RFC indicated in the
> title page header?

This document standardizes a use of PASSporTs, exercising its extension
mechanisms. Its intended status is Proposed Standard.

> (2) The IESG approval announcement includes a Document Announcement
> Write-Up. Please provide such a Document Announcement Write-Up. Recent
> examples can be found in the "Action" announcements for approved
> documents. The approval announcement contains the following sections:

Technical Summary

  This document extends PASSporT, which is a token object that conveys
  cryptographically-signed information about the participants involved
  in communications, to include information defined as part of the
  SHAKEN specification from ATIS (Alliance for Telecommunications
  Industry Solutions) and the SIP Forum IP-NNI Joint Task Force.  These
  extensions provide a level of confidence in the correctness of the
  originating identity for a telephone network that has communications
  coming from both STIR participating originating communications as
  well as communications that does not include STIR information.

Working Group Summary

  This document is a product of the STIR working group.

Document Quality

  There are implementations of this document.
  JWT claims registration review was requested 18 Oct 2018

Personnel

  Robert Sparks is the document shepherd.
  Adam Roach is the responsible area director.

> (3) Briefly describe the review of this document that was performed by
> the Document Shepherd.  If this version of the document is not ready
> for publication, please explain why the document is being forwarded to
> the IESG.

The shepherd reviewed this document, ran id-nits, and visually inspected
the example PASSporTs provided.

> (4) Does the document Shepherd have any concerns about the depth or
> breadth of the reviews that have been performed?

This document began WGLC in April 2018. Feedback from the group was
minimal. (The document is short and straightforward.)
One suggestion to use the compact form of PASSporT with
these claims was discussed at the STIR session at IETF 102. The
suggestion was rejected (in offline conversations), and the document
was updated to explicitly state that the use of the compact form of
PASSporT is not specified. The security considerations section was
added to the document very late in the process, but again, the document
is short and straightforward, and the security considerations are not
surprising.

> (5) Do portions of the document need review from a particular or from
> broader perspective, e.g., security, operational complexity, AAA, DNS,
> DHCP, XML, or internationalization? If so, describe the review that
> took place.

JWT claims registration review was requested 18 Oct 2018.
See


> (6) Describe any specific concerns or issues that the Document Shepherd
> has with this document that the Responsible Area Director and/or the
> IESG should be aware of? For example, perhaps he or she is uncomfortable
> with certain parts of the document, or has concerns whether there really
> is a need for it. In any event, if the WG has discussed those issues and
> has indicated that it still wishes to advance the document, detail those
> concerns here.

There are no such concerns outstanding,

> (7) Has each author confirmed that any and all appropriate IPR
> disclosures required for full conformance with the provisions of BCP 78
> and BCP 79 have already been filed. If not, explain why.

Each author has so confirmed.

> (8) Has an IPR disclosure been filed that references this document?
> If so, summarize any WG discussion and conclusion regarding the IPR
> disclosures.

There are no such disclosures filed.

> (9) How solid is the WG consensus behind this document? Does it
> represent the strong concurrence of a few individuals, with others
> being silent, or does the WG as a whole understand and agree with it?

The document is straighforward and has the consensus of the working
group, even if feedback has been minimal. 

> (10) Has anyone threatened an appeal or otherwise indicated extreme
> discontent? If so, please summarise the areas of conflict in separate
> email messages to the Responsible Area Director. (It should be in a
> separate email because this questionnaire is publicly available.)

No such indications have been made.

> (11) Identify any ID nits the Document Shepherd has found in this
> document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts
> Checklist). Boilerplate checks are not enough; this check needs to be
> thorough.

None.

> (12) Describe how the document meets any required formal review
> criteria, such as the MIB Doctor, media type, and URI type reviews.

See Item (5)

> (13) Have all references within this document been identified as
> either normative or informative?

Yes

> (14) Are there normative references to documents that are not ready for
> advancement or are otherwise in an unclear state? If such normative
> references exist, what is the plan for their completion?

No such references exist, but the IESG should note the normative
reference to the the ATIS/SIP Forum NNI Task Group document at
[ATIS-10000074]. The group believes this normative reference is
appropriate.

> (15) Are there downward normative references references (see RFC 3967)?
> If so, list these downward references to support the Area Director in
> the Last Call procedure.

No such references exist.

> (16) Will publication of this document change the status of any
> existing RFCs? Are those RFCs listed on the title page header, listed
> in the abstract, and discussed in the introduction? If the RFCs are not
> listed in the Abstract and Introduction, explain why, and point to the
> part of the document where the relationship of this document to the
> other RFCs is discussed. If this information is not in the document,
> explain why the WG considers it unnecessary.

This document does not attempt to change the status of any other document.


> (17) Describe the Document Shepherd's review of the IANA considerations
> section, especially with regard to its consistency with the body of the
> document. Confirm that all protocol extensions that the document makes
> are associated with the appropriate reservations in IANA registries.
> Confirm that any referenced IANA registries have been clearly
> identified. Confirm that newly created IANA registries include a
> detailed specification of the initial contents for the registry, that
> allocations procedures for future registrations are defined, and a
> reasonable name for the new registry has been suggested (see RFC 5226).

The IANA considerations section registers entries in two existing registries.
The registrations are straightforward, and the instructions are clear and
complete.

> (18) List any new IANA registries that require Expert Review for future
> allocations. Provide any public guidance that the IESG would find
> useful in selecting the IANA Experts for these new registries.

This document creates no registries.

> (19) Describe reviews and automated checks performed by the Document
> Shepherd to validate sections of the document written in a formal
> language, such as XML code, BNF rules, MIB definitions, etc.

No such formal language sections exist. The shepherd visually inspected
the example PASSporT objects