Minutes IETF118: stir: Fri 08:30
minutes-118-stir-202311100830-00

Meeting Minutes Secure Telephone Identity Revisited (stir) WG
Date and time 2023-11-10 08:30
Title Minutes IETF118: stir: Fri 08:30
State Active
Other versions markdown
Last updated 2023-11-30

minutes-118-stir-202311100830-00

HedgeDoc notes from IETF 118 STIR WG

Secure Telephony Identity Revisited

Chairs

  • Ben Campbell
  • Robert Sparks
  • Russ Housley

Agenda

1) Administrivia
- Agenda Bashing
- Minute Taker
- Jabber Scribe
- Bluesheets - Meetecho tool

2) Connected Identity for STIR
- Jon Peterson and Chris Wendt
- draft-ietf-stir-rfc4916-update-04
- Is this ready for WG Last Call?

3) Certificate Lifetimes
- Jon Peterson and Sean Turner
- draft-ietf-stir-certificates-ocsp-06
- Now with stapling!
- Ready for WGLC?
- draft-peterson-stir-certificates-shortlived-04
- Next Steps?

4) STIR+MLS
- Jon Peterson and Richard Barnes
- draft-peterson-stir-mls-00
- Next steps?

5) Any Other Business (if time permits)

Actions (note-taking by Simon Castle)

1) Administrivia

  • Change on the mailing list to draft-ietf-stir-servprovider-oob-05 to
    make it informational.
    • Proceeding to standards track.
    • No request for a seperate/restarted Last Call due to the change.

2) Connected Identity for STIR

  • New -04 version written following comments received post last WGLC.
  • Proposal to advance to IESG.

  • Robert Sparks

    • (Chair hat): poll for number of readers and implementers:
      low-to-none for both. Seems little interest.
    • (Non-chair hat): Thinks it's good, recommend it proceeds. IPPNI
      has started paying attention to it.

  • Chris Wendt and Sean Turner:

    • General consensus to progress to next stage.

3) Certificate Lifetimes

  • draft-ietf-stir-certificates-ocsp-06 and
    draft-peterson-stir-certs-shortlived-05 now both include stapling as
    options for their corresponding proposals (OCSP, short-lived
    certificates respectively).

    • For OCSP, proposing a new "stpl" element in PASSporT payload
    • Jon Peterson requesting some help getting a plausible example of
      a stapled OCSP response; Sean Turner working on this.
    • For short-lived, proposal is to carry the certificate chain in
      x5c in the PASSporT header
      • Effectively a "staple" but it's large!
      • Normative language included: Proposal is that this MUST be
        supported by compliant (to this extension) VS
        implementations, SHOULD be used by AS's when certs are
        shorter-lived than a week.
        • Looking for feedback on that threshold.
          • Chris Wendt: possibly larger than it needs to be,
            usual targets will be less than that
          • Ben Campbell: might be too large, maybe a day?
          • Chris Wendt: 1 day may be too low
          • Eric Rescorla: Are there actually current certs out
            there at less than a week? Responses: some, possibly
            more in the future. Could get as low as per-call.
          • Consensus in-meeting for 3 days (and still a SHOULD,
            not MUST)

  • Next steps

    • Fix stapling example in OCSP draft, then advance
    • Adopt the shortlived draft: no objection in the meeting, so will
      happen.

4) STIR+MLS

  • One approach: use Certs, using TnAuthLists

    • TnAuthList identification could be broken into seperate elements
      for SPC vs TNs
    • Feeling towards keeping them together
      • The extension allows for both together
      • Limited value for separation

  • Other approach: PASSporTs

    • Identify group members using 'orig' and possibly RCD content
    • 'mky' PASSporT claim can carry a hash over a public key used for
      MLS
    • PASSporT expiry would need to be handled carefully since message
      sessions can be long-lived
    • Eric Rescorla: This is effectively a delegate certificate
    • Chris Wendt: PASSporTs are a call-time thing
    • Concerns around key transparency but these might be a latter
      problem to resolve after getting further through initial
      approaches.
    • Next steps
    • Draft -00 put forward to get a general starting point

    • Want to decide if there's interest and a feeling towards an
      approach

      • 'Widespread agreement' of interest (5 thumbs up, 0 thumbs
        down)
      • Action item to call for adoption (after short-lived)

    • Still need to talk to MLS WG directly, probably some
      co-ordination needed there

    • Still lots to flesh out

      • Probably a lot of dependency on what MLS integration with
        RCS ends up looking like

    • Question about requiring how to handle trust history (identify
      that a message sent 9 months ago was valid at the time even if
      the certificate is invalid now)

      • Is this just a concern for the application server?

5) AOB

  • Kaliya Young

    • Interactions with Identity Woman
    • Is there an opportunity for future working between forms of
      online identification?
    • Russ Housley: There's specific requirements around getting
      phone-numbers and STIR gives guarantees about the phone number.
      Room for dialogue but fixed scope from STIR
    • Ben Campbell: recommend cross-participation through the mailing
      lists
    • Jon Peterson: Offering general F2F chat to cover ground-work.

  • Jon Peterson: request for STIR to not meet on Friday next time!