Minutes IETF118: stir: Fri 08:30
minutes-118-stir-202311100830-00
| Meeting Minutes | Secure Telephone Identity Revisited (stir) WG |
|---|---|
| Date and time | 2023-11-10 08:30 |
| Title | Minutes IETF118: stir: Fri 08:30 |
| State | Active |
| Other versions | markdown |
| Last updated | 2023-11-30 |
HedgeDoc notes from IETF 118 STIR WG
Secure Telephony Identity Revisited
Chairs
- Ben Campbell
- Robert Sparks
- Russ Housley
Agenda
1) Administrivia
- Agenda Bashing
- Minute Taker
- Jabber Scribe
- Bluesheets - Meetecho tool
2) Connected Identity for STIR
- Jon Peterson and Chris Wendt
- draft-ietf-stir-rfc4916-update-04
- Is this ready for WG Last Call?
3) Certificate Lifetimes
- Jon Peterson and Sean Turner
- draft-ietf-stir-certificates-ocsp-06
  - Now with stapling!
  - Ready for WGLC?
- draft-peterson-stir-certificates-shortlived-04
  - Next Steps?
4) STIR+MLS
- Jon Peterson and Richard Barnes
- draft-peterson-stir-mls-00
- Next steps?
5) Any Other Business (if time permits)
Actions (note-taking by Simon Castle)
1) Administrivia
- Change on the mailing list to draft-ietf-stir-servprovider-oob-05 to make it informational.
  - Proceeding to standards track.
- No request for a separate/restarted Last Call due to the change.
2) Connected Identity for STIR
- New -04 version written following comments received post last WGLC.
- Proposal to advance to IESG.
- Robert Sparks
  - (Chair hat): poll for number of readers and implementers: low-to-none for both. Seems little interest.
  - (Non-chair hat): Thinks it's good, recommends it proceeds. IPPNI has started paying attention to it.
- Chris Wendt and Sean Turner:
  - General consensus to progress to next stage.
3) Certificate Lifetimes
- draft-ietf-stir-certificates-ocsp-06 and draft-peterson-stir-certs-shortlived-05 now both include stapling as options for their corresponding proposals (OCSP and short-lived certificates respectively).
  - For OCSP, proposing a new "stpl" element in the PASSporT payload.
    - Jon Peterson requesting some help getting a plausible example of a stapled OCSP response; Sean Turner working on this.
  - For short-lived, the proposal is to carry the certificate chain in x5c in the PASSporT header.
    - Effectively a "staple", but it's large!
    - Normative language included: proposal is that this MUST be supported by compliant (to this extension) VS implementations, and SHOULD be used by ASes when certs are shorter-lived than a week.
      - Looking for feedback on that threshold.
        - Chris Wendt: possibly larger than it needs to be; usual targets will be less than that.
        - Ben Campbell: might be too large, maybe a day?
        - Chris Wendt: 1 day may be too low.
        - Eric Rescorla: Are there actually current certs out there at less than a week? Responses: some, possibly more in the future. Could get as low as per-call.
        - Consensus in-meeting for 3 days (and still a SHOULD, not a MUST).
- Next steps
  - Fix stapling example in OCSP draft, then advance.
  - Adopt the shortlived draft: no objection in the meeting, so will happen.
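As an added illustration of the stapling rule discussed above (not code from the minutes or from either draft): an AS decides whether to carry its chain in the JWS x5c header from the certificate's validity period, using the 3-day in-meeting consensus as the threshold, and a VS accepts either the stapled chain or an x5u reference. Header field names follow RFC 8225 and RFC 7515; the function names, the choice to keep x5u alongside x5c, and the sample DER bytes are assumptions.

```python
import base64
from datetime import datetime, timedelta, timezone

# Threshold from the in-meeting consensus: staple when the certificate lives
# shorter than 3 days (a SHOULD for the AS, not a MUST).
STAPLE_THRESHOLD = timedelta(days=3)


def should_staple(not_before: datetime, not_after: datetime,
                  threshold: timedelta = STAPLE_THRESHOLD) -> bool:
    """AS policy: staple when the whole validity period is shorter than the threshold."""
    return (not_after - not_before) < threshold


def build_passport_header(chain_der: list, x5u: str, not_before: datetime,
                          not_after: datetime, ppt: str = "") -> dict:
    """Protected header of a PASSporT: RFC 8225 'typ', 'alg', 'x5u', optional 'ppt'.

    Assumption: x5u is kept in every case so a VS following only the base
    profile still finds the chain; x5c is added as the staple when short-lived.
    """
    header = {"typ": "passport", "alg": "ES256", "x5u": x5u}
    if ppt:
        header["ppt"] = ppt
    if should_staple(not_before, not_after):
        # JWS x5c (RFC 7515 s.4.1.6): standard base64 of DER, leaf certificate first.
        header["x5c"] = [base64.b64encode(c).decode("ascii") for c in chain_der]
    return header


def vs_obtain_chain(header: dict, fetch) -> list:
    """VS side: a stapled x5c MUST be usable; otherwise dereference x5u via fetch()."""
    if "x5c" in header:
        return [base64.b64decode(c) for c in header["x5c"]]
    if "x5u" in header:
        return fetch(header["x5u"])
    raise ValueError("PASSporT header carries neither x5c nor x5u")


# Constructed sample values (not a real certificate, just DER-looking bytes).
SAMPLE_LEAF_DER = bytes.fromhex("3003020101")
SAMPLE_X5U = "https://cert.example/leaf.pem"
SAMPLE_NOT_BEFORE = datetime(2023, 11, 10, 8, 30, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER_SHORT = SAMPLE_NOT_BEFORE + timedelta(hours=12)   # staple
SAMPLE_NOT_AFTER_EXACT = SAMPLE_NOT_BEFORE + timedelta(days=3)     # not shorter, no staple
SAMPLE_NOT_AFTER_LONG = SAMPLE_NOT_BEFORE + timedelta(days=7)      # no staple

if __name__ == "__main__":
    hdr = build_passport_header([SAMPLE_LEAF_DER], SAMPLE_X5U,
                                SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER_SHORT)
    print(hdr)  # carries x5c because 12 hours < 3 days
    print(vs_obtain_chain(hdr, lambda url: []) == [SAMPLE_LEAF_DER])
```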
4) STIR+MLS
- One approach: use Certs, using TnAuthLists
  - TnAuthList identification could be broken into separate elements for SPC vs TNs
    - Feeling towards keeping them together
    - The extension allows for both together
    - Limited value for separation
- Other approach: PASSporTs
  - Identify group members using 'orig' and possibly RCD content
  - 'mky' PASSporT claim can carry a hash over a public key used for MLS
  - PASSporT expiry would need to be handled carefully since message sessions can be long-lived
    - Eric Rescorla: This is effectively a delegate certificate
    - Chris Wendt: PASSporTs are a call-time thing
  - Concerns around key transparency, but these might be a later problem to resolve after getting further through initial approaches.
- Next steps
  - Draft -00 put forward to get a general starting point
  - Want to decide if there's interest and a feeling towards an approach
    - 'Widespread agreement' of interest (5 thumbs up, 0 thumbs down)
    - Action item to call for adoption (after short-lived)
  - Still need to talk to MLS WG directly, probably some co-ordination needed there
  - Still lots to flesh out
    - Probably a lot of dependency on what MLS integration with RCS ends up looking like
  - Question about requiring how to handle trust history (identify that a message sent 9 months ago was valid at the time even if the certificate is invalid now)
    - Is this just a concern for the application server?
5) AOB
- Kaliya Young
  - Interactions with Identity Woman
  - Is there an opportunity for future working between forms of online identification?
    - Russ Housley: There are specific requirements around getting phone numbers, and STIR gives guarantees about the phone number. Room for dialogue, but fixed scope from STIR.
    - Ben Campbell: recommend cross-participation through the mailing lists.
    - Jon Peterson: Offering general F2F chat to cover ground-work.
- Jon Peterson: request for STIR to not meet on Friday next time!