Skip to main content

Minutes IETF119: stir: Mon 07:30

Meeting Minutes Secure Telephone Identity Revisited (stir) WG
Date and time 2024-03-18 07:30
Title Minutes IETF119: stir: Mon 07:30
State Active
Other versions markdown
Last updated 2024-04-01


Hedge notes from IETF 119 STIR WG

Secure Telephony Identity Revisited


  • Ben Campbell
  • Robert Sparks
  • Russ Housley


1) Administrivia
- Agenda Bashing
- Minute Taker
- Jabber Scribe
- Bluesheets - Meetecho tool

2) Certificates
- draft-ietf-stir-certificates-ocsp-06
- draft-peterson-stir-certificates-shortlived-05 (Candidate for
- Jon Peterson and Sean Turner

- draft-wendt-stir-certificate-transparency-00 
    - Chris Wendt

- draft-peterson-stir-mls-01
- Jon Peterson and Richard Barnes

4) Any Other Business (if time permits)

Actions (note-taking by Simon Castle)


  • 07 is now out! (as of this morning) building in stapling.
  • Examples included.
  • Request that implementers review the new draft to evaluate the
    impact of the size of the staple.
  • Question for attendees/reviewers: should there be a decoding of the
    PEM in the example
  • Question for attendees/reviewers: should there be something
    specifying the algorithms in the PASSporT, or is that built in to

draft-peterson-stir-certificates-shortlived-05 (Candidate for adoption)

  • No new version, since it's being called for adoption already.
  • Eric Rescorla has sent feedback on the mailing list

    • Questions about x5u/x5c (and typo of x5y)
    • Suggestion for highlight of normative change (move from x5u to
    • Should certs be listed in both x5u AND x5c?
  • Alec Fenichel

    • nothing precluding users from doing both if the URL is in both.
      Jon Peterson doesn't see an issue
    • Example in the text (for OCSP) - mismatch in certificate
      extension (example ends .cer, frequently .pem is the extension
      for PEM format)
      • Jon Peterson to look at RFC 5280 to make sure this draft
        doesn't conflict!
      • Russ Housley to find a reference about specifying a chain of
        certs in DER.
  • Summary of direction forwards:

    • Stick with PEM
    • Change examples to reflect
    • Keep x5c as written up but also add note to keep the x5u field
      in those shortlived
  • No objections for adoption of the short-lived draft.


  • Chris Wendt presenting

    • One key decision looking for input on: Current certificate
      transparency document provides three patterns, which we might be
      able to simplify - do we need any mechanisms other than
      pre-certificates? (See RFC 9162)
  • Orie Steele (in chat) offered route to using just the "SCT" part
    without the rest of RFC 9162, which is rarely implemented.

  • Jon Peterson:

    • This only works if everyone signs up otherwise a rogue CA
      doesn't list their certs (or their real certs) and all verifiers
      choose to trust.
    • Recommends use of the 'observatory' approach, based on the way
      the old SSL Observatory used to work.

      • Observes and detects changes to existing certificates in use
        when that's not expected to flag suspicious new actors.
    • Chris: could be applied primarily to delegates, where we don't
      have as many established processes today.

      • Jon: Ownership of individual numbers is complex, makes this
  • Eric Rescorla: needs a threat analysis before this can be adopted

  • Jon Peterson: needs more work on the list, not ready for adoption.
  • Conclusion: not being adopted at this time, will continue


  • Jon Peterson and Richard Barnes
  • Interaction with the MIMI WG (Jon Peterson also talking there.
  • More coordination and integration to be done.
  • draft-peterson-mimi-idprover is a strawman draft covering the
    discovery problem in MIMI, reuses some ideas from ACME integration.
  • Conclusion: Too early for adoption, more work to be done in

Any Other Business (if time permits)

  • Time does not permit!
  • What's the future of the WG? Are we on the long tail for closing
    • Call for discussion on the mailing list.