Minutes IETF98: stir

Meeting Minutes Secure Telephone Identity Revisited (stir) WG
Title Minutes IETF98: stir
State Active
Other versions plain text
Last updated 2017-04-05

Meeting Minutes

IETF 98 - Secure Telephone Identity Revisited (STIR)
Thursday, 30 March 2017 - Room: Zurich G

=== Summary ===

The IESG evaluation resulted in changes to draft-ietf-stir-rfc4474bis,
draft-ietf-stir-passport, and draft-ietf-stir-certificates.  They were
discussed.  The room supported the changes.  In particular, the room
supported continuing to include # and * in telephone numbers, and moving
the certificate freshness discussion into a new document.  After
discussion around moving forward with OCSP or short-lived certificates,
the room supported pursuing sort-lived certificates.  There was
discussion around the JWT constraints semantics.  Russ Housley proposed a
change to the syntax that the room supported.

The room supported defining passport extensions for CNAM and diversion.

The remaining miletones were discussed (out-of-band and the privacy
analysis).  There were people in the room willing to work on these items
now.  The chairs will propose updates to these milestones, and additional
milestones for the work identified above.

The room supported a virtual interim in May/June to move out-of-band and
the newly identified work forward.

=== Notes from Pete Resnick ===

Starting at 09:05

(Action items and conclusions of the room marked with **)

Presentation of Bob Marley's "Legend" to Alissa as a thank you gift. Stir it up!

Chairs' slides:

- Agenda Bashing

- rfc4474bis + PASSporT + certs (Jon Peterson in front)
  - Review of documents - Pretty much done, but a bit to do in
  - Review of the last minute fixes
    - Discussion of whether numbers can get "#" or "*". Room was asked
      whether a change was needed.
      - ** Room was silent; no change needed **
  - JWT Claim Constraints
    - Ended up in the document treating claim constraints as a whitelist
    - Question about how to put a constraint in with an optional set of
    - Russ explains that you can have a list of values, but no mechanism
      to have a constraint with optional values
    - Not even clear that this does a whitelist in the way this document
      uses claim constraints
    - Chris Wendt and Henning Schulzring ask questions about possibilities
      for dealing with this
    - ** Russ believes he has a change that would address the issue; he
      will write up a slide **
  - Crossover to SIPBRANDY
    - Adam Roach pointed out an interaction where 4474bis might need to
      say something about retransmissions
    - Added some text to address the issue - Please review the text
  - With these changes, 4474bis and PASSporT should be stable
  - IESG had many comments about the certificates draft
    - Service Provider Codes - Coordinating with ATIS since they're the
      ones using all of the different identifiers
    - Henning asks whether OCNs might be mistaken for other kinds of
      codes. Jon says that the trust anchor would indicate the context.
      ** Henning asks that this be documented. **
    - Stephen Farrell had a DISCUSS regarding freshness - In the end,
      the editor concluded that this document should punt on this issue
      - Left in bit about providing TN Auth List by reference
    - Regarding freshness, we now have two new documents that offer
      different ways forward: OCSP and Short-lived certificates
      - We may need to go down both paths to get a bit of experience
        before we recommend either of these approaches
      - Richard Barnes points out that OCSP is not suitable for
        real-time use, so if that is the intent, probably shouldn't do
        that unless you have some way to do this different from the web
      - Henning asks whether we would simply check to see if the number
        has changed since certificate issuance; maybe this is not useful
      - Henning suggests that the pub-sub model for CRLs might be
      - If we go down the OCSP path, we would likely need stapling, and
        that might require protocol extensions to carry staples in SIP
      - Alternative solution is to use short-lived credentials, which
        look an awful lot like stapled certificates
      - Paul Hoffman points out that OCSP + staple usually involves
        another party who issues the certificate; probably better to
        stick with one party solution
      - ACME makes short-lived certificates much easier, and can be used
        not just for end-user certificates
      - Chris questions how to deal with the distribution problem; Jon
        says that 4474bis has mecahanisms
      - Starting to sound like people are leaning toward short-lived
      - Richard points out that the difference between the mechanisms
        is the failure scenarios
      - Cullen Jennings says that people have to do lifetimes anyway, so
        short-lived certificates are sensible. Richard agrees. Chris
        thinks they're best way forward.
      - ** Sense of the room is to move forward with short-lived
        certificates **
  - Russ presents a slide on a proposed JWT Constraints Syntax
    - People nodding agreement as slide is being presented
    - Some bikeshedding from Paul Hoffman and Henning on format changes
    - ** Sense of the room is that people like the proposal, nits on the
      format strings notwithstanding **
  - Jon returns to presentation: Forgotten items that need to be put in;
    ** Nobody objects to adding them **

- Chair indicates that the group would look into the interaction between

- Chair asks whether sense of the room is willing to work on the
  remaining milestones.  ** Sense of the room is to do so. **

- Henning asks whether we can explore the "location trust" problem;
  Subir Das indicates that he'd be willing to work on emergency work

- Chair asks for people who are willing to work on the the out-of-band.
  Hands were raised.  Chair asks for document editor volunteers.
  - Jon suggests a (possibly virtual) interim to get the work moving
    forward, May or June

Chair closes meeting at 10:26