Last Call Review of draft-ietf-stir-cert-delegation-03
review-ietf-stir-cert-delegation-03-genart-lc-robles-2020-08-26-00

Request Review of draft-ietf-stir-cert-delegation
Requested revision No specific revision (document currently at 04)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2020-08-26
Requested 2020-08-12
Authors Jon Peterson
I-D last updated 2020-08-26
Completed reviews Genart Last Call review of -03 by Ines Robles (diff)
Secdir Last Call review of -03 by Carl Wallace (diff)
Secdir Telechat review of -04 by Carl Wallace
Assignment Reviewer Ines Robles
State Completed
Request Last Call review on draft-ietf-stir-cert-delegation by General Area Review Team (Gen-ART) Assigned
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/VksHLl-OxiQEBY1efbYD8l6xBJI
Reviewed revision 03 (document currently at 04)
Result Ready w/issues
Completed 2020-08-26
review-ietf-stir-cert-delegation-03-genart-lc-robles-2020-08-26-00
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-stir-cert-delegation-03
Reviewer: Ines Robles
Review Date: 2020-08-26
IETF LC End Date: 2020-08-26
IESG Telechat date: Not scheduled for a telechat

Summary:

This specification details how that authority can be delegated from a parent
certificate to a subordinate certificate.  This supports a  number of use cases
where callers want to use a particular calling number, but for whatever reason,
their outbound calls will not pass through the authentication service of the
service provider that controls that numbering resource, it includes also those
where service providers grant credentials to enterprises or other customers
capable of signing calls with Secure Telephone Identity Revisited (STIR).

I have some minor suggestions/questions to the authors.

Major issues: None

Minor issues:

1-Introduction Section:

"..., including various forms of robocalling, voicemail hacking, and
swatting..." --> should a reference to RFC7375 be added here?

2- It would be nice to add in Terminology section:

-  delegation: the concept of delegation and its levels are defined in RFC8226.
- definition for "legitimate spoofing". I understand that the draft explain it
with an example.

3- It would be nice to add references to concepts, e.g. cA boolean --> cA
boolean [rfc5280#section-4.2.1.9]

"x5u" link -> "x5u" (X.509 URL) [RFC7515#section-4.1.5] link

4- Section 4: It would be nice to add graphics explaining the process.
E.g. can be used as a model the images displayed in
https://access.atis.org/apps/group_public/download.php/47134/IPNNI-2019-00043R000.pdf
or https://niccstandards.org.uk/wp-content/uploads/2019/03/ND1522V1.1.1.pdf

5- Section 5:"Authentication service behavior for delegate certificates is
little
   changed from [RFC8224] STIR behavior" --> It is not clear to me what are the
   little changes.

Additionally, how you quantify little/big changes?, maybe something like?:
"Authentication service behavior varies from STIR behavior [RFC8224] as
follows:...."

6- Section 8.1: Should the picture displayed in
https://www.ietf.org/proceedings/104/slides/slides-104-stir-certificate-delegation-00--Slide
5 be added here?

7- Security Consideration section: should a reference to RFC7375 be added here?

Nits/editorial comments:

8- Expand the first time: JWS -> JSON Web Signature (JWS)

Thank you for this document,

Ines.