Last Call Review of draft-ietf-stir-oob-05

Request Review of draft-ietf-stir-oob
Requested rev. no specific revision (document currently at 07)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2019-09-17
Requested 2019-09-03
Authors Eric Rescorla, Jon Peterson
Draft last updated 2019-09-16
Completed reviews Secdir Last Call review of -05 by Watson Ladd (diff)
Genart Last Call review of -05 by Suhas Nandakumar (diff)
Opsdir Last Call review of -05 by Shwetha Bhandari (diff)
Genart Telechat review of -06 by Suhas Nandakumar (diff)
Secdir Telechat review of -06 by Watson Ladd (diff)
Assignment Reviewer Suhas Nandakumar 
State Completed
Review review-ietf-stir-oob-05-genart-lc-nandakumar-2019-09-16
Reviewed rev. 05 (document currently at 07)
Review result Almost Ready
Review completed: 2019-09-16


I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at


Document: draft-ietf-stir-oob-??
Reviewer: Suhas Nandakumar
Review Date: 2019-09-16
IETF LC End Date: 2019-09-17
IESG Telechat date: Not scheduled for a telechat

Summary: Thanks for a lucid document. This document is Almost Ready with a few minor issues / clarifications.

Major issues: None

Minor issues:
1. Section 7.2 para 2 states: "The CPS responds with any such PASSporTs (assuming they exist)."
Given CPS will always respond with a dummy PASSporT, the statement in the parentheses doesn't hold.

2. Section 7.4 Call flow: "Call from CS (forged caller-id info)". Since it's the attacker making the call here, we probably need to change it to "Call from Attacker (forged caller-id info)".

3. Section 7.5 has the following: 

Sign(K_cps, K_temp)
Sign(K_temp, E(K_receiver, PASSporT)) --->

This is a clarification question for my understanding. What happens when
one of the 2 messages sent gets lost when storing the PASSporT? Do we need to add
any clarifications to that extent?

4. Section 77.5 last para: clarification question
Since PASSporT is encrypted at CPS, how is it aged out based on the "iat" value? Is it
a function to VS to age out PASSporTs at a given CPS?

5. Section 8.2 last part has the sentence "This document
does not prescribe any particular treatment of calls that have valid
PASSporTs associated with them."

I wasn't sure of the intent of this sentence.

Nits/editorial comments:

1. Introduction para 1: Reference to PASSporT missing
2. Introduction para 2: Xalls -> Calls
3. Section 5.2 para 1: would be nice to add reference to Section 10
4. Section 7.2 Call Flow: "Store PASSporT" --> "Store Encrypted PASSporT"
5. Section 7.2 Call Flow: "Ring phone with callerid" --> "Ring phone with verified callerid"
6. Section 8.2 Step 3: "number number" --> "number"
7. Section 8.3 para 2: "Per Step 3" --> "Per Step 3 of Section 8.1"
8. Section 10 last para: The acronyms AS and VS are used for the first time
9. Section 11: missing references to subcert, VIPR