Last Call Review of draft-ietf-stir-oob-05
review-ietf-stir-oob-05-genart-lc-nandakumar-2019-09-16-00

Request Review of draft-ietf-stir-oob
Requested revision No specific revision (document currently at 07)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2019-09-17
Requested 2019-09-03
Authors Eric Rescorla , Jon Peterson
I-D last updated 2019-09-16
Completed reviews Secdir Last Call review of -05 by Watson Ladd (diff)
Genart Last Call review of -05 by Suhas Nandakumar (diff)
Opsdir Last Call review of -05 by Shwetha Bhandari (diff)
Genart Telechat review of -06 by Suhas Nandakumar (diff)
Secdir Telechat review of -06 by Watson Ladd (diff)
Assignment Reviewer Suhas Nandakumar
State Completed
Request Last Call review on draft-ietf-stir-oob by General Area Review Team (Gen-ART) Assigned
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/40TTDHlTBecIeCRy594Y08t_AO8
Reviewed revision 05 (document currently at 07)
Result Almost ready
Completed 2019-09-16
review-ietf-stir-oob-05-genart-lc-nandakumar-2019-09-16-00
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-stir-oob-??
Reviewer: Suhas Nandakumar
Review Date: 2019-09-16
IETF LC End Date: 2019-09-17
IESG Telechat date: Not scheduled for a telechat

Summary: Thanks for a lucid document. This document is Almost Ready with few
minor issues / clarifications.

Major issues: None

Minor issues:
1. Section 7.2 para 2 states : "The CPS responds with any such PASSporTs
(assuming they exist)." Given CPS will always respond with a dummy PASSporT,
the statement in the parentheses doesn't hold.

2. Section 7.4 Call flow: "Call from CS (forged caller-id info)" . Since its
the attacker making the call here, we probably need to change it as "Call from
Attacker (forged caller-id info)".

3. Section 7.5 has the following:

Sign(K_cps, K_temp)
Sign(K_temp, E(K_receiver, PASSporT)) --->

This is a clarification question for my understanding. What happens when
one of the 2 messages sent gets lost when storing the PASSporT. Should we need
to add any clarifications to that extent ?

4. Section 77.5 last para: clarification question
Since PASSporT is encrypted at CPS , how is it aged out based on the "iat"
value. Is it a function to VS to age out PASSporTs at a given CPS ?

5. Section 8.2 last part has the  sentence "This document
   does not prescribe any particular treatment of calls that have valid
   PASSporTs associated with them."

 I wasn't sure of the intent of this sentence.

Nits/editorial comments:

1. Introduction para 1: Reference to PASSporT missing
2. Introduction para 2: Xalls -> Calls
3. Section 5.2 para 1: would be nice to add reference to Section 10
4. Section 7.2 Call Flow: "Store PASSporT" --> "Store Encrypted PASSporT"
5. Section 7.2 Call Flow: "Ring phone with callerid" --> "Ring phone with
verified callerid" 6. Section 8.2 Step 3: "number number" --> "number" 7.
Section 8.3 para 2: "Per Step 3" --> "Per Step 3 of Section 8.1" 8. Section 10
last para: The acronyms AS and VS are used first time 9. Section 11: missing
references to subcert, VIPR