HedgeDoc notes from IETF 118 STIR WG

# Secure Telephony Identity Revisited {#secure-telephony-identity-revisited}

## Chairs {#chairs}

* Ben Campbell
* Robert Sparks
* Russ Housley

## Agenda {#agenda}

1) Administrivia
    - Agenda Bashing
    - Minute Taker
    - Jabber Scribe
    - Bluesheets
    - Meetecho tool
2) Connected Identity for STIR - Jon Peterson and Chris Wendt
    - draft-ietf-stir-rfc4916-update-04
    - Is this ready for WG Last Call?
3) Certificate Lifetimes - Jon Peterson and Sean Turner
    - draft-ietf-stir-certificates-ocsp-06
        - Now with stapling!
        - Ready for WGLC?
    - draft-peterson-stir-certificates-shortlived-04
        - Next Steps?
4) STIR+MLS - Jon Peterson and Richard Barnes
    - draft-peterson-stir-mls-00
    - Next steps?
5) Any Other Business (if time permits)

## Actions (note-taking by Simon Castle) {#actions-note-taking-by-simon-castle}

1) Administrivia
    * Change on the mailing list to draft-ietf-stir-servprovider-oob-05 to make it informational.
    * Proceeding to standards track.
    * No request for a separate/restarted Last Call due to the change.
2) Connected Identity for STIR
    * New -04 version written following comments received post last WGLC.
    * Proposal to advance to IESG.
    * Robert Sparks
        * (Chair hat): poll for number of readers and implementers: low-to-none for both. Seems little interest.
        * (Non-chair hat): Thinks it's good, recommends it proceeds. IPNNI has started paying attention to it.
    * Chris Wendt and Sean Turner:
        * General consensus to progress to next stage.
3) Certificate Lifetimes
    * draft-ietf-stir-certificates-ocsp-06 and draft-peterson-stir-certs-shortlived-05 now both include stapling as options for their corresponding proposals (OCSP and short-lived certificates respectively).
    * For OCSP, proposing a new "stpl" element in the PASSporT payload.
        * Jon Peterson requesting some help getting a plausible example of a stapled OCSP response; Sean Turner working on this.
    * For short-lived, proposal is to carry the certificate chain in x5c in the PASSporT header.
        * Effectively a "staple", but it's large!
        * Normative language included: proposal is that this MUST be supported by VS implementations compliant with this extension, and SHOULD be used by ASes when certs are shorter-lived than a week.
        * Looking for feedback on that threshold.
            * Chris Wendt: possibly larger than it needs to be; usual targets will be less than that.
            * Ben Campbell: might be too large, maybe a day?
            * Chris Wendt: 1 day may be too low.
            * Eric Rescorla: Are there actually current certs out there at less than a week? Responses: some, possibly more in the future. Could get as low as per-call.
            * Consensus in-meeting for 3 days (and still a SHOULD, not MUST).
    * Next steps
        * Fix stapling example in OCSP draft, then advance.
        * Adopt the shortlived draft: no objection in the meeting, so will happen.
4) STIR+MLS
    * One approach: use certs, using TNAuthLists.
        * TNAuthList identification could be broken into separate elements for SPC vs TNs.
        * Feeling towards keeping them together.
        * The extension allows for both together.
        * Limited value for separation.
    * Other approach: PASSporTs
        * Identify group members using 'orig' and possibly RCD content.
        * 'mky' PASSporT claim can carry a hash over a public key used for MLS.
        * PASSporT expiry would need to be handled carefully since message sessions can be long-lived.
        * Eric Rescorla: This is effectively a delegated certificate.
        * Chris Wendt: PASSporTs are a call-time thing.
        * Concerns around key transparency, but these might be a later problem to resolve after getting further through initial approaches.
    * Next steps
        * Draft -00 put forward to get a general starting point.
        * Want to decide if there's interest and a feeling towards an approach.
        * 'Widespread agreement' of interest (5 thumbs up, 0 thumbs down).
        * Action item to call for adoption (after short-lived).
        * Still need to talk to MLS WG directly; probably some co-ordination needed there.
        * Still lots to flesh out.
        * Probably a lot of dependency on what MLS integration with RCS ends up looking like.
        * Question about requiring how to handle trust history (identify that a message sent 9 months ago was valid at the time even if the certificate is invalid now).
            * Is this just a concern for the application server?
5) AOB
    * Kaliya Young
        * Interactions with Identity Woman.
        * Is there an opportunity for future working between forms of online identification?
        * Russ Housley: There are specific requirements around getting phone numbers, and STIR gives guarantees about the phone number. Room for dialogue, but fixed scope from STIR.
        * Ben Campbell: recommend cross-participation through the mailing lists.
        * Jon Peterson: Offering general F2F chat to cover ground-work.
    * Jon Peterson: request for STIR to not meet on Friday next time!
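The short-lived certificate proposal in item 3 (carry the chain in x5c so the verification service need not fetch it, a SHOULD once the certificate is shorter-lived than the agreed three days) is easiest to see end to end in code. The program below is an added example written for these notes; it is not code from either draft or from any STIR implementation. It mints a self-signed P-256 certificate of a chosen lifetime (placeholder subject, no TNAuthList), signs a PASSporT as an ES256 compact JWS, staples the DER certificate into x5c only when the lifetime is under the threshold, and on the verifying side rejects a stapled token whose certificate is outside its validity window or whose signature fails under the stapled key. The `StapleThreshold` constant, the x5u URL and the telephone numbers are assumptions; chain-building to an STI-CA root and the TNAuthList/orig check a real verification service performs are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// StapleThreshold: in-meeting consensus was that an AS SHOULD staple the chain
// when its certificate is valid for less than three days (assumed value here).
const StapleThreshold = 72 * time.Hour

// passportHeader is the JOSE header of a PASSporT (RFC 8225) plus x5c.
type passportHeader struct {
	Alg string   `json:"alg"`
	Typ string   `json:"typ"`
	X5U string   `json:"x5u,omitempty"`
	X5C []string `json:"x5c,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newShortLivedCert mints a self-signed P-256 certificate valid for lifetime.
// Constructed for this example: a real STIR cert is CA-issued and carries TNAuthList.
func newShortLivedCert(lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "as.example.invalid"}, // placeholder subject
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignPassport produces a compact-serialised ES256 PASSporT. The certificate is
// stapled into x5c only when it is shorter-lived than StapleThreshold; otherwise
// the header carries just x5u, as in baseline RFC 8225.
func SignPassport(cert *x509.Certificate, key *ecdsa.PrivateKey, payload map[string]any) (string, error) {
	hdr := passportHeader{Alg: "ES256", Typ: "passport", X5U: "https://as.example.invalid/cert.pem"} // assumed URL
	if cert.NotAfter.Sub(cert.NotBefore) < StapleThreshold {
		// x5c entries are standard (not URL-safe) base64 of DER, per RFC 7515.
		hdr.X5C = []string{base64.StdEncoding.EncodeToString(cert.Raw)}
	}
	hb, _ := json.Marshal(hdr)
	pb, _ := json.Marshal(payload)
	signingInput := b64url(hb) + "." + b64url(pb)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyStapled checks a PASSporT against the certificate stapled in its x5c:
// validity window at time now, then the ES256 signature under the leaf key.
// The parsed header is returned even on error so callers can tell "no staple,
// fetch via x5u" from "stapled but bad". Chain-building to an STI-CA root is omitted.
func VerifyStapled(token string, now time.Time) (*passportHeader, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("not a compact JWS") }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr passportHeader
	if err := json.Unmarshal(hb, &hdr); err != nil { return nil, err }
	if hdr.Alg != "ES256" || hdr.Typ != "passport" { return &hdr, errors.New("unexpected alg/typ") }
	if len(hdr.X5C) == 0 { return &hdr, errors.New("no x5c staple: fetch certificate via x5u") }
	der, err := base64.StdEncoding.DecodeString(hdr.X5C[0])
	if err != nil { return &hdr, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return &hdr, err }
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { return &hdr, errors.New("stapled cert outside validity window") }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return &hdr, errors.New("stapled leaf is not an EC key") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return &hdr, errors.New("malformed ES256 signature") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return &hdr, errors.New("PASSporT signature does not verify") }
	return &hdr, nil
}
```

The verifier hands back the parsed header alongside any error, so a caller can separate the baseline case (no staple, go fetch via x5u) from a staple that arrived but does not check out; what a VS does in that second case is exactly the SHOULD-not-MUST question the meeting left to local policy. The size cost the minutes flag is visible too: the x5c entry is the whole DER certificate, base64-encoded, added to every PASSporT.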