HedgeDoc notes from IETF 118 STIR WG

Secure Telephony Identity Revisited

Chairs

• Ben Campbell
• Robert Sparks
• Russ Housley

Agenda

1) Administrivia
- Agenda Bashing
- Minute Taker
- Jabber Scribe
- Bluesheets - Meetecho tool

2) Connected Identity for STIR
- Jon Peterson and Chris Wendt
- draft-ietf-stir-rfc4916-update-04
- Is this ready for WG Last Call?

3) Certificate Lifetimes
- Jon Peterson and Sean Turner
- draft-ietf-stir-certificates-ocsp-06
- Now with stapling!
- Ready for WGLC?
- draft-peterson-stir-certificates-shortlived-04
- Next Steps?

4) STIR+MLS
- Jon Peterson and Richard Barnes
- draft-peterson-stir-mls-00
- Next steps?

5) Any Other Business (if time permits)

Actions (note-taking by Simon Castle)

1) Administrivia

• Change on the mailing list to draft-ietf-stir-servprovider-oob-05 to
  make it informational.
  • Proceeding to standards track.
  • No request for a seperate/restarted Last Call due to the change.

2) Connected Identity for STIR

• New -04 version written following comments received post last WGLC.
• Proposal to advance to IESG.

• Robert Sparks

  • (Chair hat): poll for number of readers and implementers:
    low-to-none for both. Seems little interest.
  • (Non-chair hat): Thinks it's good, recommend it proceeds. IPPNI
    has started paying attention to it.

• Chris Wendt and Sean Turner:

  • General consensus to progress to next stage.

3) Certificate Lifetimes

• draft-ietf-stir-certificates-ocsp-06 and
  draft-peterson-stir-certs-shortlived-05 now both include stapling as
  options for their corresponding proposals (OCSP, short-lived
  certificates respectively).

  • For OCSP, proposing a new "stpl" element in PASSporT payload
  • Jon Peterson requesting some help getting a plausible example of
    a stapled OCSP response; Sean Turner working on this.
  • For short-lived, proposal is to carry the certificate chain in
    x5c in the PASSporT header
    • Effectively a "staple" but it's large!
    • Normative language included: Proposal is that this MUST be
      supported by compliant (to this extension) VS
      implementations, SHOULD be used by AS's when certs are
      shorter-lived than a week.
      • Looking for feedback on that threshold.
        • Chris Wendt: possibly larger than it needs to be,
          usual targets will be less than that
        • Ben Campbell: might be too large, maybe a day?
        • Chris Wendt: 1 day may be too low
        • Eric Rescorla: Are there actually current certs out
          there at less than a week? Responses: some, possibly
          more in the future. Could get as low as per-call.
        • Consensus in-meeting for 3 days (and still a SHOULD,
          not MUST)

• Next steps

  • Fix stapling example in OCSP draft, then advance
  • Adopt the shortlived draft: no objection in the meeting, so will
    happen.

4) STIR+MLS

• One approach: use Certs, using TnAuthLists

  • TnAuthList identification could be broken into seperate elements
    for SPC vs TNs
  • Feeling towards keeping them together
    • The extension allows for both together
    • Limited value for separation

• Other approach: PASSporTs

  • Identify group members using 'orig' and possibly RCD content
  • 'mky' PASSporT claim can carry a hash over a public key used for
    MLS
  • PASSporT expiry would need to be handled carefully since message
    sessions can be long-lived
  • Eric Rescorla: This is effectively a delegate certificate
  • Chris Wendt: PASSporTs are a call-time thing
  • Concerns around key transparency but these might be a latter
    problem to resolve after getting further through initial
    approaches.
  • Next steps
  • Draft -00 put forward to get a general starting point

  • Want to decide if there's interest and a feeling towards an
    approach

    • 'Widespread agreement' of interest (5 thumbs up, 0 thumbs
      down)
    • Action item to call for adoption (after short-lived)

  • Still need to talk to MLS WG directly, probably some
    co-ordination needed there

  • Still lots to flesh out

    • Probably a lot of dependency on what MLS integration with
      RCS ends up looking like

  • Question about requiring how to handle trust history (identify
    that a message sent 9 months ago was valid at the time even if
    the certificate is invalid now)

    • Is this just a concern for the application server?

5) AOB

• Kaliya Young

  • Interactions with Identity Woman
  • Is there an opportunity for future working between forms of
    online identification?
  • Russ Housley: There's specific requirements around getting
    phone-numbers and STIR gives guarantees about the phone number.
    Room for dialogue but fixed scope from STIR
  • Ben Campbell: recommend cross-participation through the mailing
    lists
  • Jon Peterson: Offering general F2F chat to cover ground-work.

• Jon Peterson: request for STIR to not meet on Friday next time!