IETF 98 - Secure Telephone Identity Revisited (STIR) Thursday, 30 March 2017 - Room: Zurich G === Summary === The IESG evaluation resulted in changes to draft-ietf-stir-rfc4474bis, draft-ietf-stir-passport, and draft-ietf-stir-certificates. They were discussed. The room supported the changes. In particular, the room supported continuing to include # and * in telephone numbers, and moving the certificate freshness discussion into a new document. After discussion around moving forward with OCSP or short-lived certificates, the room supported pursuing sort-lived certificates. There was discussion around the JWT constraints semantics. Russ Housley proposed a change to the syntax that the room supported. The room supported defining passport extensions for CNAM and diversion. The remaining miletones were discussed (out-of-band and the privacy analysis). There were people in the room willing to work on these items now. The chairs will propose updates to these milestones, and additional milestones for the work identified above. The room supported a virtual interim in May/June to move out-of-band and the newly identified work forward. === Notes from Pete Resnick === Starting at 09:05 (Action items and conclusions of the room marked with **) Presentation of Bob Marley's "Legend" to Alissa as a thank you gift. Stir it up! Chairs' slides: https://www.ietf.org/proceedings/98/slides/slides-98-stir-administrivia-00.pdf - Agenda Bashing - rfc4474bis + PASSporT + certs (Jon Peterson in front) https://www.ietf.org/proceedings/98/slides/slides-98-stir-rfc4474bis-certificates-certificate-freshness-01.pdf - Review of documents - Pretty much done, but a bit to do in certificates - Review of the last minute fixes - Discussion of whether numbers can get "#" or "*". Room was asked whether a change was needed. - ** Room was silent; no change needed ** - JWT Claim Constraints - Ended up in the document treating claim constraints as a whitelist - Question about how to put a constraint in with an optional set of values - Russ explains that you can have a list of values, but no mechanism to have a constraint with optional values - Not even clear that this does a whitelist in the way this document uses claim constraints - Chris Wendt and Henning Schulzring ask questions about possibilities for dealing with this - ** Russ believes he has a change that would address the issue; he will write up a slide ** - Crossover to SIPBRANDY - Adam Roach pointed out an interaction where 4474bis might need to say something about retransmissions - Added some text to address the issue - Please review the text - With these changes, 4474bis and PASSporT should be stable - IESG had many comments about the certificates draft - Service Provider Codes - Coordinating with ATIS since they're the ones using all of the different identifiers - Henning asks whether OCNs might be mistaken for other kinds of codes. Jon says that the trust anchor would indicate the context. ** Henning asks that this be documented. ** - Stephen Farrell had a DISCUSS regarding freshness - In the end, the editor concluded that this document should punt on this issue - Left in bit about providing TN Auth List by reference - Regarding freshness, we now have two new documents that offer different ways forward: OCSP and Short-lived certificates - We may need to go down both paths to get a bit of experience before we recommend either of these approaches - Richard Barnes points out that OCSP is not suitable for real-time use, so if that is the intent, probably shouldn't do that unless you have some way to do this different from the web - Henning asks whether we would simply check to see if the number has changed since certificate issuance; maybe this is not useful - Henning suggests that the pub-sub model for CRLs might be reasonable - If we go down the OCSP path, we would likely need stapling, and that might require protocol extensions to carry staples in SIP - Alternative solution is to use short-lived credentials, which look an awful lot like stapled certificates - Paul Hoffman points out that OCSP + staple usually involves another party who issues the certificate; probably better to stick with one party solution - ACME makes short-lived certificates much easier, and can be used not just for end-user certificates - Chris questions how to deal with the distribution problem; Jon says that 4474bis has mecahanisms - Starting to sound like people are leaning toward short-lived certificate - Richard points out that the difference between the mechanisms is the failure scenarios - Cullen Jennings says that people have to do lifetimes anyway, so short-lived certificates are sensible. Richard agrees. Chris thinks they're best way forward. - ** Sense of the room is to move forward with short-lived certificates ** - Russ presents a slide on a proposed JWT Constraints Syntax https://www.ietf.org/proceedings/98/slides/slides-98-stir-proposed-jwt-constraints-syntax-00.pdf https://www.ietf.org/proceedings/98/slides/slides-98-stir-revised-proposal-for-jwt-constraints-syntax-00.pdf - People nodding agreement as slide is being presented - Some bikeshedding from Paul Hoffman and Henning on format changes - ** Sense of the room is that people like the proposal, nits on the format strings notwithstanding ** - Jon returns to presentation: Forgotten items that need to be put in; ** Nobody objects to adding them ** - Chair indicates that the group would look into the interaction between ACME and STIR - Chair asks whether sense of the room is willing to work on the remaining milestones. ** Sense of the room is to do so. ** - Henning asks whether we can explore the "location trust" problem; Subir Das indicates that he'd be willing to work on emergency work - Chair asks for people who are willing to work on the the out-of-band. Hands were raised. Chair asks for document editor volunteers. - Jon suggests a (possibly virtual) interim to get the work moving forward, May or June Chair closes meeting at 10:26