Skip to main content

Secure Telephone Identity Revisited
charter-ietf-stir-02

Revision differences

Document history

Date Rev. By Action
2022-01-24
02 Cindy Morgan New version available: charter-ietf-stir-02.txt
2022-01-24
01-02 Cindy Morgan State changed to Approved from External Review (Message to Community, Selected by Secretariat)
2022-01-24
01-02 Cindy Morgan IESG has approved the charter
2022-01-24
01-02 Cindy Morgan Closed "Approve" ballot
2022-01-24
01-02 Cindy Morgan WG action text was changed
2022-01-24
01-02 Cindy Morgan WG action text was changed
2022-01-20
01-02 Murray Kucherawy New version available: charter-ietf-stir-01-02.txt
2022-01-18
01-01 Murray Kucherawy New version available: charter-ietf-stir-01-01.txt
2022-01-18
01-00 Murray Kucherawy Added charter milestone "Messaging Use Cases and Extensions for STIR"
2022-01-18
01-00 Murray Kucherawy Added charter milestone "Connected Identity for STIR"
2022-01-18
01-00 Murray Kucherawy Added charter milestone "Identity Header Error Handling"
2022-01-18
01-00 Murray Kucherawy Changed charter milestone "Submit Privacy analysis for Informational", Milestone order changed from 11 to 3
2022-01-18
01-00 Murray Kucherawy Changed charter milestone "Submit STIR Certificate Delegation as Proposed Standard", Milestone order changed from 10 to 2
2022-01-18
01-00 Murray Kucherawy
Changed charter milestone "Submit Assertion Values for a Resource Priority Header Claim in Support of Emergency Services Networks as Proposed Standard", Milestone order changed from …
Changed charter milestone "Submit Assertion Values for a Resource Priority Header Claim in Support of Emergency Services Networks as Proposed Standard", Milestone order changed from 9 to 1
2022-01-18
01-00 Murray Kucherawy Changed charter milestone "Submit PASSPorT Extension for rich call data for publication as Proposed Standard", Milestone order changed from 8 to 0
2022-01-06
01-00 Robert Wilton [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton
2022-01-06
01-00 John Scudder [Ballot Position Update] New position, No Objection, has been recorded for John Scudder
2022-01-06
01-00 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2022-01-06
01-00 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2022-01-06
01-00 Francesca Palombini [Ballot Position Update] New position, No Objection, has been recorded for Francesca Palombini
2022-01-05
01-00 Murray Kucherawy [Ballot Position Update] New position, Yes, has been recorded for Murray Kucherawy
2022-01-05
01-00 Benjamin Kaduk [Ballot comment]
RFC 4474 is obsoleted by RFC 8224; should the discussion of previous efforts
be updated to take account of that new(er) RFC?
2022-01-05
01-00 Benjamin Kaduk [Ballot Position Update] New position, No Objection, has been recorded for Benjamin Kaduk
2022-01-05
01-00 Martin Duke [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke
2022-01-05
01-00 Éric Vyncke
[Ballot comment]
Same comment as Erik K... must be a data tracker glitch ? or simply the charter is unchanged and we are balloting twice …
[Ballot comment]
Same comment as Erik K... must be a data tracker glitch ? or simply the charter is unchanged and we are balloting twice ?
2022-01-05
01-00 Éric Vyncke [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke
2022-01-05
01-00 Roman Danyliw
[Ballot comment]
Please add milestones that capture the new work given this revised scope.  While there are outstanding milestones, they appear to be the same …
[Ballot comment]
Please add milestones that capture the new work given this revised scope.  While there are outstanding milestones, they appear to be the same ones as already set under the current charter.
2022-01-05
01-00 Roman Danyliw [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw
2022-01-03
01-00 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded for Lars Eggert
2021-12-22
01-00 Erik Kline [Ballot comment]
I cannot tell the difference between this 01-00 and the last 01-00 on which we balloted...
2021-12-22
01-00 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2021-12-17
01-00 Cindy Morgan Telechat date has been changed to 2022-01-06 from 2021-12-16
2021-12-17
01-00 Cindy Morgan Created "Approve" ballot
2021-12-17
01-00 Cindy Morgan Closed "Ready for external review" ballot
2021-12-17
01-00 Cindy Morgan State changed to External Review (Message to Community, Selected by Secretariat) from Start Chartering/Rechartering (Internal Steering Group/IAB Review)
2021-12-17
01-00 Cindy Morgan WG new work message text was changed
2021-12-17
01-00 Cindy Morgan WG review text was changed
2021-12-17
01-00 Cindy Morgan WG review text was changed
2021-12-17
01-00 Cindy Morgan WG review text was changed
2021-12-17
01-00 Cindy Morgan Added milestone "Submit Privacy analysis for Informational" from current group milestones
2021-12-17
01-00 Cindy Morgan Added milestone "Submit STIR Certificate Delegation as Proposed Standard" from current group milestones
2021-12-17
01-00 Cindy Morgan Added milestone "Submit Assertion Values for a Resource Priority Header Claim in Support of Emergency Services Networks as Proposed Standard" from current group milestones
2021-12-17
01-00 Cindy Morgan Added milestone "Submit PASSPorT Extension for rich call data for publication as Proposed Standard" from current group milestones
2021-12-16
01-00 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2021-12-15
01-00 Benjamin Kaduk [Ballot Position Update] New position, No Objection, has been recorded for Benjamin Kaduk
2021-12-15
01-00 John Scudder [Ballot Position Update] New position, No Objection, has been recorded for John Scudder
2021-12-15
01-00 Roman Danyliw [Ballot comment]
Please add milestones.
2021-12-15
01-00 Roman Danyliw [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw
2021-12-15
01-00 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2021-12-08
01-00 Erik Kline
[Ballot comment]
[P4; nit]

* I think this text may be a tad redundant:

... It is important to note that while the
main focus …
[Ballot comment]
[P4; nit]

* I think this text may be a tad redundant:

... It is important to note that while the
main focus of this working group is telephone numbers, the STIR working group
will not [...] changes to circuit-switched
technologies. Moreover, the work of this group is limited to developing a
solution for telephone numbers.

  Telephone numbers are both the main focus and a strict limitation.
  Possibly this can be rephrased, but it's also not important at all.
2021-12-08
01-00 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2021-12-06
01-00 Murray Kucherawy [Ballot Position Update] Position for Murray Kucherawy has been changed to Yes from No Objection
2021-12-06
01-00 Éric Vyncke
[Ballot comment]
I am just puzzled by the 3rd and 4th paragraph as they seem to indicate that the work has yet to be done, …
[Ballot comment]
I am just puzzled by the 3rd and 4th paragraph as they seem to indicate that the work has yet to be done, STIR specifications written, ... E.g., this sentence uses future tense: "the working group will specify and maintain a SIP header-based mechanism". AFAIK, STIR WG has already published 12 RFC so it has a solid foundation.

This does not prevent re-chartering of course.
2021-12-06
01-00 Éric Vyncke [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke
2021-12-03
01-00 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2021-12-03
01-00 Martin Duke [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke
2021-12-02
01-00 Cindy Morgan Telechat date has been changed to 2021-12-16 from 2013-08-29
2021-12-01
01-00 Murray Kucherawy WG action text was changed
2021-12-01
01-00 Murray Kucherawy WG review text was changed
2021-12-01
01-00 Murray Kucherawy WG review text was changed
2021-12-01
01-00 Murray Kucherawy Created "Ready for external review" ballot
2021-12-01
01-00 Murray Kucherawy State changed to Start Chartering/Rechartering (Internal Steering Group/IAB Review) from Draft Charter
2021-12-01
01-00 Murray Kucherawy State changed to Draft Charter from Approved
2021-12-01
01-00 Murray Kucherawy New version available: charter-ietf-stir-01-00.txt
2020-03-25
01 Amy Vezza Responsible AD changed to Murray Kucherawy from Adam Roach
2018-01-30
01 Amy Vezza Responsible AD changed to Adam Roach from Richard Barnes
2013-08-30
01 Cindy Morgan New version available: charter-ietf-stir-01.txt
2013-08-30
01 Cindy Morgan State changed to Approved from IESG review
2013-08-30
01 Cindy Morgan IESG has approved the charter
2013-08-30
01 Cindy Morgan Closed "Approve" ballot
2013-08-30
01 Cindy Morgan Closed "Ready for external review" ballot
2013-08-30
00-07 Cindy Morgan WG action text was changed
2013-08-30
00-07 Cindy Morgan Version 00-07 added to clean up spacing and move milestones out of charter text and into datatracker tool.
2013-08-30
00-07 Cindy Morgan New version available: charter-ietf-stir-00-07.txt
2013-08-30
00-06 Cindy Morgan Added charter milestone "Submit out-of-band mechanism for Proposed Standard", due June 2014
2013-08-30
00-06 Cindy Morgan Added charter milestone "Submit Privacy analysis for Informational", due April 2014
2013-08-30
00-06 Cindy Morgan Added charter milestone "Submit credential specification for Proposed Standard", due February 2014
2013-08-30
00-06 Cindy Morgan Added charter milestone "Submit in-band mechanism for Proposed Standard", due November 2013
2013-08-30
00-06 Cindy Morgan Added charter milestone "Submit threat model for Informational", due November 2013
2013-08-30
00-06 Cindy Morgan Added charter milestone "Submit problem statement for Informational", due September 2013
2013-08-29
00-06 Richard Barnes New version available: charter-ietf-stir-00-06.txt
2013-08-29
00-05 Stewart Bryant [Ballot Position Update] New position, Yes, has been recorded for Stewart Bryant
2013-08-29
00-05 Sean Turner [Ballot comment]
I like Stephen's suggested changes.
2013-08-29
00-05 Sean Turner [Ballot Position Update] New position, Yes, has been recorded for Sean Turner
2013-08-29
00-05 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2013-08-29
00-05 Spencer Dawkins [Ballot Position Update] New position, Yes, has been recorded for Spencer Dawkins
2013-08-29
00-05 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2013-08-28
00-05 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2013-08-28
00-05 Ted Lemon [Ballot Position Update] New position, No Objection, has been recorded for Ted Lemon
2013-08-28
00-05 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2013-08-28
00-05 Stephen Farrell
[Ballot comment]

Two suggested clarifications, one to help not get confused with cnit
and one nit. Note that I consider #1 in particular to be …
[Ballot comment]

Two suggested clarifications, one to help not get confused with cnit
and one nit. Note that I consider #1 in particular to be a clarification
only, that is, I think the current charter means the same thing but
#2 makes this clearer. (That implies that I'll be liable to DISCUSS
stuff if told that its needed to support non TN name forms.) If that
is a problem then please consider this as a BLOCK position, but
i hope its not a problem.

#1, OLD:

Expansion of the authorization mechanism to identities using the
user@domain form is out of scope.  The work of this group is limited to
developing a solution for telephone numbers.

NEW:

The work of this group is limited to
developing a solution for telephone numbers.
Expansion of the authorization mechanism to identities using the
user@domain or other name forms is out of scope. 

#2, OLD:

The working group will coordinate with the Security Area on credential
management.

NEW:

The working group will coordinate with the Security Area on credential
management and signature mechanics.
2013-08-28
00-05 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2013-08-28
00-05 Pete Resnick
[Ballot comment]
I need some reassurance. A hug would probably do, but an explanation is preferred.

  As its priority mechanism work item, the working …
[Ballot comment]
I need some reassurance. A hug would probably do, but an explanation is preferred.

  As its priority mechanism work item, the working group will specify a
  SIP header-based mechanism for verification that the originator of a
  SIP session is authorized to use the claimed source telephone number,
  where the session is established with SIP end to end.
  [...]
  Credentials used with this mechanism will be derived from existing
  telephone number assignment and delegation models.

Let's start with the second part above. If I want to start my own business to compete with (e.g.) Neustar to provide a credential service for telephone number use, am I out of luck and can't do it because the credentials need to be "derived from existing...assignment and delegation models"? That is, are you saying that I, the new entrepreneur, need to deal with current assignment and delegation authorities? It might be that I won't have a good reputation as a credential provider if I don't do that, but is there a requirement in the protocol work that I do that?

This brings me back to the first part above. Instead of "for verification that the originator of a SIP session is authorized to use", don't you really mean, "to provide a secure authorization credential for the originator's use of"? That is, it's not that "authorized" means "by some final legal or otherwise magical authority", but rather, "by anyone you (the receiver of this information) trust to tell you that the use is authorized", right?

All I want is some assurance that the above quoted text is vernacular that these SIP and security folks will understand, and that nobody is going to think that receivers of this information are getting anything beyond an assurance from someone that they may or may not decide to trust.

  In order to support anonymity, the working group will provide a
  solution in which the called party receives an indication that the
  source telephone number is unavailable.

Could (or should) the WG develop the protocol so that the authorization entity can say, "I know this call doesn't show a phone number, but the caller does have a phone number and they are authorized to use it"?
2013-08-28
00-05 Pete Resnick [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick
2013-08-28
00-05 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel
2013-08-28
00-05 Richard Barnes [Ballot Position Update] New position, Yes, has been recorded for Richard Barnes
2013-08-28
00-05 Richard Barnes Created "Approve" ballot
2013-08-28
00-05 Richard Barnes State changed to IESG review from External review
2013-08-28
00-05 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant
2013-08-23
00-05 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2013-08-21
00-05 Cindy Morgan WG review text was changed
2013-08-21
00-05 Cindy Morgan WG review text was changed
2013-08-21
00-05 Cindy Morgan Telechat date has been changed to 2013-08-29 from 2013-08-15
2013-08-21
00-05 Richard Barnes State changed to External review from Internal review
2013-08-21
00-05 Richard Barnes [Ballot Position Update] Position for Richard Barnes has been changed to Yes from Block
2013-08-21
00-05 Richard Barnes New version available: charter-ietf-stir-00-05.txt
2013-08-20
00-04 Richard Barnes New version available: charter-ietf-stir-00-04.txt
2013-08-19
00-03 Adrian Farrel [Ballot comment]
Thanks for fixing the charter text to resolve my issue.
2013-08-19
00-03 Adrian Farrel [Ballot Position Update] Position for Adrian Farrel has been changed to No Objection from Block
2013-08-19
00-03 Pete Resnick [Ballot Position Update] Position for Pete Resnick has been changed to No Objection from Block
2013-08-19
00-03 Richard Barnes New version available: charter-ietf-stir-00-03.txt
2013-08-19
00-02 Richard Barnes New version available: charter-ietf-stir-00-02.txt
2013-08-16
00-01 Richard Barnes [Ballot block]
Holding pending final check on the list.
2013-08-16
00-01 Richard Barnes [Ballot Position Update] Position for Richard Barnes has been changed to Block from Yes
2013-08-15
00-01 Sean Turner [Ballot Position Update] New position, Yes, has been recorded for Sean Turner
2013-08-15
00-01 Adrian Farrel
[Ballot block]
This is a really picky thing, but I think it is important for how the working group is perceived externally.

The charter text …
[Ballot block]
This is a really picky thing, but I think it is important for how the working group is perceived externally.

The charter text launches with...

> The STIR working group will specify mechanisms for the validation of
> the source telephone number for an incoming call.

From the rest of the document it is completely clear you are restricting to SIP and not worried about POTS. Could you please make this clear in this opening sentence.
2013-08-15
00-01 Adrian Farrel [Ballot Position Update] New position, Block, has been recorded for Adrian Farrel
2013-08-15
00-01 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2013-08-15
00-01 Pete Resnick
[Ballot block]
I'm blocking because I think the following should be clear before going out for external review:

In the body of the charter text …
[Ballot block]
I'm blocking because I think the following should be clear before going out for external review:

In the body of the charter text it says:

  In order to be authoritative, credentials used with this mechanism will
  be derived from existing telephone number assignment and delegation
  models.  That is, when a telephone number or range of telephone numbers
  is delegated to an entity, relevant credentials will be generated (or
  modified) to reflect such delegation.  The mechanism must allow a
  telephone number holder to further delegate and revoke use of a telephone
  number without compromising the global delegation scheme.

I think (but am not sure) that the following deliverable is supposed to address the above:

  - A document describing the credentials required to support
    telephone number identity authentication

But it's not clear to me what is going to be in that document. I want to suggest two additions to the charter. These are purely straw men; I'm pretty sure this is not precisely what you mean to do, but your responses to this will make it clear what you do intend.

1. Add another "The working group will coordinate" paragraph:

  The working group will coordinate with existing telephone number
  assignment and delegation authorities to assure deployability of the
  credentialing mechanism.

2. Add to the end of the deliverable above:

    ...including a description of the deployment practices required by
    telephone number assignment and delegation authorities to maintain
    and distribute those credentials
   
Is it your intention to do anything like the above? If not, are those issues out of scope for the WG to address?
2013-08-15
00-01 Pete Resnick [Ballot Position Update] New position, Block, has been recorded for Pete Resnick
2013-08-14
00-01 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2013-08-14
00-01 Ted Lemon [Ballot Position Update] New position, No Objection, has been recorded for Ted Lemon
2013-08-13
00-01 Richard Barnes [Ballot Position Update] New position, Yes, has been recorded for Richard Barnes
2013-08-13
00-01 Spencer Dawkins
[Ballot comment]
I'm somewhat concerned with this text:

"The STIR working group will specify mechanisms for the validation of
the source telephone number for an …
[Ballot comment]
I'm somewhat concerned with this text:

"The STIR working group will specify mechanisms for the validation of
the source telephone number for an incoming call.  Since it
has become fairly easy to present an incorrect source telephone number, a
growing set of problems have emerged over the last decade.  As with
email, the claimed source identity of a SIP request is not verified,
permitting unauthorized use of the source identity as part of deceptive
and coercive activities, such as robocalling (bulk unsolicited commercial
communications), vishing (voicemail hacking, and impersonating banks) and
swatting (impersonating callers to emergency services to stimulate
unwarranted large scale law enforcement deployments)."

which is correct, but really easy to read outside the IETF as "we told you SIP was a bad idea, because we're seeing more and more spoofed CLIDs and the claimed source identify of a SIP request is not verified".

Is it possible for this paragraph to make it more obvious that spoofed source identities are a problem for all types of telephony, and STIR is going to make things better for SIP?

In this text:

"Several factors contributed to this lack of
success, including: failure of the problem to be seen as critical at the
time; lack of any technical means of producing a proof of authority over
telephone numbers; misalignment of the mechanisms proposed by RFC 4474
with the complex deployment environment that has emerged for SIP; lack of
end-to-end SIP session establishment; and inherent operational problems
with a transitive trust model."

Is STIR supposed to work hop-by-hop (with proxies)? Or will this be limited to SIP sessions established end-to-end? I'm reading the following text as saying "hop-by-hop":

"The working group will coordinate with other working groups in the RAI
Area regarding signaling through existing deployments."
2013-08-13
00-01 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2013-08-13
00-01 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2013-08-12
00-01 Barry Leiba
[Ballot comment]
  The STIR working group will specify mechanisms for the validation of
  the source telephone number for an incoming call.
...
  …
[Ballot comment]
  The STIR working group will specify mechanisms for the validation of
  the source telephone number for an incoming call.
...
  This working group will define
  mechanisms that allow verification of the authorization of the calling
  party to use a particular telephone number.

The beginning sentences lead one to believe that the working group will develop something that confirms *the source telephone number*.  The end of the first paragraph says otherwise: it will confirm that the calling party is authorized to use the telephone number that's presented.

That's not the same thing.  If I call you from my Skype number, the number you will see is my Google Voice number.  That's OK, because all is authorized.  This situation meets what the last sentence says, but not what the first sentence says.

Maybe change the first sentence to this?:
NEW
  The STIR working group will specify mechanisms to assert authorization
  for the source telephone number for an incoming call.
END

  The in-band mechanism must be sent
  to the IESG for approval and publication prior to the out-of-band
  mechanism.

That's "prior to sending the out-of-band mechanism to the IESG," right?  In other words, it's OK for the working group to work on the o-o-b mechanism while they're still arguing about the in-band one?  So it will be up to the WGCs to manage that discussion, and to make sure that ratholing on the o-o-b stuff doesn't get in the way of the in-band deliverable, yes?

  Expansion of the authorization mechanism to identities using the
  user@domain form are deferred since the main focus of the working group
  is to develop a solution for telephone numbers.

This is way too wishy-washy.  It's "deferred"?  The "main focus"?  No, it's out of scope, because telephone numbers are the *only* focus.  Maybe this?:

NEW
  Expansion of the authorization mechanism to identities using the
  user@domain form are out of scope; the working group is limited to
  developing a solution for telephone numbers.
END

Milestones: Does it really make sense to have the mechanism published as a PS *before* doing the privacy analysis?

---------------------------------------------------------------

Purely editorial:

  As its priority mechanism work item, the working group will specify a SIP
  header-based mechanism for verification of the originator of a SIP session is
  authorized to use the claimed source telephone number, where the session
  is established with SIP end to end.

Make it "verification that the originator" ("that", not "of").

  The working group will consider choices for protecting
  identity information and credentials used, but will likely be based on a
  digital signature mechanism that covers

How about this ("the working group" is not the subject of what comes after the comma, and the "but" seems to be the wrong conjunction)?:

NEW
  The working group will consider choices for protecting
  identity information and credentials used.  That protection will likely
  be based on a digital signature mechanism that covers
END

  However, the
  in-band and the out-of-band mechanisms should share as much in common

As with the "but" above, there's no need for the "However"; just start the sentence with the "The".
2013-08-12
00-01 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2013-08-12
00-01 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2013-08-12
00-01 Richard Barnes Placed on agenda for telechat - 2013-08-15
2013-08-12
00-01 Richard Barnes WG action text was changed
2013-08-12
00-01 Richard Barnes WG review text was changed
2013-08-12
00-01 Richard Barnes Created "Ready for external review" ballot
2013-08-12
00-01 Richard Barnes State changed to Internal review from Informal IESG review
2013-08-12
00-01 Richard Barnes Initial review time expires 2013-08-19
2013-08-12
00-01 Richard Barnes State changed to Informal IESG review from Not currently under review
2013-08-12
00-01 Richard Barnes New version available: charter-ietf-stir-00-01.txt
2013-07-25
00-00 Richard Barnes New version available: charter-ietf-stir-00-00.txt
2013-07-25
00-00 Richard Barnes Responsible AD changed to Richard Barnes