A Framework for Consent-Based Communications in the Session Initiation Protocol (SIP)
draft-ietf-sip-consent-framework-04

[Ballot discuss]
Revising my previous discuss position in light of IESG discussion:

Please consider the following three changes:

* The document gives the impression that these exploders often accept
postings from anyone, so once a recipient has given authorization to
receive postings from an exploder anyone can use the exploder to spam
the recipient.  After discussion with Cullen, I understand the intent
is that there will be a range of possible posting restrictions to such
exploders, but this document is concerned only with recipient
authorizations so those mechanisms are out of scope.  The document
needs to be revised to make that clear, at a minimum with a security
consideration.

* I find the use of HTTP URLs to mean something other than "point
your web browser at this page and have the user do what appears
on the page" problematic in terms of extensibility.  It sounds like
this has been a controversial point in the WG as well.  While I won't
block over this issue, I recommend a mechanism to distinguish
"use HTTP in some SIP-specific special way" from "use HTTP in the
standard web-client sense".  If that involves simply eliminating the
SIP-specific way, that would be a good outcome.

* I find the mandate to include a SIP URL in all uses of this mechanism
to be problematic in terms of extensibility.  Specifically
the text "At least one of these URIs MUST be a SIP or SIPS URI."  It's
fine if SIP URLs are the mandatory-to-implement consent mechanism, but
forbidding sites from applying a site-policy to use an alternative
consent mechanism seems problematic for the future.  I view the as a
similar issue to mandatory-to-implement authentication vs.
mandatory-to-use authentication.  Saying "all SIP devices MUST advertise
and support use of HTTP digest in all cases" would be a design error,
while mandating implementation of HTTP digest is good for
interoperability.

Also, the security considerations should contain an informative
reference to draft-ietf-sipping-spam-05.txt.

[Ballot discuss]
In section 4.1:

  It is also RECOMMENDED that relays request recipients to refresh
  their permissions periodically.  If a recipient fails to refresh its
  permissions for a given period of time, the relay SHOULD delete the
  permissions related to that recipient.

This document ought to have guidance for times when the relay might not refresh permissions or delete them.  In particular, it's harmful for relays to request permission and receive it from the human-readable part of the MESSAGE (in the case where the user agent has not implemented the consent framework) and then periodically time out this permission and ask the user again.

[Ballot comment]
In section 4.1:

  It is also RECOMMENDED that relays request recipients to refresh
  their permissions periodically.  If a recipient fails to refresh its
  permissions for a given period of time, the relay SHOULD delete the
  permissions related to that recipient.

This document ought to have guidance for times when the relay might not refresh permissions or delete them.  In particular, it's harmful for relays to request permission and receive it from the human-readable part of the MESSAGE (in the case where the user agent has not implemented the consent framework) and then periodically time out this permission and ask the user again.

[Ballot comment]
Many good suggestions were make in the Gen-ART Review by Vijay Gurbani.
  It can be found at:

    http://www.alvestrand.no/ietf/gen/reviews/
    draft-ietf-sip-consent-framework-03-gurbani.txt

[Ballot discuss]
While I am not a SIP expert, I believe this creates a spam-friendly
environment and thus will be problematic in production.  My
understanding, based on this document, is that a "SIP Relay" in the
SIP world performs a function similar to a mailing list expander in
the email world (at least that functionality would be a kind of
"SIP Relay").

The consent-based framework for mailing lists has evolved over time as
the spam threat has evolved.  Current practice is as follows:

1. Lists that allow any sender to post are less common
  and require a manual moderator in practice to be useful.
2. Lists that allow only list members to post are more common.
3. Lists that are juicy attack targets and perform 2, also have to
  provide a subscription mechanism that is difficult to automate.

Given the present situation with Windows worms on the Internet, I
presume spammers have (illegitimate) access to legitimate client
credentials so client authentication is not a sufficient defense.

Given those assumptions, this proposal is presently too rigid to adapt
to the spam threat.

Please consider the following three changes:

* Provide a way to limit the sender to the set of recipient URIs, or
make sure the protocol can accommodate that change in the future.

* I find the use of HTTP URLs to mean something other than "point
your web browser at this page and have the user do what appears
on the page" highly problematic in this context because that is
the mechanism likely necessary to address issue 3.

* I find the mandate for a SIP URL to be problematic -- specifically
the text "At least one of these URIs MUST be a SIP or SIPS URI."  If
spammers attack, there's likely to be a requirement that a SIP URI not
be provided in some cases in order to require HTTP-based captcha or
similar mechanisms that are difficult to automate.  I recommend making
this a SHOULD.

Also, the security considerations should contain an informative
reference to draft-ietf-sipping-spam-05.txt.

[Ballot discuss]
What are the semantics of a 470 (Consent Needed) response when the Permission-Missing header
field is absent?  Section 5.9.2 implies that the Permission-Missing header field is optional ("should
the response carry one") but it is unclear what a client would do with such a response.

IANA Last Call comments:

Action 1 (section 6.1):

Upon approval of this document, the IANA will make the following assignments in the "Session Initiation Protocol (SIP) Parameters " registry located at
http://www.iana.org/assignments/sip-parameters
sub-registry "Response Codes"

Response Code Reference
------------- ---------
[tbd (470)] Consent Needed [RFC-sip-consent-framework-03]


Action 2 (sections 6.3, 6.2):

Upon approval of this document, the IANA will make the following assignments in the "Session Initiation Protocol (SIP) Parameters " registry located at
http://www.iana.org/assignments/sip-parameters
sub-registry "Header Fields"

Header Name compact Reference
----------------- ------- ---------
Permission-Missing [RFC-sip-consent-framework-03]
Trigger-Consent [RFC-sip-consent-framework-03]

Action 3 (section 6.4):

Upon approval of this document, the IANA will make the following assignments in the "Session Initiation Protocol (SIP) Parameters " registry located at
http://www.iana.org/assignments/sip-parameters
sub-registry "Header Field Parameters and Parameter Values"

Predefined
Header Field Parameter Name Values Reference
---------------------------- --------------------------- ---------- ---------
Trigger-Consent target-uri No
[RFC-sip-consent-framework-03]

We understand the above to be the only IANA Actions for this document.

PROTO Write-up

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Keith Drage

The document has been reviewed and is ready for forwarding to IESG for publication.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

Document history:

- draft-rosenberg-sipping-consent-framework-00 was submitted 8th July 2004 and
expired 6th January 2005.
- draft-ietf-sipping-consent-framework-00 was submitted 18th October 2004 and
expired 18th April 2005.
- draft-ietf-sipping-consent-framework-01 was submitted 20th February 2005 and
expired 21st August 2005.
- draft-ietf-sipping-consent-framework-02 was submitted 18th July 2005 and expired
19th January 2006.
- draft-ietf-sipping-consent-framework-03 was submitted 5th October 2005 and
expired 8th April 2006.
- draft-ietf-sipping-consent-framework-04 was submitted 25th February 2006 and
expired 29th August 2006.
- draft-ietf-sipping-consent-framework-05 was submitted 12th June 2006 and expired
14th December 2006.
- draft-ietf-sip-consent-framework-00 was submitted 17th September 2006 and expired
21st March 2007.
- draft-ietf-sip-consent-framework-01 was submitted 26th November 2006 and expired
30th May 2007.
- draft-ietf-sip-consent-framework-02 was submitted 5th July 2007 and expires 6th
January 2007.

WGLC was initiated in the SIP WG on draft-ietf-sip-consent-framework-00 on 25th September
2006 with comments requested by 17th October 2006.

Review was made and comments were received from: Jeroen van Bemmel, Shida Schubert, Ben
Campbell, AC Mahendran, Mary Barnes. During the course of the work comments have also
been made by: Dean Willis, Andrew Allen, Cullen Jennings, Paul Kyzivat, Adam Roach,
Geoffrey Dawirs, Miguel Garcia.

The document was moved from the SIPPING WG to the SIP WG in conformance with RFC 3427
because it defines new header fields and a response code. Prior review and discussion
therefore took place in the SIPPING group.

Key discussions have taken place about which methods to use for various parts of the
consent framework.

The document is closely related with:

- draft-ietf-sipping-consent-format-03;
- draft-ietf-sipping-pending-additions-02;
- draft-ietf-sipping-uri-services-06;
- draft-ietf-sip-uri-list-message-01;
- draft-ietf-sip-uri-list-subscribe-01;
- draft-ietf-sip-uri-list-conferencing-01;
- draft-ietf-sip-multiple-refer-01.

Both OMA and 3GPP use the uri-list documents (as documented in their PROTO writeups). As
these documents have a mandatory normative dependence on the consent framework, then
they also need the consent framework.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization, or XML?

The document defines mechanisms that are entirely internal to the Session Initiation
Protocol (SIP). The document shepherd considers that no external review from an external
specialist is necessary, apart from as follows.

While the document was generated as a result of a request from security advisers
concerning the original uri-list documents (see above), the document has not had a
separate security review, and that should there occur.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

The document defines a new SIP protocol extension for a particular purpose in a form
that has been used for many other extensions. The document shepherd has no concerns with
the document.

There have been no IPR disclosures on this document.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

While the document has been reviewed by appropriate SIP experts, the level of readership
of the SIP working group has apparently been low. This may lead one to assume that the
contents for this solution are correct, but potentially there could have been other
solutions out there that have been missed.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

None indicated.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/.) Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type, and URI type reviews? If the document
does not already indicate its intended status at the top of
the first page, please indicate the intended status here.

The document has been reviewed against the guidelines in RFC 4485 and it is believed
that the document is conformant with those guidelines.

While the document defines a new SIP response code, and two new SIP header fields, these
have been performed as a SIP working group item, and therefore this draft is in
conformance with RFC 3427.

For ID-NITS the checks against idnits 2.04.09 report no NITS found.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

The document has separate sections for normative and informative references. The
normative references have been checked and found to be normative.

(1.i) Has the Document Shepherd verified that the document's IANA
Considerations section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC2434]. If the
document describes an Expert Review process, has the Document
Shepherd conferred with the Responsible Area Director so that
the IESG can appoint the needed Expert during IESG Evaluation?

The document defines the following values that require registration:

* Trigger-Consent header field
* Permission-Missing header field
* target-uri header field parameter to Trigger-Consent header field
* 470 response code

Section 6 of the document provides the IANA considerations section, and this defines the
above.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

The document defines two items in ABNF (Trigger-Consent and Permission-Missing). These
augment the ABNF defined in RFC 3261.

Both these items pass Bill Fenner's ABNF parser in the tools webpage.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up. Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary
Relevant content can frequently be found in the abstract
and/or introduction of the document. If not, this may be
an indication that there are deficiencies in the abstract
or introduction.

Working Group Summary
Was there anything in the WG process that is worth noting?
For example, was there controversy about particular points
or were there decisions where the consensus was
particularly rough?

Document Quality
Are there existing implementations of the protocol? Have a
significant number of vendors indicated their plan to
implement the specification? Are there any reviewers that
merit special mention as having done a thorough review,
e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If
there was a MIB Doctor, Media Type, or other Expert Review,
what was its course (briefly)? In the case of a Media Type
Review, on what date was the request posted?

Personnel
Who is the Document Shepherd for this document? Who is the
Responsible Area Director? If the document requires IANA
experts(s), insert 'The IANA Expert(s) for the registries
in this document are .'

Technical summary.

The Session Initiation Protocol (SIP) supports communications across many media types,
including real-time audio, video, text, instant messaging, and presence. In its current
form, it allows session invitations, instant messages, and other requests to be
delivered from one party to another without requiring explicit consent of the recipient.
Without such consent, it is possible for SIP to be used for malicious purposes,
including amplification, and DoS (Denial of Service) attacks. This document identifies
a framework for consent-based communications in SIP.

Working group summary.

There is consensus in the working group to publish this document. The document came
about due to security area concerns about the need to protect against denial of service
attacks and amplification attacks when various relay and uri-list mechanisms are used in
SIP.

Document Quality

There has been no indication of implementation.

Personnel

The document shepherd for this document was Keith Drage. The responsible Area Director
was Cullen Jennings. 'The IANA Expert(s) for the registries in this document are .