A Framework for Consent-Based Communications in the Session Initiation Protocol (SIP)
draft-ietf-sip-consent-framework-04
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
04 | (System) | post-migration administrative database adjustment to the No Objection position for Lisa Dusseault |
2012-08-22
|
04 | (System) | post-migration administrative database adjustment to the No Objection position for Chris Newman |
2012-08-22
|
04 | (System) | post-migration administrative database adjustment to the No Objection position for Tim Polk |
2012-08-22
|
04 | (System) | post-migration administrative database adjustment to the No Objection position for Lars Eggert |
2008-02-11
|
04 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2008-02-08
|
04 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2008-02-08
|
04 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2008-02-08
|
04 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2008-02-07
|
04 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2008-02-07
|
04 | (System) | IANA Action state changed to In Progress |
2008-02-07
|
04 | Amy Vezza | IESG state changed to Approved-announcement sent |
2008-02-07
|
04 | Amy Vezza | IESG has approved the document |
2008-02-07
|
04 | Amy Vezza | Closed "Approve" ballot |
2008-02-07
|
04 | Amy Vezza | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Amy Vezza |
2008-02-07
|
04 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Undefined by Tim Polk |
2008-02-07
|
04 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to Undefined from Discuss by Tim Polk |
2008-01-31
|
04 | Lars Eggert | [Ballot Position Update] Position for Lars Eggert has been changed to No Objection from Discuss by Lars Eggert |
2008-01-31
|
04 | Chris Newman | [Ballot Position Update] Position for Chris Newman has been changed to No Objection from Discuss by Chris Newman |
2008-01-31
|
04 | Lisa Dusseault | [Ballot Position Update] Position for Lisa Dusseault has been changed to No Objection from Discuss by Lisa Dusseault |
2008-01-31
|
04 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2008-01-31
|
04 | (System) | New version available: draft-ietf-sip-consent-framework-04.txt |
2008-01-10
|
04 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2008-01-10
|
04 | Chris Newman | [Ballot discuss] Revising my previous discuss position in light of IESG discussion: Please consider the following three changes: * The document gives the impression that … [Ballot discuss] Revising my previous discuss position in light of IESG discussion: Please consider the following three changes: * The document gives the impression that these exploders often accept postings from anyone, so once a recipient has given authorization to receive postings from an exploder anyone can use the exploder to spam the recipient. After discussion with Cullen, I understand the intent is that there will be a range of possible posting restrictions to such exploders, but this document is concerned only with recipient authorizations so those mechanisms are out of scope. The document needs to be revised to make that clear, at a minimum with a security consideration. * I find the use of HTTP URLs to mean something other than "point your web browser at this page and have the user do what appears on the page" problematic in terms of extensibility. It sounds like this has been a controversial point in the WG as well. While I won't block over this issue, I recommend a mechanism to distinguish "use HTTP in some SIP-specific special way" from "use HTTP in the standard web-client sense". If that involves simply eliminating the SIP-specific way, that would be a good outcome. * I find the mandate to include a SIP URL in all uses of this mechanism to be problematic in terms of extensibility. Specifically the text "At least one of these URIs MUST be a SIP or SIPS URI." It's fine if SIP URLs are the mandatory-to-implement consent mechanism, but forbidding sites from applying a site-policy to use an alternative consent mechanism seems problematic for the future. I view the as a similar issue to mandatory-to-implement authentication vs. mandatory-to-use authentication. Saying "all SIP devices MUST advertise and support use of HTTP digest in all cases" would be a design error, while mandating implementation of HTTP digest is good for interoperability. Also, the security considerations should contain an informative reference to draft-ietf-sipping-spam-05.txt. |
2008-01-10
|
04 | (System) | [Ballot Position Update] New position, No Objection, has been recorded for Sam Hartman by IESG Secretary |
2008-01-09
|
04 | Lisa Dusseault | [Ballot comment] |
2008-01-09
|
04 | Lisa Dusseault | [Ballot discuss] In section 4.1: It is also RECOMMENDED that relays request recipients to refresh their permissions periodically. If a recipient fails to … [Ballot discuss] In section 4.1: It is also RECOMMENDED that relays request recipients to refresh their permissions periodically. If a recipient fails to refresh its permissions for a given period of time, the relay SHOULD delete the permissions related to that recipient. This document ought to have guidance for times when the relay might not refresh permissions or delete them. In particular, it's harmful for relays to request permission and receive it from the human-readable part of the MESSAGE (in the case where the user agent has not implemented the consent framework) and then periodically time out this permission and ask the user again. |
2008-01-09
|
04 | Lisa Dusseault | [Ballot Position Update] Position for Lisa Dusseault has been changed to Discuss from Abstain by Lisa Dusseault |
2008-01-09
|
04 | Lisa Dusseault | [Ballot comment] In section 4.1: It is also RECOMMENDED that relays request recipients to refresh their permissions periodically. If a recipient fails to … [Ballot comment] In section 4.1: It is also RECOMMENDED that relays request recipients to refresh their permissions periodically. If a recipient fails to refresh its permissions for a given period of time, the relay SHOULD delete the permissions related to that recipient. This document ought to have guidance for times when the relay might not refresh permissions or delete them. In particular, it's harmful for relays to request permission and receive it from the human-readable part of the MESSAGE (in the case where the user agent has not implemented the consent framework) and then periodically time out this permission and ask the user again. |
2008-01-09
|
04 | Lisa Dusseault | [Ballot Position Update] New position, Abstain, has been recorded by Lisa Dusseault |
2008-01-02
|
04 | (System) | State Changes to IESG Evaluation from IESG Evaluation - Defer by system |
2007-12-21
|
04 | (System) | Removed from agenda for telechat - 2007-12-20 |
2007-12-20
|
04 | Sam Hartman | State Changes to IESG Evaluation - Defer from IESG Evaluation by Sam Hartman |
2007-12-20
|
04 | David Ward | [Ballot Position Update] New position, No Objection, has been recorded by David Ward |
2007-12-20
|
04 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2007-12-20
|
04 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded by Magnus Westerlund |
2007-12-20
|
04 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded by Jon Peterson |
2007-12-20
|
04 | Russ Housley | [Ballot comment] Many good suggestions were make in the Gen-ART Review by Vijay Gurbani. It can be found at: http://www.alvestrand.no/ietf/gen/reviews/ … [Ballot comment] Many good suggestions were make in the Gen-ART Review by Vijay Gurbani. It can be found at: http://www.alvestrand.no/ietf/gen/reviews/ draft-ietf-sip-consent-framework-03-gurbani.txt |
2007-12-20
|
04 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
2007-12-20
|
04 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2007-12-20
|
04 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded by Jari Arkko |
2007-12-20
|
04 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded by Mark Townsley |
2007-12-20
|
04 | Chris Newman | [Ballot discuss] While I am not a SIP expert, I believe this creates a spam-friendly environment and thus will be problematic in production. My understanding, … [Ballot discuss] While I am not a SIP expert, I believe this creates a spam-friendly environment and thus will be problematic in production. My understanding, based on this document, is that a "SIP Relay" in the SIP world performs a function similar to a mailing list expander in the email world (at least that functionality would be a kind of "SIP Relay"). The consent-based framework for mailing lists has evolved over time as the spam threat has evolved. Current practice is as follows: 1. Lists that allow any sender to post are less common and require a manual moderator in practice to be useful. 2. Lists that allow only list members to post are more common. 3. Lists that are juicy attack targets and perform 2, also have to provide a subscription mechanism that is difficult to automate. Given the present situation with Windows worms on the Internet, I presume spammers have (illegitimate) access to legitimate client credentials so client authentication is not a sufficient defense. Given those assumptions, this proposal is presently too rigid to adapt to the spam threat. Please consider the following three changes: * Provide a way to limit the sender to the set of recipient URIs, or make sure the protocol can accommodate that change in the future. * I find the use of HTTP URLs to mean something other than "point your web browser at this page and have the user do what appears on the page" highly problematic in this context because that is the mechanism likely necessary to address issue 3. * I find the mandate for a SIP URL to be problematic -- specifically the text "At least one of these URIs MUST be a SIP or SIPS URI." If spammers attack, there's likely to be a requirement that a SIP URI not be provided in some cases in order to require HTTP-based captcha or similar mechanisms that are difficult to automate. I recommend making this a SHOULD. Also, the security considerations should contain an informative reference to draft-ietf-sipping-spam-05.txt. |
2007-12-20
|
04 | Chris Newman | [Ballot Position Update] New position, Discuss, has been recorded by Chris Newman |
2007-12-19
|
04 | Tim Polk | [Ballot discuss] What are the semantics of a 470 (Consent Needed) response when the Permission-Missing header field is absent? Section 5.9.2 implies that the Permission-Missing … [Ballot discuss] What are the semantics of a 470 (Consent Needed) response when the Permission-Missing header field is absent? Section 5.9.2 implies that the Permission-Missing header field is optional ("should the response carry one") but it is unclear what a client would do with such a response. |
2007-12-19
|
04 | Tim Polk | [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk |
2007-12-19
|
04 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica |
2007-12-18
|
04 | Lars Eggert | [Ballot discuss] Section 5.3.1., paragraph 6: > Content-Type: application/auth-policy+xml DISCUSS: XML doesn't validate. |
2007-12-18
|
04 | Lars Eggert | [Ballot Position Update] Position for Lars Eggert has been changed to Discuss from Undefined by Lars Eggert |
2007-12-18
|
04 | Lars Eggert | [Ballot Position Update] Position for Lars Eggert has been changed to Undefined from Discuss by Lars Eggert |
2007-12-18
|
04 | Lars Eggert | [Ballot discuss] Section 5.3.1., paragraph 6: > Content-Type: application/auth-policy+xml DISCUSS: XML doesn't validate. |
2007-12-18
|
04 | Lars Eggert | [Ballot Position Update] New position, Discuss, has been recorded by Lars Eggert |
2007-12-13
|
04 | Cullen Jennings | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Cullen Jennings |
2007-12-13
|
04 | Cullen Jennings | State Changes to Waiting for AD Go-Ahead from Waiting for Writeup by Cullen Jennings |
2007-12-13
|
04 | Cullen Jennings | Placed on agenda for telechat - 2007-12-20 by Cullen Jennings |
2007-12-13
|
04 | Cullen Jennings | [Ballot Position Update] New position, Yes, has been recorded for Cullen Jennings |
2007-12-13
|
04 | Cullen Jennings | Ballot has been issued by Cullen Jennings |
2007-12-13
|
04 | Cullen Jennings | Created "Approve" ballot |
2007-12-10
|
04 | (System) | State has been changed to Waiting for Writeup from In Last Call by system |
2007-12-07
|
04 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Kurt Zeilenga. |
2007-11-28
|
04 | Amanda Baber | IANA Last Call comments: Action 1 (section 6.1): Upon approval of this document, the IANA will make the following assignments in the "Session Initiation Protocol … IANA Last Call comments: Action 1 (section 6.1): Upon approval of this document, the IANA will make the following assignments in the "Session Initiation Protocol (SIP) Parameters " registry located at http://www.iana.org/assignments/sip-parameters sub-registry "Response Codes" Response Code Reference ------------- --------- [tbd (470)] Consent Needed [RFC-sip-consent-framework-03] Action 2 (sections 6.3, 6.2): Upon approval of this document, the IANA will make the following assignments in the "Session Initiation Protocol (SIP) Parameters " registry located at http://www.iana.org/assignments/sip-parameters sub-registry "Header Fields" Header Name compact Reference ----------------- ------- --------- Permission-Missing [RFC-sip-consent-framework-03] Trigger-Consent [RFC-sip-consent-framework-03] Action 3 (section 6.4): Upon approval of this document, the IANA will make the following assignments in the "Session Initiation Protocol (SIP) Parameters " registry located at http://www.iana.org/assignments/sip-parameters sub-registry "Header Field Parameters and Parameter Values" Predefined Header Field Parameter Name Values Reference ---------------------------- --------------------------- ---------- --------- Trigger-Consent target-uri No [RFC-sip-consent-framework-03] We understand the above to be the only IANA Actions for this document. |
2007-11-27
|
04 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Kurt Zeilenga |
2007-11-27
|
04 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Kurt Zeilenga |
2007-11-19
|
04 | Amy Vezza | Last call sent |
2007-11-19
|
04 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2007-11-16
|
04 | Cullen Jennings | State Changes to Last Call Requested from AD Evaluation::AD Followup by Cullen Jennings |
2007-11-16
|
04 | Cullen Jennings | Last Call was requested by Cullen Jennings |
2007-11-16
|
04 | (System) | Ballot writeup text was added |
2007-11-16
|
04 | (System) | Last call text was added |
2007-11-16
|
04 | (System) | Ballot approval text was added |
2007-11-13
|
04 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2007-11-13
|
03 | (System) | New version available: draft-ietf-sip-consent-framework-03.txt |
2007-10-06
|
04 | Cullen Jennings | State Changes to AD Evaluation::Revised ID Needed from AD Evaluation by Cullen Jennings |
2007-09-10
|
04 | Cullen Jennings | Merged with draft-ietf-sip-multiple-refer by Cullen Jennings |
2007-09-10
|
04 | Cullen Jennings | State Changes to AD Evaluation from Publication Requested by Cullen Jennings |
2007-09-10
|
04 | Cullen Jennings | State Change Notice email list have been change to sip-chairs@tools.ietf.org, draft-ietf-sip-consent-framwork@tools.ietf.org from sip-chairs@tools.ietf.org |
2007-09-10
|
04 | Cullen Jennings | [Note]: 'Keith Drage is proto shepherd. ' added by Cullen Jennings |
2007-07-13
|
04 | Dinara Suleymanova | PROTO Write-up (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, … PROTO Write-up (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? Keith Drage The document has been reviewed and is ready for forwarding to IESG for publication. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? Document history: - draft-rosenberg-sipping-consent-framework-00 was submitted 8th July 2004 and expired 6th January 2005. - draft-ietf-sipping-consent-framework-00 was submitted 18th October 2004 and expired 18th April 2005. - draft-ietf-sipping-consent-framework-01 was submitted 20th February 2005 and expired 21st August 2005. - draft-ietf-sipping-consent-framework-02 was submitted 18th July 2005 and expired 19th January 2006. - draft-ietf-sipping-consent-framework-03 was submitted 5th October 2005 and expired 8th April 2006. - draft-ietf-sipping-consent-framework-04 was submitted 25th February 2006 and expired 29th August 2006. - draft-ietf-sipping-consent-framework-05 was submitted 12th June 2006 and expired 14th December 2006. - draft-ietf-sip-consent-framework-00 was submitted 17th September 2006 and expired 21st March 2007. - draft-ietf-sip-consent-framework-01 was submitted 26th November 2006 and expired 30th May 2007. - draft-ietf-sip-consent-framework-02 was submitted 5th July 2007 and expires 6th January 2007. WGLC was initiated in the SIP WG on draft-ietf-sip-consent-framework-00 on 25th September 2006 with comments requested by 17th October 2006. Review was made and comments were received from: Jeroen van Bemmel, Shida Schubert, Ben Campbell, AC Mahendran, Mary Barnes. During the course of the work comments have also been made by: Dean Willis, Andrew Allen, Cullen Jennings, Paul Kyzivat, Adam Roach, Geoffrey Dawirs, Miguel Garcia. The document was moved from the SIPPING WG to the SIP WG in conformance with RFC 3427 because it defines new header fields and a response code. Prior review and discussion therefore took place in the SIPPING group. Key discussions have taken place about which methods to use for various parts of the consent framework. The document is closely related with: - draft-ietf-sipping-consent-format-03; - draft-ietf-sipping-pending-additions-02; - draft-ietf-sipping-uri-services-06; - draft-ietf-sip-uri-list-message-01; - draft-ietf-sip-uri-list-subscribe-01; - draft-ietf-sip-uri-list-conferencing-01; - draft-ietf-sip-multiple-refer-01. Both OMA and 3GPP use the uri-list documents (as documented in their PROTO writeups). As these documents have a mandatory normative dependence on the consent framework, then they also need the consent framework. (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization, or XML? The document defines mechanisms that are entirely internal to the Session Initiation Protocol (SIP). The document shepherd considers that no external review from an external specialist is necessary, apart from as follows. While the document was generated as a result of a request from security advisers concerning the original uri-list documents (see above), the document has not had a separate security review, and that should there occur. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. The document defines a new SIP protocol extension for a particular purpose in a form that has been used for many other extensions. The document shepherd has no concerns with the document. There have been no IPR disclosures on this document. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? While the document has been reviewed by appropriate SIP experts, the level of readership of the SIP working group has apparently been low. This may lead one to assume that the contents for this solution are correct, but potentially there could have been other solutions out there that have been missed. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) None indicated. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/.) Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type, and URI type reviews? If the document does not already indicate its intended status at the top of the first page, please indicate the intended status here. The document has been reviewed against the guidelines in RFC 4485 and it is believed that the document is conformant with those guidelines. While the document defines a new SIP response code, and two new SIP header fields, these have been performed as a SIP working group item, and therefore this draft is in conformance with RFC 3427. For ID-NITS the checks against idnits 2.04.09 report no NITS found. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. The document has separate sections for normative and informative references. The normative references have been checked and found to be normative. (1.i) Has the Document Shepherd verified that the document's IANA Considerations section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. If the document describes an Expert Review process, has the Document Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during IESG Evaluation? The document defines the following values that require registration: * Trigger-Consent header field * Permission-Missing header field * target-uri header field parameter to Trigger-Consent header field * 470 response code Section 6 of the document provides the IANA considerations section, and this defines the above. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? The document defines two items in ABNF (Trigger-Consent and Permission-Missing). These augment the ABNF defined in RFC 3261. Both these items pass Bill Fenner's ABNF parser in the tools webpage. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. Working Group Summary Was there anything in the WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type, or other Expert Review, what was its course (briefly)? In the case of a Media Type Review, on what date was the request posted? Personnel Who is the Document Shepherd for this document? Who is the Responsible Area Director? If the document requires IANA experts(s), insert 'The IANA Expert(s) for the registries in this document are .' Technical summary. The Session Initiation Protocol (SIP) supports communications across many media types, including real-time audio, video, text, instant messaging, and presence. In its current form, it allows session invitations, instant messages, and other requests to be delivered from one party to another without requiring explicit consent of the recipient. Without such consent, it is possible for SIP to be used for malicious purposes, including amplification, and DoS (Denial of Service) attacks. This document identifies a framework for consent-based communications in SIP. Working group summary. There is consensus in the working group to publish this document. The document came about due to security area concerns about the need to protect against denial of service attacks and amplification attacks when various relay and uri-list mechanisms are used in SIP. Document Quality There has been no indication of implementation. Personnel The document shepherd for this document was Keith Drage. The responsible Area Director was Cullen Jennings. 'The IANA Expert(s) for the registries in this document are . |
2007-07-13
|
04 | Dinara Suleymanova | Draft Added by Dinara Suleymanova in state Publication Requested |
2007-07-05
|
02 | (System) | New version available: draft-ietf-sip-consent-framework-02.txt |
2006-11-27
|
01 | (System) | New version available: draft-ietf-sip-consent-framework-01.txt |
2006-09-24
|
00 | (System) | New version available: draft-ietf-sip-consent-framework-00.txt |