Last Call Review of draft-ietf-stir-passport-divert-07
review-ietf-stir-passport-divert-07-secdir-lc-hallam-baker-2019-11-30-00

Request Review of draft-ietf-stir-passport-divert
Requested rev. no specific revision (document currently at 07)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-12-02
Requested 2019-11-18
Authors Jon Peterson
Draft last updated 2019-11-30
Completed reviews Opsdir Last Call review of -07 by Linda Dunbar
Genart Last Call review of -07 by Pete Resnick
Secdir Last Call review of -07 by Phillip Hallam-Baker
Assignment Reviewer Phillip Hallam-Baker
State Completed
Review review-ietf-stir-passport-divert-07-secdir-lc-hallam-baker-2019-11-30
Posted at https://mailarchive.ietf.org/arch/msg/secdir/W4SAX3ULRunvER1SJTvrOtXyLP0
Reviewed rev. 07
Review result Has Issues
Review completed: 2019-11-30

Review
review-ietf-stir-passport-divert-07-secdir-lc-hallam-baker-2019-11-30

Section 1: Introduction

"If Alice calls Bob, for example, Bob might attempt to ..."

Alice, Bob and Carol are people. People do not emit JSON strings, create signatures or do any of the things they are described as being engaged in. Only the machines the people might possess can do such things. Anthropomorphising Turing machines results in language that is hard to follow at best and renders any attempt to consider UI issues impossible.

Section 12: Security Considerations

Is this going to create new means of injecting spam? It looks like it might. Consider the case in which Sue the spammer sets up a single genuine call between X and Y, then creates forwarding associations for 10,000 endpoints Z0-9999. Also consider reflection type attacks in which callers responding to spam have their numbers harvested for spoof source addresses for further spam.