Session Date/Time: 17 Mar 2025 10:00
stir
Summary
The STIR working group meeting covered several topics, including the STICT draft, JWT claim constraints for ACME, Vesper use cases, and a draft on caller ID verification. A significant portion of the meeting was dedicated to a discussion of the STICT draft and its relationship to Certificate Transparency (CT), with concerns raised about potential divergence from the existing CT standard. The Vesper discussion focused on the need for identifying claim validation in addition to telephone identity verification and the various trust models involved. The final topic, caller ID verification, was considered out of scope for this working group.
Key Discussion Points
- STICT Draft and Certificate Transparency (CT):
  - Ecker raised concerns about replicating data structures from CT in the STICT draft and suggested directly using existing CT logs and protocols to avoid potential forks and inconsistencies.
  - Chris and Rob explained that the intent was to build a persona on top of Trillian for TN authorization list verification.
  - John Peterson pointed out that the definition of mis-issuance differs between web PKI and STIR, influencing the reliance on CT data.
  - The discussion concluded with the understanding that the STICT draft should focus on differentiating aspects from vanilla CT and avoid prescriptive policy statements.
- JWT Claim Constraints for ACME:
  - Chris presented a draft on using JWT claim constraints for ACME challenges in delegate certificates.
  - The draft proposes a new ACME identifier type for JWT claim constraints and authority token validation.
  - The presentation was intended for the ACME working group, with a request for feedback from STIR experts.
- Vesper Use Cases:
  - Chris provided an update on Vesper, focusing on validation of claim information beyond telephone identity, such as rich call data and KYC.
  - Ecker questioned the validity of presenting "Home Depot" as a claim, referencing past failures in the web PKI.
  - John Peterson highlighted the complexities of calling name verification and the potential role of trusted authorities (vetters).
  - A discussion on the trust model occurred, with some participants questioning the need for new code points if existing mechanisms can achieve the same results.
- Caller ID Verification Draft:
  - Fung Hall presented a draft on real-time caller ID verification and security.
  - Discussion centered on the fact that STIR already implements real-time caller ID verification and therefore this draft does not belong in this working group.
  - Concerns were raised regarding statements about SHAKEN, which is an implementation of the STIR standards, but not the protocol itself.
Decisions and Action Items
- STICT Draft:
  - Chris will revise the STICT draft to align with existing CT protocols and data structures, focusing on the differentiating aspects of STIR.
  - The working group will not discuss adoption until the document is restructured to be more CT-compliant.
- Vesper Use Cases:
  - Chris, John, and Ecker will have a side discussion to further refine the Vesper trust model.
  - Clarification of the specific protocol and architecture differences, and whether code point updates are needed.
- Caller ID Verification:
  - This working group will not be working on caller ID verification, as it is already supported by the STIR protocol.
Next Steps
- Chris to revise the STICT draft and present a new iteration.
- Chris to present the JWT claim constraints draft in the ACME working group.
- Chris, John, and Ecker to schedule a side discussion regarding the Vesper trust model.