Markdown Version | Session Recording

Session Date/Time: 23 Jul 2025 12:30

STIR Working Group Meeting - IETF 123

Summary

The STIR working group met to discuss three main topics: Certificate Transparency for STIR certificates, JWT Claim Constraints for ACME, and the Vesper framework. The group also addressed administrative updates including document status and a reference update for RFC 8588. Key discussions focused on the applicability and threat model for certificate transparency in the STIR context, and progress on the Vesper framework simplification.

Key Discussion Points

Document Status Updates

• RFC 9795 on RCD is now published
• Two documents currently with IESG: one approved and waiting for final actions, RFC 4916 update pending author actions
• Certificate OCSP document in IETF last call
• Certificate short-lived document completed working group last call, awaiting shepherd write-up

Certificate Transparency for STIR

• Threat Model Discussion: Extensive debate on the specific threats CT addresses in STIR context vs. WebPKI
  • Missisuance of SPC codes in certificates
  • Incorrect telephone number validation by CAs
  • Rogue CA certificate issuance
• Competition Concerns: Discussion about potential for CT policies to favor certain classes of entities over others in pluralist environments
• Technical Benefits:
  • Detection of certificates issued with unauthorized service provider codes
  • Monitoring capability for legitimate certificate holders
  • Forensic value for investigating certificate misuse
• Implementation Details: Focus on profiling RFC 6962 for STIR context rather than redefining CT mechanisms

JWT Claim Constraints in ACME

• Informational Update: Progress on ACME draft for authority token profiles
• Technical Approach: Two certificate extensions defined in RFC 8226, creating authority token profile for potential RCD and delegate certificate usage
• Examples Provided: Basic RCD usage patterns with permitted and excluded claim values
• Status: Moving toward adoption in ACME working group with positive feedback

Vesper Framework

• Major Simplification: Wholesale revision based on IETF 122 feedback to focus on current STIR tools and scope
• Scope Definition: Limited to delegate certificates with telephone number scope, TN and JWT claim constraints usage
• Architecture: Framework for authority token management, number assignment validation, and KYC/vetting processes
• Privacy Features: Hash mechanisms to protect sensitive data while maintaining integrity verification
• Modularity: Suggestion to make certificate transparency support more modular rather than tightly coupled

RFC 8588 Reference Update

• Issue: Referenced ATIS specification version no longer available due to ATIS versioning practices
• Solution: Update to persistent reference for current v3 version, potentially hosted by SIP Forum
• Process: New draft submitted to address reference issues and incorporate incremental updates

Decisions and Action Items

• Certificate Transparency: No formal objection to call for adoption - proceeding with adoption process
• Vesper Framework: Not calling for adoption yet, seeking additional feedback round before proceeding
• RFC 8588 Update: Chris Wendt to initiate mailing list discussion on the reference update draft
• ACME JWT Constraints: Continue progress in ACME working group with STIR awareness

Next Steps

• Issue call for adoption on Certificate Transparency draft
• Solicit additional feedback on Vesper framework before adoption consideration
• Begin mailing list discussion on RFC 8588 reference update
• Continue ACME working group process for JWT claim constraints
• Incorporate feedback on certificate transparency modularity suggestions for Vesper