[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] draft-ietf-sip-media-security-requirements-05

To: Dan Wing <dwing at cisco.com>
Subject: Re: [Sip] draft-ietf-sip-media-security-requirements-05
From: Dan York <dyork at voxeo.com>
Date: Tue, 13 May 2008 08:38:33 -0400
Cc: 'IETF SIP List' <sip at ietf.org>, "'Fries, Steffen $CT$'" <steffen.fries at siemens.com>, 'Dean Willis' <dean.willis at softarmor.com>
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <03f901c8afde$ee9398f0$c3f0200a@cisco.com>
List-archive: <https://www.ietf.org/mailman/private/sip>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <066701c8af02$2445f8e0$c3f0200a@cisco.com> <20080506000110.499525081A@romeo.rtfm.com> <03f901c8afde$ee9398f0$c3f0200a@cisco.com>
Sender: sip-bounces at ietf.org

>
Dan,

> The wordsmithing task falls to me, I suppose.
>
> Here is another straw man, which I think captures your sentence
> above your signature and your [0] comment:
>
>      R-CERTS:
>
>      The media security key management protocol MUST NOT require
>      using a trust anchor to validate credentials (e.g., a
>      certificate) or to obtain credentials (e.g., a private key)
>      used in the protocol.

Your wordsmithing is fine by me.  I also liked the discussion you  
included in section 4.9 which explains the rationale for this  
requirement more.

  	4.9. Certificates	
				
			The discussion in this section relates to R-CERTS.	
				
			On the Internet and on some private networks, validating another	
			peer's certificate is often done through a trust anchor -- a list of	
			Certificate Authorities that are trusted. It can be difficult or	
			expensive for a peer to obtain these certificates. In all cases,	
			both parties to the call would need to trust the same trust anchor	
			(i.e., "certificate authority"). For these reasons, it is important	
			that authentication mechanisms that utilize trust anchors not rely	
			exclusively on such Certificate Authority-issued certificates, but  
to	
			also allow self-signed certificates. By allowing the use of such	
			self-signed certificates, an out-of-band mechanism (e.g., manual	
			configuration) can be used to trust a peer's certificate.

Regards,
Dan

-- 
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO    Voxeo Corporation     dyork at voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com

Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free





_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] draft-ietf-sip-media-security-requirements-05
  - From: Eric Rescorla

References:
- [Sip] draft-ietf-sip-media-security-requirements-05
  - From: Dan Wing
- Re: [Sip] draft-ietf-sip-media-security-requirements-05
  - From: Eric Rescorla
- Re: [Sip] draft-ietf-sip-media-security-requirements-05
  - From: Dan Wing

Prev by Date: Re: [Sip] draft-ietf-sip-outbound
Next by Date: Re: [Sip] draft-ietf-sip-media-security-requirements-05
Previous by thread: Re: [Sip] draft-ietf-sip-media-security-requirements-05
Next by thread: Re: [Sip] draft-ietf-sip-media-security-requirements-05
Index(es):
- Date
- Thread