
Re: [Sip] Signing P-Asserted-Identity



Keith,

I understand that some service providers expect PAI to identify the
charged user, so accepting any PAI value outside the legitimate range of
the authenticated entity from which the request is received (e.g.,
authenticated at the IPSEC or TLS level) causes them grief. Hence,
considering an enterprise network to be part of their trust domain is
problematic for these service providers. In my opinion, the From URI is
more likely to pass through unchanged than the PAI. But perhaps the best
chance of success is to place the e2e-authenticated identity in some
other header field.

John

> -----Original Message-----
> From: sip-bounces at ietf.org [mailto:sip-bounces at ietf.org] On Behalf Of DRAGE, Keith (Keith)
> Sent: 10 July 2008 10:56
> To: Jonathan Rosenberg; Adam Roach
> Cc: sip at ietf.org; Michael Thomas; Dan Wing
> Subject: Re: [Sip] Signing P-Asserted-Identity
> 
> If you are talking enterprise to some sort of public service provider
> you will get both cases happening, and possibly on the same interface
> between the two providers.
> 
> It may well be distinguished based on whether the traffic is public
> network traffic or private network traffic, see the definitions in
> 
> http://www.ietf.org/internet-drafts/draft-vanelburg-sipping-private-network-indication-01.txt
> (revision expected shortly)
> 
> For public network traffic, the situation you are talking about has wide
> acceptance for the PSTN in the US, but virtually no appearance in the
> PSTNs of some European countries. When these operators go to IP, you can
> expect the same approach to P-Asserted-Identity.
> 
> For private network traffic, I would expect the trust domain to
> encompass the enterprise and the public service provider for the support
> of such a capability to make any sense, but there are still some awkward
> public service providers out there.
> 
> Regards
> 
> Keith
> 
> > -----Original Message-----
> > From: sip-bounces at ietf.org [mailto:sip-bounces at ietf.org] On Behalf Of Jonathan Rosenberg
> > Sent: Wednesday, July 09, 2008 11:28 PM
> > To: Adam Roach
> > Cc: sip at ietf.org; 'Michael Thomas'; Dan Wing
> > Subject: Re: [Sip] Signing P-Asserted-Identity
> > 
> > I had assumed enterprises would be part of the trust domain of the
> > provider.
> > 
> > -Jonathan R.
> > 
> > Adam Roach wrote:
> > > On 7/9/08 5:04 PM, Jonathan Rosenberg wrote:
> > >> Bringing this back to the original topic:
> > >>
> > >> I did not think Hadriel's draft was proposing that PAI get stripped at
> > >> that boundary.
> > > 
> > > From the abstract: "The use of these extensions is only applicable
> > > inside a set of administrative domains with previously agreed-upon
> > > policies for generation, transport and usage of such information."
> > > 
> > > This means that there's either an agreement with the ITSPs (which I'm
> > > arguing have demonstrably no interest in making this happen), or the
> > > information is stripped before handing to the ITSPs. Or am I missing
> > > something?
> > > 
> > > /a
> > > 
> > 
> > -- 
> > Jonathan D. Rosenberg, Ph.D.                   499 Thornall St.
> > Cisco Fellow                                   Edison, NJ 08837
> > Cisco, Voice Technology Group
> > jdrosen at cisco.com
> > http://www.jdrosen.net                         PHONE: (408) 902-3084
> > http://www.cisco.com
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip
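
The screening discussed in the message above, where a provider accepts a P-Asserted-Identity only when it lies inside the range provisioned for the authenticated peer, sketched as an added example (not part of the thread or of any draft it mentions). The peer table, the drop-and-replace policy and every name in the code are assumptions; folded header lines are not handled and display names are not preserved.

```python
import re

# Constructed provisioning data (assumption): the identities each peer may
# assert, keyed by the peer name verified at the TLS or IPsec layer.
PEER_RANGES = {
    "pbx.enterprise.example": {
        "domains": {"enterprise.example"},
        "tel_prefixes": ("+1408555",),
        "default": "sip:+14085550100@enterprise.example",
    },
}
# Constructed request: the quoted display name carries an in-range URI.
SAMPLE = ('INVITE sip:bob@provider.example SIP/2.0\r\n'
          'P-Asserted-Identity: "sip:a@enterprise.example" <sip:ceo@bank.example>\r\n\r\n')
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted display names

def extract_uris(value):
    """URIs from one PAI header value, ignoring quoted display names."""
    parts = QUOTED.sub("", value).split(",")
    found = [(re.search(r"<([^>]*)>", p), p) for p in parts]
    return [m.group(1).strip() if m else p.split(";")[0].strip() for m, p in found]

def in_range(uri, rng):
    """True if the asserted URI lies inside the peer's provisioned range."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() == "tel":
        return re.sub(r"[-.()]", "", rest).startswith(rng["tel_prefixes"])
    if scheme.lower() not in ("sip", "sips") or rest.count("@") > 1:
        return False  # unknown scheme or ambiguous URI: fail closed
    user, _, host = rest.rpartition("@")
    if re.split(r"[;?:]", host)[0].lower() not in rng["domains"]:
        return False
    # A phone-number user part must also fall inside the number range.
    return not user.startswith("+") or user.startswith(rng["tel_prefixes"])

def screen_pai(request, peer):
    """Drop out-of-range PAI values; assert the peer default if none remain."""
    rng = PEER_RANGES.get(peer)  # unknown peer: every PAI value is removed
    head, sep, body = request.partition("\r\n\r\n")
    kept, dropped, good = [], [], []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "p-asserted-identity":
            kept.append(line)
            continue
        for uri in extract_uris(value):
            (good if rng and in_range(uri, rng) else dropped).append(uri)
    good = good or ([rng["default"]] if rng else [])
    kept += ["P-Asserted-Identity: <%s>" % u for u in good]
    return "\r\n".join(kept) + sep + body, dropped
```

`screen_pai(SAMPLE, "pbx.enterprise.example")` returns the rewritten request together with the list of rejected values, which is what a border element would log for the peer in question.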