[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sip] Signing P-Asserted-Identity
- To: Adam Roach <adam at nostrum.com>
- To: Adam Roach <adam at nostrum.com>
- Subject: Re: [Sip] Signing P-Asserted-Identity
- From: Paul Kyzivat <pkyzivat at cisco.com>
- From: Paul Kyzivat <pkyzivat at cisco.com>
- Date: Fri, 11 Jul 2008 12:52:09 -0400
- Date: Fri, 11 Jul 2008 12:52:09 -0400
- Authentication-results: rtp-dkim-2; header.From=pkyzivat at cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
- Authentication-results: rtp-dkim-2; header.From=pkyzivat at cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
- Cc: sip at ietf.org, "DRAGE, Keith \(Keith\)" <drage at alcatel-lucent.com>, Michael Thomas <mat at cisco.com>, "Elwell, John" <john.elwell at siemens.comFrom sip-bounces at ietf.org Fri Jul 11 09:51:05 2008
- Cc: sip at ietf.org, "DRAGE, Keith \(Keith\)" <drage at alcatel-lucent.com>, Michael Thomas <mat at cisco.com>, "Elwell, John" <john.elwell at siemens.com>, Dan W>, Dan Wing <dwing at cisco.com>
- Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
- Delivered-to: sip at core3.amsl.com
- Delivered-to: ietfarch-sip-archive at core3.amsl.com
- Delivered-to: sip at core3.amsl.com
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1635; t=1215795080; x=1216659080; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pkyzivat at cisco.com; z=From:=20Paul=20Kyzivat=20<pkyzivat at cisco.com> |Subject:=20Re=3A=20[Sip]=20Signing=20P-Asserted-Identity |Sender:=20 |To:=20Adam=20Roach=20<adam at nostrum.com>; bh=S7tubT6ix+dcARAxICw++4X0j1BmjsILj/2oJ3KTjI8=; b=0G1Fe2g74uJ5XsrgPXA0vDQ5f2cHYbyW60q37mcnkWD9uJV6vCHYW4t2Gw v4FirB8PiSDpzjNBeTWPfoQX+cO6izQ8chdGdRn6rUpnt89zqf5VtXiM7amQ 0WkX25nn4w;
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1635; t=1215795080; x=1216659080; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pkyzivat at cisco.com; z=From:=20Paul=20Kyzivat=20<pkyzivat at cisco.com> |Subject:=20Re=3A=20[Sip]=20Signing=20P-Asserted-Identity |Sender:=20 |To:=20Adam=20Roach=20<adam at nostrum.com>; bh=S7tubT6ix+dcARAxICw++4X0j1BmjsILj/2oJ3KTjI8=; b=0G1Fe2g74uJ5XsrgPXA0vDQ5f2cHYbyW60q37mcnkWD9uJV6vCHYW4t2Gw v4FirB8PiSDpzjNBeTWPfoQX+cO6izQ8chdGdRn6rUpnt89zqf5VtXiM7amQ 0WkX25nn4w;
- In-reply-to: <4877812B.1090802@nostrum.com>
- In-reply-to: <4877812B.1090802@nostrum.com>
- List-help: <mailto:sip-request@ietf.org?subject=help>
- List-id: Session Initiation Protocol <sip.ietf.org>
- List-post: <mailto:sip@ietf.org>
- List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
- List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
- References: <E6C2E8958BA59A4FB960963D475F7AC30EEDF3C361@mail.acmepacket.com> <4873B3C5.4020202@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDF3CD21@mail.acmepacket.com> <4873C037.5050203@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDFAA52E@mail.acmepacket.com> <4873ECF2.5030908@nostrum.com> <102a01c8e150$3e05a610$c2f0200a@cisco.com> <48742BC9.2090701@nostrum.com> <051701c8e1d8$de07fc70$c2f0200a@cisco.com> <4874E1A9.1030106@nostrum.com> <029401c8e209$70e52e70$eaa36b80@cisco.com> <48752F47.8060905@nostrum.com> <048901c8e20d$1dddda70$eaa36b80@cisco.com> <48753393.5090307@nostrum.com> <48753605.5010604@cisco.com> <487536D9.900@nostrum.com> <48753B83.40205@cisco.com> <5D1A7985295922448D5550C94DE291800210D663@DEEXC1U01.de.lucent.com> <0D5F89FAC29E2C41B98A6A762007F5D0E3B735@GBNTHT12009MSX.gb002.siemens.net> <4877812B.1090802@nostrum.com>
- References: <E6C2E8958BA59A4FB960963D475F7AC30EEDF3C361@mail.acmepacket.com> <4873B3C5.4020202@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDF3CD21@mail.acmepacket.com> <4873C037.5050203@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDFAA52E@mail.acmepacket.com> <4873ECF2.5030908@nostrum.com> <102a01c8e150$3e05a610$c2f0200a@cisco.com> <48742BC9.2090701@nostrum.com> <051701c8e1d8$de07fc70$c2f0200a@cisco.com> <4874E1A9.1030106@nostrum.com> <029401c8e209$70e52e70$eaa36b80@cisco.com> <48752F47.8060905@nostrum.com> <048901c8e20d$1dddda70$eaa36b80@cisco.com> <48753393.5090307@nostrum.com> <48753605.5010604@cisco.com> <487536D9.900@nostrum.com> <48753B83.40205@cisco.com> <5D1A7985295922448D5550C94DE291800210D663@DEEXC1U01.de.lucent.com> <0D5F89FAC29E2C41B98A6A762007F5D0E3B735@GBNTHT12009MSX.gb002.siemens.net> <4877812B.1090802@nostrum.com>
- Sender: sip-bounces at ietf.org
- User-agent: Thunderbird 2.0.0.14 (Windows/20080421)
- User-agent: Thunderbird 2.0.0.14 (Windows/20080421)
Or, we could put the "original-From" in From, the "original-To" in To, etc.
Paul
Adam Roach wrote:
On 7/11/08 2:56 AM, Elwell, John wrote:
I understand that some service providers expect PAI to identify the
charged user, so accepting any PAI value outside the legitimate range of
the authenticated entity from which the request is received (e.g.,
authenticated at the IPSEC or TLS level) causes them grief. Hence,
considering an enterprise network to be part of their trust domain is
problematic for these service providers. In my opinion, the From URI is
more likely to pass through unchanged than the PAI. But perhaps the best
chance of success is to place the e2e-authenticated identity in some
other header field.
P-Original-From?
Actually, that would work pretty well -- if we add "P-Original-Call-Id,"
"P-Original-CSeq," "P-Original-Contact," and "P-Original-Identity," we
could use RFC 4474 with just minor modification.
Or, even better, we could do away with P-Original-* headers altogether,
and put the relevant header fields (including Identity) in an
application/sipfrag body part. Then, you could use a normal RFC4474
identity service, and add a security mangler to make the signature
SBC-safe.
/a
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip
ing <dwing at cisco.com>
Subject: Re: [Sip] Signing P-Asserted-Identity
X-BeenThere: sip at ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>,
<mailto:sip-request at ietf.org?subject=unsubscribe>
List-Post: <mailto:sip at ietf.org>
List-Help: <mailto:sip-request at ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>,
<mailto:sip-request at ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: sip-bounces at ietf.org
Errors-To: sip-bounces at ietf.org
Or, we could put the "original-From" in From, the "original-To" in To, etc.
Paul
Adam Roach wrote:
On 7/11/08 2:56 AM, Elwell, John wrote:
I understand that some service providers expect PAI to identify the
charged user, so accepting any PAI value outside the legitimate range of
the authenticated entity from which the request is received (e.g.,
authenticated at the IPSEC or TLS level) causes them grief. Hence,
considering an enterprise network to be part of their trust domain is
problematic for these service providers. In my opinion, the From URI is
more likely to pass through unchanged than the PAI. But perhaps the best
chance of success is to place the e2e-authenticated identity in some
other header field.
P-Original-From?
Actually, that would work pretty well -- if we add "P-Original-Call-Id,"
"P-Original-CSeq," "P-Original-Contact," and "P-Original-Identity," we
could use RFC 4474 with just minor modification.
Or, even better, we could do away with P-Original-* headers altogether,
and put the relevant header fields (including Identity) in an
application/sipfrag body part. Then, you could use a normal RFC4474
identity service, and add a security mangler to make the signature
SBC-safe.
/a
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip