[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] Signing P-Asserted-Identity

To: Paul Kyzivat <pkyzivat at cisco.com>, Adam Roach <adam at nostrum.com>
Subject: Re: [Sip] Signing P-Asserted-Identity
From: "Elwell, John" <john.elwell at siemens.com>
Date: Fri, 11 Jul 2008 17:52:48 +0100
Cc: sip at ietf.org, Michael Thomas <mat at cisco.com>, "DRAGE, Keith $Keith$" <drage at alcatel-lucent.com>, Dan Wing <dwing at cisco.com>
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <48778FB9.4070206@cisco.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <E6C2E8958BA59A4FB960963D475F7AC30EEDF3C361@mail.acmepacket.com> <4873B3C5.4020202@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDF3CD21@mail.acmepacket.com> <4873C037.5050203@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDFAA52E@mail.acmepacket.com> <4873ECF2.5030908@nostrum.com> <102a01c8e150$3e05a610$c2f0200a@cisco.com> <48742BC9.2090701@nostrum.com> <051701c8e1d8$de07fc70$c2f0200a@cisco.com> <4874E1A9.1030106@nostrum.com> <029401c8e209$70e52e70$eaa36b80@cisco.com> <48752F47.8060905@nostrum.com> <048901c8e20d$1dddda70$eaa36b80@cisco.com> <48753393.5090307@nostrum.com> <48753605.5010604@cisco.com> <487536D9.900@nostrum.com> <48753B83.40205@cisco.com> <5D1A7985295922448D5550C94DE291800210D663@DEEXC1U01.de.lucent.com> <0D5F89FAC29E2C41B98A6A762007F5D0E3B735@GBNTHT12009MSX.gb002.siemens.net> <4877812B.1090802@nostrum.com> <48778FB9.4070206@cisco.com>
Sender: sip-bounces at ietf.org
Thread-index: AcjjdlmeB9rpr7lOSmaNAkXZy3I3HwAACGqQ
Thread-topic: [Sip] Signing P-Asserted-Identity

Which would be ideal, if we were sure of getting them through service
providers unchanged.

John 

> -----Original Message-----
> From: Paul Kyzivat [mailto:pkyzivat at cisco.com] 
> Sent: 11 July 2008 17:52
> To: Adam Roach
> Cc: Elwell, John; sip at ietf.org; Michael Thomas; DRAGE, Keith 
> (Keith); Dan Wing
> Subject: Re: [Sip] Signing P-Asserted-Identity
> 
> Or, we could put the "original-From" in From, the 
> "original-To" in To, etc.
> 
> 	Paul
> 
> Adam Roach wrote:
> > On 7/11/08 2:56 AM, Elwell, John wrote:
> >> I understand that some service providers expect PAI to identify the
> >> charged user, so accepting any PAI value outside the 
> legitimate range of
> >> the authenticated entity from which the request is received (e.g.,
> >> authenticated at the IPSEC or TLS level) causes them grief. Hence,
> >> considering an enterprise network to be part of their 
> trust domain is
> >> problematic for these service providers. In my opinion, 
> the From URI is
> >> more likely to pass through unchanged than the PAI. But 
> perhaps the best
> >> chance of success is to place the e2e-authenticated 
> identity in some
> >> other header field.
> >>   
> > 
> > P-Original-From?
> > 
> > Actually, that would work pretty well -- if we add 
> "P-Original-Call-Id," 
> > "P-Original-CSeq," "P-Original-Contact," and 
> "P-Original-Identity," we 
> > could use RFC 4474 with just minor modification.
> > 
> > Or, even better, we could do away with P-Original-* headers 
> altogether, 
> > and put the relevant header fields (including Identity) in an 
> > application/sipfrag body part. Then, you could use a normal RFC4474 
> > identity service, and add a security mangler to make the signature 
> > SBC-safe.
> > 
> > /a
> > _______________________________________________
> > Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> > This list is for NEW development of the core SIP Protocol
> > Use sip-implementors at cs.columbia.edu for questions on current sip
> > Use sipping at ietf.org for new developments on the application of sip
> > 
> 
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas

References:
- [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas
- Re: [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas
- Re: [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Adam Roach
- Re: [Sip] Signing P-Asserted-Identity
  - From: Dan Wing
- Re: [Sip] Signing P-Asserted-Identity
  - From: Adam Roach
- Re: [Sip] Signing P-Asserted-Identity
  - From: Dan Wing
- Re: [Sip] Signing P-Asserted-Identity
  - From: Adam Roach
- Re: [Sip] Signing P-Asserted-Identity
  - From: Dan Wing
- Re: [Sip] Signing P-Asserted-Identity
  - From: Adam Roach
- Re: [Sip] Signing P-Asserted-Identity
  - From: Dan Wing
- Re: [Sip] Signing P-Asserted-Identity
  - From: Adam Roach
- Re: [Sip] Signing P-Asserted-Identity
  - From: Jonathan Rosenberg
- Re: [Sip] Signing P-Asserted-Identity
  - From: Adam Roach
- Re: [Sip] Signing P-Asserted-Identity
  - From: Jonathan Rosenberg
- Re: [Sip] Signing P-Asserted-Identity
  - From: DRAGE, Keith $Keith$
- Re: [Sip] Signing P-Asserted-Identity
  - From: Elwell, John
- Re: [Sip] Signing P-Asserted-Identity
  - From: Adam Roach
- Re: [Sip] Signing P-Asserted-Identity
  - From: Paul Kyzivat

Prev by Date: Re: [Sip] Signing P-Asserted-Identity
Next by Date: Re: [Sip] Signing P-Asserted-Identity
Previous by thread: Re: [Sip] Signing P-Asserted-Identity
Next by thread: Re: [Sip] Signing P-Asserted-Identity
Index(es):
- Date
- Thread