Re: [Sip] Signing P-Asserted-Identity
- To: "Elwell, John" <john.elwell at siemens.com>
- Subject: Re: [Sip] Signing P-Asserted-Identity
- From: Michael Thomas <mat at cisco.com>
- Date: Fri, 11 Jul 2008 11:48:10 -0700
- Authentication-results: imail.cisco.com; header.From=mat at cisco.com; dkim=pass ( sig from cisco.com/oregon verified; );
- Cc: sip at ietf.org, "DRAGE, Keith \(Keith\)" <drage at alcatel-lucent.com>, Paul Kyzivat <pkyzivat at cisco.com>, Adam Roach <adam at nostrum.com>, Dan Wing <dwing at cisco.com>
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1301; t=1215800775; x=1216664775; c=relaxed/simple; s=oregon; h=To:Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mat at cisco.com; z=From:=20Michael=20Thomas=20<mat at cisco.com> |Subject:=20Re=3A=20[Sip]=20Signing=20P-Asserted-Identity |Sender:=20 |To:=20=22Elwell,=20John=22=20<john.elwell at siemens.com>; bh=OgBjU8vjzw1ZUi0YfSh6TLsKy5JRxwU827QvINnq9bg=; b=E+IKnWAWByysZtKGKQi/X346IgmnqkX9yMDlc+CZz6LLiOeNdtuc6oEBSr lswuATyyMZiixTfyAG0e/D5bsWwTURxaVuFk8jVcN4Si4x0PNb1ph5SDcJdW WevbT+lpDQ;
- In-reply-to: <0D5F89FAC29E2C41B98A6A762007F5D0E3BC54@GBNTHT12009MSX.gb002.siemens.net>
- List-id: Session Initiation Protocol <sip.ietf.org>
- References: <E6C2E8958BA59A4FB960963D475F7AC30EEDF3C361@mail.acmepacket.com> <4873B3C5.4020202@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDF3CD21@mail.acmepacket.com> <4873C037.5050203@cisco.com> <E6C2E8958BA59A4FB960963D475F7AC30EEDFAA52E@mail.acmepacket.com> <4873ECF2.5030908@nostrum.com> <102a01c8e150$3e05a610$c2f0200a@cisco.com> <48742BC9.2090701@nostrum.com> <051701c8e1d8$de07fc70$c2f0200a@cisco.com> <4874E1A9.1030106@nostrum.com> <029401c8e209$70e52e70$eaa36b80@cisco.com> <48752F47.8060905@nostrum.com> <048901c8e20d$1dddda70$eaa36b80@cisco.com> <48753393.5090307@nostrum.com> <48753605.5010604@cisco.com> <487536D9.900@nostrum.com> <48753B83.40205@cisco.com> <5D1A7985295922448D5550C94DE291800210D663@DEEXC1U01.de.lucent.com> <0D5F89FAC29E2C41B98A6A762007F5D0E3B735@GBNTHT12009MSX.gb002.siemens.net> <4877812B.1090802@nostrum.com> <48778FB9.4070206@cisco.com> <0D5F89FAC29E2C41B98A6A762007F5D0E3BC54@GBNTHT12009MSX.gb002.siemens.net>
Elwell, John wrote:
> Which would be ideal, if we were sure of getting them through service
> providers unchanged.

Therein lies the conundrum with intermediate manglers like B2BUAs
and mailing list managers, etc. On the one hand, you can sign very little
and be far more successful at surviving the mangler. However, that's buying
you very, very little, since the things that the manglers mangle are the very
things that you want to protect. So why bother.

An alternate approach is "you break it, you own it". That is, if you must
break the signature, all you can do is re-sign it and hope that your own
reputation is enough to convince the called party to accept the call. Yes,
this is messy and unsatisfying at many levels and leaves many unanswered
questions. But fundamentally what people are asking for here is impossible
if you insist on B2BUA manglers.

Lastly, if you want e2e security the conversation needs to be... e2e. Be it
straight over the top of the internet, or through a tunnel -- however you can
route opaque packets to and from the two ends -- that is the only way to
have both security and robustness. If we'd just get over that,
our heads would eventually stop hurting from repeatedly bashing them
up against this brick wall.

Mike
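The trade-off Mike describes above (sign little and survive the B2BUA, or sign what matters and have the signature broken, with re-signing by the intermediary as the fallback), worked through as an added example; this is not code from the original message, from the SIP working group, or from any SIP stack. It models a request as a dict of header name to value, uses an HMAC keyed by a per-domain secret as a stand-in for the originating domain's (in reality asymmetric) signing key, and the B2BUA's rewrite set, the domains `origin.example`, `b2bua.example`, `dest.example` and `other.example`, and every header value are constructed for the scenario. The header names are real SIP headers; the `WIDE`/`NARROW` policies, `KEYS`, `accept()` and `b2bua()` are this example's own.

```python
"""Signature coverage vs. header-rewriting intermediaries (added example).

Not code from the original message or from any SIP stack.  Assumptions:
a request is a dict of header -> value; the identity signature is an HMAC
over a canonical form of the covered headers, keyed by a per-domain secret
that stands in for the origin domain's (really asymmetric) signing key;
the B2BUA's rewrite set and all domains and values are constructed.
"""
import hashlib
import hmac

# Constructed per-domain secrets standing in for signing keys.
KEYS = {
    "origin.example": b"origin-secret-key",
    "b2bua.example": b"b2bua-secret-key",
}

# Constructed INVITE as sent by the originating domain.
ORIGINAL = {
    "From": '"Alice" <sip:alice@origin.example>;tag=a1',
    "To": "<sip:bob@dest.example>",
    "P-Asserted-Identity": '"Alice" <sip:alice@origin.example>',
    "Call-ID": "leg1@origin.example",
    "Contact": "<sip:alice@10.0.0.5>",
    "Via": "SIP/2.0/UDP 10.0.0.5;branch=z9hG4bK1",
    "Date": "Fri, 11 Jul 2008 18:48:10 GMT",
}

# Two signing policies: bind the identity to this call, or sign only the
# identity assertion itself so that more intermediaries leave it intact.
WIDE = ["From", "To", "P-Asserted-Identity", "Call-ID", "Date"]
NARROW = ["P-Asserted-Identity", "Date"]


def canonical(msg, covered):
    """Lower-cased name, whitespace-collapsed value, in the signer's order;
    an absent header contributes an empty value."""
    lines = []
    for name in covered:
        value = " ".join(msg.get(name, "").split())
        lines.append(f"{name.lower()}:{value}")
    return "\n".join(lines).encode()


def sign(msg, covered, domain):
    """Produce a signature record naming the signer and the covered headers."""
    tag = hmac.new(KEYS[domain], canonical(msg, covered), hashlib.sha256)
    return {"signer": domain, "h": list(covered), "tag": tag.hexdigest()}


def verify(msg, sig):
    """Recompute the tag over exactly the headers the signature claims."""
    key = KEYS.get(sig["signer"])
    if key is None:
        return False
    tag = hmac.new(key, canonical(msg, sig["h"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, sig["tag"])


def accept(msg, sig, trusted_signers):
    """Callee policy: a valid signature counts only from a signer it trusts."""
    return verify(msg, sig) and sig["signer"] in trusted_signers


def b2bua(msg):
    """Constructed intermediary: new dialog on the far side, topology hidden.
    It rewrites precisely the headers a verifier would want pinned down."""
    out = dict(msg)
    out["From"] = "<sip:anonymous@b2bua.example>;tag=b2b1"
    out["Contact"] = "<sip:b2bua.example:5060>"
    out["Via"] = "SIP/2.0/UDP b2bua.example;branch=z9hG4bKb2b"
    out["Call-ID"] = "leg2@b2bua.example"
    return out


def scenario():
    """Push both policies through the B2BUA and record what each buys."""
    wide_sig = sign(ORIGINAL, WIDE, "origin.example")
    narrow_sig = sign(ORIGINAL, NARROW, "origin.example")
    after = b2bua(ORIGINAL)

    # A narrowly signed assertion survives, but nothing ties it to this
    # call: the same signature verifies on an unrelated INVITE that merely
    # carries the same P-Asserted-Identity and Date values (replay).
    unrelated = dict(ORIGINAL)
    unrelated["To"] = "<sip:carol@other.example>"
    unrelated["Call-ID"] = "replayed@other.example"

    # "You break it, you own it": the B2BUA re-signs under its own name,
    # and the callee's trust in that name decides whether the call is taken.
    resigned = sign(after, WIDE, "b2bua.example")

    return {
        "wide_before": verify(ORIGINAL, wide_sig),
        "wide_after": verify(after, wide_sig),
        "narrow_after": verify(after, narrow_sig),
        "narrow_replayed": verify(unrelated, narrow_sig),
        "unprotected_changes": sorted(
            k for k in ORIGINAL if ORIGINAL[k] != after[k] and k not in NARROW),
        "resigned_verifies": verify(after, resigned),
        "resigned_by": resigned["signer"],
        "callee_trusts_origin_only": accept(after, resigned, {"origin.example"}),
        "callee_trusts_b2bua_too": accept(
            after, resigned, {"origin.example", "b2bua.example"}),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running `scenario()` shows the three outcomes the message argues over: the wide signature verifies before the B2BUA and fails after it, because From and Call-ID were rewritten; the narrow signature survives the B2BUA but also verifies on an unrelated call carrying the same assertion, so it protects exactly the fields the intermediary did not touch and nothing that binds the identity to the call; and the B2BUA's re-signature is valid, but `accept()` takes the call only when `b2bua.example` is in the callee's trusted set, which is the reputation question the "you break it, you own it" approach leaves open.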