On 7/31/08 2:38 PM, Dan Wing wrote:
Here's the problem... if I trust a B2BUA, it doesn't necessarily mean that I'll trust everything it trusts. If Bob's UA is going to make an informed choice, we need it to be able to examine a chain of custody for the identity, at the very least.The chain would be good, but I would be happy with the first link: who (claims to have) injected the message into the SIP network. Evenif the message transited over some itty-bitty ITSP in a country I had never heard of, it wouldn't matter if I could verify the identity of who injected the message into the SIP 'cloud'.
Sorry, I was a bit unclear. When I talk about this "chain of custody," I mean everything that has performed an action that would invalidate a 4474 signature; everything that has had to re-sign something. Those are the actions that require a level of trust. As long as the ITSP you mention doesn't change 4474-protected fields, I don't care who they are.
/a _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors at cs.columbia.edu for questions on current sip Use sipping at ietf.org for new developments on the application of sip