On Aug 5, 2008, at 10:26, Dan Wing wrote:

With that said, ISTM that this cuts against your argument that we should be signing less of the message, since the failure of RFC4474 (to the extent there is one) in this case is that it doesn't protect *enough* information.

Neither draft-fischer-sip-e2e-sec-media nor draft-wing-sip-identity-media simply "sign less" -- please do not mis-characterize the proposals. Both proposals require a public key exchange with the remote party -- which is far stronger than just using the IP address of the remote party as is done by RFC4474.

I don't actually think this characterization of 4474 is that accurate. RFC 4474 does not use the IP address for authenticating the media. Rather, it authenticates the IP address as well as the rest of the SDP

Which draft-kaplan-sip-baiting shows is insufficient at its intended purpose.

I probably disagree but to sort that out ... What exactly do you see as the purpose of 4474 which the baiting draft shows it does not meet?
I'm trying to focus this conversation over to the requirements instead of talking about solution mechanisms before we can agree what the problem is.
Cullen <in my individual contributor role>