Re: [Sip] Enrollment in SIP services (and should we undeprecate basicauth)
inline.
Michael Thomas wrote:
Jonathan Rosenberg writes:
> I have been thinking about undeprecating basic, but for a totally
> different reason (which was suggested by Christian some time back). When
> you do authentication over TLS, there are no security benefits to digest
> as opposed to basic. However, with basic, it is easier to integrate with
> back-end AAA systems, because you don't need to assume that they've
> stored the password in the form described in rfc 2617.
>
> Of course, if the server doing the authentication is several hops beyond
> the one you've terminated your TLS connection to, you've got problems.
> The combination of sips and basic would always work, however.
While not passing judgement one way or the other,
basic is clearly less secure than digest even with
TLS. With digest, intermediate devices don't see
the cleartext password -- including a directly
adjacent (SIPwise) proxy. The AAA benefit you list
specifically takes advantage of lowering the
security bar (e.g., so that the proxy can form a
CHAP/PAP authenticator to send to a AAA).
OK, a good point.
My sense
is that if there are reasons people want to take
advantage of basic, it might be better to consider
the root causes first rather than rushing headlong
into undeprecating (precating?) basic.
I wasn't arguing to rush into anything. It was just a thought.
-Jonathan R.
--
Jonathan D. Rosenberg, Ph.D.
Chief Scientist
dynamicsoft
jdrosen@dynamicsoft.com
http://www.jdrosen.net
http://www.dynamicsoft.com
72 Eagle Rock Ave.
First Floor
East Hanover, NJ 07936
PHONE: (973) 952-5000
FAX: (973) 952-5050
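The two points argued above (that a TLS-terminating hop sees the cleartext password with Basic but only a hash-derived response with Digest, and that Digest forces the back-end to store H(A1) in the RFC 2617 form while Basic lets it keep the password any way it likes) can be shown concretely. The following is an added example, not code from the thread or from either author; the username, password, realm, nonce and URI are constructed values, and the Digest header parser is deliberately minimal (quoted key="value" pairs only, no qop in the header it emits).

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Added example (not from the thread): what an intermediary such as a
# TLS-terminating SIP proxy learns from a Basic vs. a Digest (RFC 2617)
# Authorization header, and what the authenticating back-end must store.
# All credentials, realm, nonce and URI values here are constructed.


def _md5(s: str) -> str:
    """MD5 hex digest; the hash RFC 2617 Digest is defined with."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# ---- Basic: the header is a reversible encoding of the password ----------

def basic_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> Tuple[str, str]:
    """Anything that sees the header (e.g. the next-hop proxy) can run this."""
    user, _, pw = base64.b64decode(header[len("Basic "):]).decode("utf-8").partition(":")
    return user, pw


def salted_sha256(salt: str, password: str) -> str:
    """One of many storage forms a Basic-authenticating back-end may use."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def server_verifies_basic(header: str, stored_salt: str, stored_hash: str) -> bool:
    """With Basic the back-end receives the cleartext password, so it can keep
    the credential in whatever form it already has (here a salted SHA-256)."""
    _, pw = decode_basic(header)
    return hmac.compare_digest(salted_sha256(stored_salt, pw), stored_hash)


# ---- Digest: only a hash derived from the password crosses the wire -------

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password); the form the server must store."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> str:
    """RFC 2617 response; without qop it is MD5(HA1:nonce:HA2),
    with qop="auth" it is MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    h_a2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{h_a1}:{nonce}:{h_a2}")
    return _md5(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def digest_header(username: str, realm: str, password: str,
                  method: str, uri: str, nonce: str) -> str:
    """Client side: the password is consumed here and never leaves the client."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest(header: str) -> Dict[str, str]:
    """Minimal parser: quoted key="value" pairs only (no unquoted qop/nc)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Digest "):]))


def server_verifies_digest(header: str, stored_ha1: str, method: str) -> bool:
    """The back-end needs H(A1) stored exactly as RFC 2617 describes; neither
    it nor any proxy on the path ever sees the cleartext password."""
    p = parse_digest(header)
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p["response"])


def password_visible_to_intermediary(header: str) -> Optional[str]:
    """What a hop that sees the Authorization header learns about the password."""
    if header.startswith("Basic "):
        return decode_basic(header)[1]
    return None  # Digest: a 32-hex response, not reversible to the password


if __name__ == "__main__":
    user, pw, realm = "alice", "correct horse", "example.com"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    b = basic_header(user, pw)
    d = digest_header(user, realm, pw, "REGISTER", "sip:example.com", nonce)
    print("Basic, proxy sees password:", password_visible_to_intermediary(b))
    print("Digest, proxy sees password:", password_visible_to_intermediary(d))
    print("Digest verified from stored H(A1):",
          server_verifies_digest(d, ha1(user, realm, pw), "REGISTER"))
```

Run as-is to see the contrast: the Basic header decodes back to the password at any hop that terminates TLS, while the Digest header carries only the response and the server verifies it from the stored H(A1) alone. The qop="auth" branch of digest_response is included so the implementation can be checked against the worked example in RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"), which yields response 6629fae49393a05397450978507c4ef1.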
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip