
[Sip] SIPS: why not S/MIME instead?




As an alternative to my previous proposal, there seems to be quite a bit of
unhappiness with the general bogosity of the last hop (UAS) exception of SIPS.
If we remove that restriction, I guess I have to ask the question if you
want integrity/confidentiality along the path where you ultimately have no
real control over the transport chosen by middle proxies -- why don't you just
get/learn the cert of the intended party and use S/MIME which actually gives
you the security properties that you're most likely hoping for with SIPS?


It seems to me that either S/MIME directly to the UAS or to some trusted
upstream agent for the UAS would be a *lot* better than hoping that you'll
get TLS the whole path, not least of which is that it eliminates the lying
middle proxy problem. And if you're going to insist on TLS, you need
certs in all of those things anyway, so why not just ignore the TLS aspect
and use S/MIME?

Which isn't to say that TLS is not useful, but SIPS is trying to approximate
what S/MIME gets you, so it's not clear why we shouldn't
be promoting it instead of the obvious hack that SIPS is.

      Mike

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip