
Re: [Sip] media-security-requirements and lawful intercept




> Our security requirements and implementation MUST include use cases that
> involve true end-to-end security that does not include the ability for
> eavesdropping of any kind, let alone LI.

So when your service provider asks you for your session key, do not tell
them. Whether they allow the call or not, we're all happy because our
principles and use cases have been upheld. However, some people DO want
to use service providers that will require key disclosure. Should we deny
their use case?

The approach Dan has suggested allows the user to decide whether or not
they wish to disclose their keys. And it allows service providers to
decide whether or not they will require the disclosure of session keys.
It works in enterprises that are subject to auditing. It also works in
regulated networks subject to LI. And it works in classified networks
with maximal security requirements. It does all this with one code base,
one protocol, and full interoperability between domains.

What use cases does this exclude?

--
dean


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip