Hi,

I have submitted a draft proposing a solution to secure a DTLS-SRTP handshake and hence SRTP end-to-end (in terms of end-domain to end-domain). As discussed during the last IETF meetings and analyzed by Dan's Identity-Media draft, current solutions like SIP Identity do not protect the authenticity of the fingerprint end-to-end in certain inter-domain scenarios. For example, a modification of SDP m-/c-lines or the From header field by intermediaries breaks the SIP-Identity or Identity-Media signature and causes a re-signing by a domain different from the originating one. The draft proposes a solution for such scenarios without the need to re-sign during domain traversal and which preserves the original identity information.

I appreciate your comments and opinions on the draft and the proposed solution.

Kai

> -----Original Message-----
> From: Internet-Drafts at ietf.org [mailto:Internet-Drafts at ietf.org]
> Sent: Wednesday, 23 January 2008 10:20
> To: i-d-announce at ietf.org
> Subject: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
> Title : End-to-End Security for DTLS-SRTP
> Author(s) : K. Fischer
> Filename : draft-fischer-sip-e2e-sec-media-00.txt
> Pages : 14
> Date : 2008-01-23
>
> The end-to-end security properties of DTLS-SRTP depend on the authenticity of the certificate fingerprint exchanged in the signalling channel. In current approaches the authenticity is protected by SIP-Identity or SIP-Identity-Media. These types of signatures are broken if intermediaries like Session Border Controllers in other domains change specific information of the SIP header or the SIP body. The end-to-end security property between the originating and terminating domain is lost if these intermediaries re-sign the SIP message and create a new identity signature using their own domain credentials.
>
> This document defines a new signature type 'Fingerprint-Identity' which is exchanged in the signalling channel. Fingerprint-Identity covers only those elements of a SIP message necessary to authenticate the certificate fingerprint and to secure media end-to-end. It is independent from SIP-Identity and SIP-Identity-Media and can be applied in parallel to them.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-fischer-sip-e2e-sec-media-00.txt
>
> To remove yourself from the I-D Announcement list, send a message to i-d-announce-request at ietf.org with the word unsubscribe in the body of the message.
> You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce to change your subscription settings.
>
> Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-fischer-sip-e2e-sec-media-00.txt".
>
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
> Internet-Drafts can also be obtained by e-mail.
>
> Send a message to:
> mailserv at ietf.org.
> In the body type:
> "FILE /internet-drafts/draft-fischer-sip-e2e-sec-media-00.txt".
>
> NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.
>
> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
>
_______________________________________________
I-D-Announce mailing list
I-D-Announce at ietf.org
https://www1.ietf.org/mailman/listinfo/i-d-announce

_______________________________________________
Sip mailing list
https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip
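As an added illustration of the problem the posting describes (example code, not from the draft or its author): a constructed INVITE is signed two ways, once with an RFC 4474-style digest string over From/To/Call-ID/Date/CSeq and the whole SDP body, and once with a narrower digest over only the From AoR and the a=fingerprint line, and the SDP is then passed through a modelled SBC that rewrites the c= address and m= port. The exact element set of Fingerprint-Identity, the digest-string layout, and HMAC-SHA256 standing in for the domain's RSA signature are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Constructed sample INVITE: headers plus an SDP body carrying a DTLS-SRTP
# fingerprint (the fingerprint value is made up, not a real certificate hash).
HEADERS = {"From": "<sip:alice@example.com>;tag=1928301774",
           "To": "<sip:bob@example.net>",
           "Call-ID": "a84b4c76e66710@pc33.example.com",
           "CSeq": "314159 INVITE",
           "Date": "Wed, 23 Jan 2008 10:20:00 GMT"}
SDP = ("v=0\r\n"
       "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
       "c=IN IP4 192.0.2.10\r\n"
       "m=audio 49170 UDP/TLS/RTP/SAVP 0\r\n"
       "a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF\r\n")
KEY = b"example-domain-signing-key"  # stand-in for the originating domain's private key

def aor(value):
    """Reduce a From/To header value to its bare address-of-record."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def identity_digest_string(headers, body):
    """SIP Identity (RFC 4474) style: From, To, Call-ID, Date, CSeq and the whole
    body are signed, so any SDP change by an intermediary breaks the signature."""
    return "|".join([aor(headers["From"]), aor(headers["To"]), headers["Call-ID"],
                     headers["Date"], headers["CSeq"], body])

def fingerprint_identity_digest_string(headers, body):
    """Fingerprint-Identity style (element set assumed here): only the From AoR
    and the a=fingerprint line(s) are signed, so c=/m= rewrites leave it intact."""
    fps = [l for l in body.split("\r\n") if l.startswith("a=fingerprint:")]
    return "|".join([aor(headers["From"])] + fps)

def sign(digest_string):
    """HMAC-SHA256 stands in for the domain's RSA signature over the digest string."""
    return hmac.new(KEY, digest_string.encode(), hashlib.sha256).hexdigest()

def sbc_rewrite_media(body):
    """Model an SBC anchoring media: it rewrites only the c= address and m= port."""
    body = re.sub(r"^c=IN IP4 \S+", "c=IN IP4 203.0.113.5", body, flags=re.M)
    return re.sub(r"^(m=audio )\d+", r"\g<1>20000", body, flags=re.M)

def verifies_after(digest_fn, transform):
    """Sign at the originating domain, apply an on-path change, verify at the far end."""
    sig = sign(digest_fn(HEADERS, SDP))
    return hmac.compare_digest(sign(digest_fn(HEADERS, transform(SDP))), sig)
```

The narrower digest survives the SBC's media rewrite while still failing verification if the fingerprint itself is altered, which is the property the draft is after.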