[Sip] comments on draft-kupwade-sip-iba-00



Harsh, Dean,

Thanks much for this document. It's great to see folks trying to tackle 
new areas of work, especially tough ones like identity.

The concept of identity based security is a new one to me; how mature is 
this stuff? Are there any commercial uses yet? What about intellectual 
property issues? Has it been well-studied by experts to assess its 
robustness? i.e., have folks been trying to crack it, and so far it's 
held up?

The document talks about encrypting the signature for the target but I 
don't see what security benefit this brings. Indeed, encrypting content 
in the signaling for an intended target has proven very problematic. 
Besides the (so-far) hugely hard cert problem, there is also the issue 
of retargeting. Also you have cases of multiple receiving devices - 
forking for example. Maybe Dean is just hoping it goes away, but how 
would this solution work there? Then there are things like shared lines, 
contact centers, etc...

I agree with Ekr that the primary advantage from a pure signature 
perspective is the ability to eliminate the fetching of the certificate. 
I think this is more beneficial than just 'compression'. Identity-Info 
presents the certificate by reference. The increasing numbers of NATs, 
firewalls and SBCs are making me increasingly worried that the ability 
to reach across the network, back to the originator, and fetch ANYTHING 
over http, will be really hard in SIP deployments. So there is value in 
eliminating this IMHO.

I must say I didn't understand how revocation works. From the 
description of the algorithm it seemed untenable. The verifier never 
needs to obtain a cert and the public key is generated statically from 
the identity. Once they have the private key, the sender can always sign 
with it, so I don't see how revocation is possible.

Thanks,
Jonathan R.
-- 
Jonathan D. Rosenberg, Ph.D.                   499 Thornall St.
Cisco Fellow                                   Edison, NJ 08837
Cisco, Voice Technology Group
jdrosen at cisco.com
http://www.jdrosen.net                         PHONE: (408) 902-3084
http://www.cisco.com
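To make the revocation point in the message above concrete, here is an added toy identity-based signature (IBS) modelled on the Galindo-Garcia discrete-log scheme; it is illustration code, not the draft's pairing-based scheme and not code from the draft or its authors. The verifier recomputes the signer's public key from the identity string and the key generation centre's master public key, fetches nothing, and so keeps accepting a once-issued private key until the identity string itself changes, which is why binding a validity period into the identity is the usual mitigation. The group parameters, function names and sample SIP URIs are all constructed for the demo.

```python
import hashlib
import secrets

# Constructed demo group: the full multiplicative group mod the Mersenne prime
# 2^127 - 1, exponents reduced mod N = P - 1.  Real deployments use a
# prime-order group (or the pairing groups the draft relies on); this is a toy.
P = 2**127 - 1
N = P - 1
G = 3

def _h(*parts: bytes) -> int:
    """Hash byte strings into exponents; serves as both H1 (extract) and H2 (sign)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N

def _b(x: int) -> bytes:
    return x.to_bytes(16, "big")

def setup():
    """Key generation centre (KGC) master key: secret z, public Z = G^z."""
    z = secrets.randbelow(N - 1) + 1
    return z, pow(G, z, P)

def extract(z: int, identity: bytes):
    """KGC derives the user's private key (R, y) from the identity string alone."""
    r = secrets.randbelow(N - 1) + 1
    R = pow(G, r, P)
    return R, (r + z * _h(_b(R), identity)) % N

def sign(user_key, identity: bytes, msg: bytes):
    """Schnorr-style signature under the identity-derived key: (A, R, b)."""
    R, y = user_key
    a = secrets.randbelow(N - 1) + 1
    A = pow(G, a, P)
    return A, R, (a + y * _h(identity, _b(A), msg)) % N

def verify(Z: int, identity: bytes, msg: bytes, sig) -> bool:
    """No certificate is fetched: the checker recomputes everything from Z and
    the identity string, which is exactly why a leaked key cannot be revoked
    unless the identity string itself changes."""
    A, R, b = sig
    h1, h2 = _h(_b(R), identity), _h(identity, _b(A), msg)
    return pow(G, b, P) == A * pow(R * pow(Z, h1, P) % P, h2, P) % P

def bind_period(uri: bytes, period: bytes) -> bytes:
    """Common IBE mitigation for revocation: fold a validity period into the
    identity so keys expire and the KGC must re-issue them each period."""
    return uri + b"|" + period
```

A signature made with the July key verifies against the July identity but not against the August one, so a verifier that only builds current-period identities stops honouring a leaked key once the period rolls over.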
Sip mailing list  http://www.ietf.org/mailman/listinfo/sip