
Re: [Sip] comments on draft-kupwade-sip-iba-00



At 11:41 PM 2/26/2008, Eric Rescorla wrote:
> > I must say I didn't understand how revocation works. From the
> > description of the algorithm it seemed untenable. The verifier never
> > needs to obtain a cert and the public key is generated statically from
> > the identity. Once they have the private key, the sender can always sign
> > with it, so I don't see how revocation is possible.
>
>The way this is done is with what's effectively short-lived
>identities (you could do the same thing with short-lived
>certificates) you treat the time as part of the identity.
>E.g., you might be "jdrosen at cisco.com:March-April, 2008". So,
>the user needs to periodically refresh his private key to match
>the new identity. If the key has been revoked you don't issue
>new keys.

Naive question:

What burden does this put on a peer (or all peers) to (conceivably)
have to constantly discover JDR's public key, for example (because
they don't know how long the private key is good for)?

Or is this problem known/expected or solved easily already?


>-Ekr
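Added example (not from this thread and not the draft's own scheme): a small
Schnorr-style identity-based signature, in the manner of Galindo and Garcia
(2009), used to walk through the period-scoped identity idea quoted above.
Everything here is an assumption for illustration: the identity string format
"address:YYYY-MM", a calendar-month period, the toy 512-bit group, the
constructed sample INVITE, and the PKG object that stands in for the key
issuer. The point it makes concrete: the verifier never fetches a key or a
certificate; it rebuilds the identity string from the address and the current
period and checks against the published master public key, so the period
boundary is what kills an old key, and revocation is the PKG declining to
issue the key for the next period.

```python
import hashlib
import secrets
from datetime import datetime, timezone

# Toy Schnorr-style IBS (after Galindo and Garcia): all parameters, names and
# conventions below are assumptions for the example, not the draft's scheme.


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits=160, pbits=512):
    """Schnorr group: prime p = k*q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(5000):
            k = 2 * (secrets.randbits(pbits - qbits - 1) | (1 << (pbits - qbits - 2)))
            p = k * q + 1
            if is_probable_prime(p):
                while True:
                    g = pow(secrets.randbelow(p - 2) + 2, k, p)
                    if g != 1:
                        return p, q, g


def hash_to_zq(q, *parts):
    """Length-prefixed SHA-256 of the parts, reduced into Z_q (first part is a domain tag)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % q


def period_for(ts):
    """Assumed convention: identities are scoped to a UTC calendar month."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m")


def identity(address, period):
    """Assumed identity format; the verifier builds this itself, no lookup needed."""
    return f"{address}:{period}"


class PKG:
    """Private key generator: keeps master secret z, publishes (p, q, g, Z)."""

    def __init__(self, group=None):
        self.p, self.q, self.g = group or make_group()
        self.z = secrets.randbelow(self.q - 1) + 1
        self.Z = pow(self.g, self.z, self.p)
        self.params = (self.p, self.q, self.g, self.Z)
        self.revoked = set()

    def extract(self, address, period):
        """Issue the private key for address:period; a revoked user gets nothing."""
        if address in self.revoked:
            raise PermissionError(f"{address} is revoked; no key issued for {period}")
        ident = identity(address, period)
        r = secrets.randbelow(self.q - 1) + 1
        R = pow(self.g, r, self.p)
        y = (r + self.z * hash_to_zq(self.q, b"H1", ident, R)) % self.q
        return ident, R, y


def sign(params, key, msg):
    """Schnorr-style signature (A, R, b) with the per-period private key."""
    p, q, g, _ = params
    ident, R, y = key
    a = secrets.randbelow(q - 1) + 1
    A = pow(g, a, p)
    return A, R, (a + y * hash_to_zq(q, b"H2", ident, A, msg)) % q


def verify(params, ident, msg, sig):
    """Checks g^b == A * (R * Z^H1(ident,R))^H2(ident,A,msg) from public data only."""
    p, q, g, Z = params
    A, R, b = sig
    if not (0 < A < p and 0 < R < p and 0 <= b < q):
        return False
    h1 = hash_to_zq(q, b"H1", ident, R)
    h2 = hash_to_zq(q, b"H2", ident, A, msg)
    return pow(g, b, p) == A * pow(R * pow(Z, h1, p) % p, h2, p) % p


def lifecycle(now, pkg=None):
    """One identity across a period boundary and a revocation: (ok_now, ok_later, renewed)."""
    pkg = pkg or PKG()
    address = "jdrosen at cisco.com"
    key = pkg.extract(address, period_for(now))
    msg = b"INVITE sip:alice at example.com SIP/2.0"  # constructed sample message
    sig = sign(pkg.params, key, msg)
    # Verifier derives the identity from the address and the current period.
    ok_now = verify(pkg.params, identity(address, period_for(now)), msg, sig)
    # The same signature 35 days later: the period string, hence the identity, changed.
    later = now + 35 * 86400
    ok_later = verify(pkg.params, identity(address, period_for(later)), msg, sig)
    # Revocation is nothing more than refusing to issue next period's key.
    pkg.revoked.add(address)
    try:
        pkg.extract(address, period_for(later))
        renewed = True
    except PermissionError:
        renewed = False
    return ok_now, ok_later, renewed
```

Running lifecycle() with a timestamp from late February 2008 gives (True,
False, False): the signature checks during its period, fails once the verifier
moves to a later period string, and the revoked user cannot refresh. Note that
the verifier's only state is the master public key Z and a clock; how long a
key is good for is written into the identity string itself.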

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip