[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] comments on draft-kupwade-sip-iba-00

To: Eric Rescorla <ekr at networkresonance.com>
Subject: Re: [Sip] comments on draft-kupwade-sip-iba-00
From: Michael Thomas <mat at cisco.com>
Date: Thu, 28 Feb 2008 12:14:02 -0800
Authentication-results: imail.cisco.com; header.From=mat at cisco.com; dkim=pass ( sig from cisco.com/oregon verified; );
Cc: sip at ietf.org, Dean Willis <dean.willis at softarmor.com>
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=3016; t=1204228827; x=1205092827; c=relaxed/simple; s=oregon; h=To:Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mat at cisco.com; z=From:=20Michael=20Thomas=20<mat at cisco.com> |Subject:=20Re=3A=20[Sip]=20comments=20on=20draft-kupwade-s ip-iba-00 |Sender:=20 |To:=20Eric=20Rescorla=20<ekr at networkresonance.com>; bh=QQ6ZAtLSnUSBFcAHt5F9QfvjJ12Jo+e4RXkzUiBj6lw=; b=nBkb/NdTagFoKR+IkjBR8X6fP9lbu9LHVB5+n8cPgQzWUqa5NRpGqQ37CD BBNaC3Hg1Zavv6RHKLs4O0uMj8x66eU7EBbNu90+EWlKccbCnjcqyjQSmIHb A0YN6I4J6p;
In-reply-to: <20080228191408.677435081A at romeo.rtfm.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <20080227170702.5A5C05081A at romeo.rtfm.com> <132324.81291.qm at web65509.mail.ac4.yahoo.com> <20080227171901.8EAE95081A at romeo.rtfm.com> <47C7017D.5020301 at softarmor.com> <20080228191408.677435081A at romeo.rtfm.com>
Sender: sip-bounces at ietf.org
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.9) Gecko/20071031 Thunderbird/2.0.0.9 Mnenhy/0.7.5.666

Eric Rescorla wrote:
> At Thu, 28 Feb 2008 12:46:21 -0600,
> Dean Willis wrote:
>   
>>
>> A global or semi-global KG makes excellent sense in large domains,
>> especially where there are significant resource constraints.
>>     

Are we talking about a trust anchor that isn't DNS and isn't shipped in
web browsers currently?
>> Consider, for example, the 3GPP world of GSM phones. A KG hierarchy
>> rooted at the GSMA with each operator then having a subordinate KG could
>> make a lot of sense. We could get end-to-end security with significantly
>> fewer bits being transmitted than if users had to send copies of their
>> certificates along with every message.
>>
>> Similar characteristics apply in peer-to-peer cases. The enrollment
>> process could include a KG interaction. The resulting identity could be
>> used with IBS for node identification in the overlay as well as message
>> source verification ("identity" in and RFC 4474 context). This helps
>> prevent a number of the easy attacks on P2P infrastructure.
>>     
>
> Yes, and this is all equally possible with PKI systems. As I
> said at the beginning, the only thing that IBS is bringing
> to the party here is a smaller credential. As far as I'm
> awre, the size of the cert is not the primary reason for lack
> of adoption of any of these schemes 
>
> Again, what does IBS bring to the party except compression? [0].
>   

I just read through this too and I saw that in the abstract, and
also thought the size of credentials might be  "a problem" but isn't
"THE PROBLEM" with deployment.

Reading (quickly) through draft, I didn't get a sense for what
other problems this solves if any. I'll mention that in addition to
compression you can also use other methods to make key/name
bindings too which don't rely on krufty ASN.1 blobs to make
the point.
>   
>> And of
>> course, IBE could provide for message privacy as well as integrity
>> across the untrusted peers that will be serving as proxies.
>>     
>
> And now we're talking about something totally different: IBE.
> I agree that IBE has significantly different characteristics from
> PKI. The problems with IBE in SIP are totally different: namely
> not knowing the actual identity of the recipietn of the message.
> This is the norm in both SIP (retargeting) and P2P (churn)
> systems.
>   

So there's no majick here seemingly. Darn.

       Mike
> -Ekr
>
> [0] It's worth noting that the combination of using ECC and 
> doing LZW on certificates would significantly shrink the
> size of the cert. I haven't done the math, but I suspect down
> to the point where it's not the dominant factor.
>
> _______________________________________________
> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors at cs.columbia.edu for questions on current sip
> Use sipping at ietf.org for new developments on the application of sip
>   

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] comments on draft-kupwade-sip-iba-00
  - From: Dean Willis

References:
- Re: [Sip] comments on draft-kupwade-sip-iba-00
  - From: Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00
  - From: Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00
  - From: Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00
  - From: Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00
  - From: Eric Rescorla

Prev by Date: Re: [Sip] Contact header in 1xx responses/updates remote target or not?
Next by Date: Re: [Sip] Doc we need to have draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?
Previous by thread: Re: [Sip] comments on draft-kupwade-sip-iba-00
Next by thread: Re: [Sip] comments on draft-kupwade-sip-iba-00
Index(es):
- Date
- Thread