Re: [Sip] comments on draft-kupwade-sip-iba-00
Dean Willis wrote:
> [] The enrollment
> process could include a KG interaction.
This to my mind is the _actual_ problem hindering deployment. Does
this scheme help that problem or just rearrange the deck chairs? Something
that posits yet another trust anchor would strike me as the latter.
From the conclusion:
> The advantages with the proposed methods are:
> 1. Key size: Elliptic-curve cryptography arguably provides
> equivalent security with smaller operands than the RSA technique
> typically used with [7]. This provides some advantage for
> resource-constrained environments such as mobile telephones. It
> also reduces the cryptographic load on large-scale devices doing
> frequent authentication checks.
You can do this with PKI or key-centric schemes too.
> 2. Key discovery: Callers can generate the public key of the callee
> from the identity (SIP URI) of the callee and vice versa. This
> eliminates a requirement for a key discovery mechanism using
> external sources, making deployment significantly easier.
Or you can ship the key or cert in the signaling too.
> 3. Certificate validation: As a result caller or callee need not go
> through the complex path construction process to retrieve the
> public keys of a chain of CAs from the public key depositories
> which are controlled by the respective CAs. This allows
> deployment in a peer-to-peer modality without a need to route SIP
> messages through a centralized identity service or trust peer
> nodes to operate as identity services.
What is the KG if not a centralized entity? I guess I don't
understand this part.
> 4. Revocation: The ease of minting new identities and discovering
> keys allows short-lived identities, reducing the need for
> certificate revocation lists and the checking thereof. This
> offers very large operational advantages in resource constrained
> environments.
I don't understand why this is "easy". Enrollment is
"hard" unless there's something really new here. And
if I wanted a short-lived identity, I could just gin
up a new public key pair and use that as the identity
too. But I thought that the real problem was dealing with
long term identities like, oh say, mat at cisco.com.
Mike
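To make concrete what Mike means by "gin up a new public key pair and use that as the identity", and how a short-lived identity removes the need for CRL checking without any key generator, here is an added example that is not part of this thread or of the draft. It uses a toy RSA implementation (stdlib only, so key generation and the full-domain hash are written out by hand), and the assertion layout (`sip:<fingerprint>@<domain>`, the `nbf`/`exp` fields and the domain `example.invalid`) is an assumption made for the example, not something the draft or SIP specifies.

```python
"""Toy key-centric SIP identity (constructed example, not from the draft
or this thread): the identity *is* the fingerprint of a freshly generated
RSA key, and a validity window is part of the signed assertion, so the
verifier needs no CA chain, no key generator (KG) and no CRL."""
import hashlib
import secrets
import time


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with a small-prime prefilter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Mike's 'gin up a new public key pair': nobody enrolls this key anywhere."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}   # Python 3.8+


def identity_of(pub):
    """Self-certifying identity: a SHA-256 fingerprint of the public key."""
    n_bytes = pub["n"].to_bytes((pub["n"].bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + pub["e"].to_bytes(4, "big")).hexdigest()[:32]


def fdh(msg, n):
    """Full-domain hash: expand SHA-256 to modulus size (MGF1-style)."""
    size = (n.bit_length() + 7) // 8
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(msg + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out[:size], "big") % n


def make_assertion(pub, priv, domain, lifetime_s, now=None):
    """Short-lived identity: the validity window is inside the signed claim.
    The nbf/exp field names and the URI layout are this example's own convention."""
    now = int(time.time()) if now is None else now
    claim = f"sip:{identity_of(pub)}@{domain}|nbf={now}|exp={now + lifetime_s}".encode()
    return claim, pow(fdh(claim, pub["n"]), priv["d"], pub["n"])


def verify_assertion(pub, claim, sig, now=None):
    """True only if the claim names the presented key, is inside its window
    and carries a valid signature. No external lookup of any kind is made."""
    now = int(time.time()) if now is None else now
    try:
        uri, *rest = claim.decode().split("|")
        user = uri[len("sip:"):].split("@", 1)[0]
        kv = dict(field.split("=", 1) for field in rest)
        if user != identity_of(pub):
            return False                  # presented key does not match the identity
        if not int(kv["nbf"]) <= now <= int(kv["exp"]):
            return False                  # expired or not yet valid: no CRL consulted
    except (ValueError, KeyError, UnicodeDecodeError):
        return False
    return pow(sig, pub["e"], pub["n"]) == fdh(claim, pub["n"])


if __name__ == "__main__":
    pub, priv = generate_keypair()
    claim, sig = make_assertion(pub, priv, "example.invalid", lifetime_s=300)
    print(claim.decode(), verify_assertion(pub, claim, sig))
```

The point of the example is the verifier: it checks the fingerprint, the window and the signature and nothing else, which is exactly the "no key discovery, no path construction, no CRL" property the draft claims for identity-based keys, obtained here without a KG that could compute everyone's private key. What it does not solve is the problem Mike raises at the end: binding such a fingerprint to a long-term human-readable identity is the enrollment step, and no amount of key-derivation cleverness removes it.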
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip