[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] What 4474 signs part-3 [was: Proposal to Revise RFC 4474]

To: "Hadriel Kaplan" <HKaplan at acmepacket.com>, "Cullen Jennings" <fluffy at cisco.com>, "Dean Willis" <dean.willis at softarmor.com>
Subject: Re: [Sip] What 4474 signs part-3 [was: Proposal to Revise RFC 4474]
From: "Fischer, Kai" <kai.fischer at siemens.com>
Date: Mon, 21 Apr 2008 12:59:42 +0200
Cc: SIP IETF <sip at ietf.org>, jon.peterson at neustar.biz
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <E6C2E8958BA59A4FB960963D475F7AC30BD035B2D0 at mail.acmepacket.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <97736536-E91D-4CF8-90AF-07C30A39C647 at softarmor.com><29F55447-26D1-4DFB-BBC7-6AB20112F15B at cisco.com><E6C2E8958BA59A4FB960963D475F7AC30BCFCE6720 at mail.acmepacket.com><E6C2E8958BA59A4FB960963D475F7AC30BCFCE75E5 at mail.acmepacket.com> <E6C2E8958BA59A4FB960963D475F7AC30BD035B2D0 at mail.acmepacket.com>
Sender: sip-bounces at ietf.org
Thread-index: AcieP0/LxeHkmxVcTcSS+BethEerDAAWDIQgACpzRAAAjZM9IACIsRcQ
Thread-topic: [Sip] What 4474 signs part-3 [was: Proposal to Revise RFC 4474]

 

> -----Original Message-----
> From: sip-bounces at ietf.org [mailto:sip-bounces at ietf.org] On 
> Behalf Of Hadriel Kaplan
> Sent: Freitag, 18. April 2008 22:42
> To: Cullen Jennings; Dean Willis
> Cc: SIP IETF; jon.peterson at neustar.biz
> Subject: [Sip] What 4474 signs part-3 [was: Proposal to 
> Revise RFC 4474]
> 
> ...
> 
> So... I propose that once again the originator of the request 
> be given an option: it can sign the MIME body, or not, based 
> on its preference.  This can be done in another parameter or 
> param value of the Identity-Info header, similar to the 
> Contact one proposed in part-2 of this thread; and again this 
> parameter does not need to be signed itself because forging 
> it or removing it implicitly breaks the signature calc 
> anyway.  The authenticator can likewise decide if it wants to 
> accept a request with this parameter or not.

I think the flexibility of elements covered by a (RFC4474bis) signature
is an interesting idea. RFC 4474 shall be applied for different
scenarios and therefore the set of elements which needs to be signed
vary. For the protection of the DTLS-SRTP fingerprint only a few
elements need to be signed. However, the flexibility causes also some
interoperability issues like B expected header field x to be signed
whereas A doesn't sign it. The risk exists that both parties fall back
to the least common denominator (all mandatory elements), which is not
applicable resp. secure for all intended scenarios. So it could be
useful to define some RFC4474 signature profiles. These profiles are
also extendable for future use cases without a need to revise RFC4474bis
again.

Kai

> 
> The semantics of this are such that the authenticator is 
> saying "me.com verified user foo at me.com generated this 
> request with these To, From, and Date, but not necessarily 
> the SDP."  This would be useful for spam avoidance, but not 
> much more. (just as 4474 arguably is)
> If a srtp fingerprint is also signed, then it means a lot more.
> 
> Alternatively, we could just recommend that such an 
> originator simply send offerless-Invite's, since that is 
> perfectly legal in 4474 and avoids this issue.  But somehow I 
> don't think that would be such a good idea. ;)
> 
> -hadriel
> _______________________________________________
> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors at cs.columbia.edu for questions on current sip
> Use sipping at ietf.org for new developments on the application of sip
> 
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

References:
- [Sip] Proposal to Revise RFC 4474
  - From: Dean Willis
- Re: [Sip] Proposal to Revise RFC 4474
  - From: Cullen Jennings
- [Sip] What 4474 signs part-2 [was: Proposal to Revise RFC 4474]
  - From: Hadriel Kaplan
- [Sip] What 4474 signs part-3 [was: Proposal to Revise RFC 4474]
  - From: Hadriel Kaplan

Prev by Date: Re: [Sip] E.164 - who owns it
Next by Date: Re: [Sip] E.164 - who owns it
Previous by thread: [Sip] What 4474 signs part-3 [was: Proposal to Revise RFC 4474]
Next by thread: [Sip] Thoughts on gateways, user=phone, and the Identity/DTLS-SRTP problem
Index(es):
- Date
- Thread