[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements

To: Dan York <dyork at voxeo.com>
Subject: Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
From: Richard Barnes <rbarnes at bbn.com>
Date: Fri, 02 May 2008 09:18:50 -0400
Cc: 'SIP IETF' <sip at ietf.org>, Dan Wing <dwing at cisco.com>
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <DDD632E2-1EE2-4023-98AD-20A02BF673C7@voxeo.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <036701c8a3dc$b0779a20$c2f0200a@cisco.com> <DDD632E2-1EE2-4023-98AD-20A02BF673C7@voxeo.com>
Sender: sip-bounces at ietf.org
User-agent: Thunderbird 2.0.0.14 (Windows/20080421)

Hi Dan,

Response below...

> If I recall previous discussions  
> correctly, the major concern was that we didn't want to get in a  
> situation where in order to use a key management protocol all parties  
> were *required* to obtain certificates signed by a formal Certificate  
> Authority.   
 >
> DY> So I think the *intent* of the requirement - as I understand it -  
> is still important to capture.  What about merging R12 and R-CERTS by  
> simply replacing the "CA-issued" with "3rd-party-signed", as in:
> 
>    R-CERTS:  If the media security key management protocol
>          employs certificates, it MUST be able to make use of both
>          self-signed and 3rd-party-signed certificates.
> 
> DY> Or is that muddying things up even more?

Yes :)

The issue here is that "self-signed" certificates and "3rd-party-issued" 
certificates are indistinguishable -- in order to be an issuer for a 
certificate (including itself!) a certificate MUST be a CA certificate, 
so all self-signed certs are CA certs.

And that means that there's no technical means to distinguish between 
"self-signed" certs and "3rd-party-issued" certs, so any protocol that 
tried to would be non-sensical regardless of this requirement.

Really, the issue of which parties are trusted sign certificates is an 
issue of local authorization policy, not of protocol design.  Regardless 
of the data items carried in the protocol, it is up to the communicating 
peers to decide which certificates are acceptable and which aren't.

That means that this requirement has no effect as a selector among 
protocols (no protocol would violate it), and it creates precisely the 
confusion that you have described, namely that the question of which 
certificates are authorized signers is one of protocol design, not local 
policy.  This is why I think that the requirement should just be 
removed: It's a no-op technically, and it creates confusion.

--Richard


_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
  - From: Dan York
- Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
  - From: Dan Wing

References:
- [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
  - From: Dan Wing
- Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
  - From: Dan York

Prev by Date: Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
Next by Date: [Sip] draft-dotson-sip-mutual-auth-02
Previous by thread: Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
Next by thread: Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements
Index(es):
- Date
- Thread