Re: [Sip] R-CERTS in draft-ietf-sip-media-security-requirements

Oops, minor revision to please the cert police (who will notice that
trust anchors are not certificates).

R-CERTS:
The media security key management protocol MUST NOT constrain the set of
trust anchors that a peer can use to validate certificates used in the
protocol.

--RB

Richard Barnes wrote:
>> DY> I guess I could see the possibility of a "protocol" being created
>> where it was mandated that the endpoints had to do a check of a cert
>> against central public CAs. That's not what I think we want. Perhaps
>> I am using a wider definition of a "protocol" than you are.
>
> Ah, that gives me an idea. What you're trying to rule out is a protocol
> that says "You MUST only accept a cert that chains to an issuer X"
> (where X=Verisign, for example). What this requirement is really saying
> is that the protocol needs to stay out of the way of the policy.
>
> So how about this for a requirement:
>
> R-CERTS:
> The media security key management protocol MUST NOT constrain the set of
> certificates that can be used as trust anchors in certificate verification.
>
>
> --RB
>
> _______________________________________________
> Sip mailing list https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors at cs.columbia.edu for questions on current sip
> Use sipping at ietf.org for new developments on the application of sip
>
>