Re: [Sip] Toward the Evolution of SIP and Related Working Groups
To summarize your email: anybody that needs SIP security will use TLS between
their own proxies. That does seem to be the consensus. Perhaps how that
works should be written up -- as in, does that mean when I have a TLS
connection with boeing.com, I should only allow or only expect From: addresses
that end in @boeing.com, and not @big-airplane.boeing.com and not
@rolls-royce.com?
-d
> -----Original Message-----
> From: Hannes Tschofenig [mailto:Hannes.Tschofenig at gmx.net]
> Sent: Tuesday, June 24, 2008 1:17 AM
> To: Dan Wing
> Cc: 'Dean Willis'; 'Hadriel Kaplan'; sip at ietf.org; 'Paul Kyzivat'
> Subject: Re: [Sip] Toward the Evolution of SIP and Related Working Groups
>
> Many of the SIP security mechanisms share the same fate: They are far
> ahead of the actual SIP deployment. This is true for SIP Identity, SIP
> CERT, SIP SAML, End-to-End Security, etc. When we started the SAML work
> we looked at what was going on at that time in the HTTP space. Without
> doubt the entire application layer identity management space found a lot
> of excitement. There is a lot of standardization being done and also a
> lot of deployment taking place. With the SIP space that was obviously a
> bit different and deployments today focus largely on voice (and there
> not even on end-to-end SIP-based communication).
>
> For example: Look at what is being used in XMPP. There is no
> equivalent of SIP Identity -- folks are currently looking into
> providing certificates for server-to-server communication.
>
> Even though they are, from a deployment point of view, ahead they are
> not even close to where we are with our documents.
>
> Ciao
> Hannes
>
> PS: I also believe that the SIP Identity case isn't an easy one either.
> The guys that would make use of SIP Identity for a deployment where the
> two SIP proxies talk to each other there would not be a need for SIP
> Identity since you are essentially replicating what TLS provides you at
> a lower layer already. In cases where there are many SIP proxies along the
> path SIP Identity would be useful since it provides protection against
> any one of them being malicious. However, the guys who favour such a
> deployment model are the ones that believe very much in the chain of
> trust (hop-by-hop security). They have no interest in using SIP Identity.
>
>
>
> Dan Wing wrote:
> >>> draft-ietf-sip-saml
> >>>
> >> -- I'm not sure this one is ever getting done.
> >>
> >> So I'm not sure there's enough there to justify a WG.
> >>
> >> How about an "Identity in SIP" working group that takes on
> >> fixing RFC 4474 for gateways/b2buas and possibly considers
> >> identity/role assertion using SAML?
> >>
> >
> > I agree we need that. I have tried, and so far failed, to
> > initiate activity towards such an effort.
> >
> > -d
> >
> > _______________________________________________
> > Sip mailing list https://www.ietf.org/mailman/listinfo/sip
> > This list is for NEW development of the core SIP Protocol
> > Use sip-implementors at cs.columbia.edu for questions on current sip
> > Use sipping at ietf.org for new developments on the application of sip
> >
>