[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] Signing P-Asserted-Identity

To: Michael Thomas <mat at cisco.com>
Subject: Re: [Sip] Signing P-Asserted-Identity
From: Hadriel Kaplan <HKaplan at acmepacket.com>
Date: Tue, 8 Jul 2008 15:08:23 -0400
Accept-language: en-US
Acceptlanguage: en-US
Cc: "sip at ietf.org" <sip at ietf.org>
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <4873B3C5.4020202@cisco.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <E6C2E8958BA59A4FB960963D475F7AC30EEDF3C361@mail.acmepacket.com> <4873B3C5.4020202@cisco.com>
Sender: sip-bounces at ietf.org
Thread-index: AcjhKXqI7FtHzSElR2mBfJedTEFvCQAAwwYA
Thread-topic: [Sip] Signing P-Asserted-Identity

> -----Original Message-----
> From: Michael Thomas [mailto:mat at cisco.com]
>
> I thought that the beauty of P-A-I was that my telco can happily claim
> that
> I'm the Queen of the Night without all the bother of checking to see if
> I'm a soprano, or can even sing that many notes in a row. So I guess
> I don't see what the point is being extra sure that the fiction is a super
> reliable fiction.

It identifies who wrote the fiction, and the receiver can decide if they believe the writer (e.g., based on a reputation system); or if it is fiction can know who wrote it and let them know. (most operators don't intend to write fiction :)

And I should note 4474 has a similar issue - the signer can change the From to whatever before signing - except at least 4474 constrains the scope of that fictional identity to the signer's domain name in the URI.  In theory that makes it pretty good, because the signer can only lie about their own users, but in practice if the URI is treated as an E.164 then the scope isn't constrained.


> And since it seems to only be within a given administrative realm, why
> isn't TLS or many other possible techniques adequate?

It's not within a given administrative domain - it's within a PAI trust-domain, which in practice often contains multiple administrative domains.

-hadriel
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas

References:
- [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas

Prev by Date: Re: [Sip] On the need for a visual identifier of trusted identity - Fwd: I-D Action:draft-york-sip-visual-identifier-trusted-identity-00.txt
Next by Date: Re: [Sip] Signing P-Asserted-Identity
Previous by thread: Re: [Sip] Signing P-Asserted-Identity
Next by thread: Re: [Sip] Signing P-Asserted-Identity
Index(es):
- Date
- Thread