Re: [Sip] Signing P-Asserted-Identity
Hadriel Kaplan wrote:
-----Original Message-----
From: Michael Thomas [mailto:mat at cisco.com]
I thought that the beauty of P-A-I was that my telco can happily claim that
I'm the Queen of the Night without all the bother of checking to see if
I'm a soprano, or can even sing that many notes in a row. So I guess
I don't see what the point is being extra sure that the fiction is a super
reliable fiction.
It identifies who wrote the fiction, and the receiver can decide if they believe the writer (e.g., based on a reputation system); or if it is fiction can know who wrote it and let them know. (most operators don't intend to write fiction :)
And I should note 4474 has a similar issue - the signer can change the From to whatever before signing - except at least 4474 constrains the scope of that fictional identity to the signer's domain name in the URI. In theory that makes it pretty good, because the signer can only lie about their own users, but in practice if the URI is treated as an E.164 then the scope isn't constrained.
Indeed, DKIM has the same constraint as well. What I'm not entirely
getting is why 4474 isn't sufficient for the overall goal. And if 4474
doesn't cover the needed headers, wouldn't a better fix be to change
4474 to allow more headers to be signed ala DKIM's h= tag instead
of rolling yet another scheme?
In any case, P-A-I still seems like a different animal than 822-like
addresses which at least can be anchored in a given domain. DKIM
has the capability of signing messages that don't necessarily correspond
to any outside header, but AFAIK that capability isn't being used for
much... which sort of implies that it's either useless which SIP should
avoid, or useful which SIP backfill. Since we don't know the answer
to that question, wouldn't it be better to wait and see?
Mike
And since it seems to only be within a given administrative realm, why
isn't TLS or many other possible techniques adequate?
It's not within a given administrative domain - it's within a PAI trust-domain, which in practice often contains multiple administrative domains.
-hadriel
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip