[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] Signing P-Asserted-Identity

To: Dan Wing <dwing at cisco.com>
Subject: Re: [Sip] Signing P-Asserted-Identity
From: Michael Thomas <mat at cisco.com>
Date: Tue, 08 Jul 2008 16:38:22 -0700
Authentication-results: imail.cisco.com; header.From=mat at cisco.com; dkim=pass ( sig from cisco.com/oregon verified; );
Cc: sip at ietf.org
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=4647; t=1215558996; x=1216422996; c=relaxed/simple; s=oregon; h=To:Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mat at cisco.com; z=From:=20Michael=20Thomas=20<mat at cisco.com> |Subject:=20Re=3A=20[Sip]=20Signing=20P-Asserted-Identity |Sender:=20 |To:=20Dan=20Wing=20<dwing at cisco.com>; bh=U8SGklNgIAiPEG7TMTYlmNFW2Z17wRCQqIix6WEfEcU=; b=RGCupHkYX2fdE5t/DcOtRYgAJBJO20Aa5Nqr34T9iasGgEQ4PqLDwFRTJR PCHOefsFgimyxf0Gj8GuG6YO7FRRVmg6mA+9aTN7DEg37WjZjvRkKzodXyK7 awVtQobWBh;
In-reply-to: <102b01c8e150$bf0aabc0$c2f0200a@cisco.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <E6C2E8958BA59A4FB960963D475F7AC30EEDF3C361@mail.acmepacket.com><4873B3C5.4020202@cisco.com><E6C2E8958BA59A4FB960963D475F7AC30EEDF3CD21@mail.acmepacket.com><4873C037.5050203@cisco.com><E6C2E8958BA59A4FB960963D475F7AC30EEDFAA552@mail.acmepacket.com><4873D830.30808@cisco.com><E6C2E8958BA59A4FB960963D475F7AC30EEDFAA659@mail.acmepacket.com> <4873E5FB.3030106@cisco.com> <102b01c8e150$bf0aabc0$c2f0200a@cisco.com>
Sender: sip-bounces at ietf.org
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.14) Gecko/20080421 Thunderbird/2.0.0.14 Mnenhy/0.7.5.666

Dan Wing wrote:

...
So let me get this, um, straight: what people really want isto be able
to trust the callerid but that's precisely what we can't provide. Hmm.
And many of things that you point out about breakage with 4474 is
not _really_ a fault of 4474 per se, it's that you're hopingessentially for the impossible: having a signature survive througha b2bua sausage factory.
Sounds all too familiar.
It sounds familiar because email has similar problem.

SIP's B2BUA 'sausage factory' is akin to email's mailing list 'sausage
factory'.  DKIM managed to engineer a solution to email's mailing list
sausage factory, yes?


In  a general way? No not really. If you have any way to make SIP
play better with manglers in a systematic way, I'd seriously consider
it. DKIM didn't have that luxury, or more specifically we didn't think

anything that tried to get the installed base to do anything other thanadd a

signature header somewhere in the pipeline was feasible. B2BUA's
(etc) are still relatively new critters so you might have say about what
constitutes a "well behaved B2BUA".

(I have a whitelist for * at amazon.com, but only if it came via
one of Amazon's mailers.  This is because spammers learned that
many people, such as me, had such a whitelist.  Criminals that,
today, send email that looks like it came from my bank are likely,
tomorrow, to initiate VoIP calls with an E.164s that belong to
my bank.  I would like to have cryptographic identity standardized
when that happens so that we do not incur an additional two year
delay in getting it standardized and then another year delay to
get it into products.)


I'm sorry, but whitelisting your bank's e.164 seems wacky, Dan. I have
no clue what my bank's e.164 is. Why exactly do I want to perpetuate
my clueless about their numbers into the future with super-signed but
still unrecognizable identifiers? Even with my cell phone it doesn't annoy
me with the e.164 of anybody I'd whitelist; it tells me their name.

I swear that there's something really circular going on here, but I'm just
too dull witted to figure it out.

      Mike

-d
I agree with the "blame me" stance, and I'm
not dissing the idea of 4474 being more flexible in what headers it
can sign. It's just that this is all very tangled with the possible,
the impossible and the unknown.
Waiting-and-seeing what the reputation folks actually need
versus guessing
what they might need, maybe, someday seems prudent to me. That's
doubly true because there's not been much if any uptake of 4474 and
I'm guessing that lack of coverage of P-A-I is not one of
the reasons.
Concentrating on _that_ problem seem to me the paramount concern.
There has not been any uptake of 4474 for a bunch of
reasons, not the least of which is there's no problem yet,and for some/many cases we know it won't work. I have nodoubt a PASS signature is not the be-all-end-all solution.But I do know it takes years to get something spec'ed,implemented, tested, and deployed in any scale that willmatter. So I'm trying to do a short-cut, instead of waitingfor a problem: thus, an informational P-header.
A short cut! Run away! :)
Seriously, if you want a short cut, you too could hack on oneof the open
source versions of DKIM and have something that can sign your P-A-I
(in a fit of dementia, I have actually DKIM-signed SIPmessages for grins).DKIM is probably less brittle than 4474, but it too isimperfect againstb2bua
grinders.

Which all rather begs the question of what problems for what audience
we're really solving for. If it's for reputation people, I'mnot sure that
P-A-I signed/unsigned makes a big difference. Of course it's no secret
that I think that lipstick on the tel: uri pig is prettyuseless, so I'mstruggling
if there's anything more here than trying to slay the unslayable.

       Mike
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip


_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] Signing P-Asserted-Identity
  - From: Dan Wing

References:
- [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas
- Re: [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas
- Re: [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas
- Re: [Sip] Signing P-Asserted-Identity
  - From: Hadriel Kaplan
- Re: [Sip] Signing P-Asserted-Identity
  - From: Michael Thomas
- Re: [Sip] Signing P-Asserted-Identity
  - From: Dan Wing

Prev by Date: Re: [Sip] Signing P-Asserted-Identity
Next by Date: Re: [Sip] Signing P-Asserted-Identity
Previous by thread: Re: [Sip] Signing P-Asserted-Identity
Next by thread: Re: [Sip] Signing P-Asserted-Identity
Index(es):
- Date
- Thread