----- Original Message -----
From: "Duane" <[EMAIL PROTECTED]>
Sent: Monday, July 24, 2006 1:40 PM
Duane wrote:
[...]
Hmmm should have read a little further, there is a GPL lib, if this can
be used in asterisk or not (more political then technical I'm guessing)
www.minisip.org says that Minisip's _libraries_ (among which, I suppose,
libmikey) are LGPL'd, not GPL'd, which should be acceptable by Digium: no
GPL "infection" would propagate to the rest of Asterisk's dual-licensed
code.
and use a DH key exchange would get us to the point of opportunistic
encryption, pre-shared secrets and PKI without needing TCP SIP support
as far as I can tell...
http://www.minisip.org/develop_build.html#libmikey
Yes, MIKEY would be fine, but if I read the section 3.3 of RFC3830
(http://www.faqs.org/rfcs/rfc3830.html ) correctly, D-H is only supported if
authenticated by the signing certificate in name of initiator and responder
(see the use of SIGNi and SIGNr, and their formal definition in the section
5.2). Now, I'm not arguing here that PKI is evil, but for opportunistic
encryption we should also allow unauthenticated (anonymous) D-H key
exchange. That's why in one of my previous messages I suggested to support
the proposed HMAC-authenticated flavour on MIKEY described at
http://www.ietf.org/internet-drafts/draft-ietf-msec-mikey-dhhmac-11.txt : it
may easily be made anonymous by using a null/zero/well-known shared secret,
and for non-anonymous transactions it may leverage the shared SIP secret as
key for the HMAC...
Cheers --
Enzo
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
Asterisk-Security mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-security
