Hello everyone,

I started looking into SIP over the past months because I find it quite an interesting protocol, and after I saw a talk from Olle Johansson. I have gone through various RFCs and technical documents and I have some questions that might be naive, but due to lack of experience I need some guidance and clarifications. Also, I hope I am in the right place asking those questions.

1) What's the status of SIP Federation? It seems like there is no official standard there, but do we need one in order to achieve it? The Secure Telephone Identity Revisited IETF group [0] has done some amazing work over the past years regarding SIP authentication (especially from the callee side). Is that enough for having secure SIP Federation, or are there missing pieces in the puzzle?

2) WebRTC seems like it's taking a completely different road regarding federation [1]. There, it seems like the signaling protocol (which is not defined yet, but SIP is a major candidate) is used only for passing over the user identities, and then the actual federation checks take place inside the browser. I guess that's needed in case you don't trust the site you are sitting on, like a poker site, but still need to communicate with your friends and verify that these are your friends (whose identity might belong to a completely different server/domain from yours). But still, that's quite different from SIP, so how is SIP interoperability going to work with that? Has anyone given it a thought? It feels super important to me that these 2 don't diverge.

3) Olle Johansson, in a talk at the Kamailio conference, said that SIP still hasn't solved end-to-end encryption and integrity, mostly because at some point the route might go through a non-TLS connection. Well, that's not an easy problem to solve, but I think that [0] has solved most of that (the integrity part), or am I wrong? I mean, sure, the SIP request might come with the headers stripped off, but that's something that the callee SIP server shouldn't trust much. If it has the necessary headers though (the passport), then the caller should be who it says it is. Of course the encryption still remains open, but is this solvable at all? Is anyone working on that?

4) How do people mostly do authentication in SIP when some kind of federation is needed? Are the RFCs from [0] a common practice now? Is DANE (which from what I understand depends on DNSSEC) something that is used at all? Something else?

I guess I fired too many questions, but I would love to get back some clarifications.

[0] https://datatracker.ietf.org/wg/stir/documents/
[1] https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-20
[2] https://www.youtube.com/watch?v=FO1N6gEjxUo

_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors