On Apr 4, 2008, at 9:01 PM, Michael Thomas wrote: > I have more to say here (sorry), but one thing leaps out at me: > > Dean Willis wrote: >>>> But when the identity assertion is coming from a PSTN caller ID, >>>> it's >>>> significantly less authoritative statement: "I, the identity >>>> service >>>> at example.com, think that this request came from +12142821376 >>>> because >>>> this is the calling party identifier presented to my telephony >>>> interface." >>> >>> Why is this limited to just the PSTN? Given your average megacorp or >>> telephant, >>> the possibility for spoofing of the local part seems pretty >>> significant >>> when you're >>> talking about bulk signers. Weakening the guarantees to "you can >>> complain >>> to my SIP admins" is a lot easier to achieve in real life. >> >> Might be. But we've currently established the expectation that an >> Identity header serves to authenticate the calling party for access >> to confidential records like voice mail, access to conference >> calls, and so on. We can certainly go back and write in some >> guidance about the meaningfulness of the assertion, if that's what >> we choose to do. >> > Wait a minute: are we talking about cross-domain Identity being > used as credentials to access voice mail in another domain? Because > if it's only within a given domain's administrative control, it can > know > the name space layout through out of band means. That is, it can know > if the names that it generates to gateway e.164 addresses are bogus > addresses to get at voice mail, etc. > > If it's the cross domain case, can you tell me the use case? >
RFC 4474 is a cross-domain authenticator. Use case: sip:[EMAIL PROTECTED] calls his voice mail provider's message retrieval box, sip:messages.example.net Since example.net trusts example.com's RFC 4474 assertions, the voicemail box at messages.example.net does not authenticate JoeBobs' request. Instead, it accepts on trust that example.com authenticated him, and plays out JoeBob's messages. This is AFAIK a valid use case for RFC 4474. Now, assume JoeBob is instead named "[EMAIL PROTECTED]". All of the above works fine, until somebody calls into example.com's PSTN gateway from a spoofed Caller-ID of "18005551212" and asks said gateway to connect them to messages.example.net Here example.net needs to t be able to tell the difference between a call that originated on the IP network from 18005551212 and was properly authenticated (making a strong RFC 4474 assertion), and a call that originated on the PSTN and therefore has a weak identity assertion requiring further authentication. -- dean _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [EMAIL PROTECTED] for questions on current sip Use [EMAIL PROTECTED] for new developments on the application of sip
