On Apr 7, 2008, at 5:43 PM, Eric Rescorla wrote: > At Fri, 04 Apr 2008 11:50:53 +0300, > Hannes Tschofenig wrote: >> >> This issue is totally independent from E.164 >> >> I don't like the idea of requiring DTLS-SRTP to provide proof of >> possession of the keying material. > > To be honest, I'm not even sure what this means. DTLS-SRTP inherently > provides a proof that the peer you're encrypting to has keying > material that matches whatever was in the fingerprint. That's > a distinct question from whether the fingerprint is cryptographically > bound to the message.
Right. The only dependency between DTLS-SRTP and RFC 4474 is integrity protection of the key's fingerprint, not the actual key itself. The fingerprint is shipped in the SDP, and the key is negotiated in the media channel itself using a partial-key combination approach (aka D-H). The fingerprint is used to relate signaling to media. This works even without RFC 4474. What RFC 4474 does is reduce the opportunity for somebody on the signaling AND media paths to replace the key, and use this to tap the media flow without being noticed by endpoints. It is somewhat arguable as to how useful this integrity protection is. Of course, given that the usual implementation of RFC 4474 is for the authentication service that puts in the RFC 4474 Identity header to be a proxy that's on the signaling path, this would make it fairly easy for that proxy to collude in tapping the call. But if RFC 4474 is used end-to-end with client keys, the it provides fairly comprehensive protection. -- Dean _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [EMAIL PROTECTED] for questions on current sip Use [EMAIL PROTECTED] for new developments on the application of sip
