> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
> Willis
>
> We've realized we have a specification mutual exclusion.
>
> RFC 4474 as written precludes the insertion of an Identity header by
> an authentication service into a SIP message produced by a PSTN
> gateway. However, DTLS-SRTP as written needs such an Identity header
> in order to be able to verify that the media key fingerprint has not
> been altered by a MITM who is also attacking on the media path.
It's not just DTLS-SRTP fingerprints, it's non-SDP MIME bodies as well. For example, the body of a MESSAGE request. Middle-boxes have no need to change such bodies in transit, and we shouldn't want them to. But as it stands right now, some middle-boxes would either break the signature or need to re-sign (if possible), simply because they modify the Call-ID. It is debatable if changing the Call-ID has any real security implications for 4474, or if they're so minor that we're cutting off our nose to spite our face.

-hadriel

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
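The point under discussion, that an RFC 4474 Identity signature covers the Call-ID and the body but not the routing headers a middle-box normally touches, can be seen by building the RFC 4474 section 9 digest-string and checking which rewrites invalidate it. The example below is added here and is not code from the thread or from any SIP implementation: it constructs a sample MESSAGE request, derives the digest-string in the order RFC 4474 specifies (From addr-spec | To addr-spec | Call-ID | CSeq | Date | Contact addr-spec | body), and then simulates three middle-box rewrites. The signature itself is modelled with HMAC-SHA256 under a constructed key as a stand-in for the RSA-SHA1 signature over the domain certificate that RFC 4474 actually uses; the header selection, not the signature primitive, is what is being demonstrated.

```python
"""Which parts of a SIP request an RFC 4474-style Identity signature covers.

Added illustration, not from the mailing-list thread or any SIP stack.
The signing primitive is a stand-in (HMAC-SHA256, constructed key) for
the RSA-SHA1 signature RFC 4474 specifies; the digest-string layout
follows RFC 4474 section 9.
"""
import hashlib
import hmac
import re

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the domain's private key


def parse_sip(raw: str):
    """Split a SIP message into (start line, [(lowercased name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header(headers, name):
    """Return the first value of header `name`, or None if absent."""
    for n, v in headers:
        if n == name:
            return v
    return None


def addr_spec(value: str) -> str:
    """Reduce 'Bob <sip:bob@example.com>;tag=1' to the addr-spec 'sip:bob@example.com'."""
    m = re.search(r"<([^>]+)>", value)
    if m:
        return m.group(1)
    return value.split(";")[0].strip()


def digest_string(raw: str) -> str:
    """RFC 4474 section 9 digest-string: the fields the Identity signature binds."""
    _, headers, body = parse_sip(raw)
    parts = [
        addr_spec(header(headers, "from")),
        addr_spec(header(headers, "to")),
        header(headers, "call-id"),
        header(headers, "cseq"),          # "1*DIGIT SP Method"
        header(headers, "date"),
        addr_spec(header(headers, "contact") or ""),
        body,
    ]
    return "|".join(parts)


def sign(raw: str) -> str:
    """Stand-in for the authentication service's signature over the digest-string."""
    return hmac.new(SIGNING_KEY, digest_string(raw).encode(), hashlib.sha256).hexdigest()


def verify(raw: str, signature: str) -> bool:
    """Recompute the signature over the message as received and compare."""
    return hmac.compare_digest(sign(raw), signature)


def rewrite_header(raw: str, name: str, new_value: str) -> str:
    """Replace one header's value, the way a middle-box rewriting it would."""
    head, sep, body = raw.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            out.append(f"{name}: {new_value}")
        else:
            out.append(line)
    return "\r\n".join(out) + sep + body


# Constructed sample MESSAGE request (all values invented for this example).
ORIGINAL = (
    "MESSAGE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP ua.alice.example;branch=z9hG4bK776\r\n"
    "From: Alice <sip:alice@alice.example>;tag=9fxced76sl\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: 3848276298220188511@ua.alice.example\r\n"
    "CSeq: 1 MESSAGE\r\n"
    "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
    "Contact: <sip:alice@ua.alice.example>\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 18\r\n"
    "\r\n"
    "Watson, come here."
)


def middlebox_outcomes(raw: str) -> dict:
    """Sign once at the originating domain, then verify after three kinds of rewrite."""
    sig = sign(raw)
    return {
        # Via is not in the digest-string, so a hop that replaces it is harmless.
        "via rewritten": verify(
            rewrite_header(raw, "Via", "SIP/2.0/UDP sbc.example;branch=z9hG4bKnew"), sig),
        # Call-ID is covered, so a middle-box that regenerates it breaks the signature.
        "call-id rewritten": verify(
            rewrite_header(raw, "Call-ID", "sbc-1234@sbc.example"), sig),
        # The body (here a text/plain MESSAGE body) is covered as well.
        "body rewritten": verify(raw.replace("Watson, come here.", "Watson, stay there"), sig),
    }


if __name__ == "__main__":
    for case, ok in middlebox_outcomes(ORIGINAL).items():
        print(f"{case:20s} -> {'verifies' if ok else 'signature broken'}")
```

The Via rewrite verifies because RFC 4474 deliberately leaves routing headers out of the digest-string; the Call-ID and body rewrites fail, which is exactly the behaviour the thread is weighing: a box that only changes the Call-ID invalidates the signature just as surely as one that tampers with a MESSAGE body or a DTLS-SRTP fingerprint.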
