Hadriel Kaplan wrote:
-----Original Message-----
From: Michael Thomas [mailto:[EMAIL PROTECTED]
Meaning that it's far from clear how fledgling reputation services are
going to use these identities. What exactly does a signed P-A-I mean
even if we had one? What might a receiver or third party do differently
vs. a signed from, say? Especially when you factor in that P-A-I is
a big smelly hack?

Yes, another elephant. :)
A PASS-signed PAI means the asserter generated it for this message.  Right now 
we have multi-domain exchanges of SIP messages with PAI header fields being 
used for caller-id.  I don't know what-all a receiver might do with the signed 
information (though I could guess).  I am only offering to give it more 
information.  Some folks are telling me they would like to know that the 
caller-id is legit.  I can't.  I can only tell them that a node which generated 
a caller-id also owns a cert from a CA they trust, so they have some recourse 
if it ends up being wrong.  I have no (practical) way to verify the caller-id 
directly. (And neither does 4474 or DKIM)

So let me get this, um, straight: what people really want is to be able
to trust the callerid but that's precisely what we can't provide. Hmm.
And many of the things that you point out about breakage with 4474 are
not _really_ a fault of 4474 per se, it's that you're hoping essentially
for the impossible: having a signature survive through a b2bua sausage
factory.

Sounds all too familiar. I agree with the "blame me" stance, and I'm
not dissing the idea of 4474 being more flexible in what headers it
can sign. It's just that this is all very tangled with the possible,
the impossible and the unknown.

Waiting-and-seeing what the reputation folks actually need versus guessing
what they might need, maybe, someday seems prudent to me. That's
doubly true because there's not been much if any uptake of 4474 and
I'm guessing that lack of coverage of P-A-I is not one of the reasons.
Concentrating on _that_ problem seems to me the paramount concern.

There has not been any uptake of 4474 for a bunch of reasons, not the least of 
which is there's no problem yet, and for some/many cases we know it won't work.
I have no doubt a PASS signature is not the be-all-end-all solution.  But I do
know it takes years to get something spec'ed, implemented, tested, and deployed 
in any scale that will matter.  So I'm trying to do a short-cut, instead of 
waiting for a problem: thus, an informational P-header.
A short cut! Run away! :)

Seriously, if you want a short cut, you too could hack on one of the open
source versions of DKIM and have something that can sign your P-A-I
(in a fit of dementia, I have actually DKIM-signed SIP messages for grins).
DKIM is probably less brittle than 4474, but it too is imperfect against b2bua
grinders.

Which all rather begs the question of what problems for what audience
we're really solving for. If it's for reputation people, I'm not sure that
P-A-I signed/unsigned makes a big difference. Of course it's no secret
that I think that lipstick on the tel: uri pig is pretty useless, so I'm struggling
if there's anything more here than trying to slay the unslayable.

      Mike
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
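
An added illustration, not part of the thread or of any participant's code: why a signature over the fields in the RFC 4474 digest-string fails after a B2BUA hop, while a narrower signature over only P-Asserted-Identity and Date would still verify. Assumptions: HMAC-SHA256 stands in for the RSA signature, the INVITE and the B2BUA rewrite are constructed, and `digest_pai_only` is a hypothetical coverage choice that holds only if the B2BUA leaves those two headers alone.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # HMAC stand-in for the signer's private key (assumption)

ORIGINAL = "\r\n".join([  # constructed sample INVITE; all values are made up
    "INVITE sip:bob@b.example SIP/2.0",
    'From: "Alice" <sip:alice@a.example>;tag=1',
    "To: <sip:bob@b.example>",
    "Call-ID: abc123@ua.a.example",
    "CSeq: 1 INVITE",
    "Date: Thu, 21 Feb 2008 12:00:00 GMT",
    "Contact: <sip:alice@192.0.2.10>",
    "P-Asserted-Identity: <sip:+15555550100@a.example>",
]) + "\r\n\r\nv=0\r\nc=IN IP4 192.0.2.10\r\n"

def parse(msg):
    """Return (headers keyed by lower-cased name, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return {n.strip().lower(): v.strip() for n, _, v in pairs}, body

def addr_spec(value):
    """URI inside <...>, else the bare value without parameters."""
    if "<" in value:
        return value[value.index("<") + 1:value.index(">")]
    return value.split(";")[0].strip()

def digest_4474(h, body):
    """The fields the RFC 4474 digest-string covers, '|'-separated."""
    return "|".join([addr_spec(h["from"]), addr_spec(h["to"]), h["call-id"],
                     h["cseq"], h["date"], addr_spec(h.get("contact", "")), body])

def digest_pai_only(h, body):
    """Hypothetical narrower coverage: P-Asserted-Identity and Date only."""
    return "|".join([addr_spec(h["p-asserted-identity"]), h["date"]])

def sign(digest):
    return hmac.new(KEY, digest.encode(), hashlib.sha256).hexdigest()

def b2bua(msg):
    """Constructed B2BUA hop: fresh Call-ID, own address in Contact and SDP."""
    return (msg.replace("abc123@ua.a.example", "zzz999@sbc.b.example")
               .replace("192.0.2.10", "198.51.100.7"))

def survives(digest_fn):
    """True if a signature made before the B2BUA still verifies after it."""
    a, b = (sign(digest_fn(*parse(m))) for m in (ORIGINAL, b2bua(ORIGINAL)))
    return hmac.compare_digest(a, b)
```

In both cases the signature binds only the covered strings to the signer's key; it says nothing about whether the asserted caller-id is itself correct.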
