On 7/9/08 1:10 PM, Paul Kyzivat wrote:
Well,
ssh without certs requires that I share a secret with each destination
I want to connect to. That isn't going to fly for phones.
And while https doesn't require the client to have a cert, it still
requires the server to have one. So that isn't going to fly (for e2e)
either.
And as soon as you say "well, maybe it doesn't have to be e2e" then
you end up back where we are.
You're completely missing my point.
We, the IETF, have developed various security mechanisms with varying
properties and different levels of complexity.
Even the dirt-simple, well-deployed, proven ones -- like server
authentication and hop-by-hop confidentiality -- are being ignored by
the ITSPs.
If they're ignoring the no-brainers, why do we think they'll pay
attention to anything with even a slight bit of complexity (like signing
P-Asserted-Identity)?
/a
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
