Paul Kyzivat wrote:
Well,
ssh without certs requires that I share a secret with each destination
I want to connect to. That isn't going to fly for phones.
Not true, or at least misleading. Anything you can do with a cert, you can
do with raw keys too which shouldn't be surprising since certs are just a
particular manifestation of a key/name binding mechanism.
SSH is a real life example of a mutually authenticated e2e crypto scheme
that basically just appeared out of nowhere to quickly rid ourselves of
ftp and rsh. The fact that IETF keeps ignoring why SSH works and
nothing else does remains a serious problem.
Key centric, leap of faith, and "good enough" manifestly work in real
life. Everything else is suspect.
Mike
And while https doesn't require the client to have a cert, it still
requires the server to have one. So that isn't going to fly (for e2e)
either.
And as soon as you say "well, maybe it doesn't have to be e2e" then
you end up back where we are.
Paul
Adam Roach wrote:
On 7/9/08 12:49 PM, Michael Thomas wrote:
Adam Roach wrote:
Stupid security, on the other hand, isn't something you'll find
anyone who knows the first thing about computers doing. No one uses
stock FTP or telnet for real tasks any more -- it's all scp and
ssh. But ITSPs don't deploy SIP over TLS for reasons I can't
fathom. Anyone who knows the first thing about IP networks
recognizes that it is laughable to authenticate based on source IP
address. And yet ITSPs insist on doing so. The most popular
application on the internet has a well-exercised,
certificate-based, crypto-secure means of determining the identity
of a server (TLS). SIP, from its inception, has been able to
leverage this exact mechanism at least for authentication of
servers and for confidentiality of signaling. ITSPs aren't
deploying it.
Maybe it's the certificates. If ssh required certs to operate, do
you think it would have the massive uptake that it's seen? I don't.
https?
/a
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip