On 7/9/08 9:16 AM, Jonathan Rosenberg wrote:
I'm pretty sure its not malice at work here. Rather, I think its that, there are lots of practical issues that got in the way of deploying SIP in the 'pure' way it was originally envisioned. I have no doubt that folks with working SIP networks would welcome a security solution that improves upon the current situation and is actually deployable. So the choice we have to make is - do we continue to produce specifications that ignore SIP as it is deployed, guaranteeing that these documents are of academic interest only, or do we consider "works with actual deployments" as a legitimate engineering constraint?
My point is that we *do* have security mechanisms that are *deployable*, like TLS. Not mutually-authenticated-TLS (which is not very widely deployed in any protocol), but the normal TLS that _pervades_ the WWW. Vijay points out a handful of reasons why these approaches are not perfect from a security perspective, but they're certainly an improvement over having no security.
So, why aren't *they* deployed? /a _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [EMAIL PROTECTED] for questions on current sip Use [EMAIL PROTECTED] for new developments on the application of sip
