Adam Roach wrote:
> On 7/9/08 9:16 AM, Jonathan Rosenberg wrote:
>> I'm pretty sure it's not malice at work here. Rather, I think it's
>> that there are lots of practical issues that got in the way of
>> deploying SIP in the 'pure' way it was originally envisioned. I have
>> no doubt that folks with working SIP networks would welcome a
>> security solution that improves upon the current situation and is
>> actually deployable. So the choice we have to make is - do we
>> continue to produce specifications that ignore SIP as it is deployed,
>> guaranteeing that these documents are of academic interest only, or
>> do we consider "works with actual deployments" as a legitimate
>> engineering constraint?
>
> My point is that we *do* have security mechanisms that are
> *deployable*, like TLS. Not mutually-authenticated-TLS (which is not
> very widely deployed in any protocol), but the normal TLS that
> _pervades_ the WWW. Vijay points out a handful of reasons why these
> approaches are not perfect from a security perspective, but they're
> certainly an improvement over having no security.
>
> So, why aren't *they* deployed?

TLS isn't very widely used on the net though. It's only used on an as-needed
basis. SIP is probably not any different in that regard, and even worse
in some ways since there's not any one entity whose self-interest is wrapped
up around "this needs to be safer". If you could convince banks, e-commerce,
etc. users of SIP to only accept secured calls then you might get some uptake
just like the web, but until then...

Mike
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip