At Tue, 5 Aug 2008 08:54:16 -0700, Dan Wing wrote:
> > I haven't spent a long time examining draft-kaplan-sip-baiting, but as
> > I recall, it's not the fault of 4474 failing to sign something that
> > it should have but rather that it's inherent in the message-oriented
> > nature of SIP.
>
> That distinction is not relevant to the victim.

No, the distinction is relevant to the people responsible for technically
addressing the issue, namely us.

> > With that said, ISTM that this cuts against your argument that we should
> > be signing less of the message, since the failure of RFC 4474 (to the
> > extent there is one) in this case is that it doesn't protect
> > *enough* information.
>
> Neither draft-fischer-sip-e2e-sec-media nor draft-wing-sip-identity-media
> simply "sign less" -- please do not mis-characterize the proposals. Both
> proposals require a public key exchange with the remote party -- which
> is far stronger than just using the IP address of the remote party
> as is done by RFC4474.

I don't actually think this characterization of 4474 is that accurate.
RFC 4474 does not use the IP address for authenticating the media. Rather,
it authenticates the IP address as well as the rest of the SDP and leaves
the question of authenticating the media to other parts of the system.

-Ekr
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
