> -----Original Message-----
> From: Eric Rescorla [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2008 9:11 AM
> To: Dan Wing
> Cc: 'Eric Rescorla'; 'Elwell, John'; 'Hadriel Kaplan';
> 'Jonathan Rosenberg'; 'Cullen Jennings'; 'SIP IETF'; 'Uzelac, Adam'
> Subject: Re: [Sip] Thoughts on SIP Identity issues
>
> At Tue, 5 Aug 2008 08:54:16 -0700,
> Dan Wing wrote:
> > > I haven't spent a long time examining draft-kaplan-sip-baiting, but as
> > > I recall, it's not the fault of 4474 failing to sign something that
> > > it should have but rather that it's inherent in the message-oriented
> > > nature of SIP.
> >
> > That distinction is not relevant to the victim.
>
> No, the distinction is relevant to the people responsible for
> technically addressing the issue, namely us.

My interpretation of what you are saying is "SIP is message-oriented, so SIP is vulnerable to baiting as described in draft-kaplan-sip-baiting, and we can't fix it". I don't know if that is what you intended to say; if not, please clarify.

> > > With that said, ISTM that this cuts against your argument that we should
> > > be signing less of the message, since the failure of RFC 4474 (to the
> > > extent there is one) in this case is that it doesn't protect
> > > *enough* information.
> >
> > Neither draft-fischer-sip-e2e-sec-media nor draft-wing-sip-identity-media
> > simply "sign less" -- please do not mis-characterize the proposals. Both
> > proposals require a public key exchange with the remote party -- which
> > is far stronger than just using the IP address of the remote party
> > as is done by RFC4474.
>
> I don't actually think this characterization of 4474 is that accurate.
> RFC 4474 does not use the IP address for authenticating the media.
> Rather, it authenticates the IP address as well as the rest of the
> SDP

Which draft-kaplan-sip-baiting shows is insufficient at its intended purpose.

> and leaves the question of authenticating the media to other
> parts of the system.

-d
