On Aug 5, 2008, at 10:26 , Dan Wing wrote:


With that said, ISTM that this cuts against your argument that we should
be signing less of the message, since the failure of RFC 4474 (to the
extent there is one) in this case is that it doesn't protect *enough*
information.

Neither draft-fischer-sip-e2e-sec-media nor draft-wing-sip-identity-media
simply "sign less" -- please do not mis-characterize the proposals.  Both
proposals require a public key exchange with the remote party -- which
is far stronger than just using the IP address of the remote party
as is done by RFC4474.

I don't actually think this characterization of 4474 is that accurate.
RFC 4474 does not use the IP address for authenticating the media.
Rather, it authenticates the IP address as well as the rest of the SDP

Which draft-kaplan-sip-baiting shows is insufficient at its intended
purpose.

I probably disagree but to sort that out ... What exactly do you see as the purpose of 4474 which the baiting draft shows it does not meet?

I'm trying to focus this conversation over to the requirements instead of talking about solution mechanisms before we can agree what the problem is.

Cullen <in my individual contributor role>



