On Nov 25, 2008, at 3:32 PM, Sumanth Channabasappa wrote:

> Scott,
>
> I had additional offline discussions with Ekr and Cullen last week. Ekr
> indicated that the proposed I-D does not align with the SIP security
> model (UE <=> next-hop authentication; no need for UE <=>
> <authentication beyond next hop>).
>
Huh? We have long held that there may be multiple proxies (possibly in different domains) challenging a given request. This has been a hallmark of scenarios such as the "hotel proxy" that doesn't do authentication or act as an identity server but that does do local firewall control. So somebody is confused about something. Who knows, might be me; occasionally I wake up in a different time-space continuum, but AFAIK, we've always intended to support authentication more than one hop away. In fact, I recall design discussions with Pingtel and 3Com people about that as far back as 1999. Robert Sparks had a lot to say about it, IIRC.

[S] My understanding -- based on the offline discussions -- is that the proxy can still challenge the UA. However, the UA trusts its connection with the next-hop and does not need to authenticate any elements beyond the next-hop. In other words, mutual authentication is not necessary (I used <=> to indicate mutual authentication).

[[ Today, we allow for the Authentication-Info header that allows the UA to authenticate the registrar (even after it has established TLS with the next-hop proxy), which also breaks this model. ]]

- S
