Thanks for pointing this out.

I went and looked at the gruu-reg-event draft and saw what kind of
security consideration text is there; the text described an
authorization policy allowing subscription only to those who actually
registered and requested the temp-gruu.

I do agree that the implication of reg-event and some consideration for
the implementors will be beneficial, and will add some text in the
security consideration.

Many Thanks
Shida

On 17-Feb-09, at 5:51 PM, Michael Procter wrote:

Just a minor point: Is it worth adding (either in section 4.1 or 6)
that a temp-gruu might not be as anonymous as you might hope? An
observer using RFC 3680 (reg-event) with gruu extensions would be able
to correlate temp-gruus with AoRs and contacts, should they be so
authorised.

There is some text in RFC 3680 warning of the risks of reg-event, but
that is probably of more direct interest to registrar authors. A
reminder of the risk in this document might highlight it for UA authors,
so that they can consider the wider implications.

Best regards,
Michael
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
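
Added example, not part of the original thread or of either draft: a Python sketch of the correlation described above (what a reg-event watcher receiving gruu extension elements can read) and of a notifier-side filter in the spirit of the authorization policy mentioned in the reply. The sample reginfo body, its URIs and the function names `correlate` and `filter_for` are constructed for illustration, and the filtering approach is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"ri": "urn:ietf:params:xml:ns:reginfo",
      "gr": "urn:ietf:params:xml:ns:gruuinfo"}

# Constructed sample: an RFC 3680 reginfo body carrying gruu extension elements.
SAMPLE = """<reginfo xmlns="urn:ietf:params:xml:ns:reginfo"
         xmlns:gr="urn:ietf:params:xml:ns:gruuinfo"
         version="1" state="full">
  <registration aor="sip:alice@example.com" id="r1" state="active">
    <contact id="c1" state="active" event="registered">
      <uri>sip:alice@192.0.2.10</uri>
      <gr:pub-gruu uri="sip:alice@example.com;gr=constructed-1"/>
      <gr:temp-gruu uri="sip:tmp-constructed-a@example.com;gr" first-cseq="2"/>
    </contact>
  </registration>
</reginfo>"""


def correlate(reginfo_xml):
    """Return {temp-gruu: (AoR, contact URI)} as visible to whoever gets this body."""
    seen = {}
    root = ET.fromstring(reginfo_xml)
    for reg in root.findall("ri:registration", NS):
        for contact in reg.findall("ri:contact", NS):
            uri = contact.findtext("ri:uri", default="", namespaces=NS)
            for temp in contact.findall("gr:temp-gruu", NS):
                seen[temp.get("uri")] = (reg.get("aor"), uri)
    return seen


def filter_for(subscriber_aor, reginfo_xml):
    """Hypothetical notifier policy: strip gruu elements unless the
    subscriber is the user who registered under that AoR."""
    root = ET.fromstring(reginfo_xml)
    gruu_prefix = "{" + NS["gr"] + "}"
    for reg in root.findall("ri:registration", NS):
        if reg.get("aor") == subscriber_aor:
            continue  # the registering user may see their own gruus
        for contact in reg.findall("ri:contact", NS):
            for child in list(contact):
                if child.tag.startswith(gruu_prefix):
                    contact.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unfiltered watcher sees:", correlate(SAMPLE))
    print("other watcher sees:", correlate(filter_for("sip:bob@example.com", SAMPLE)))
```
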