Re: [dispatch] SASL Authentication for SIP
Eric Rescorla <ekr@rtfm.com> Mon, 17 October 2022 13:15 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D2B2C152596 for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajRaEXj6wAYS for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11EB6C152590 for <dispatch@ietf.org>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
Received: by mail-il1-x133.google.com with SMTP id d14so5782875ilf.2 for <dispatch@ietf.org>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=iuzMH+IqZCfbuw/QpuowMpe5wBpzJXrWH/mEJtl4FrY=; b=mJ3DtDcKD9iNoUgdvfmSFSnob90NRdd1gF4SfllVmpb9zSEZ1P3Iux7Y6EHVve6D8b GifKUADG0J/azQ18ikv7YHOw3he/Cb8OAO1La53sGLDAy0w9b0MXFLY25DILY9TMw/Xa HPoqwQCbAPhz0qO4L9FNeRYvzF3lbP9XMZmA2hQsJ1FTr4rXCZNMi41Yb/6XyhtfTLZl tyHOG8SGzed53p4yKnK70oznywLzb71YylDnHkdZ8f/zNKs/Y0fltopqbuGPRbDeYHft OjRpitdwuPHCUrEoyalXffAj6PW0wuc8/CY2/5hnhXECH+1DXCh1DLLsq5pcdsaQT4a8 uXRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iuzMH+IqZCfbuw/QpuowMpe5wBpzJXrWH/mEJtl4FrY=; b=mpQSS6Vh2FtqCst4g+dM1hQBs7vajG1sqff4RUGWWbgzgI139n7hcNe+v6lkt9Io76 NR4LDHCIFNkdCKSJUDWpV3vxJQpFg19jhId6sKqmRSRjHdROd9jpv4IQm/6VZTuSaetM o/V6loXtZo6imkTn/EpVBD6Z1+E4h05Mn620KRcs7BllRDFoi33Tk9kv7NAXmiDjZqFr 7E+fiKxomqdHX7oiacgboX8BLV1ky22NcxSKZIGfAIXuOdqyWjYS5ZVL1AbOkvcmFTun tZ94R3BJs25qz56g9z9wgvbDLoYuNes8Nzj5pzn2Zd+n9CxjH3zUz2/ZsJyPSA9JmGsP girQ==
X-Gm-Message-State: ACrzQf0O2smBd/mT+JWI8SQ/vYXmyK1+KMGcySi754KINElxOtLxhHJQ hVZtGVAWKF2nNQ+KOwznYy49aIrQ4cbVNuFGZZ733dYp/o8=
X-Google-Smtp-Source: AMsMyM730Wwq0fKqJwT3TXvcFUR3hQsajVvbIt9ulu53eJshOeQR2r+Pk6tGSxV/nsESOJ5pAW90L8l2CsEWwt8hfDQ=
X-Received: by 2002:a05:6e02:148f:b0:2fc:54d2:7aa8 with SMTP id n15-20020a056e02148f00b002fc54d27aa8mr4666912ilk.224.1666012556931; Mon, 17 Oct 2022 06:15:56 -0700 (PDT)
MIME-Version: 1.0
References: <20221015195315.GA11346@openfortress.nl> <CABcZeBMHshP_C36+E7UPXfPoug87RAu6faw4EMkQ=qWdCeZzuA@mail.gmail.com> <20221016065327.GA12615@openfortress.nl> <CABcZeBOgiisAm+k=m4tSor-brTeaN5Y22HOz=JBTckcGZt0h9A@mail.gmail.com> <20221017075149.GB15330@openfortress.nl>
In-Reply-To: <20221017075149.GB15330@openfortress.nl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 17 Oct 2022 06:15:20 -0700
Message-ID: <CABcZeBP0d=NovvnrjMqmMbW+r=vBMuv51KBS3L4WK-S5QsPgGw@mail.gmail.com>
To: dispatch@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a5cec305eb3ac6ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/HBIIhy6VJI7IZe_n7YTq9I6Z_eQ>
Subject: Re: [dispatch] SASL Authentication for SIP
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2022 13:15:58 -0000
On Mon, Oct 17, 2022 at 12:52 AM Rick van Rein <rick@openfortress.nl> wrote: > Hello, > > > I'm not really following this. Users authenticate to domains with > passwords > > (at least sometimes) but I would expect inter-domain authentication to be > > done with TLS mutual auth. > > Ah, yes. TLS is transport protection, usually between the proxies of > a domain. It does not allow end-to-end authentication between the > parties. Also, any encryption or key derivation that might be based on > the end-to-end assurance is lost for the end points. (The proxy may be > operated by an external party.) > The general assumption has been that any end-to-end authentication will be done by digitally signing the SIP messages. Probably the most plausible at the moment is to base it on STIR/Passport. It's not clear to me why SASL would help here. > Also, my sense is that authentication is not the primary barrier to > > inter-domain calling. > > Of course there are more issues; IPv4/IPv6, MTU, and probably more. > I don't think the issues are primarily technical at all, but whether the carriers want to do this. > More or less. It's hard to see the IETF doing successful work in this > space > > if providers aren't interested. > > This is reasonable, but it does yield a catch-22 situation. Can you > explain how this is commonly resolved? > > I can see how a very large vendor would simply push their ideas out, > and not all technical ideas should be standardised. OTOH, there is a > need to have standards before adoption can occur. > What one usually sees is that there is some unofficial discussion between interested parties to get a general sense of the solution space and build up interest. That's what happened in (for instance) MLS, PPM, etc. Sometimes the IETF will create a mailing list for that discussion, though I've also seen it happen in other fora. -Ekr
- [dispatch] SASL Authentication for SIP Rick van Rein
- Re: [dispatch] SASL Authentication for SIP Eric Rescorla
- Re: [dispatch] SASL Authentication for SIP Rick van Rein
- Re: [dispatch] SASL Authentication for SIP Eric Rescorla
- Re: [dispatch] SASL Authentication for SIP Rick van Rein
- Re: [dispatch] SASL Authentication for SIP Eric Rescorla
- Re: [dispatch] SASL Authentication for SIP Rick van Rein
- Re: [dispatch] SASL Authentication for SIP Eric Rescorla