[dispatch] Review of draft-campbell-sip-messaging-smime-00

Cullen Jennings <fluffy@iii.ca> Mon, 06 November 2017 14:53 UTC

Cc: Ben Campbell <ben@nostrum.com>
To: DISPATCH <dispatch@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/rReK0CYIW2SKp8lWlAZni1k4pi4>

Relevant comments ...

I have implemented S/MIME for encryption with SIP and SIMPLE and I think this document provides some excellent clarifications and updates.

I agree with the new MTI ciphers.

Overall, I think the update in this draft improves the security defined in SIMPLE and MSRP. 

Some random food for thought ....

Getting a cert that says sip:fluffy@cisco.com signed by a LE^H^H some CA is hard. However, getting a cert that says fluffy._sip._users.cisco.com is easy and now can be highly automated. Why not allow certs that look like that? I realize this is going to cause people to just go "that is so wrong", issue certs with the right thing. But back up for a second and ask what the hardest part of any PKI is. If the cisco.com domain issues me the email address fluffy, it is pretty easy for it to also publish the TXT records I need for domain validation with the CA. This suggestion does not relevantly reduce the security and is pretty pragmatic. The problem is not making it hard for the bad guys, the thing we need most is making it easy for the good guys.
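
The naming idea in the message above, sketched as an added example that is not part of the original post or of the draft: a relying party derives the DNS-style name for a SIP URI and accepts a certificate only on an exact dNSName match. The mapping rule is an assumption generalized from the single name in the message, and the function names, the lowercasing of the user part and the rejection cases are hypothetical choices.

```python
import re

# One LDH label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def sip_uri_to_cert_name(uri):
    """Map sip:user@domain to user._sip._users.domain (assumed rule).

    Returns None when no unambiguous name exists: no user part, a user part
    that is not a single DNS label, or a host that is not a domain name.
    """
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "sip":
        return None
    # Drop URI parameters and headers, then split the user part from the host.
    addr = re.split(r"[;?]", rest, maxsplit=1)[0]
    user, at, host = addr.rpartition("@")
    if not at:
        return None
    # Assumption: fold case, because DNS names compare case-insensitively.
    user = user.split(":", 1)[0].lower()               # ignore a password field
    host = host.split(":", 1)[0].lower().rstrip(".")   # ignore a port
    labels = host.split(".")
    if not _LABEL.fullmatch(user):
        return None   # e.g. "first.last" would add a label and become ambiguous
    if not all(_LABEL.fullmatch(l) for l in labels) or labels[-1].isdigit():
        return None   # bracketed IPv6 literal or dotted IPv4 address
    name = f"{user}._sip._users.{host}"
    return name if len(name) <= 253 else None

def cert_covers_uri(uri, san_dns_names):
    """True only on an exact dNSName match.

    Wildcards are never expanded: "*._sip._users.<domain>" would let one key
    speak for every user in the domain.
    """
    expected = sip_uri_to_cert_name(uri)
    if expected is None:
        return False
    return any(expected == n.lower().rstrip(".") for n in san_dns_names)

if __name__ == "__main__":
    # Constructed inputs; the first URI and name are the ones in the message.
    for u in ("sip:fluffy@cisco.com", "sip:first.last@cisco.com", "sip:cisco.com"):
        print(u, "->", sip_uri_to_cert_name(u))
```

User parts that are not a single hostname label have no name under this rule, so a deployment would need either an escaping convention or a policy that such users keep URI-based certificates.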