Re: [dispatch] Fwd: New Version Notification for draft-johansson-dispatch-dane-sip-00.txt

On 1/2/14 5:16 AM, Olle E. Johansson wrote:
> Hi!
> I have renamed my draft and resubmitted it again. Adding DNSsec/DANE support to SIP is not a bad idea in my point of view.

It seems like a really good idea to me.

I have a question about backward compatibility, as discussed in section 9:

You say that that servers can use certificates that support both DANE 
and 5922 style validation. And IIUC that will be necessary in order to 
handle clients that don't support DANE validation.

But the Intro explains that one of the important reasons for introducing 
DANE authentication is because of various logistic problems providing 
certificates for 5922 style validation. Providing backward compatibility 
negates that advantage.

Have you considered the migration path? Presumably those currently using 
5922 already have a certificate that works for that. Will they be able 
to get a cert that continues that and also supports DANE validation?

What about those coming to this without any history of 5922 support?

ISTM that there is need to get ubiquitous client support for this 
deployed. For that we have the usual chicken/egg scenario.

	Thanks,
	Paul

> If the view gets larger we might want to focus a bit more on security aspects of SIP in the RAI area. There are many issues to look at. Why isn't S/MIME deployed, how do we get more TLS - if that's what we want? Can we improve upon MD5 digest authentication? Do we want to fix SIP identity that many claim is broken? Is it possible to set up sessions with end2end security?
>
> Happy New Year!
>
> /O
>
>
>
> Begin forwarded message:
>>
>> A new version of I-D, draft-johansson-dispatch-dane-sip-00.txt
>> has been successfully submitted by Olle E. Johansson and posted to the
>> IETF repository.
>>
>> Name:		draft-johansson-dispatch-dane-sip
>> Revision:	00
>> Title:		TLS sessions in SIP using DNS-based Authentication of Named Entities (DANE) TLSA records
>> Document date:	2014-01-02
>> Group:		Individual Submission
>> Pages:		9
>> URL:            http://www.ietf.org/internet-drafts/draft-johansson-dispatch-dane-sip-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-johansson-dispatch-dane-sip/
>> Htmlized:       http://tools.ietf.org/html/draft-johansson-dispatch-dane-sip-00
>>
>>
>> Abstract:
>>    Use of TLS in the SIP protocol is defined in multiple documents,
>>    starting with RFC 3261.  The actual verification that happens when
>>    setting up a SIP TLS connection to a SIP server based on a SIP URI is
>>    described in detail in RFC 5922 - SIP Domain Certificates.
>>
>>    In this document, an alternative method is defined, using DNS-Based
>>    Authentication of Named Entities (DANE).  By looking up TLSA DNS
>>    records and using DNSsec protection of the required queries,
>>    including lookups for NAPTR and SRV records, a SIP Client can verify
>>    the identity of the TLS SIP server in a different way, matching on
>>    the SRV host name in the X.509 PKIX certificate instead of the SIP
>>    domain.  This provides more scalability in hosting solutions and make
>>    it easier to use standard CA certificates (if needed at all).
>>
>>    This document updates RFC 5922.
>>
>>
>
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch
>