Re: [martini] #46: Security Directorate review of draft-ietf-martini-reqs-07.txt
"martini issue tracker" <trac@tools.ietf.org> Sun, 27 June 2010 18:43 UTC
Return-Path: <trac@tools.ietf.org>
X-Original-To: martini@core3.amsl.com
Delivered-To: martini@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F141B3A6971 for <martini@core3.amsl.com>; Sun, 27 Jun 2010 11:43:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.032
X-Spam-Level:
X-Spam-Status: No, score=-101.032 tagged_above=-999 required=5 tests=[AWL=-1.259, BAYES_50=0.001, NO_RELAYS=-0.001, SARE_SUB_OBFU_Q1=0.227, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLpBc+fD-T0X for <martini@core3.amsl.com>; Sun, 27 Jun 2010 11:43:21 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (unknown [IPv6:2001:1890:1112:1::2a]) by core3.amsl.com (Postfix) with ESMTP id 185363A696E for <martini@ietf.org>; Sun, 27 Jun 2010 11:43:21 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.72) (envelope-from <trac@tools.ietf.org>) id 1OSwpG-00078s-QT; Sun, 27 Jun 2010 11:43:30 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: martini issue tracker <trac@tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: john.elwell@siemens-enterprise.com, bernard_aboba@hotmail.com
X-Trac-Project: martini
Date: Sun, 27 Jun 2010 18:43:30 -0000
X-URL: http://tools.ietf.org/martini/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/martini/trac/ticket/46#comment:1
Message-ID: <066.59dbf53932a2640ef2457faff8b1e98f@tools.ietf.org>
References: <057.f6f86a244cf71c330f658826f6f7debc@tools.ietf.org>
X-Trac-Ticket-ID: 46
In-Reply-To: <057.f6f86a244cf71c330f658826f6f7debc@tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: john.elwell@siemens-enterprise.com, bernard_aboba@hotmail.com, martini@ietf.org
X-SA-Exim-Mail-From: trac@tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: martini@ietf.org
Subject: Re: [martini] #46: Security Directorate review of draft-ietf-martini-reqs-07.txt
X-BeenThere: martini@ietf.org
X-Mailman-Version: 2.1.9
List-Id: Discussion of en-mass SIP PBX registration mechanisms <martini.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/martini>, <mailto:martini-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/martini>
List-Post: <mailto:martini@ietf.org>
List-Help: <mailto:martini-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/martini>, <mailto:martini-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Jun 2010 18:43:22 -0000
#46: Security Directorate review of draft-ietf-martini-reqs-07.txt -----------------------------------+---------------------------------------- Reporter: ho@… | Owner: john.elwell@… Type: defect | Status: closed Priority: minor | Milestone: milestone1 Component: reqs | Version: 1.0 Severity: Submitted WG Document | Resolution: fixed Keywords: | -----------------------------------+---------------------------------------- Changes (by bernard_aboba@…): * status: new => closed * resolution: => fixed Comment: I think requirement 15 should say something about how the two entites are expected to agree on an authentication method.... [JRE] I am reluctant to make any changes here. We don't anticipate any new security mechanism, and indeed the solution that is moving forward in the WG allows use of TLS, which is already allowed for in SIP. For authentication it allows both TLS mutual authentication or SIP digest authentication + TLS server authentication, again, in line with what is already allowed in SIP. SIP has a wealth of material in this area, including aspects of RFC 3263 and RFC 3329. I don't think it worthwhile adding a bunch of requirements that in the end will not lead to any new mechanisms or influence use of existing mechanisms. REQ14 and REQ15 I think are sufficient pointers to needs in this area. REQ15 - The mechanism MUST support authentication of the SIP-PBX by the SSP and vice versa. I'd also add that it MUST support termination of authenticaton and re-authentication. [JRE] I am not sure exactly what you are looking for here. Is this referring to what happens when a certificate expires, say? Again, I would doubt we really need to add anything here, since we don't anticipate new security mechanisms. Minor non-security things: Requirement 4 has a triple negative ("not" "prevent" "without"), and I'm not sure what the heck it means. [JRE] Yes, in the next version I will change it to: "The mechanism MUST allow UAs attached to a SIP-PBX to register with the SIP-PBX for AORs based on assigned telephone numbers, in order to receive requests targeted at those telephone numbers, without needing to involve the SSP in the registration process." Requirement 5 has a typo, probably "internally" for "internal". [JRE] It intentionally says "internally" at present - an adverb modifying the verb "handle". I am not sure how to reword it to prevent misinterpretation. -- Ticket URL: <http://trac.tools.ietf.org/wg/martini/trac/ticket/46#comment:1> martini <http://tools.ietf.org/martini/>
- [martini] #46: Security Directorate review of dra… martini issue tracker
- Re: [martini] #46: Security Directorate review of… martini issue tracker