[MMUSIC] RE: [Sipping] SIP Identity Usage in Enterprise Scenarios
"Dan Wing" <dwing@cisco.com> Thu, 15 September 2005 15:46 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EFvwm-00049L-TO; Thu, 15 Sep 2005 11:46:48 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EFvwj-00048k-Et; Thu, 15 Sep 2005 11:46:45 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA18527; Thu, 15 Sep 2005 11:46:42 -0400 (EDT)
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EFw1W-0004ah-NT; Thu, 15 Sep 2005 11:51:45 -0400
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-5.cisco.com with ESMTP; 15 Sep 2005 08:46:30 -0700
X-IronPort-AV: i="3.97,114,1125903600"; d="scan'208"; a="212150225:sNHT33934310"
Received: from dwingwxp ([10.32.240.194]) by sj-core-4.cisco.com (8.12.10/8.12.6) with ESMTP id j8FFkNuk014193; Thu, 15 Sep 2005 08:46:24 -0700 (PDT)
Message-Id: <200509151546.j8FFkNuk014193@sj-core-4.cisco.com>
From: Dan Wing <dwing@cisco.com>
To: 'Michael Slavitch' <slavitch@objectworld.com>, 'Jonathan Rosenberg' <jdrosen@cisco.com>
Date: Thu, 15 Sep 2005 08:46:23 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcW59pnOY7S2SF/oTrGQxNuZQ6durgAAFY/QAAU7uiA=
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <4E2DC1ACE541B94A946B8D8657E372C50F2E58@photon.objectworld.com>
X-PMX-Version: 4.7.1.128075
X-from-outside-Cisco: [10.32.240.194]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1676547e4f33b5e63227e9c02bd359e3
Content-Transfer-Encoding: 7bit
Cc: sipping@ietf.org, 'IETF MMUSIC WG' <mmusic@ietf.org>
Subject: [MMUSIC] RE: [Sipping] SIP Identity Usage in Enterprise Scenarios
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Sender: mmusic-bounces@ietf.org
Errors-To: mmusic-bounces@ietf.org
... > Using a session certificate asserts that the data streams and all > associated negotiations belong to the same asserted identity > and session all the way down the line. So you're proposing this would occur at the session level so there is only one RSA operation, plus CA validation, that needs to occur and not on per a=candidate line? ... > By tying the ICE negotiating identity to a session cert this makes > everything easier to implement, manage, monitor and debug, as session > and media can be tied together up and down the line. It is > also a tight way of ensuring implementation rigor. I don't agree that certificates and RSA operations are easier to implement, manage, monitor and debug compared to the username/password operations that were in ice-04. How would -sip-identity- fail at providing those same functions? > The recently expired draft-ignjatic-msec-mikey-rsa-r-00 has a proposal > for key management where instigators do not initially know > the keys of the respondent, a use of which is described as a best > practise for identity assertion in > draft-fries-sipping-identity-enterprise-scenario-00.txt. MIKEY with RSA-R doesn't assure identity of the caller, it only provides assurance over the SRTP keys themselves. > As SIP evolves identity assurance is going to be a key pain point, by > taking these steps proactively we will help inoculate the protocol and > its subcomponents from any future pain. I believe that is sip-identity's purpose in life, no? -d > Regards to all, > > Michael > > > > > It is amazing what you can accomplish if you do not care who gets the > credit. > > - Harry S Truman > > -----Original Message----- > From: Jonathan Rosenberg [mailto:jdrosen@cisco.com] > Sent: September 14, 2005 10:07 PM > To: Michael Slavitch > Cc: Fries, Steffen; sipping@ietf.org; IETF MMUSIC WG > Subject: Re: [Sipping] SIP Identity Usage in Enterprise Scenarios > > moving to mmusic since we are now talking about ICE. > > Michael Slavitch wrote: > > > As a further update to my previous email, look at the USERNAME > > provision in the current ID for ICE (draft 05), which I consider a > > weakness of the protocol. > > Firstly, it has been pointed out to me from several sources that the > security mechanism in the most recent ICE draft is severely broken. I > had somehow gotten it into my head that we didnt need to > convey both the > username and password, which is false. > > The next ICE draft will revert to what was there previously; each side > conveys a username fragment and one side provides the password. > > > > > My preference would be to replace that password with some kind of > > MIKEY exchange such that the password is only for that session, > > otherwise you'll see cheap phones or all with the same > password being > > vulnerable, which I suggest is a strong weakness of ICE. > > Why would this happen? The password needs to be selected randomly for > each candidate. Thats a requirement of the protocol. Its not that hard > to create a random number. > > -Jonathan R. > -- > Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza > Director, Service Provider VoIP Architecture Parsippany, NJ > 07054-2711 > Cisco Systems > jdrosen@cisco.com FAX: (973) 952-5050 > http://www.jdrosen.net PHONE: (973) 952-5000 > http://www.cisco.com > > > -- > BEGIN-ANTISPAM-VOTING-LINKS > ------------------------------------------------------ > Teach CanIt if this mail (ID 434640) is spam: > Spam: > http://asteroid.objectworld.com/canit/b.php?c=s&i=434640&m=a2c > 8da4fe0c4 > Not spam: > http://asteroid.objectworld.com/canit/b.php?c=n&i=434640&m=a2c > 8da4fe0c4 > Forget vote: > http://asteroid.objectworld.com/canit/b.php?c=f&i=434640&m=a2c > 8da4fe0c4 > ------------------------------------------------------ > END-ANTISPAM-VOTING-LINKS > > > > _______________________________________________ > Sipping mailing list https://www1.ietf.org/mailman/listinfo/sipping > This list is for NEW development of the application of SIP > Use sip-implementors@cs.columbia.edu for questions on current sip > Use sip@ietf.org for new developments of core SIP _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic
- [MMUSIC] Re: [Sipping] SIP Identity Usage in Ente… Jonathan Rosenberg
- [MMUSIC] Re: [Sipping] SIP Identity Usage in Ente… Jonathan Rosenberg
- [MMUSIC] RE: [Sipping] SIP Identity Usage in Ente… Michael Slavitch
- [MMUSIC] RE: [Sipping] SIP Identity Usage in Ente… Dan Wing
- [MMUSIC] FW: [Sipping] SIP Identity Usage in Ente… Michael Slavitch
- RE: [MMUSIC] RE: [Sipping] SIP Identity Usage in … Francois Audet