RE: [Sip] Re: RLS and identity

"Drage, Keith (Keith)" <drage@lucent.com> Tue, 30 November 2004 18:38 UTC

Message-ID: <475FF955A05DD411980D00508B6D5FB00C290256@en0033exch001u.uk.lucent.com>
From: "Drage, Keith (Keith)" <drage@lucent.com>
To: 'Adam Roach' <adam@nostrum.com>
Subject: RE: [Sip] Re: RLS and identity
Date: Tue, 30 Nov 2004 18:04:33 -0000
Cc: SIP WG <sip@ietf.org>

This creates a number of problems for 3GPP which I think need to be discussed further. I also think the current IESG diktat needs fleshing out with more words on the issues they have with a wider specification of available methods, as I don't believe I have seen that on the list yet. 

Adam is also making generalisations when he states "inherently insecure P-Asserted-Identity mechanism". No one has made any justification of this statement. I accept that P-Asserted-Identity has a restricted applicability, in that it needs a trust domain, and needs to fulfil a number of criteria, as listed by the template at the back of RFC 3325, but that does not make it insecure. Any mechanism is insecure if you do not follow the rules.

Back to the problems. Identity is not ready yet. Yet 3GPP needs RLS in release 6. Creating a normative dependency on identity means that RLS cannot get out in due time.

Moreover, to use identity in 3GPP, we need to examine the interdependence of P-Asserted-Identity and the identity draft, as they need to coexist. We are not in a position to just rip one out and replace it with another, and any suggestion that this should be done is an expression of bad faith on behalf of IETF from when RFC 3325 was created. Identity still only solves half the issues that 3GPP use P-Asserted-Identity to solve. The author of the identity draft appears to have accepted the need to study and document this interdependency, as it is one of the identified open issues for completion of that draft.

Once we have done that, I am perfectly prepared to look at specifying use of identity in 3GPP release 7, but we need to solve the problem of allowing release 6 implementations to have an RLS that is conformant with IETF RFCs.

I do not want to have to get to the position of 3GPP having to specify something that is not IETF compliant, but that seems to be where they are being driven at the moment.

regards

Keith

Keith Drage
Lucent Technologies
drage@lucent.com
tel: +44 1793 776249


> -----Original Message-----
> From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On Behalf Of
> Adam Roach
> Sent: 25 November 2004 03:18
> To: Adam Roach
> Cc: SIP WG; Aki Niemi
> Subject: Re: [Sip] Re: RLS and identity
> 
> 
> Adam Roach wrote:
> 
> > Based on Rohan's suggestion, the text will effectively say:
> >
> > - Jon's Identity draft will be mandatory to implement, optional to use.
> >
> > - Other mechanisms that have properties such that they can adequately
> >   convey the identity of the subscriber and the permission of the RLS
> >   to subscribe on the user's behalf can also be used.
> 
> As a clarification, I have received specific guidance from the area
> directors that the draft cannot contain anything about such alternate
> mechanisms, even if they are not specifically mentioned by name. The use
> of e.g. P-Asserted-Identity will need to be a modification that 3GPP
> specifically calls out relative to the draft.
> 
> Of course, since the identity work is basically done and works so much
> better than P-Asserted-Identity, there could be a very valid argument
> made that 3GPP R6 should abandon the inherently insecure
> P-Asserted-Identity mechanism in favor of the cryptographically secure
> SIP Identity mechanism.
> 
> /a
> 
> _______________________________________________
> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sipping@ietf.org for new developments on the application of sip
> 

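Keith's point that P-Asserted-Identity is only as trustworthy as the trust-domain rules RFC 3325 attaches to it can be made concrete with the boundary behaviour that RFC specifies for a proxy: strip the header when a request arrives from a peer outside the trust domain, and strip it before forwarding to an untrusted peer when the user asked for "Privacy: id". The Python below is an added example, not code from this thread or from any 3GPP or IETF implementation; the trusted peer addresses and the INVITE are constructed sample data.

```python
import ipaddress

# Constructed trust domain: source addresses whose P-Asserted-Identity we accept.
TRUSTED_PEERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}

# Constructed request carrying an asserted identity and a privacy request.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.5;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    'P-Asserted-Identity: "Alice" <sip:alice@example.com>\r\n'
    "Privacy: id\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(msg):
    """Split a SIP message into its start line and a list of (name, value) headers."""
    start, _, rest = msg.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return start, headers

def serialize(start, headers):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"

def apply_trust_domain_rules(msg, source_ip, next_hop_trusted):
    """RFC 3325 handling of P-Asserted-Identity at a trust-domain boundary.

    Returns the message to forward and the list of stripped P-Asserted-Identity values.
    """
    start, headers = parse_headers(msg)
    from_trusted = ipaddress.ip_address(source_ip) in TRUSTED_PEERS
    # Privacy header values are ';'-separated tokens (RFC 3323); "id" covers the asserted identity.
    privacy_id = any(n.lower() == "privacy" and "id" in [t.strip().lower() for t in v.split(";")]
                     for n, v in headers)
    kept, stripped = [], []
    for n, v in headers:
        if n.lower() == "p-asserted-identity" and (not from_trusted or (not next_hop_trusted and privacy_id)):
            stripped.append(v)   # untrusted origin, or leaving the domain with Privacy: id
            continue
        kept.append((n, v))
    return serialize(start, kept), stripped
```

A request from outside the trust domain loses its asserted identity rather than being relayed with a claim nobody vouched for, which is the rule whose absence would make the mechanism insecure.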