[Sip] Re: I-D ACTION:draft-ietf-sip-identity-03.txt
Adam Roach <adam@nostrum.com> Sun, 07 November 2004 22:28 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA05340 for <sip-web-archive@ietf.org>; Sun, 7 Nov 2004 17:28:31 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CQvWu-0006Xi-1W for sip-web-archive@ietf.org; Sun, 07 Nov 2004 17:29:00 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CQvPE-0003jB-Jd; Sun, 07 Nov 2004 17:21:04 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CQvOU-0003Yx-OW for sip@megatron.ietf.org; Sun, 07 Nov 2004 17:20:18 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04639 for <sip@ietf.org>; Sun, 7 Nov 2004 17:20:15 -0500 (EST)
Received: from magus.nostrum.com ([69.5.195.2] ident=root) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CQvOr-0006Mr-Dv for sip@ietf.org; Sun, 07 Nov 2004 17:20:44 -0500
Received: from [192.168.0.111] (adsl-209-30-35-14.dsl.rcsntx.swbell.net [209.30.35.14]) (authenticated bits=0) by magus.nostrum.com (8.12.11/8.12.11) with ESMTP id iA7MK5uY047383 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 7 Nov 2004 16:20:07 -0600 (CST) (envelope-from adam@nostrum.com)
Message-ID: <418D6AFE.4060605@nostrum.com>
Date: Sat, 06 Nov 2004 18:23:26 -0600
From: Adam Roach <adam@nostrum.com>
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jon Peterson <jon.peterson@neustar.biz>, Cullen Jennings <fluffy@cisco.com>
References: <200409291930.PAA02227@ietf.org>
In-Reply-To: <200409291930.PAA02227@ietf.org>
X-Enigmail-Version: 0.86.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.4 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Content-Transfer-Encoding: 7bit
Cc: sip@ietf.org
Subject: [Sip] Re: I-D ACTION:draft-ietf-sip-identity-03.txt
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.4 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Content-Transfer-Encoding: 7bit
This looks really solid. In response to Dean's earlier query, I suspect this is quickly reaching "ready for WGLC" status. When looking over this, though, there are two issues that might need a bit more text (although one is really more of a nit). The first issue revolves around proxy validation of received requests which contain authenticated identity headers, and how these proxies communicate with the user who is the target of the request, and has two sub-issues. Primary among these is a question of how the proxies communicate discrepancies to the recipient. Section 7 requires: > Additionally, the Date, Contact and Call-ID headers MUST be analyzed > in the manner described in Section 14; recipients that wish to verify > Identity signatures MUST support all of the operations described > there. Any discrepancies or violations MUST be reported to the user. If I implement a proxy, it is not clear how I can satisfy this second MUST. A secondary sub-issue arises from the mechanism by which the proxy decides to trust certificates. There is nothing in the current draft that suggests, for example, that trusting self-signed domain certs for the purposes of user authentication might be a Really Bad Idea. (Obvious to security wonks, maybe not so much for your average implementor). The reason this ties into user interaction is that it becomes unclear how a proxy should react if it receives a request; that request has an authenticated identity asserted by a domain; and the root CA for the domain's certificate is not known. With user applications, this is typically handled by saying, "I don't know who blackhelicopers.org is, but they signed this certificate. Click here to examine the cert yourself, and let me know if I should accept this cert as invalid, temporarily valid, or permanently valid." When the check is performed by a proxy, such interaction is really quite difficult. The best a proxy can do is reject the request with a 428 (which seems a bit extreme), or let it through (in which case the proxy's check serves little to no purpose) So, I suggest that the draft probably needs a little more text around proxy handling of requests; further, given the all-or-nothing nature of proxy validation of authenticated identity, we might consider discouraging its use in favor of client validation. The second issue is a tiny nit in that the current draft doesn't specify what to do if you receive a request with an Identity-Info header which contains a URI with a scheme other than sips: or https:. Presumably, recipients should 428 such requests? 400? /a _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- [Sip] I-D ACTION:draft-ietf-sip-identity-03.txt Internet-Drafts
- [Sip] Re: I-D ACTION:draft-ietf-sip-identity-03.t… Adam Roach
- [Sip] RE: I-D ACTION:draft-ietf-sip-identity-03.t… Peterson, Jon