[Sip] Question on rfc4474

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Tue, 08 November 2011 13:52 UTC

Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: sip@ietfa.amsl.com
Delivered-To: sip@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6F57021F8BF6 for <sip@ietfa.amsl.com>; Tue, 8 Nov 2011 05:52:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.089
X-Spam-Status: No, score=-1.089 tagged_above=-999 required=5 tests=[AWL=2.510, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id FyMeWTQM+FMO for <sip@ietfa.amsl.com>; Tue, 8 Nov 2011 05:52:03 -0800 (PST)
Received: from DB3EHSOBE004.bigfish.com (db3ehsobe004.messaging.microsoft.com []) by ietfa.amsl.com (Postfix) with ESMTP id 89A2221F8A7E for <sip@ietf.org>; Tue, 8 Nov 2011 05:52:02 -0800 (PST)
Received: from mail74-db3-R.bigfish.com ( by DB3EHSOBE004.bigfish.com ( with Microsoft SMTP Server id; Tue, 8 Nov 2011 13:51:39 +0000
Received: from mail74-db3 (localhost.localdomain []) by mail74-db3-R.bigfish.com (Postfix) with ESMTP id AD27D1CA0174 for <sip@ietf.org>; Tue, 8 Nov 2011 13:51:52 +0000 (UTC)
X-SpamScore: -7
X-BigFish: VPS-7(zz14ffOzz1202hzzz2fh2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPVD:NLI; H:motgate3.mot-solutions.com; RD:motgate3.mot-solutions.com; EFVD:NLI
X-FB-SS: 0,13,
Received-SPF: pass (mail74-db3: domain of motorolasolutions.com designates as permitted sender) client-ip=; envelope-from=Adam.Lewis@motorolasolutions.com; helo=motgate3.mot-solutions.com ; olutions.com ;
Received: from mail74-db3 (localhost.localdomain []) by mail74-db3 (MessageSwitch) id 1320760312596901_30972; Tue, 8 Nov 2011 13:51:52 +0000 (UTC)
Received: from DB3EHSMHS002.bigfish.com (unknown []) by mail74-db3.bigfish.com (Postfix) with ESMTP id 83CFF191804E for <sip@ietf.org>; Tue, 8 Nov 2011 13:51:52 +0000 (UTC)
Received: from motgate3.mot-solutions.com ( by DB3EHSMHS002.bigfish.com ( with Microsoft SMTP Server (TLS) id; Tue, 8 Nov 2011 13:51:34 +0000
Received: from il27exr01.cig.mot.com ([]) by motgate3.mot-solutions.com (8.14.3/8.14.3) with ESMTP id pA8DpsMp001136 for <sip@ietf.org>; Tue, 8 Nov 2011 06:51:54 -0700 (MST)
Received: from il27exr01.cig.mot.com (il27vts01.cig.mot.com []) by il27exr01.cig.mot.com (8.13.1/Vontu) with ESMTP id pA8Dps6H017920 for <sip@ietf.org>; Tue, 8 Nov 2011 07:51:54 -0600 (CST)
Received: from de01exm70.ds.mot.com (de01exm70.am.mot.com []) by il27exr01.cig.mot.com (8.13.1/8.13.0) with ESMTP id pA8DpsVk017912 for <sip@ietf.org>; Tue, 8 Nov 2011 07:51:54 -0600 (CST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 8 Nov 2011 08:51:31 -0500
Message-ID: <1F9250DB00086D4E90A7FBC13C5EAF540F585ED9@de01exm70.ds.mot.com>
Thread-Topic: Question on rfc4474
Thread-Index: AcyeHYWaphH17IbhTpyY48Rqbh9JNQ==
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: <sip@ietf.org>
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
Subject: [Sip] Question on rfc4474
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2011 13:52:03 -0000

Hi all,

rfc4474 describes how an Authentication Service - which might be
implemented in a SIP proxy - can make digital signatures which provide
assurance for SIP applications that the asserted SIP identity is valid.
It recommends implementing this service within a SIP proxy since the SIP
proxy 1) is likely to have a private signing key, and 2) has access to
SIP registrar services.  It is the second part I have a question about.

If a network has a dedicated SIP proxy and a dedicated SIP registrar,
and a SIP user registers with the SIP registrar using HTTP digest, then
how does this help the SIP proxy validate the identity of the SIP user,
such that it can add a digital signature to SIP messages received from
the UE?  A few things come to mind:

* User can authenticates separately to the SIP proxy and create an
authenticated user session with it
* Something like IMS, where successful registration with the S-CSCF
results in an authenticated IPsec SA between the UE and P-CSCF
* Co-located SIP proxy and SIP registrar in the same box
* Others?

I'm guessing that the RFC intentionally did not address the "how" of
this and leaves it to implementation, just want to make sure I'm not
missing something.  Are there any other well known ways to solve this
other than those I mention above?