[Sip] RE: Question on draft-ietf-sip-identity-01

"Peterson, Jon" <jon.peterson@neustar.biz> Fri, 13 June 2003 14:51 UTC

Message-ID: <0449D80A0E9B614A83FA9031B07E8D3B257B2D@stntexch2.va.neustar.com>
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: 'Marco Aime' <m.aime@polito.it>
Cc: sip@ietf.org
Date: Fri, 13 Jun 2003 02:34:56 -0500
Subject: [Sip] RE: Question on draft-ietf-sip-identity-01

Hi,

Yes, the consequences of placing an authentication token into a SIP header
have been considered in the past. There were really three significant
factors that led to the architecture used in draft-ietf-sip-identity (in
which the authentication token appears in a body instead):

- The tokens themselves can be quite large and complicated. Following the
recommendation in the AIB draft (draft-ietf-sip-authid-body), a token might
contain numerous headers which are required for reference integrity.
Compound that with a digital signature. Compound that with an appended
certificate for verifying the signature (common in CMS applications). All
together, the size of one of these tokens would be considerably larger than
conventional SIP headers. While technically, headers are unbounded in size,
from a practical perspective chunks of data over a certain threshold are
more suitable for the body of a message than a header. A proxy handling a
header that was, say, over 1K in size could conceivably hiccup. Encoding a
header that contained multiple SIP headers and a digital signature and a
certificate could also be challenging.

- For additional reference integrity, some tokens may want to place
signatures around actual message bodies, notably SDP. This is a general
motivation for the use of S/MIME for identity. Replicating bodies in headers
would be... silly.

- Headers are frequently manipulated by proxy servers - bodies, however,
MUST NOT be modified by proxy servers (per RFC3261 16.6). A great deal of
emphasis in the SIP security work was placed on end-to-end security
properties. While headers can be marked unmodifiable (by omitting the 'amd's
in the famous Table 2 of RFC3261), the guidelines for bodies are more
strict.

Jon Peterson
NeuStar, Inc.

> -----Original Message-----
> From: Marco Aime [mailto:m.aime@polito.it]
> Sent: Tuesday, June 10, 2003 9:21 AM
> To: jon.peterson@neustar.biz
> Cc: sip@ietf.org
> Subject: Question on draft-ietf-sip-identity-01
> 
> 
> Hi Jon,
> 
> regarding draft-ietf-sip-identity-01, I'm wondering what can be the 
> problems trying to place the authentication token into a SIP header 
> rather than the body: have the consequences of this option been 
> investigated already?
> 
> Thanks in advance
> Bye
> Marco Aime
> 
> -- 
> ------------------------------------------------------------------
> Marco AIME
> Dipartimento di Automatica e Informatica
> Politecnico di Torino
> Addr: Via Cardinal Massaia 83, Torino, Italy
> Tel: +39 011 22102-44
> Fax: +39 011 22102-29
> Mail: m.aime@polito.it (marcodomenico.aime@polito.it)
> ------------------------------------------------------------------
> 
_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip
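The reference-integrity and proxy-modification points above, as an added worked example that is not code from the thread, from the identity draft, or from the AIB draft. It assumes the set of copied headers (From, To, Call-ID, Contact, Date) from my reading of the AIB draft, stands in a keyed HMAC for the S/MIME (CMS) signature the draft actually uses, and uses a single plain body instead of a multipart S/MIME structure; the INVITE and the key are constructed sample data.

```python
import hashlib
import hmac

# Headers copied into the signed body so the token is bound to this request
# (assumption: header set taken from the AIB draft, draft-ietf-sip-authid-body).
REFERENCE_HEADERS = ("From", "To", "Call-ID", "Contact", "Date")

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's private key

# Constructed sample INVITE headers.
OUTER_HEADERS = {
    "Via": "SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds",
    "From": "Alice <sip:alice@example.com>;tag=1928301774",
    "To": "Bob <sip:bob@example.net>",
    "Call-ID": "a84b4c76e66710@pc33.example.com",
    "CSeq": "314159 INVITE",
    "Contact": "<sip:alice@pc33.example.com>",
    "Date": "Thu, 12 Jun 2003 15:02:03 GMT",
}


def parse_sip(message):
    """Split a SIP message into (start_line, headers, body).
    Headers are a dict; the last value wins for a repeated name, which is
    sufficient for this demonstration."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def build_aib(headers, signing_key):
    """Build an AIB-style body: copies of the reference headers followed by a
    signature over those copies. A toy HMAC line replaces the CMS detached
    signature and appended certificate of the real draft (assumption)."""
    copies = "\r\n".join(f"{h}: {headers[h]}" for h in REFERENCE_HEADERS if h in headers)
    tag = hmac.new(signing_key, copies.encode(), hashlib.sha256).hexdigest()
    return copies + "\r\nX-Toy-Signature: " + tag + "\r\n"


def verify_aib(message, signing_key):
    """Return (signature_ok, mismatched_headers). A verifier needs both checks:
    the signature must cover the copies unchanged, and every copied header must
    still equal the header on the outer request (reference integrity)."""
    _, headers, body = parse_sip(message)
    body_lines = [ln for ln in body.split("\r\n") if ln]
    sig_line = body_lines[-1]
    copies = "\r\n".join(body_lines[:-1])
    expected = hmac.new(signing_key, copies.encode(), hashlib.sha256).hexdigest()
    signature_ok = sig_line.startswith("X-Toy-Signature:") and hmac.compare_digest(
        sig_line.split(":", 1)[1].strip(), expected)
    mismatched = []
    for line in body_lines[:-1]:
        name, _, value = line.partition(":")
        if headers.get(name.strip()) != value.strip():
            mismatched.append(name.strip())
    return signature_ok, mismatched


def make_request(headers, body):
    """Serialise a constructed INVITE carrying the given body."""
    head = "INVITE sip:bob@example.net SIP/2.0\r\n" + "\r\n".join(
        f"{k}: {v}" for k, v in headers.items())
    return head + "\r\nContent-Length: " + str(len(body)) + "\r\n\r\n" + body


def demo():
    """Run the verifier on an intact request, a request whose outer From header a
    proxy rewrote, and a request whose body was altered in transit."""
    body = build_aib(OUTER_HEADERS, KEY)
    msg = make_request(OUTER_HEADERS, body)
    # 1. Untouched request: signature valid, every copy matches the outer header.
    intact = verify_aib(msg, KEY)
    # 2. Outer From rewritten (headers may be edited in transit): the signature
    #    over the body still verifies, but the copy no longer matches.
    rewritten = msg.replace("Alice <sip:alice@example.com>",
                            "Mallory <sip:mallory@example.com>", 1)
    header_changed = verify_aib(rewritten, KEY)
    # 3. Body altered (which RFC 3261 16.6 forbids proxies to do): the
    #    signature over the copies breaks, and the copy also mismatches.
    head, sep, aib = msg.partition("\r\n\r\n")
    body_changed = verify_aib(
        head + sep + aib.replace("alice@example.com", "mallory@example.com"), KEY)
    return {"intact": intact, "header_changed": header_changed, "body_changed": body_changed}
```

Two outcomes are worth noting for a verifier: a rewritten outer header is caught only by the copy comparison (the signature itself is fine), while any change to the body is caught by the signature. In a real deployment the copies, the CMS signature and the certificate together are what drive the token size into the range that makes a body, rather than a header, the practical home for it.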