[Sip] comments on draft-kupwade-sip-iba-00

Jonathan Rosenberg <jdrosen@cisco.com> Wed, 27 February 2008 02:18 UTC

Message-ID: <47C4C85F.4050000@cisco.com>
Date: Tue, 26 Feb 2008 21:18:07 -0500
From: Jonathan Rosenberg <jdrosen@cisco.com>
To: IETF SIP List <sip@ietf.org>
Subject: [Sip] comments on draft-kupwade-sip-iba-00

Harsh, Dean,

Thanks much for this document. It's great to see folks trying to tackle 
new areas of work, especially tough ones like identity.

The concept of identity based security is a new one to me; how mature is 
this stuff? Are there any commercial uses yet? What about intellectual 
property issues? Has it been well-studied by experts to assess its 
robustness? i.e., have folks been trying to crack it, and so far it's 
held up?

The document talks about encrypting the signature for the target but I 
don't see what security benefit this brings. Indeed, encrypting content 
in the signaling for an intended target has proven very problematic. 
Besides the (so-far) hugely hard cert problem, there is also the issue 
of retargeting. Also you have cases of multiple receiving devices - 
forking for example. Maybe Dean is just hoping it goes away, but how 
would this solution work there? Then there are things like shared lines, 
contact centers, etc...

I agree with Ekr that the primary advantage from a pure signature 
perspective is the ability to eliminate the fetching of the certificate. 
I think this is more beneficial than just 'compression'. Identity-Info 
presents the certificate by reference. The increasing numbers of NAT and 
firewalls and SBCs are making me increasingly worried that the ability 
to reach across the network, back to the originator, and fetch ANYTHING 
over http, will be really hard in SIP deployments. So there is value in 
eliminating this IMHO.

I must say I didn't understand how revocation works. From the 
description of the algorithm it seemed untenable. The verifier never 
needs to obtain a cert and the public key is generated statically from 
the identity. Once they have the private key, the sender can always sign 
with it, so I don't see how revocation is possible.

Jonathan R.
Jonathan D. Rosenberg, Ph.D.                   499 Thornall St.
Cisco Fellow                                   Edison, NJ 08837
Cisco, Voice Technology Group
http://www.jdrosen.net                         PHONE: (408) 902-3084
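The revocation concern in the last paragraph, as an added illustration that is not code from the draft or from this message: a toy Shamir-style RSA identity-based signature in which the verifier derives the public key from the identity label alone (no certificate fetch), so a key the PKG has revoked keeps verifying; the period-bound label at the end is the mitigation usually cited in the IBE literature, which the message does not discuss. The primes, identity and SIP message are constructed demo values.

```python
"""Toy Shamir-style identity-based signature (IBS): illustration only."""
import hashlib
import secrets

# PKG setup: constructed demo RSA modulus (far too small for real use).
P = 2147483647                # 2**31 - 1
Q = 2305843009213693951       # 2**61 - 1
N = P * Q
E = 65537                     # public params are (N, E) plus the hash
MASTER_D = pow(E, -1, (P - 1) * (Q - 1))   # PKG master secret, never published


def hash_to_zn(label: str) -> int:
    """The public key is computed straight from the identity label."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % N


def extract(label: str) -> int:
    """PKG issues the private key for a label (identity, optionally with a period)."""
    return pow(hash_to_zn(label), MASTER_D, N)


def _challenge(t: int, message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(t.to_bytes(12, "big") + message).digest(), "big")


def sign(priv: int, message: bytes):
    r = secrets.randbelow(N - 2) + 2          # fresh randomness per signature
    t = pow(r, E, N)
    s = priv * pow(r, _challenge(t, message), N) % N
    return s, t


def verify(label: str, message: bytes, sig) -> bool:
    """Needs only the label and (N, E): s**E == H(label) * t**f (mod N)."""
    s, t = sig
    return pow(s, E, N) == hash_to_zn(label) * pow(t, _challenge(t, message), N) % N


def revocation_demo():
    alice = "sip:alice@example.com"                       # constructed identity
    msg = b"INVITE sip:bob@example.com SIP/2.0"            # constructed message
    key = extract(alice)
    pkg_revoked = {alice}          # PKG later marks the key compromised ...
    still_valid = verify(alice, msg, sign(key, msg))       # ... verifier cannot tell
    # Mitigation: bind a validity period into the label; old keys stop verifying.
    sig_feb = sign(extract(alice + "|2008-02"), msg)
    feb_ok = verify(alice + "|2008-02", msg, sig_feb)
    mar_ok = verify(alice + "|2008-03", msg, sig_feb)
    return still_valid, feb_ok, mar_ok, alice in pkg_revoked
```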