IETF Logo Mail Archive

RE: [Sip] p-asserted-identity security harmful

Michael Thomas <mat@cisco.com> Thu, 04 July 2002 20:01 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA23922 for <sip-archive@odin.ietf.org>; Thu, 4 Jul 2002 16:01:25 -0400 (EDT)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id QAA07475 for sip-archive@odin.ietf.org; Thu, 4 Jul 2002 16:02:15 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA06628; Thu, 4 Jul 2002 15:38:15 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA06596 for <sip@optimus.ietf.org>; Thu, 4 Jul 2002 15:38:11 -0400 (EDT)
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.24.11]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA23457 for <sip@ietf.org>; Thu, 4 Jul 2002 15:37:21 -0400 (EDT)
Received: from mira-sjc5-7.cisco.com (IDENT:mirapoint@mira-sjc5-7.cisco.com [171.71.163.27]) by sj-msg-core-2.cisco.com (8.12.2/8.12.2) with ESMTP id g64JbbhI028042; Thu, 4 Jul 2002 12:37:37 -0700 (PDT)
Received: from thomasm-u1.cisco.com (thomasm-u1.cisco.com [128.107.140.53]) by mira-sjc5-7.cisco.com (Mirapoint) with ESMTP id ABZ72652; Thu, 4 Jul 2002 12:34:51 -0700 (PDT)
Received: (thomasm@localhost) by thomasm-u1.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) id MAA20620; Thu, 4 Jul 2002 12:37:36 -0700 (PDT)
From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <15652.41984.294506.256017@thomasm-u1.cisco.com>
Date: Thu, 04 Jul 2002 12:37:36 -0700
To: "Peterson, Jon" <jon.peterson@neustar.biz>
Cc: 'Michael Thomas' <mat@cisco.com>, sip@ietf.org
Subject: RE: [Sip] p-asserted-identity security harmful
In-Reply-To: <15A2739B7DAA624D8091C65981D7DA810A02DD@STNTEXCH2>
References: <15A2739B7DAA624D8091C65981D7DA810A02DD@STNTEXCH2>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
X-Face: &, heK/V66p?[2!i|tVn, 9lN0TUvEv7:9FzXREj/AuzN4m<D]vnFJ>u!4x[/Z4t{V}~L]+Sk @RFNnJEg~WZ/(8<`5a), -7ukALWa^&?&D2R0CSG3kO5~#6JxLF\d, g">$%B!0w{W)qIhmwhye104zd bUcI'1!
Content-Transfer-Encoding: 7bit
Sender: sip-admin@ietf.org
Errors-To: sip-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Session Initiation Protocol <sip.ietf.org>
X-BeenThere: sip@ietf.org
Content-Transfer-Encoding: 7bit

Jon,

I am not the only one who was confused by this and
before you start copping attitude you might
consider whether REQUIREMENTS LANGUAGE in EXAMPLES
is a recipe for an understandable document.

	    Mike

Peterson, Jon writes:
 > Um, did you perhaps not see the word 'Example' in the title of section 11?
 > The document only requires that a Spec(T) be defined, and provides one in
 > section 11 for illustrative purposes. Or as it says in the beginning of
 > section 11:
 > 
 >    The remainder of this section presents an example Spec(T), which is
 >    not normative in any way.
 > 
 > Thanks as always for your reasoned analysis of our work in this group.
 > 
 > Jon Peterson
 > NeuStar, Inc.
 > 
 > > -----Original Message-----
 > > From: Michael Thomas [mailto:mat@cisco.com]
 > > Sent: Wednesday, July 03, 2002 8:41 AM
 > > To: sip@ietf.org
 > > Subject: [Sip] p-asserted-identity security harmful
 > > 
 > > 
 > > 
 > > From Section 11.3 of draft-ietf-sip-asserted-identity-01:
 > > 
 > > >    Connections between nodes within the Trust Domain and 
 > > between UAs and
 > > >    nodes in the Trust Domain MUST use TLS using a cipher suite of
 > > >    RSA_WITH_AES_128_CBC_SHA1.  Mutual authentication 
 > > between nodes in the
 > > >    trust domain MUST be performed and confidentiality MUST 
 > > be negotiated.
 > > > 
 > > 
 > > 
 > > It's just come to my attention that TLS was
 > > mandated in the asserted identity draft. Not only
 > > was TLS mandated, but certain cipher suites and
 > > _AUTHENTICATION_ mechanisms were made necessary
 > > not only to implement, but to deploy. This is
 > > utterly bogus. This also places new requirements
 > > on UA's, which are not part of the base SIP spec.
 > > That too is bogus, and has been slipped in with
 > > no discussion.
 > > 
 > > First, it ignores the possible use of IPsec as an
 > > alternate mechanism to protect the bits on the
 > > wire, but far more bogus doesn't allow for the
 > > proper latitude with authentication mechanisms
 > > needed in real life. I know that a lot of people
 > > here think that the PKI kool aide is going to
 > > solve world thirst, but reality has shown that to
 > > be a complete myth. SIP should not be mandating
 > > things for *deployment* which are manifestly
 > > undeployable as the only possible mechanism.
 > > Thirdly, it places new requirements on UA's of not
 > > only implementation, but *deployment* as
 > > well. This is extremely harmful.
 > > 
 > > This section should either be struck in its
 > > entirety, or refer back to the base SIP spec's
 > > proxy requirements (which are likely to be harmful
 > > too, but at least the damage will be limited to a
 > > single document).
 > > 
 > > 	Mike
 > > 
 > > _______________________________________________
 > > Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
 > > This list is for NEW development of the core SIP Protocol
 > > Use sip-implementors@cs.columbia.edu for questions on current sip
 > > Use sipping@ietf.org for new developments on the application of sip
 > > 
 > 
 > _______________________________________________
 > Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
 > This list is for NEW development of the core SIP Protocol
 > Use sip-implementors@cs.columbia.edu for questions on current sip
 > Use sipping@ietf.org for new developments on the application of sip

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email