Re: [Sip] comments on draft-kupwade-sip-iba-00
Michael Thomas <mat@cisco.com> Thu, 28 February 2008 21:01 UTC
Return-Path: <sip-bounces@ietf.org>
X-Original-To: ietfarch-sip-archive@core3.amsl.com
Delivered-To: ietfarch-sip-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D264328C475; Thu, 28 Feb 2008 13:01:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.328
X-Spam-Level:
X-Spam-Status: No, score=-1.328 tagged_above=-999 required=5 tests=[AWL=-0.891, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsLYEH7NcGHX; Thu, 28 Feb 2008 13:01:57 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B622828C192; Thu, 28 Feb 2008 13:01:57 -0800 (PST)
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43E8B28C15E for <sip@core3.amsl.com>; Thu, 28 Feb 2008 13:01:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wmCUCID8TquX for <sip@core3.amsl.com>; Thu, 28 Feb 2008 13:01:52 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 7111E3A6A99 for <sip@ietf.org>; Thu, 28 Feb 2008 13:01:52 -0800 (PST)
Received: from sjc12-sbr-sw3-3f5.cisco.com (HELO imail.cisco.com) ([172.19.96.182]) by sj-iport-6.cisco.com with ESMTP; 28 Feb 2008 13:01:45 -0800
Received: from dhcp-171-71-97-210.cisco.com (dhcp-171-71-97-210.cisco.com [171.71.97.210]) by imail.cisco.com (8.12.11/8.12.10) with ESMTP id m1SKmACV030680; Thu, 28 Feb 2008 12:48:11 -0800
Message-ID: <47C7213A.5090000@cisco.com>
Date: Thu, 28 Feb 2008 13:01:46 -0800
From: Michael Thomas <mat@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.9) Gecko/20071031 Thunderbird/2.0.0.9 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Dean Willis <dean.willis@softarmor.com>
References: <20080227170702.5A5C05081A@romeo.rtfm.com> <132324.81291.qm@web65509.mail.ac4.yahoo.com> <20080227171901.8EAE95081A@romeo.rtfm.com> <47C7017D.5020301@softarmor.com>
In-Reply-To: <47C7017D.5020301@softarmor.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2425; t=1204231691; x=1205095691; c=relaxed/simple; s=oregon; h=To:Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mat@cisco.com; z=From:=20Michael=20Thomas=20<mat@cisco.com> |Subject:=20Re=3A=20[Sip]=20comments=20on=20draft-kupwade-s ip-iba-00 |Sender:=20 |To:=20Dean=20Willis=20<dean.willis@softarmor.com>; bh=NGZTqyKV7TcGV6wnI/ja1cJPO2vULJFDGvAWzNu5Wv4=; b=P/RmfJuLQfQJtHQZWUmS6jkArlaG0K3Sreze8VBFzO6VOGrmyyjHKh2oLs 0Zgcr6iF2jn7RqiEKhifLk80sPULFDrKpTV7nwGjyyUtR+1DyRvJTFiKLNVl HGzHvu45uV;
Authentication-Results: imail.cisco.com; header.From=mat@cisco.com; dkim=pass ( sig from cisco.com/oregon verified; );
Cc: sip@ietf.org
Subject: Re: [Sip] comments on draft-kupwade-sip-iba-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
Dean Willis wrote: > [] The enrollment > process could include a KG interaction. This to my mind is the _actual_ problem hindering deployment. Does this scheme help that problem or just rearrange the deck chairs? Something that posits yet another trust anchor would strike me as the latter. From the conclusion: The advantages with the proposed methods are: 1. Key size: Elliptic-curve cryptography arguably provides equivalent security with smaller operands than the RSA technique typically used with [7 <http://tools.ietf.org/html/draft-kupwade-sip-iba-00#ref-7>]. This provides some advantage for resource-constrained environments such as mobile telephones. It also reduces the cryptographic load on large-scale devices doing frequent authentication checks. You can do this with PKI or key-centric schemes too. 2. Key discovery: Callers can generate the public key of the callee from the identity (SIP URI) of the callee and vice versa. This eliminates a requirement for a key discovery mechanism using external sources, making deployment significantly easier. Or you can ship the key or cert in the signaling too. 3. Certificate validation: As a result caller or callee need not go through the complex path construction process to retrieve the public keys of a chain of CAs from the public key depositories which are controlled by the respective CAs. This allows deployment in a peer-to-per modality without a need to route SIP messages through a centralized identity service or trust peer nodes to operate as identity services. What is the KG if not a centralized entity? I guess I don't understand this part. 4. Revocation: The ease of minting new identities and discovering keys allows short-lived identities, reducing the need for certificate revocation lists and the checking thereof. This offers very large operational advantages in resource constrained environments. I don't understand why this is "easy". Enrollment is "hard" unless there's something really new here. And if I wanted a short-lived identity, I could just gin up a new public key pair and use that as the identity too. But I thought that the real problem was dealing with long term identities like, oh say, mat@cisco.com. Mike _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- [Sip] comments on draft-kupwade-sip-iba-00 Jonathan Rosenberg
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 James M. Polk
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 James M. Polk
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Michael Thomas
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Michael Thomas
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Hadriel Kaplan
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla