Re: [Sip] comments on draft-kupwade-sip-iba-00
Michael Thomas <mat@cisco.com> Thu, 28 February 2008 21:01 UTC
Return-Path: <sip-bounces@ietf.org>
X-Original-To: ietfarch-sip-archive@core3.amsl.com
Delivered-To: ietfarch-sip-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D264328C475; Thu, 28 Feb 2008 13:01:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.328
X-Spam-Level:
X-Spam-Status: No, score=-1.328 tagged_above=-999 required=5 tests=[AWL=-0.891, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsLYEH7NcGHX; Thu, 28 Feb 2008 13:01:57 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B622828C192; Thu, 28 Feb 2008 13:01:57 -0800 (PST)
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43E8B28C15E for <sip@core3.amsl.com>; Thu, 28 Feb 2008 13:01:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wmCUCID8TquX for <sip@core3.amsl.com>; Thu, 28 Feb 2008 13:01:52 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 7111E3A6A99 for <sip@ietf.org>; Thu, 28 Feb 2008 13:01:52 -0800 (PST)
Received: from sjc12-sbr-sw3-3f5.cisco.com (HELO imail.cisco.com) ([172.19.96.182]) by sj-iport-6.cisco.com with ESMTP; 28 Feb 2008 13:01:45 -0800
Received: from dhcp-171-71-97-210.cisco.com (dhcp-171-71-97-210.cisco.com [171.71.97.210]) by imail.cisco.com (8.12.11/8.12.10) with ESMTP id m1SKmACV030680; Thu, 28 Feb 2008 12:48:11 -0800
Message-ID: <47C7213A.5090000@cisco.com>
Date: Thu, 28 Feb 2008 13:01:46 -0800
From: Michael Thomas <mat@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.9) Gecko/20071031 Thunderbird/2.0.0.9 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Dean Willis <dean.willis@softarmor.com>
References: <20080227170702.5A5C05081A@romeo.rtfm.com> <132324.81291.qm@web65509.mail.ac4.yahoo.com> <20080227171901.8EAE95081A@romeo.rtfm.com> <47C7017D.5020301@softarmor.com>
In-Reply-To: <47C7017D.5020301@softarmor.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2425; t=1204231691; x=1205095691; c=relaxed/simple; s=oregon; h=To:Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mat@cisco.com; z=From:=20Michael=20Thomas=20<mat@cisco.com> |Subject:=20Re=3A=20[Sip]=20comments=20on=20draft-kupwade-s ip-iba-00 |Sender:=20 |To:=20Dean=20Willis=20<dean.willis@softarmor.com>; bh=NGZTqyKV7TcGV6wnI/ja1cJPO2vULJFDGvAWzNu5Wv4=; b=P/RmfJuLQfQJtHQZWUmS6jkArlaG0K3Sreze8VBFzO6VOGrmyyjHKh2oLs 0Zgcr6iF2jn7RqiEKhifLk80sPULFDrKpTV7nwGjyyUtR+1DyRvJTFiKLNVl HGzHvu45uV;
Authentication-Results: imail.cisco.com; header.From=mat@cisco.com; dkim=pass ( sig from cisco.com/oregon verified; );
Cc: sip@ietf.org
Subject: Re: [Sip] comments on draft-kupwade-sip-iba-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
Dean Willis wrote:
> [] The enrollment
> process could include a KG interaction.
This to my mind is the _actual_ problem hindering deployment. Does
this scheme help that problem or just rearrange the deck chairs? Something
that posits yet another trust anchor would strike me as the latter.
From the conclusion:
The advantages with the proposed methods are:
1. Key size: Elliptic-curve cryptography arguably provides
equivalent security with smaller operands than the RSA technique
typically used with [7 <http://tools.ietf.org/html/draft-kupwade-sip-iba-00#ref-7>]. This provides some advantage for
resource-constrained environments such as mobile telephones. It
also reduces the cryptographic load on large-scale devices doing
frequent authentication checks.
You can do this with PKI or key-centric schemes too.
2. Key discovery: Callers can generate the public key of the callee
from the identity (SIP URI) of the callee and vice versa. This
eliminates a requirement for a key discovery mechanism using
external sources, making deployment significantly easier.
Or you can ship the key or cert in the signaling too.
3. Certificate validation: As a result caller or callee need not go
through the complex path construction process to retrieve the
public keys of a chain of CAs from the public key depositories
which are controlled by the respective CAs. This allows
deployment in a peer-to-per modality without a need to route SIP
messages through a centralized identity service or trust peer
nodes to operate as identity services.
What is the KG if not a centralized entity? I guess I don't
understand this part.
4. Revocation: The ease of minting new identities and discovering
keys allows short-lived identities, reducing the need for
certificate revocation lists and the checking thereof. This
offers very large operational advantages in resource constrained
environments.
I don't understand why this is "easy". Enrollment is
"hard" unless there's something really new here. And
if I wanted a short-lived identity, I could just gin
up a new public key pair and use that as the identity
too. But I thought that the real problem was dealing with
long term identities like, oh say, mat@cisco.com.
Mike
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- [Sip] comments on draft-kupwade-sip-iba-00 Jonathan Rosenberg
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 James M. Polk
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 James M. Polk
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Michael Thomas
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Michael Thomas
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Harsh Kupwade
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Hadriel Kaplan
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Dean Willis
- Re: [Sip] comments on draft-kupwade-sip-iba-00 Eric Rescorla