[sipcore] rfc4244bis #44 (new): 4244bis-02: security section misleading
"sipcore issue tracker" <trac@tools.ietf.org> Sun, 07 November 2010 02:41 UTC
#44: 4244bis-02: security section misleading

Section 9 says:

   With the level of security provided by TLS (SEC-req-3), the
   information in the History-Info header can thus be evaluated to
   determine if information has been removed by evaluating the indices
   for gaps (SEC-req-1, SEC-req-2). It would be up to the application
   to define whether it can make use of the information in the case of
   missing entries.

No, TLS doesn't do that. TLS only guarantees you that the next-hop or previous-hop is who its cert claims it to be (assuming you trust its anchor), and prevents tampering by something in-between you and that previous-hop or next-hop. That doesn't mean that previous-hop or next-hop, or some upstream/downstream entity beyond it, did not modify the H-I entries - including in ways which you cannot possibly detect. For example it could have renumbered them, changed their content, etc.

This section-9 paragraph is wrong, and we won't be able to satisfy the security requirements in appendix A.1.

That's *OK*. We're not going to get better than that. In fact, we basically need that behavior, since we need PSTN Gateways to be able to generate H-I entries based on ISUP info (even for numbers they don't own); and we need Diversion interworked to H-I too.

--
------------------------------------+---------------------------------------
 Reporter:  hkaplan@…               |       Owner:
     Type:  defect                  |      Status:  new
 Priority:  minor                   |   Milestone:  milestone1
Component:  rfc4244bis              |     Version:  2.0
 Severity:  In WG Last Call         |    Keywords:
------------------------------------+---------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/sipcore/trac/ticket/44>
sipcore <http://tools.ietf.org/sipcore/>
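The limit of the index-gap check that the ticket describes, as an added example that is not part of the ticket or of the draft: the History-Info entries are constructed, and `indices` and `find_gaps` are hypothetical helper names. It shows that an entry that is simply missing leaves a detectable gap, while a set renumbered by an upstream hop passes the same check.

```python
import re

# Constructed History-Info entries as a downstream UAS might receive them.
ORIGINAL = [
    "<sip:bob@example.com>;index=1",
    "<sip:bob@192.0.2.5>;index=1.1",
    "<sip:carol@example.net>;index=1.2",
    "<sip:carol@198.51.100.7>;index=1.2.1",
]
# Same request with the 1.1 entry missing and nothing else touched.
DROPPED = [ORIGINAL[0], ORIGINAL[2], ORIGINAL[3]]
# Same request where an upstream hop removed 1.1 and renumbered the rest.
RENUMBERED = [
    "<sip:bob@example.com>;index=1",
    "<sip:carol@example.net>;index=1.1",
    "<sip:carol@198.51.100.7>;index=1.1.1",
]

INDEX_RE = re.compile(r";\s*index\s*=\s*(\d+(?:\.\d+)*)")

def indices(entries):
    """Return each entry's index as a tuple of ints, e.g. '1.2.1' -> (1, 2, 1)."""
    result = []
    for entry in entries:
        match = INDEX_RE.search(entry)
        if match is None:
            raise ValueError(f"entry has no index parameter: {entry!r}")
        result.append(tuple(int(part) for part in match.group(1).split(".")))
    return result

def find_gaps(entries):
    """List indices implied by the entries present but absent from the header."""
    present = set(indices(entries))
    missing = set()
    for idx in present:
        # Every ancestor (1.2 for 1.2.1) must have been recorded.
        for depth in range(1, len(idx)):
            if idx[:depth] not in present:
                missing.add(idx[:depth])
        # Every earlier sibling (1.1 for 1.2) must have been recorded.
        for k in range(1, idx[-1]):
            sibling = idx[:-1] + (k,)
            if sibling not in present:
                missing.add(sibling)
    return sorted(missing)

if __name__ == "__main__":
    for name, hdr in (("original", ORIGINAL), ("dropped", DROPPED),
                      ("renumbered", RENUMBERED)):
        print(name, find_gaps(hdr))
```

An empty result from `find_gaps` therefore says only that the indices are self-consistent, not that the entries are the ones the upstream proxies originally recorded.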