RE: [Sipping] comments on draft-tschofenig-sipping-captcha-00.txt
"Jeremy Barkan \(DigitalShtick\)" <jeremyb@digitalshtick.com> Fri, 13 July 2007 16:01 UTC
Return-path: <sipping-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I9NZp-0008SW-Ca; Fri, 13 Jul 2007 12:01:05 -0400
Received: from sipping by megatron.ietf.org with local (Exim 4.43) id 1I9NZo-0008SM-4Z for sipping-confirm+ok@megatron.ietf.org; Fri, 13 Jul 2007 12:01:04 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I9NZn-0008S8-NP for sipping@ietf.org; Fri, 13 Jul 2007 12:01:03 -0400
Received: from pro22.abac.com ([66.226.64.23]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1I9NZn-00078w-8X for sipping@ietf.org; Fri, 13 Jul 2007 12:01:03 -0400
Received: from Jeremyb2 (bzq-88-153-73-150.red.bezeqint.net [88.153.73.150]) (authenticated bits=0) by pro22.abac.com (8.13.8/8.13.8) with ESMTP id l6DG0DsP072918; Fri, 13 Jul 2007 09:00:17 -0700 (PDT) (envelope-from jeremyb@digitalshtick.com)
From: "Jeremy Barkan (DigitalShtick)" <jeremyb@digitalshtick.com>
To: 'Jonathan Rosenberg' <jdrosen@cisco.com>, 'IETF Sipping List' <sipping@ietf.org>, 'Hannes Tschofenig' <Hannes.Tschofenig@gmx.net>
Subject: RE: [Sipping] comments on draft-tschofenig-sipping-captcha-00.txt
Date: Fri, 13 Jul 2007 19:00:12 +0300
Organization: DigitalShtick
Message-ID: <000301c7c566$e99e4bf0$6a00a8c0@Jeremyb2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcfFX+lM8+PHEWhhTCSFi23SuOUS4QABq8sg
In-Reply-To: <469795C7.5030108@cisco.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c3a18ef96977fc9bcc21a621cbf1174b
Cc: 'David Schwartz' <David.Schwartz@Kayote.com>
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Errors-To: sipping-bounces@ietf.org
Hi Jonathan - At a first glance - CAPTCHA can be susceptible to all the attacks one can get in a challenge type protocol - such as man-in-the-middle, replay and so on. HASHCASH uses a hash that includes SIP header fields from the current SIP Session - and we should think about how to make sure that the CAPTCHA is also linked to the session and would not be reused. Is this addressed in the app interaction framework you refer to ? There are some other general CAPTCHA security issues that are important to consider as well [ there has to be a wide enough set of CAPTCHA to make dictionary attacks unfeasible and so on ] Regards Jeremy -----Original Message----- From: Jonathan Rosenberg [mailto:jdrosen@cisco.com] Sent: Friday, July 13, 2007 6:10 PM To: IETF Sipping List Subject: [Sipping] comments on draft-tschofenig-sipping-captcha-00.txt Interesting draft, a few comments. Firstly, I disagree strongly that the app interaction framework cannot be reused for this. The draft makes several statements about its applicability, all of which are wrong: > Since there are different > solutions for different cases, the UAC needs to indicate the > supported application user interaction mechamisms when issuing a SIP > request. This might be too a heavy requirement for solving the user > interaction needs related to SPIT challenges. Firstly, it wasn't clear to me how the proposed mechanism solves this either. WHen the server rejects the request and provides the captcha challenge, how does it know which challenge to issue? It depends on the capabilities of the user and UA. So, same problem. Secondly this hardly seems like a hard problem to solve. The INVITE contains an Accept contact header field with the object types it can use. The draft also says: > Also, the application > interaction framework requires that a dialog exists before initiating > or accepting any user interaction requests. In case of SPIT > challenges the user interaction must happen during the dialog > establishment so it seems that the application interaction framework > cannot be directly used as a solution. This is false. THe dialog can be early. The application would send a provisional response and then issue the REFER to an HTTP URL, which can be used to retrieve exactly the same object you have specified, if you like. Using the dialog event package also allows better performance since you don't have to retry the INVITE, the call just proceeds. My second comment is, I'm not convinced a separate object format is needed for the challenge. Certainly in email systems today and web systems there is not; its just an HTTP interaction. I suspect you are worried about more limited user interfaces that don't have a general purpose web browser? You might want to motivate this a bit. -JOnathan R. -- Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza Cisco Fellow Parsippany, NJ 07054-2711 Cisco Systems jdrosen@cisco.com FAX: (973) 952-5050 http://www.jdrosen.net PHONE: (973) 952-5000 http://www.cisco.com _______________________________________________ Sipping mailing list https://www1.ietf.org/mailman/listinfo/sipping This list is for NEW development of the application of SIP Use sip-implementors@cs.columbia.edu for questions on current sip Use sip@ietf.org for new developments of core SIP _______________________________________________ Sipping mailing list https://www1.ietf.org/mailman/listinfo/sipping This list is for NEW development of the application of SIP Use sip-implementors@cs.columbia.edu for questions on current sip Use sip@ietf.org for new developments of core SIP
- [Sipping] comments on draft-tschofenig-sipping-ca… Jonathan Rosenberg
- RE: [Sipping] comments on draft-tschofenig-sippin… Jeremy Barkan (DigitalShtick)