IETF Logo Mail Archive

Re: [stir] current draft charter

Hadriel Kaplan <hadriel.kaplan@oracle.com> Mon, 17 June 2013 06:46 UTC

Return-Path: <hadriel.kaplan@oracle.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04A0421F9A91 for <stir@ietfa.amsl.com>; Sun, 16 Jun 2013 23:46:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.561
X-Spam-Level:
X-Spam-Status: No, score=-6.561 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0m4YSD0NwFG7 for <stir@ietfa.amsl.com>; Sun, 16 Jun 2013 23:46:21 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 09C4821F9A8E for <stir@ietf.org>; Sun, 16 Jun 2013 23:46:21 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r5H6kDKC004982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 17 Jun 2013 06:46:14 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r5H6kFiv028057 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Jun 2013 06:46:15 GMT
Received: from abhmt117.oracle.com (abhmt117.oracle.com [141.146.116.69]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r5H6kFwn018009; Mon, 17 Jun 2013 06:46:15 GMT
Received: from dhcp-amer-vpn-adc-anyconnect-10-154-171-126.vpn.oracle.com (/10.154.171.126) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 16 Jun 2013 23:46:14 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Hadriel Kaplan <hadriel.kaplan@oracle.com>
In-Reply-To: <51BE9F6D.9030206@dcrocker.net>
Date: Mon, 17 Jun 2013 02:46:15 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <9019932F-C6A3-43B7-9F42-15CDF4A3C779@oracle.com>
References: <CDE3B2F9.211BB%jon.peterson@neustar.biz> <51BE9F6D.9030206@dcrocker.net>
To: dcrocker@bbiw.net
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: "stir@ietf.org" <stir@ietf.org>, "Peterson, Jon" <jon.peterson@neustar.biz>
Subject: Re: [stir] current draft charter
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2013 06:46:27 -0000

On Jun 17, 2013, at 1:32 AM, Dave Crocker <dhc@dcrocker.net> wrote:

>> I addressed that in my last mail. The "guy being validated" provides a
>> pointer to the cert, yes, but whether or not you trust that cert is a fact
>> about your relationship to the CA that issued it.
> 
> Then what is the point in having the pointer, rather than letting the validator decide where to get the cert from?
> I suspect the answer is that it's a search efficiency hack, rather than a required mechanism, helping to find a knowledgeable CA amongst potentially thousands.

No, for 4474 he was talking about the cert belonging to the SIP-identity hash signer, not the CA that signed that cert as the trusted root/issuer.  For example if you receive a message with the From of 'alice@foo.com', then foo.com needs to tell you where to get its cert to prove it is foo.com that signed the SIP From of 'alice@foo.com'.  As the verifier, you have no direct relationship with foo.com, nor know which trusted CA foo.com uses.  So foo.com stores its cert at some web server, which it tells you to get the cert from with this URL.  If the URL was changed by an evil middleman to give you a different cert, then the cert won't be for 'foo.com' so verification correctly fails.

An alternative could have been to just have you automatically go to 'https://foo.com/sipcert' or some such thing, or have you look for some DNS record for foo.com to tell you where to get the cert.  But with the URL being sent in the message then foo.com could use different certs for different calls; for example if it uses different PBXs in multiple branch offices, it could give them each unique keys to sign the SIP messages with, without having to use separate domain names in its SIP From.

-hadriel

v2.23.0 | Report a Bug | By Email