Re: [stir] Permitted spoofing

Dave Crocker <dhc2@dcrocker.net> Tue, 11 June 2013 21:43 UTC

Message-ID: <51B799DD.6070705@dcrocker.net>
Date: Tue, 11 Jun 2013 14:42:53 -0700
From: Dave Crocker <dhc2@dcrocker.net>
Organization: Brandenburg InternetWorking
To: Wilhelm Wimmreuter <wilhelm@wimmreuter.de>
References: <CDDD0303.1CE56%brian.rosen@neustar.biz> <35573943-5A08-4CAB-AEA7-559B5F870F41@wimmreuter.de>
In-Reply-To: <35573943-5A08-4CAB-AEA7-559B5F870F41@wimmreuter.de>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] Permitted spoofing

On 6/11/2013 2:35 PM, Wilhelm Wimmreuter wrote:
> OK, but server authentication is definitely next.
> DNS is the only way to reach these servers today. We are farther on the Internet than typical PSTN paradigms allow us to follow.
>
> SIP does not have decent server authentication and therefore one can pretend to be your telecom server of choice.
Well...

Server authentication is needed if the model is trust via the channel.

It isn't needed if the trust goes with the data object, independent of 
the channel.

DNSSec and DKIM are object-based.  Of course, TLS is channel-based.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
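As an added illustration of the object-based model Dave contrasts with channel-based trust (this is example code, not from this thread or from any STIR draft): the caller assertion carries its own signature, so the far end verifies the object itself and learns nothing from, and needs nothing from, the hop it arrived over. The Identity struct, its field names and the sample numbers are constructed for the example and are not the STIR wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Identity is the signed data object. Field names are hypothetical,
// chosen only to mirror the "who is calling whom, when" idea.
type Identity struct {
	Orig string `json:"orig"`
	Dest string `json:"dest"`
	IAT  int64  `json:"iat"`
}

// canonical gives signer and verifier identical bytes to sign; encoding/json
// emits struct fields in declaration order, which suffices for a fixed struct.
func canonical(id Identity) []byte {
	b, _ := json.Marshal(id) // cannot fail for this plain struct
	return b
}

// Sign binds the assertion to the originator's key, not to any channel.
func Sign(priv ed25519.PrivateKey, id Identity) []byte {
	return ed25519.Sign(priv, canonical(id))
}

// Verify checks only the object and its signature; the transport is irrelevant.
func Verify(pub ed25519.PublicKey, id Identity, sig []byte) bool {
	return ed25519.Verify(pub, canonical(id), sig)
}

// Relay models an untrusted intermediary that may rewrite the caller id in transit.
func Relay(id Identity, rewriteOrig string) Identity {
	if rewriteOrig != "" {
		id.Orig = rewriteOrig
	}
	return id
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := Identity{Orig: "+12125550100", Dest: "+14155550199", IAT: 1370986973} // constructed sample
	sig := Sign(priv, id)
	fmt.Println("untouched object verifies:", Verify(pub, Relay(id, ""), sig))             // true
	fmt.Println("rewritten object verifies:", Verify(pub, Relay(id, "+18005550000"), sig)) // false
}
```

A channel-authenticated hop (TLS to the relay) would not have caught the second case, because the relay is the party that rewrote the object after the channel check succeeded.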