On Oct 9, 2013, at 9:28 PM, Christian Huitema <[email protected]> wrote:
>> For me, the question is: Nobody uses SIP/TLS now. Using SIP/TLS
>> would add some value. How can we make it more likely they do use
>> SIP/TLS?
>
> Define "nobody," please. Microsoft Lync uses SIP/TLS by default. That must
> be more than "nobody."
>
> -- Christian Huitema

And it is used by the other nobody, Cisco.

I realize it may be less common on service providers' private networks, but the carriers assume they have adequate protection for the attacks they care about just by controlling who has access to the private network.

The only reason I mention this is that some people do read our stuff, read our security sections, and try to make a rational decision. The rational decision for many places that Cisco and Microsoft PBXs deploy is to turn on TLS. The rational decision after reading the security sections we wrote for the service provider private networks may actually be to not use TLS. (Note I'm not arguing private networks are private, or that firewalls work, or anything like that - I'm saying that people may have thought about the security and decided they had adequate protection against the attacks they cared about - which to be clear were probably toll fraud and not confidentiality of the media.)

As threat models change, deployments do too. I'm pretty confident more than a few businesses are rethinking the threat model of how much nation-state-grade attackers might be sharing data with their competitors, or do that in the future, and what they might do about that.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
