Takumi Ohba wrote:

> Hi,
> 

>>If you want to verify the authenticity of the caller, the right way to
>>do that is end-to-end authentication. Unfortunately, that is quite
>>hard, since you frequently receive calls from people you don't know,
>>and therefore some kind of user level PKI needs to be around in
>>deployed, which is not the case.
>>
>>Relying on hbh transitivity of trust for authenticated user identities
>>can also work, but is risky IMHO and not very likely.
>>
> 
> In case of full privacy, the calling user doesn't want to reveal his/her
> identification to the called user.
> So, isn't end-to-end authentication suitable for this case?


For full privacy, no, the caller would not authenticate themselves to 
the called party.


> 
> IMHO, the proxy that serves to the calling party is responsible for
> checking the contents of the From header, if the network wants to assure
> the correctness of the From header.


The network is responsible for inserting R-P-ID, it is not clear to me 
that it is its job to filter the From field. From is who the caller 
claims they are, period.

If the caller is trying to fake its identity by putting a false From in, 
plus requesting full privacy, then the far end would either (1) 
authenticate it, and thus realize it's false, or (2) not authenticate it, 
in which case the user knows that the From field cannot be verified.

-Jonathan R.



-- 
Jonathan D. Rosenberg, Ph.D.            72 Eagle Rock Avenue
Chief Scientist                         First Floor
dynamicsoft                             East Hanover, NJ 07936
[EMAIL PROTECTED]                 FAX: (973) 952-5050
http://www.jdrosen.net                  PH:  (973) 952-5000
http://www.dynamicsoft.com

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
