2011/5/3 Olle E. Johansson <[email protected]>:
> In that case you have only validated the domain of the From URI.

I must recheck RFC 5922. Perhaps the destination proxy could check the
domain in the PAI header if present.

> With SIP identity, the Atlanta proxy tells biloxi that "Yes, I have all
> reasons to believe that Alice is alice and have the right to use the URI
> [email protected]"

Let's suppose the Atlanta server holds the following domains, and all of
them are included in its TLS certificate:

- atlanta.org
- atlanta.com
- alicehome.net

So it's supposed that if Atlanta routes a call to Biloxi, the From
domain (or PAI domain maybe) of the request will be one of these
domains (as Atlanta should do relay for users not belonging to its
domains => open relay?).

Biloxi receives the TLS certificate from Atlanta and verifies that the
request From domain (or PAI domain) matches a domain within the
certificate. So Biloxi knows that the request has been received from a
proxy responsible for the originator identity/domain. And it's also
expected that, in that case, Atlanta has asserted the identity of the
originator.

Ok ok... now I understand what you mean:

An outbound proxy before Atlanta could add an Identity header to
ensure that the request From is not modified in a proxy after it. Is
it? And when the request arrives at Atlanta it would use the TLS
mechanism for the communication with Biloxi, am I right?

Then, in case Alice directly speaks with Atlanta, could Identity be useful?

> Also remember that Bob has no idea about the certificate Atlanta used to
> identify itself to Biloxi.

In the case Alice-->Atlanta--->Biloxi--->Bob:

- The Identity header is added by Atlanta, so it's obvious that Atlanta is
  not going to spoof the From header.

- And Biloxi is the proxy responsible for Bob so it's supposed that it
  will not spoof the From header.

Would Identity make sense in this scenario?

Thanks a lot.

-- 
Iñaki Baz Castillo
<[email protected]>
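
The check described in the message above (Biloxi comparing the From or PAI domain of a request with the domains in Atlanta's TLS certificate), as an added example that is not part of the original post. The SAN tuples follow the shape of Python's `ssl` `getpeercert()` output; the request text, `biloxi.example`, and the function names are constructed, and exact matching with no wildcard expansion is an assumption of this sketch.

```python
import re

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted display-name, may contain "sip:"
SIP_HOST = re.compile(r'sips?:(?:[^@>;\s]*@)?([^:;>?\s]+)', re.I)

def header_domain(request, names):
    """Lower-cased host of the SIP URI in the first header whose name is in `names`."""
    for line in request.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                            # blank line: end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() in names:
            # Drop the display name first so a URI-looking string in it is ignored.
            m = SIP_HOST.search(QUOTED.sub("", value))
            return m.group(1).lower().rstrip(".") if m else None
    return None

def cert_domains(san):
    """Domains from DNS entries and from sip: URI entries without a user part."""
    out = set()
    for kind, val in san:
        if kind == "DNS":
            out.add(val.lower().rstrip("."))
        elif kind == "URI" and val.lower().startswith("sip:") and "@" not in val:
            out.add(val[4:].lower().rstrip("."))
    return out

def originator_domain_in_cert(request, san):
    """Use the PAI domain if present, otherwise the From domain; exact match only."""
    domain = (header_domain(request, {"p-asserted-identity"})
              or header_domain(request, {"from", "f"}))
    return domain is not None and domain in cert_domains(san)

# Constructed sample: SAN list as Atlanta's certificate might carry it.
ATLANTA_SAN = (("DNS", "atlanta.org"), ("DNS", "atlanta.com"),
               ("URI", "sip:alicehome.net"))
# Constructed sample request; the display name deliberately looks like a URI.
INVITE = ('INVITE sip:bob@biloxi.example SIP/2.0\r\n'
          'From: "sip:x@evil.example" <sip:alice@atlanta.com>;tag=1\r\n'
          'To: <sip:bob@biloxi.example>\r\n'
          '\r\n')

if __name__ == "__main__":
    print(originator_domain_in_cert(INVITE, ATLANTA_SAN))
```

This only tells Biloxi that the previous hop holds a certificate covering the claimed domain; it says nothing about the user part of the URI, which is the point raised in the quoted reply.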
