On 8 Nov 2011, at 04:57, Hadriel Kaplan wrote:

> 
> On Nov 7, 2011, at 4:54 PM, Iñaki Baz Castillo wrote:
> 
>> 2011/11/7 Olle E. Johansson <o...@edvina.net>:
>>>>> And why do you compare S/MIME in SIP with a unicorn?
>>>> 
>>>> Because both are theoretically possible but have not been found in the 
>>>> wild?
>>> 
>>> And does anyone see a reason why? Not the unicorns...
>> 
>> The reason: Telcos' walled gardens. SIP is not for the open Internet so
>> nobody cares about SIP security (security could make SBCs crazy !!!).
> 
> Heh, you forgot your <joking> tags again. ;)
> 
> S/MIME isn't popular in SIP for some of the same reasons it's not very 
> popular in email - although at least in email it has some actual security 
> value and is sometimes even practical/usable, and thus used by some people.
> 
> Some of the reasons S/MIME isn't usable for SIP are described in RFC 3261 
> itself, in various places in section 23 and its subsections.  Then there's 
> also the bigger question of what real problem is it solving.  
> 
> Other than being impractical and useless, though, it's a great idea. 
> 
> RFC 4474 tried it a different way, doing just the authentication aspect 
> (signing), by having the domain proxies sign using domain certs, instead of 
> the SIP UAC.  It's closer to a DKIM model.  The jury's still out though, on 
> whether rfc4474 provides value and will get widespread use, or not.

Thanks for the feedback, Hadriel.

4474 and S/MIME have two very different security models. In 4474 I have to trust 
an external service to provide trust for outbound messages. In S/MIME it's 
end-to-end. I could talk about bellheads and netheads here, but will not. It's 
just two very different schemes that both add value.


I'm trying to figure out why, after more than ten years of SIP in the industry, 
we're still at the 80's level in regard to security in the implementations. 
The whole business is still using "telnet SIP" where we should have moved to 
"ssh SIP". As long as we do that, SIP will stay on private VLANs and Skype will 
be alone on the Internet.

Isn't it time to quote Queen: "I want to break free!". 

During the last four SIPits I've been to I've focused a lot on TLS, setting up 
self-tests, running trainings and helping people. I don't know if it has 
changed something, but nevertheless, we see many more TLS implementations and 
actual tests with TLS on every event.

On the last SIPit we spent a lot of time setting up interoperability tests for 
Identity and got it working one way. At least we had two implementations. 
Hopefully we can get some more to the next SIPit and in addition maybe spend time on 
S/MIME. 

/O
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
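The thread above contrasts RFC 4474 Identity (the domain proxy signs outbound requests with the domain's certificate, so the far end trusts atlanta.example.com's key rather than Alice's) with end-to-end S/MIME. What the proxy actually signs is the RFC 4474 section 9 digest string: the From addr-spec, To addr-spec, Call-ID, CSeq digits plus method, Date, Contact addr-spec and the body, joined with "|", hashed with SHA-1 and RSA-signed, then base64-encoded into the Identity header. The Go program below is an added example written for this page, not code from the mailing list, from any SIP stack or from the RFC; the INVITE it parses is constructed here, loosely modelled on the RFC's own example values, and the key is generated in-process instead of coming from a domain certificate referenced by Identity-Info. The hypothetical helper names (`parseSIP`, `digestString`, `signIdentity`, `verifyIdentity`) are the example's own. RFC 4474's rsa-sha1 has since been obsoleted by RFC 8224, which uses a different construction; the point here is the canonicalization and the trust boundary, which is where interop failures of the kind mentioned above tend to come from.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// sampleInvite is a constructed SIP INVITE for this example (not a captured message).
// CRLF line endings and the Content-Length match the embedded body.
const sampleInvite = "INVITE sip:bob@biloxi.example.org SIP/2.0\r\n" +
	"Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8\r\n" +
	"From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n" +
	"To: Bob <sip:bob@biloxi.example.org>\r\n" +
	"Call-ID: a84b4c76e66710\r\n" +
	"CSeq: 314159 INVITE\r\n" +
	"Max-Forwards: 70\r\n" +
	"Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n" +
	"Contact: <sip:alice@pc33.atlanta.example.com>\r\n" +
	"Content-Type: application/sdp\r\n" +
	"Content-Length: 18\r\n" +
	"\r\n" +
	"v=0\r\no=alice 1 1\r\n"

type sipMessage struct {
	requestLine string
	headers     map[string]string // lower-cased header name -> first value seen
	body        string
}

// parseSIP does the minimal header/body split this example needs (hypothetical helper;
// a real stack must also handle compact header names, folding and multiple Contacts).
func parseSIP(raw string) sipMessage {
	head, body, _ := strings.Cut(raw, "\r\n\r\n")
	lines := strings.Split(head, "\r\n")
	m := sipMessage{requestLine: lines[0], headers: map[string]string{}, body: body}
	for _, l := range lines[1:] {
		name, val, ok := strings.Cut(l, ":")
		if !ok {
			continue
		}
		name = strings.ToLower(strings.TrimSpace(name))
		if _, dup := m.headers[name]; !dup {
			m.headers[name] = strings.TrimSpace(val)
		}
	}
	return m
}

// addrSpec reduces a name-addr such as `Alice <sip:alice@example.com>;tag=1` to the
// bare URI, which is the only part of From/To/Contact that RFC 4474 signs.
func addrSpec(v string) string {
	v = strings.TrimSpace(v)
	if i := strings.Index(v, "<"); i >= 0 {
		if j := strings.Index(v[i:], ">"); j >= 0 {
			return v[i+1 : i+j]
		}
	}
	if i := strings.Index(v, ";"); i >= 0 { // bare addr-spec: trailing header params
		return v[:i]
	}
	return v
}

// digestString builds the RFC 4474 section 9 canonical string. A missing Contact
// contributes an empty field; CSeq is normalised to "<digits> <METHOD>".
func digestString(m sipMessage) string {
	cseq := strings.Join(strings.Fields(m.headers["cseq"]), " ")
	return strings.Join([]string{
		addrSpec(m.headers["from"]),
		addrSpec(m.headers["to"]),
		m.headers["call-id"],
		cseq,
		m.headers["date"],
		addrSpec(m.headers["contact"]),
		m.body,
	}, "|")
}

// signIdentity is what the originating domain's proxy does with its domain key:
// SHA-1 over the digest string, PKCS#1 v1.5 RSA signature, base64 for the Identity header.
func signIdentity(key *rsa.PrivateKey, m sipMessage) (string, error) {
	h := sha1.Sum([]byte(digestString(m)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyIdentity is the receiving side: recompute the digest string from the message
// as received and check it against the Identity value with the signing domain's public key.
func verifyIdentity(pub *rsa.PublicKey, m sipMessage, identity string) error {
	sig, err := base64.StdEncoding.DecodeString(identity)
	if err != nil {
		return err
	}
	h := sha1.Sum([]byte(digestString(m)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the domain certificate's key
	if err != nil {
		panic(err)
	}
	msg := parseSIP(sampleInvite)
	identity, err := signIdentity(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Identity: %s\n", identity)
	fmt.Println("verify unchanged request:", verifyIdentity(&key.PublicKey, msg, identity))
	// An intermediary rewriting the From URI breaks the signature, which is the
	// whole point of signing the digest string rather than the headers individually.
	tampered := parseSIP(strings.Replace(sampleInvite, "sip:alice@", "sip:mallory@", 1))
	fmt.Println("verify rewritten From:", verifyIdentity(&key.PublicKey, tampered, identity))
}
```

The verifier must reconstruct the digest string from exactly the headers it received, so any element that an SBC or B2BUA rewrites on the way (From, Contact, the SDP body) invalidates the signature; that is the practical reason the scheme lives or dies on the deployment topology rather than on the cryptography.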
