Eric Rescorla wrote:
The only real defense against this sort of downgrade is to only
give people URLs that start with https: and assume that they will
do the right thing.
. . .
As with https: the fix is that your AOR has to somehow signal
to everyone that you expect to be contacted over TLS. This is
what sips: does (though of course it's not the only way to do
it).
But the current draft doesn't. It implies that if you have a SIPS: AOR
and a SIPS: contact registered to that AOR, it is still OK to send
SIP: traffic. I requote:
Because registering with a SIPS contact header field implies a
binding to both a SIPS Contact and a corresponding SIP Contact . . .
So this is the equivalent of only giving people https:, and assuming
that they will do the WRONG thing.
--
Dean
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip
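The downgrade being argued about above, as an added example (not code from the thread, from any SIP draft, or from any real registrar): a toy registrar model in which registering a SIPS contact also yields a "corresponding SIP contact" binding, as the quoted draft text says, beside a strict lookup that refuses to hand out anything but sips: contacts for a sips: AOR. The `Registrar` class, the function names and the addresses are assumptions made for illustration.

```python
"""Toy model of SIPS/SIP registrar bindings and a transport-downgrade check.

Added example for illustration only. It is not the draft's algorithm and not
any real registrar; the data structure, function names and sample URIs are
assumptions.
"""
from dataclasses import dataclass, field


class DowngradeError(Exception):
    """Raised when a sips: AOR would be contacted over plain sip:."""


@dataclass
class Registrar:
    # AOR -> set of registered contact URIs (assumed, simplified shape)
    bindings: dict = field(default_factory=dict)


def scheme(uri: str) -> str:
    """Return the lower-cased URI scheme; SIP schemes are case-insensitive,
    so 'SIPS:alice@example.com' and 'sips:alice@example.com' agree."""
    s, sep, _ = uri.partition(":")
    if not sep or s.lower() not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    return s.lower()


def with_scheme(uri: str, new_scheme: str) -> str:
    """Rewrite the scheme part of a SIP URI, keeping the rest unchanged."""
    _, _, rest = uri.partition(":")
    return f"{new_scheme}:{rest}"


def register(reg: Registrar, aor: str, contact: str, *, implied_sip_binding: bool) -> set:
    """Bind `contact` to `aor`.

    With implied_sip_binding=True this models the draft text quoted in the
    mail: a SIPS contact registration also creates the corresponding SIP
    contact binding. With False only the contact actually registered is bound.
    """
    bound = reg.bindings.setdefault(aor, set())
    bound.add(contact)
    if implied_sip_binding and scheme(contact) == "sips":
        bound.add(with_scheme(contact, "sip"))
    return bound


def route_permissive(reg: Registrar, aor: str, request_scheme: str) -> list:
    """Draft-style lookup: return every binding whose scheme matches the
    incoming request, regardless of what the AOR itself promised.
    For a sips: AOR with an implied sip: binding this returns a cleartext
    target, which is exactly the downgrade the mail objects to."""
    return sorted(c for c in reg.bindings.get(aor, set())
                  if scheme(c) == request_scheme)


def route_strict(reg: Registrar, aor: str, request_scheme: str) -> list:
    """Strict lookup: a sips: AOR signals 'contact me over TLS only', so a
    sip: request to it is refused and only sips: bindings are ever returned.
    Plain sip: AORs behave as in route_permissive."""
    if scheme(aor) == "sips":
        if request_scheme != "sips":
            raise DowngradeError(f"{aor} must be contacted over sips:, not {request_scheme}:")
        return sorted(c for c in reg.bindings.get(aor, set()) if scheme(c) == "sips")
    return route_permissive(reg, aor, request_scheme)


if __name__ == "__main__":
    # Constructed sample registration (assumed addresses, not real hosts).
    reg = Registrar()
    register(reg, "SIPS:alice@example.com", "sips:alice@192.0.2.10", implied_sip_binding=True)
    print("bindings:", sorted(reg.bindings["SIPS:alice@example.com"]))
    print("permissive sip: lookup ->", route_permissive(reg, "SIPS:alice@example.com", "sip"))
    try:
        route_strict(reg, "SIPS:alice@example.com", "sip")
    except DowngradeError as e:
        print("strict sip: lookup refused:", e)
    print("strict sips: lookup ->", route_strict(reg, "SIPS:alice@example.com", "sips"))
```

Run it and the permissive lookup returns `sip:alice@192.0.2.10` for a `SIPS:` AOR, while the strict lookup raises. The strict rule is the "only give people https:" analogy from the mail applied at the registrar: the AOR's scheme, not the requester's choice, decides the transport.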