Keith: Please see inline.

DRAGE, Keith (Keith) wrote:
(As WG chair)

http://www.ietf.org/internet-drafts/draft-dotson-sip-certificate-auth-03.txt
Describes a set of requirements for:
[...]
(Before we go any further, please forget all about the solutions
document - that comes later and we are not dealing with it now)

We need to decide whether there is support for a body of work in this
area, and therefore whether we should charter some requirements work in
the SIP WG.

(Because this is security related we have agreed that SIP does the
requirements drafting and not SIPPING)

So can I hear opinions of the WG on:

-       whether this represents a problem space that the working group
should draft requirements on?

I must confess that on an initial reading of the draft, I was
lost on the need for requirements that add certificate
authentication to SIP.  Using TLS, a registrar and a UAC can
exchange certificates today and authenticate each other,
without resorting to a shared secret, right?

I believe the use case that the author is going for has to do with
using the hop-by-hop signaling path through a SIP proxy mesh to a
registrar, but being able to exchange certificates directly
between the UAC and the registrar.  As such, the title of the
draft ought to be reflective of this; something along the lines
of "Requirements for direct registrar authentication in the
Session Initiation Protocol (SIP) by a User Agent Client (UAC)".

-       whether the problem space exists but is something slightly
different, and if so what is that problem space?

If the problem space is defined as coming up with requirements
for direct registrar authentication in SIP by a UAC over a
normal SIP proxy mesh, then that is a reasonable problem space,
IMHO.

-       whether there is a more general problem that the security area
should be addressing, rather than the SIP group addressing something
specific?

I believe that this is fairly specific to SIP, but will defer
to the chairs and the rest of the WG.

-       based on your answers to the first three questions, whether this
draft is essentially in the right direction to be adopted as the WG
draft assuming we create the charter item, or whether we need to seek
some other input draft?

This draft also talks about interpreting the contents of the
certificates (S3, requirement 8).  As such, some of the work Scott
Lawrence and I have done in domain-certs provides more
guidelines on this particular aspect.  We received good feedback
from the pkix WG in Prague when we presented domain-certs
there; we are in the process of revising the domain-certs draft
to include a discrete set of steps that can be programmed to
do certificate validation.  We should be sending a revised
version of this draft out by tomorrow.

-       and finally, whether (assuming we go ahead with this work) there
is any work in any other IETF WG that we should take account of?

domain-certs, as mentioned above.  In addition, sip-sipsec could
provide a possible solution set; it appears to fit some of the
requirements.

Thanks.

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: [EMAIL PROTECTED],bell-labs.com,acm.org}
WWW:   http://www.alcatel-lucent.com/bell-labs


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
