On Jun 27, 2007, at 3:43 PM, Jonathan Rosenberg wrote:
Dean Willis wrote:
Jonathan Rosenberg wrote:
Well, I'm going to be contrarian here. I'm not convinced that this is needed.
I think certificate based authentication is a great idea. However, I am
not sure I understand why TLS is not an appropriate solution.
I think it is very simple why TLS is not appropriate. TLS doesn't work
across proxies, and would therefore require the edge proxy to do
authentication.
So what? I think that's what ought to happen. I'd like to see some
specific use cases where this can't work with the edge proxy
performing the authentication. Keep in mind, we are talking about
*certificate* authentication; that doesn't (by definition) require
any kind of pre-arranged secret - only a common root CA.
My edge proxy might be provided by MCI, but I might be using a chat
service from another provider overseas. This other provider might be
willing to trust the certificate for authentication (given that I
have a signed cert from MCI, who in turn has a signed CA cert from a
recognized top-level CA). However, the chat provider might not be
willing to just accept P-Asserted-Identity from MCI as an
authentication mechanism, since said provider does not have a trusted
peering arrangement with MCI and therefore ANYBODY could spoof my
P-Asserted-Identity.
--
Dean
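
The trust decision discussed above for P-Asserted-Identity, sketched as an added example that is not part of the original message or of any SIP implementation: a receiving service keeps the header only when the request arrived from a TLS peer it has a trust arrangement with, and otherwise drops it, including folded and differently cased copies. `TRUSTED_PEERS`, the function names and the sample request are assumptions constructed for illustration.

```python
# Added illustration. TRUSTED_PEERS, the function names and SAMPLE are
# assumptions constructed for this example; none of them come from the thread.
TRUSTED_PEERS = {"edge.partner.example"}  # peers with a trust arrangement
PAI = "p-asserted-identity"

SAMPLE = (  # constructed SIP request: one folded and one lower-case PAI header
    "MESSAGE sip:room@chat.example SIP/2.0\r\n"
    "From: <sip:dean@provider-a.example>;tag=1\r\n"
    "P-Asserted-Identity: \"Dean\"\r\n"
    " <sip:dean@provider-a.example>\r\n"
    "p-asserted-identity: tel:+15550100\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "hi"
)


def unfold_headers(head):
    """Join folded continuation lines (leading SP/HTAB) onto their header."""
    lines = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def filter_asserted_identity(raw, tls_peer):
    """Return (request to process, accepted P-Asserted-Identity values).

    tls_peer is the name taken from the sender's verified TLS certificate,
    or None when the connection was not authenticated.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    start_line, *headers = unfold_headers(head)
    trusted = tls_peer in TRUSTED_PEERS
    kept, identities = [], []
    for header in headers:
        name, _, value = header.partition(":")
        is_pai = name.strip().lower() == PAI
        if is_pai and not trusted:
            continue  # sender is outside the trust arrangement: drop it
        if is_pai:
            identities.append(value.strip())
        kept.append(header)
    return "\r\n".join([start_line, *kept]) + sep + body, identities
```

Unfolding before filtering matters: stripping only the line that starts with the header name would leave the continuation line behind, attached to whatever header precedes it.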
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol