inline.

Dean Willis wrote:

So what? I think that's what ought to happen. I'd like to see some specific use cases where this can't work with the edge proxy performing the authentication. Keep in mind, we are talking about *certificate* authentication; that doesn't (by definition) require any kind of pre-arranged secret - only a common root CA.

My edge proxy might be provided by MCI, but I might be using a chat service from another provider overseas. This other provider might be willing to trust the certificate for authentication (given that I have a signed cert from MCI, who in turn has a signed CA cert from a recognized op-level CA). However, the chat provider might not be willing to just accept P-Asserted-Identity from MCI as an authentication mechanism, since said provider does not have a trusted peering arrangement with MCI and therefore ANYBODY could spoof my P-Asserted-Identity.

In a case where your chat provider has no relationship whatsoever with this edge proxy, for what purpose would you be connecting to it in the first place? You should connect directly to your chat provider offering the service. Then, if you have a cert - great - authenticate to it using mutual TLS.

-Jonathan R.



--
Jonathan D. Rosenberg, Ph.D.                   600 Lanidex Plaza
Cisco Fellow                                   Parsippany, NJ 07054-2711
Cisco Systems
[EMAIL PROTECTED]                              FAX:   (973) 952-5050
http://www.jdrosen.net                         PHONE: (973) 952-5000
http://www.cisco.com
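The exchange above turns on a distinction between two kinds of identity evidence a SIP server can receive: a P-Asserted-Identity header, which is an assertion by an upstream proxy and is only meaningful inside a pre-arranged Trust Domain (RFC 3325), and a TLS client certificate presented directly by the endpoint, which needs only a shared root CA. The following is an added illustration of how a receiving server might apply that distinction; it is example code written for this page, not code from the thread, from Cisco, MCI or any IETF document. The header parser, the `PeerInfo` structure, the `TRUST_DOMAIN` set and the sample INVITE messages are all constructed for the example.

```python
"""Which caller identity should a SIP server believe?

Two sources appear in the thread above:
  * P-Asserted-Identity (RFC 3325): asserted by an upstream proxy; only
    trustworthy when that proxy is inside our Trust Domain (a pre-arranged
    peering relationship).  From anyone else it is just a header anybody
    could have written.
  * A TLS client certificate presented by the UA itself: trustworthy given
    only a root CA we recognise, no peering agreement needed.
All names, URIs and messages here are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: upstream proxies we have a peering agreement with (our Trust
# Domain), keyed by the name we verified on the transport layer, e.g. the
# subjectAltName of the peer's TLS server certificate.
TRUST_DOMAIN = {"sip-edge.peer-carrier.example"}


@dataclass
class PeerInfo:
    """What the transport layer tells us about the node that sent the message."""
    tls_peer_name: Optional[str]          # verified name of the sending node, if TLS
    client_cert_sip_uri: Optional[str]    # SIP URI from a UA's own client cert, if mutual TLS


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Minimal SIP header parser: names are case-insensitive, values may repeat."""
    headers: dict[str, list[str]] = {}
    head, _, _body = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:       # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")  # header names never contain ':'
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def extract_uri(value: str) -> str:
    """Pull the URI out of '"Name" <sip:user@host>' or a bare URI with parameters."""
    if "<" in value and ">" in value:
        return value[value.index("<") + 1:value.index(">")]
    return value.split(";")[0].strip()


def authenticated_identity(raw: str, peer: PeerInfo) -> tuple[Optional[str], dict[str, list[str]]]:
    """Return (identity we are willing to vouch for, headers safe to forward).

    Order of preference:
      1. An identity from a client certificate we verified ourselves.
      2. P-Asserted-Identity, but only from a node inside TRUST_DOMAIN.
      3. Otherwise no authenticated identity; the P-Asserted-Identity header
         (if any) is stripped so a spoofed value is not forwarded as verified,
         which is the RFC 3325 rule for messages from untrusted nodes.
    """
    headers = parse_headers(raw)
    if peer.client_cert_sip_uri:
        return peer.client_cert_sip_uri, headers
    pai = headers.get("p-asserted-identity")
    if pai and peer.tls_peer_name in TRUST_DOMAIN:
        return extract_uri(pai[0]), headers
    headers.pop("p-asserted-identity", None)
    return None, headers


# Constructed sample request carrying a P-Asserted-Identity header.
SAMPLE_INVITE = (
    "INVITE sip:bob@chat-provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS sip-edge.peer-carrier.example;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@mci.example>;tag=1928301774\r\n"
    "To: <sip:bob@chat-provider.example>\r\n"
    "P-Asserted-Identity: \"Alice\" <sip:alice@mci.example>\r\n"
    "Call-ID: a84b4c76e66710@alice-pc.mci.example\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

PEER_TRUSTED = PeerInfo(tls_peer_name="sip-edge.peer-carrier.example", client_cert_sip_uri=None)
PEER_UNTRUSTED = PeerInfo(tls_peer_name="some-random-host.example", client_cert_sip_uri=None)
PEER_DIRECT_MTLS = PeerInfo(tls_peer_name=None, client_cert_sip_uri="sip:alice@mci.example")

if __name__ == "__main__":
    for label, peer in (("trusted proxy", PEER_TRUSTED),
                        ("untrusted proxy", PEER_UNTRUSTED),
                        ("direct mutual TLS", PEER_DIRECT_MTLS)):
        ident, hdrs = authenticated_identity(SAMPLE_INVITE, peer)
        print(f"{label:18} -> identity={ident!r}, PAI kept={'p-asserted-identity' in hdrs}")
```

Run directly, the same INVITE yields an authenticated identity from the trusted proxy and from a direct mutual-TLS connection, but nothing from the untrusted proxy, whose P-Asserted-Identity header is dropped before forwarding. That is the asymmetry the thread is about: the certificate path works with a shared root CA alone, while the header path needs the sending proxy to already be in the receiver's Trust Domain.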


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
