Steve Dotson wrote:
> Hi Jonathan,
> The use case we are looking at is where the registrar is separate from
> the edge proxy.

Sure. I think that is a valid case.

> While the edge proxy could validate the UA has access to
> a cert issued by a trusted root, it doesn't necessarily mean the UA has
> a valid subscription to network services.

No. But, such a proxy could assert the identity it verified.

> The edge proxy may/would not
> have access to this type of registration data, thus the need to
> authenticate from UA to registrar.

You lost me here. With mutual TLS, the client can authenticate itself to
the edge proxy. The edge proxy can assert the authenticated identity
towards the registrar, ala P-A-ID or even better, SIP Identity. The
registrar then authorizes access, and rejects the request if the user is
not authorized.

-Jonathan R.
--
Jonathan D. Rosenberg, Ph.D.   600 Lanidex Plaza
Cisco Fellow                   Parsippany, NJ 07054-2711
Cisco Systems
[EMAIL PROTECTED]              FAX:   (973) 952-5050
http://www.jdrosen.net         PHONE: (973) 952-5000
http://www.cisco.com
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
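
The split discussed in the message above (the edge proxy authenticates and asserts, the registrar authorizes), sketched from the registrar side as an added example that is not part of the original message or of any SIP stack. The proxy address, subscriber table, function names and sample REGISTER are constructed, and `peer_ip` stands in for however the registrar authenticates the previous hop (for example TLS between proxy and registrar).

```python
import re

# Constructed values for illustration only.
TRUSTED_PROXIES = {"192.0.2.10"}          # edge proxies inside the trust domain
SUBSCRIBERS = {"sip:alice@example.com"}   # AORs with a valid subscription

def parse_request(raw):
    """Return (method, {lowercase header name: [values]}); no folding/compact forms."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].split(" ", 1)[0], headers

def bare_uri(value):
    """Pull the URI out of a name-addr or addr-spec and drop its parameters."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).split(";", 1)[0].strip()

def authorize_register(raw, peer_ip):
    """Decide the registrar's answer as (status, reason)."""
    method, h = parse_request(raw)
    if method != "REGISTER":
        return 405, "Method Not Allowed"
    # The header is only an assertion when the previous hop is a trusted proxy;
    # from any other peer it is caller-supplied text and proves nothing.
    if peer_ip not in TRUSTED_PROXIES:
        return 403, "peer not in trust domain"
    pai = h.get("p-asserted-identity", [])
    if len(pai) != 1:                      # simplification: exactly one SIP URI
        return 403, "no usable asserted identity"
    asserted = bare_uri(pai[0])
    if asserted != bare_uri(h.get("to", [""])[0]):
        return 403, "asserted identity does not match AOR"
    if asserted not in SUBSCRIBERS:        # authenticated, but not authorized
        return 403, "no subscription"
    return 200, "OK"

SAMPLE = "\r\n".join([                     # constructed REGISTER as forwarded by the proxy
    "REGISTER sip:example.com SIP/2.0",
    "Via: SIP/2.0/TLS edge.example.com;branch=z9hG4bKconstructed",
    "To: <sip:alice@example.com>",
    "From: <sip:alice@example.com>;tag=1",
    "Call-ID: constructed-1",
    "CSeq: 1 REGISTER",
    "P-Asserted-Identity: <sip:alice@example.com>",
    "Content-Length: 0", "", ""])
```

The same request yields 200 only when it arrives from the trusted proxy; from any other peer the P-Asserted-Identity header is ignored and the request is rejected.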