Maybe this is naïve, but doesn't this alter the operator trust model? I always envisioned P-A-ID (as an example) as a way for a home network to tell a 3rd party service "trust this one, they are authenticated", as long as the home network and the service had a relationship. Having an edge proxy in a visited domain telling the home network "trust this one" seems to turn things around.
Steve.

-----Original Message-----
From: Jonathan Rosenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 03, 2007 8:40 PM
To: Steve Dotson
Cc: Dean Willis; IETF SIP List; DRAGE,Keith (Keith)
Subject: Re: [Sip] Certificate authentication in SIP

Steve Dotson wrote:
> Hi Jonathan,
>
> The use case we are looking at is where the registrar is separate from
> the edge proxy.

Sure. I think that is a valid case.

> While the edge proxy could validate the UA has access to a cert issued
> by a trusted root, it doesn't necessarily mean the UA has a valid
> subscription to network services.

No. But, such a proxy could assert the identity it verified.

> The edge proxy may/would not
> have access to this type of registration data, thus the need to
> authenticate from UA to registrar.

You lost me here. With mutual TLS, the client can authenticate itself to the edge proxy. The edge proxy can assert the authenticated identity towards the registrar, ala P-A-ID or even better, SIP Identity. The registrar then authorizes access, and rejects the request if the user is not authorized.

-Jonathan R.

--
Jonathan D. Rosenberg, Ph.D.    600 Lanidex Plaza
Cisco Fellow                    Parsippany, NJ 07054-2711
Cisco Systems                   [EMAIL PROTECTED]
FAX: (973) 952-5050             http://www.jdrosen.net
PHONE: (973) 952-5000           http://www.cisco.com

_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
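The registrar-side decision the two of them are discussing, as an added illustration (not code from the thread or from any SIP implementation): a P-Asserted-Identity is only honoured when the hop that delivered the REGISTER is inside the registrar's own trust domain (which is what makes a visited-domain edge proxy a problem), and even then the asserted user must hold a subscription. The trusted-proxy set, subscriber list and sample REGISTER are constructed for the example.

```python
# Constructed registrar model for the trust question above.  Not the thread's
# code; the addresses, identities and SIP message are made up for the example.
TRUSTED_PROXIES = {"192.0.2.10"}           # constructed: edge proxies we trust (RFC 3325 style)
SUBSCRIBERS = {"sip:alice@example.com"}    # constructed: users with an active subscription

# Constructed REGISTER as forwarded by an edge proxy that did mutual TLS with the UA.
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS edge.visited.example;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:alice@example.com>\r\n"
    "P-Asserted-Identity: \"Alice\" <sip:alice@example.com>\r\n"
    "Contact: <sip:alice@192.0.2.55>\r\n"
)


def parse_headers(raw):
    """Split a minimal SIP request into its request line and a header dict."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")      # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def asserted_uri(value):
    """Pull the URI out of a P-Asserted-Identity value, with or without a display name."""
    if "<" in value and ">" in value:
        return value[value.index("<") + 1:value.index(">")]
    return value.split(";")[0].strip()


def registrar_decision(raw, peer_ip, trusted=TRUSTED_PROXIES, subscribers=SUBSCRIBERS):
    """Return the SIP status code the registrar should answer with."""
    request_line, hdr = parse_headers(raw)
    if not request_line.startswith("REGISTER "):
        return 405
    asserted = hdr.get("p-asserted-identity")
    if asserted is None or peer_ip not in trusted:
        # No assertion, or an assertion delivered by a hop outside our trust
        # domain: it carries no weight, so challenge the UA directly instead.
        return 401
    # The assertion is trusted as authentication; authorization is still ours.
    return 200 if asserted_uri(asserted) in subscribers else 403
```

The same P-Asserted-Identity header thus yields 200 from a trusted edge proxy, 401 from an untrusted one, and 403 when the asserted user has no subscription.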
