> -------- Original Message --------
> Subject: [Sip] Comments draft-ietf-sip-saml-02
> Date: Thu, 21 Jun 2007 16:47:46 +0200
> From: Willekens, Marc <[EMAIL PROTECTED]>
> To: <[email protected]>
>
>
> [Page30] Security considerations
>
> Is it possible to redirect messages to an own authentication service by
> manipulating the end-device?
Hm, do you mean, e.g., that the receiving proxy UAS might, acting as an AS, issue
a "407 Proxy authentication request" back up the signaling path?
> How can the called party trust the
> authentication service assigned by the caller?
Well, this is more of an overall question and thus falls into the realm of "sip
identity" rfc4474. I think that the best we have at this time is section "13.4.
Domain Names and Subordination" of rfc4474. Note that it references out to
the Security Considerations section of rfc3280 "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
Note also that rfc4474 sec 13.4 notes in its 2nd-to-last paragraph that:
"Some federations of service
providers, for example, might only trust certificates that have been
provided by a certificate authority operated by the federation."
Perhaps that's the best we can do for now.
Perhaps we need to explain this better in -sip-saml-xx.
=JeffH
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip