Jonathan Rosenberg wrote:


Steve Dotson wrote:

Maybe this is naïve, but doesn't this alter the operator trust model?


I always envisioned P-A-ID (as an example) as a way for a home
network to tell a 3rd party service "trust this one, they are
authenticated", as long as the home network and the service had a
relationship. Having an edge proxy in a visited domain telling the
home network "trust this one" seems to turn things around.


P-A-ID asserts identity between providers with trust, yes that is true. SIP Identity works with lesser degrees of trust, but if you don't trust the signing domain, of course it doesn't work.

However, my point is, one of the two following scenarios always applies:

1. the edge proxy is trusted by the home proxy, in which case you can use mutual TLS to authenticate the client to the edge proxy, and then P-A-ID or SIP Identity from edge proxy to home proxy, *OR*

2. there is no trust at all between visited and home networks. In this case, you shouldn't be connecting to a visited proxy in the first place. Connect to the home proxy in your home network. Then, case 1 applies again.

Wrongo.

3) There is no trust between the edge proxy and the point-of-service-delivery (which MIGHT be a proxy, or might not, and we don't know and don't care). But you have to use the edge proxy, because it's the only one that can get you out of your little nat/firewall/whatever administrative island.

--
Dean


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
