On Aug 14, 2007, at 12:12 PM, Matt Lepinski wrote:
This is related to a point that someone [my apologies for not
remembering who] raised at the Chicago meeting:
What problem will sipsec solve that existing (and not well
deployed) security measures do not solve?
The goal of SIPSEC is eliminating the requirement of transitive
trust. We still have a reliance on request routing functionality to
make the initial delivery of the CONNECT message, but after that the
only attack that an intermediate proxy could launch would be to stop
forwarding messages. This is much less insidious than subtly altering
the contents of messages in order to deliver the appearance of
normality when in fact an attack has been effected, or of disclosing
sensitive elements of the messages to third parties so that attacks
can be effected by those parties.
While the documented-but-undeployed S/MIME approach appears to offer
protection from proxies that subtly alter the bodies of messages, the
protection for header-level alteration is weaker, and even in the
best case a great deal of information potentially useful to attackers
is visible to the proxies (and hence potentially compromised to
attackers). SIPSEC appears to offer fairly complete integrity and
privacy protection for all headers and body parts following the
initial CONNECT message, and the initial CONNECT is designed to
disclose as little sensitive information as possible.
Given that current transitive-trust models of security are well-
deployed, my inclination is that it is important to provide
guidance on the strengths and weaknesses of transitive-trust
models (in the hope that we can dissuade people from making false
assumptions about the systems they are deploying). I'm less
convinced that it's important to move forward with a brand new
security measure, unless we have good reason to believe that it
will be more effective than existing mechanisms.
Yes, that's exactly the goal of the proposal that started this
thread: to find a way to more completely describe the strengths and
weaknesses of the current transitive trust models and then require
new extensions to document how the extension interacts with those
aspects of the operational environment. Whether we like the current
operational environment or not, we still need to understand it very
clearly, because it is real and we live in it today. More so, we need
to clearly understand the security impacts of new extensions.
--
Dean
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip