On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I find the whole problem statement mysterious. The stated problem is,
> "How do I find a person's SIP URI without having them present to ask?"
1) How do I find a person's SIP URI without having them present to ask.
2) When the person is present, how do we exchange our SIP URIs and
possibly other information easily. I.e., simply by typing a name we get the
phones paired.
Note that the protocol can be used for requesting any combination of
various identifiers from the target phone. For example, you will probably
need a Mobile IPv6 home address too. In this case, you will request
a SIP URI and a Mobile IPv6 home address (concurrently) from the
target phone.
> and "How do I prevent unauthorized people from obtaining this
> information?"
Obviously, a message with the querier user's name will be
displayed on the target phone:
Pairing request from
Michael Jordan. Accept? [YES/NO]
Of course, authentication is needed between cell phone operators.
If a certificate is unknown, the target user should be warned.
> The first part is a general phone book problem. But by hypothesis, it
> requires relatively little authentication of me to obtain the SIP URI.
> Yes, you can propose a step where the inquiry is passed to the target
> for approval, but that means that anyone who attempts a lookup can
> annoy the target person -- a direct failure of the privacy goal, since
> the inquirer has just contacted the target!
This is a very good question. Here is an abstract solution:
Before the pairing request can be displayed on the target screen,
the querier "user" will need to solve a challenge. For example a CAPTCHA.
The attack that you mention above is similar to knocking at the door
of someone and running away. This could happen (I myself did that, I confess :-/ ).
In our case the attack is even more stupid because the attacker
has to solve a difficult problem before disturbing someone!
> If you want people to be interested in this, you're going to have to
> assemble a much better problem statement and at least one plausible
> solution, I think.
One plausible solution to me (a serverless one) can be based on mDNS, but
for wireless local use only.
Dean Willis is suggesting a solution based on SIP consent framework.
Others see it as extension to LDAP.
DNS based solutions are also being mentioned.
> My suspicion is that treating the SIP URI itself as having strong
> privacy requirements, but not treating the information needed to look
> up the SIP URI as not having strong privacy requirements, is not going
> to make any difference unless the process that maps between the two
> has strong authentication of the inquirer.
I hope that I could answer this above.
Thanks,
pars
> Dale
>
>
> _______________________________________________
> Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use [EMAIL PROTECTED] for questions on current sip
> Use [EMAIL PROTECTED] for new developments on the application of sip