> -----Original Message-----
> From: Elwell, John [mailto:[EMAIL PROTECTED]
>
> Part of the straw man proposal was "If a user is identified by a phone
> number, its domain can sign with an RFC 4474 signature if it believes
> that calls to that number will reach the user".
> So yes, an intervening domain can change the domain name and resign,
> which is fine as long as you can get back to that E.164 number via that
> domain. As far as DTLS-SRTP is concerned, it means media are secured as
> far as that domain. It is slightly better than PAI because it signs the
> fingerprint of the certificate to be used for DTLS.
Right, but any domain can do this, whether they're right or wrong or lying on purpose. As far as the UAS or UAC know, there is a long chain of trust in the middle, or a chain with no trust whatsoever. Since any domain anywhere can do it, without repercussion, knowing that DTLS-SRTP is working to/from that random domain has little value. It means nothing about the end-to-end security of the media or signaling or message contents. It would naturally devolve to only believing the signature of your next-hop domain, at which point there is no need to sign anything using RFC 4474 - you might as well just believe PAI and the fingerprint attribute your next-hop gave you.

-hadriel

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
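The point both messages turn on can be made concrete with a small model of RFC 4474 signing and verification. The example below is added here and is not code from the thread or from any IETF implementation: it builds the RFC 4474 digest-string (From, To, Call-ID, CSeq, Date, Contact and body joined by "|"), signs it per domain, and then shows what a verifier at the far end actually learns once an intervening domain has rewritten the From host to itself, swapped in its own DTLS fingerprint and re-signed. The domains a.example and b.example, the INVITE fields, the fingerprint values and the function names are all constructed for the demo; the textbook RSA over Mersenne primes is an unpadded stand-in for the rsa-sha1 signature the RFC specifies and for the certificates a verifier would fetch via Identity-Info.

```python
import base64
import hashlib
import re

# --- toy RSA keys: demo stand-in for each domain's certificate ----------
# Mersenne primes keep each modulus above 2^160 so a raw SHA-1 digest fits.
# Textbook RSA with no padding: illustrative only, never use in production.
def _keypair(p, q):
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

A_PUB, A_PRIV = _keypair(2**61 - 1, 2**127 - 1)   # originating domain (constructed)
B_PUB, B_PRIV = _keypair(2**89 - 1, 2**107 - 1)   # intervening domain (constructed)

# Stand-in for the certificates a verifier would fetch via Identity-Info.
CERT_STORE = {"a.example": A_PUB, "b.example": B_PUB}

# Constructed SDP fingerprint lines (RFC 4572 syntax; values are not real hashes).
FP_A = "a=fingerprint:sha-1 " + ":".join(["AA"] * 20)
FP_B = "a=fingerprint:sha-1 " + ":".join(["BB"] * 20)


def addr_spec(field):
    """Return the URI inside <...>, or the bare field, as RFC 4474 requires."""
    m = re.search(r"<([^>]+)>", field)
    return m.group(1) if m else field.strip()


def host_of(uri):
    """Host part of a sip: URI (user@host[:port][;params])."""
    if "@" not in uri:
        return uri
    return uri.split("@", 1)[1].split(";")[0].split(":")[0]


def digest_string(msg):
    """RFC 4474 section 9 canonical string, fields separated by '|'."""
    return "|".join([addr_spec(msg["From"]), addr_spec(msg["To"]),
                     msg["Call-ID"], msg["CSeq"], msg["Date"],
                     addr_spec(msg.get("Contact", "")), msg["body"]])


def _digest_int(msg):
    return int.from_bytes(hashlib.sha1(digest_string(msg).encode()).digest(), "big")


def sign_identity(msg, domain, priv):
    """Add Identity / Identity-Info headers signed with the domain's key."""
    n, d = priv
    signed = dict(msg)
    sig = pow(_digest_int(msg), d, n)
    signed["Identity"] = base64.b64encode(
        sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    signed["Identity-Info"] = f"<https://{domain}/cert.pem>;alg=rsa-sha1"
    return signed


def verify_identity(msg, cert_store):
    """Return the domain whose signature verified, or None.

    A verifier checks that the signing certificate's domain matches the From
    host, then checks the signature over the digest-string. Note that the
    result names only the *last* domain that signed; nothing about any
    earlier hop survives."""
    m = re.match(r"<https://([^/>]+)/", msg.get("Identity-Info", ""))
    if not m or "Identity" not in msg:
        return None
    domain = m.group(1)
    if domain not in cert_store or host_of(addr_spec(msg["From"])) != domain:
        return None
    n, e = cert_store[domain]
    sig = int.from_bytes(base64.b64decode(msg["Identity"]), "big")
    return domain if pow(sig, e, n) == _digest_int(msg) else None


def relay_through(domain, priv, msg, new_fingerprint=None):
    """What the quoted straw man permits: an intervening domain rewrites the
    From host to itself, optionally substitutes the fingerprint of the DTLS
    certificate it will use (it terminates DTLS-SRTP), and re-signs."""
    relayed = dict(msg)
    relayed["From"] = re.sub(r"@[^>;]+", "@" + domain, msg["From"], count=1)
    if new_fingerprint:
        relayed["body"] = re.sub(r"a=fingerprint:[^\r\n]*", new_fingerprint,
                                 msg["body"])
    return sign_identity(relayed, domain, priv)


def sample_invite():
    """Constructed INVITE fields carrying a DTLS-SRTP offer from a.example."""
    return {
        "From": '"Alice" <sip:+15551234567@a.example>;tag=1928301774',
        "To": "<sip:+15559876543@c.example>",
        "Call-ID": "a84b4c76e66710",
        "CSeq": "314159 INVITE",
        "Date": "Thu, 21 Feb 2002 13:02:03 GMT",
        "Contact": "<sip:alice@192.0.2.4>",
        "body": "v=0\r\nm=audio 49170 UDP/TLS/RTP/SAVP 0\r\n" + FP_A + "\r\n",
    }


if __name__ == "__main__":
    original = sign_identity(sample_invite(), "a.example", A_PRIV)
    print("as sent by a.example:", verify_identity(original, CERT_STORE))
    relayed = relay_through("b.example", B_PRIV, original, new_fingerprint=FP_B)
    print("after b.example re-signs:", verify_identity(relayed, CERT_STORE))
    print("fingerprint the UAS now sees:", relayed["body"].split("\r\n")[2])
```

Run stand-alone, the script verifies the original INVITE to a.example and the relayed one to b.example, with b.example's fingerprint in the body and no trace of a.example's. The signature does bind the fingerprint, so a hop that changes the SDP without re-signing is caught; but since any domain holding a certificate can rewrite From and re-sign, that protection reaches exactly as far as the last signer, which is the devolution to next-hop trust the reply describes.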
