Hadriel,

What I want is the end domain, e.g., my bank. Being assured my call is secured as far as my service provider gives me no confidence it is secured as far as my bank or whatever domain I want to communicate with. That is why "email-style" is so much better than phone-number-based.

John

> -----Original Message-----
> From: Hadriel Kaplan [mailto:[EMAIL PROTECTED]
> Sent: 14 March 2008 19:01
> To: Elwell, John; Dwight, Timothy M (Tim); IETF SIP List
> Subject: RE: Straw-man for rfc4474 and e164
>
> > -----Original Message-----
> > From: Elwell, John [mailto:[EMAIL PROTECTED]
> >
> > Part of the straw man proposal was "If a user is identified by a phone
> > number, its domain can sign with an RFC 4474 signature if it believes
> > that calls to that number will reach the user".
> > So yes, an intervening domain can change the domain name and resign,
> > which is fine as long as you can get back to that E.164 number via that
> > domain. As far as DTLS-SRTP is concerned, it means media are secured as
> > far as that domain. It is slightly better than PAI because it signs the
> > fingerprint of the certificate to be used for DTLS.
>
> Right, but any domain can do this, whether they're right or wrong or
> lying on purpose. As far as the UAS or UAC know, there is a long chain of
> trust in the middle, or a chain with no trust whatsoever. Since any domain
> anywhere can do it, without repercussion, knowing that DTLS-SRTP is working
> to/from that random domain has little value. It means nothing about the
> end-to-end security of the media or signaling or message contents. It would
> naturally devolve to only believing the signature of your next-hop domain,
> at which point there is no need to sign anything using rfc4474 - you might
> as well just believe PAI and the fingerprint attribute your next-hop gave
> you.
>
> -hadriel

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
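The check the two messages above are arguing about, as an added example that is not from the list thread or from any IETF implementation: a UAS verifies an RFC 4474 Identity signature whose digest string covers the SDP body (and so the DTLS-SRTP a=fingerprint), then asks the question John raises, namely whether the domain that signed is the domain the caller actually wants, not merely some domain in the path. The example also plays out Hadriel's scenario, an intervening domain that rewrites the From domain and fingerprint and re-signs as itself. Assumptions that are not in the thread: an HMAC key per domain stands in for the RSA key and certificate a real verifier would fetch via Identity-Info, the `alg=hmac-sha256` tag, the domain names, fingerprints and header values are constructed, and `check_call`, `resign_as_intermediary` and the other function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the per-domain certificates a UAS would fetch via
# Identity-Info (assumption: an HMAC key per domain replaces the RSA key pair).
DOMAIN_KEYS = {
    "bank.example": b"constructed-bank-key",
    "transit.example": b"constructed-transit-key",
}

# Constructed DTLS certificate fingerprints (not derived from real certificates).
BANK_FP = "sha-256 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00"
TRANSIT_FP = "sha-256 AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"

HASHED_FIELDS = ("From", "To", "Call-ID", "CSeq", "Date", "Contact", "body")


def bank_invite():
    """A constructed INVITE from the bank's domain, reduced to the fields RFC 4474
    hashes; the SDP carries the DTLS-SRTP fingerprint of the bank's certificate."""
    return {
        "From": "sip:+15551230000@bank.example;user=phone",
        "To": "sip:+15559876543@isp.example;user=phone",
        "Call-ID": "a84b4c76e66710@bank.example",
        "CSeq": "1 INVITE",
        "Date": "Fri, 14 Mar 2008 19:01:00 GMT",
        "Contact": "sip:sbc1.bank.example",
        "body": f"v=0\r\nm=audio 49170 UDP/TLS/RTP/SAVP 0\r\na=fingerprint:{BANK_FP}\r\n",
    }


def digest_string(msg):
    """RFC 4474 section 9 canonical string: From | To | Call-ID | CSeq | Date |
    Contact | body, joined with '|'. Covering the body binds the SDP fingerprint."""
    return "|".join(msg[h] for h in HASHED_FIELDS)


def sign(msg, domain):
    """Add Identity / Identity-Info on behalf of `domain` (HMAC stands in for RSA)."""
    mac = hmac.new(DOMAIN_KEYS[domain], digest_string(msg).encode(), hashlib.sha256).digest()
    signed = dict(msg)
    signed["Identity"] = base64.b64encode(mac).decode()
    signed["Identity-Info"] = f"<https://{domain}/cert.pem>;alg=hmac-sha256"  # hypothetical alg tag
    return signed


def resign_as_intermediary(msg, domain, own_fp):
    """What the straw man permits: a domain in the path that terminates DTLS-SRTP
    rewrites the From domain and the fingerprint, then signs as itself."""
    hop = dict(msg)
    number = hop["From"].split("@", 1)[0]
    hop["From"] = f"{number}@{domain};user=phone"
    hop["Contact"] = f"sip:sbc.{domain}"
    hop["body"] = re.sub(r"a=fingerprint:[^\r\n]*", f"a=fingerprint:{own_fp}", hop["body"])
    return sign(hop, domain)


def signer_domain(msg):
    """Host part of the Identity-Info URI: the only domain the signature speaks for."""
    uri = msg["Identity-Info"].split(";", 1)[0].strip("<>")
    return uri.split("//", 1)[1].split("/", 1)[0]


def sdp_fingerprint(msg):
    for line in msg["body"].split("\r\n"):
        if line.startswith("a=fingerprint:"):
            return line[len("a=fingerprint:"):]
    return None


def check_call(msg, dtls_peer_fp, wanted_domain):
    """UAS-side check. A valid signature proves only that `signer` vouched for the
    From number and the fingerprint; media are secured as far as that domain.
    End-to-end assurance additionally needs signer == the domain you want."""
    signer = signer_domain(msg)
    key = DOMAIN_KEYS.get(signer)
    sig_ok = False
    if key is not None:
        expected = hmac.new(key, digest_string(msg).encode(), hashlib.sha256).digest()
        sig_ok = hmac.compare_digest(expected, base64.b64decode(msg["Identity"]))
    fp_ok = sig_ok and sdp_fingerprint(msg) == dtls_peer_fp
    return {
        "signer": signer,
        "signature_ok": sig_ok,
        "fingerprint_ok": fp_ok,
        "secured_to": signer if fp_ok else None,
        "end_to_end": fp_ok and signer == wanted_domain,
    }


if __name__ == "__main__":
    direct = sign(bank_invite(), "bank.example")
    print(check_call(direct, BANK_FP, "bank.example"))
    hop = resign_as_intermediary(direct, "transit.example", TRANSIT_FP)
    print(check_call(hop, TRANSIT_FP, "bank.example"))
```

Both calls verify and both fingerprints match the DTLS peer, so a verifier that stops at "signature valid" accepts each; only the `secured_to` / `end_to_end` fields separate "secured as far as transit.example" from "secured as far as bank.example", which is the distinction the reply is insisting on.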
