> -----Original Message-----
> From: Dean Willis [mailto:[EMAIL PROTECTED]
>
> You MUST sign in order to be able to use DTLS-SRTP effectively. This
> means that even PSTN-grade identities have to be signed. So we either
> have to change DTLS-SRTP to not have this dependency, or we have to find
> a way to mark the PSTN-grade ones appropriately so that they are not
> taken seriously as a strong identity.

No, you don't have to RFC 4474-sign DTLS-SRTP fingerprint attributes. RFC 4474-signing them prevents SIP devices between the signer and the verifier from modifying the attribute to become a DTLS-SRTP man-in-the-middle. If a MitM can re-sign without the verifier detecting it, then RFC 4474 signing is pointless, even for the DTLS-SRTP fingerprint attribute. And that is the problem with E.164. If foo.com can receive sip:[EMAIL PROTECTED], and change it to sip:[EMAIL PROTECTED], and the UAS only displays "+12128675309", or the human only cares about that part because they think it's a phone number, then there's little point in signing.

> Adam's approach solves this better than using PAID, as 1) we could NOT
> have DTLS-SRTP (a standards-track doc) with a normative reference to
> RFC 3325 (an informational track doc). Further, the same problem applies
> -- even with RFC 3325, it would be good to differentiate strong
> identities from PSTN-grade identities.

You wouldn't need to reference RFC 3325 in dtls-srtp-framework (and it's the framework this is about, btw, not dtls-srtp). PAID has nothing to do with the fingerprint - it has to do with identity. My point was you already do have PSTN-grade identities: PAID is it.

-hadriel

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
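The two cases Hadriel contrasts, an intermediary that swaps the a=fingerprint without being able to re-sign, and a foo.com that rewrites the From domain to its own and re-signs, modelled as an added example (not code from the post, the IETF or any SIP implementation). The digest-string layout follows RFC 4474 section 9 (From|To|Call-ID|CSeq|Date|Contact|body); everything else is an assumption: each domain signs with an HMAC-SHA256 key standing in for the RSA certificate RFC 4474 actually uses, the verifier selects that key by the From domain as it would fetch a cert via Identity-Info, and the INVITE, keys and fingerprint values are all constructed sample data.

```python
"""Toy RFC 4474 Identity signing over an INVITE carrying a DTLS-SRTP
a=fingerprint, to show what the signature does and does not catch.

Assumption (simplification, not RFC 4474 itself): each domain signs with an
HMAC-SHA256 key in place of its RSA certificate; the verifier looks the key
up by the From-header domain.
"""
import base64
import hashlib
import hmac
import re

# Constructed sample keys, one per domain, standing in for domain certs.
DOMAIN_KEYS = {
    "bar.com": b"bar.com-signing-key",
    "foo.com": b"foo.com-signing-key",
}

# Constructed sample INVITE: the headers RFC 4474 covers, plus an SDP body
# with a DTLS-SRTP fingerprint (the hex value is made up).
CALLER_INVITE = {
    "From": "<sip:+12128675309@bar.com>;tag=1928301774",
    "To": "<sip:+16505551212@example.net>",
    "Call-ID": "a84b4c76e66710@pc33.bar.com",
    "CSeq": "314159 INVITE",
    "Date": "Thu, 21 Feb 2002 13:02:03 GMT",
    "Contact": "<sip:+12128675309@pc33.bar.com>",
    "body": (
        "v=0\r\n"
        "m=audio 49170 UDP/TLS/RTP/SAVP 0\r\n"
        "a=fingerprint:sha-256 "
        "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:"
        "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF\r\n"
    ),
}

# Constructed fingerprint of the intermediary's own DTLS certificate.
MITM_FINGERPRINT = (
    "sha-256 FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:"
    "FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10"
)

DIGEST_FIELDS = ("From", "To", "Call-ID", "CSeq", "Date", "Contact", "body")


def digest_string(msg):
    """RFC 4474 section 9 digest-string: covered headers and body joined by '|'."""
    return "|".join(msg[f] for f in DIGEST_FIELDS)


def from_domain(msg):
    """Host part of the From URI; this is what RFC 4474 actually attests."""
    return re.search(r"sip:[^@>]+@([^>;]+)", msg["From"]).group(1)


def from_user(msg):
    """User part of the From URI: all a phone-number-minded UAS displays."""
    return re.search(r"sip:([^@>]+)@", msg["From"]).group(1)


def fingerprint(msg):
    """The a=fingerprint value the DTLS-SRTP handshake will be checked against."""
    return re.search(r"a=fingerprint:(\S+ \S+)", msg["body"]).group(1)


def sign(msg, keys):
    """Return a copy carrying an Identity header made with the From domain's key."""
    mac = hmac.new(keys[from_domain(msg)], digest_string(msg).encode(),
                   hashlib.sha256).digest()
    signed = dict(msg)
    signed["Identity"] = base64.b64encode(mac).decode()
    return signed


def verify(msg, keys):
    """Recompute with the From domain's key; True only if Identity matches."""
    key = keys.get(from_domain(msg))
    if key is None or "Identity" not in msg:
        return False
    mac = hmac.new(key, digest_string(msg).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), msg["Identity"])


def swap_fingerprint(msg, new_fp):
    """Replace the SDP fingerprint so the DTLS handshake terminates at the MitM."""
    out = dict(msg)
    out["body"] = re.sub(r"a=fingerprint:\S+ \S+",
                         lambda _m: "a=fingerprint:" + new_fp, msg["body"])
    return out


def tamper_without_resigning(signed):
    """Case 1: intermediary swaps the fingerprint but holds no key for bar.com."""
    return swap_fingerprint(signed, MITM_FINGERPRINT)


def rewrite_domain_and_resign(signed, mitm_domain, keys):
    """Case 2: foo.com turns +1...@bar.com into +1...@foo.com and signs as foo.com."""
    rewritten = swap_fingerprint(signed, MITM_FINGERPRINT)
    rewritten["From"] = signed["From"].replace(
        "@" + from_domain(signed), "@" + mitm_domain)
    return sign(rewritten, keys)


def demo():
    signed = sign(CALLER_INVITE, DOMAIN_KEYS)
    tampered = tamper_without_resigning(signed)
    rewritten = rewrite_domain_and_resign(signed, "foo.com", DOMAIN_KEYS)
    return {
        "original_verifies": verify(signed, DOMAIN_KEYS),
        "tampered_verifies": verify(tampered, DOMAIN_KEYS),
        "rewritten_verifies": verify(rewritten, DOMAIN_KEYS),
        "rewritten_signer": from_domain(rewritten),
        "displayed_user_unchanged": from_user(rewritten) == from_user(signed),
        "fingerprint_changed": fingerprint(rewritten) != fingerprint(signed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first case fails verification, which is exactly what signing the fingerprint buys. The second case verifies, because the signature is a valid foo.com signature over a From URI that really is in foo.com; the only evidence of the rewrite is the domain, which the UAS that shows just "+12128675309" never surfaces to the human.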
