> Hadriel Kaplan wrote:
>
> > Eric (I think) and I are not talking about having no dtls-srtp
> > fingerprint - that's an SDP attribute. We're talking about not
> > having the rfc4474 signature signing that fingerprint attribute.
>
> Even without the rfc4474 signature, an attacker has to be able to
> modify that SDP fingerprint attribute to succeed, and thus be in the
> signaling path. The rfc4474 signature just prevents anyone between
> the signer and verifier from being able to do so.

Said another way: Without RFC4474, DTLS-SRTP (and TLS-comedia [RFC4572]) are vulnerable to an active attacker if that attacker is on both the media path (to modify the (D)TLS handshake) and the signaling path (to modify the a=fingerprint).

> Ok, I missed this.
>
> I really thought DTLS-SRTP required an RFC 4474 Identity
> header. That's why I asked the question several times, both in
> person (with EKR) and on the list.

It depends on if you want protection from active attackers; if you do, you need RFC4474. If you don't, you don't need RFC4474.

-d

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
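The two-path attack described in the message above, worked through as an added example (this is editor-supplied Go, not code from the thread or from any IETF implementation). It models the two checks the callee performs on an INVITE: the RFC 4572 comparison of the a=fingerprint in the SDP against the certificate seen in the DTLS-SRTP handshake, and verification of an RFC 4474 Identity signature whose digest-string covers the SDP body. Assumptions: the SIP header values are constructed samples; a freshly generated RSA key stands in for the caller domain's Identity-Info certificate; throwaway self-signed ECDSA certificates stand in for the endpoints' DTLS certificates; no DTLS handshake is actually run, only the fingerprint comparison an endpoint makes once it has the peer's certificate; and the digest-string is built in the shape RFC 4474 section 9 gives without the header canonicalization rules. The `run` function takes two flags for whether the attacker sits on the signaling path (rewrites a=fingerprint) and on the media path (presents her own certificate in the handshake).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// domainKey stands in for the key behind the caller domain's RFC 4474 Identity-Info certificate (assumed, generated per run).
var domainKey = must(rsa.GenerateKey(rand.Reader, 2048))

// selfSignedDER builds a throwaway self-signed certificate of the kind an endpoint presents in the DTLS-SRTP handshake.
func selfSignedDER(cn string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// fingerprint renders the RFC 4572 a=fingerprint value: hash name, space, upper-case hex bytes separated by colons.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return "sha-256 " + strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
}

// sdpBody is a constructed SDP offer carrying the fingerprint.
func sdpBody(fp string) string {
	return "v=0\r\no=alice 1 1 IN IP4 192.0.2.1\r\ns=-\r\nc=IN IP4 192.0.2.1\r\nt=0 0\r\n" +
		"m=audio 49170 UDP/TLS/RTP/SAVP 0\r\na=fingerprint:" + fp + "\r\na=setup:actpass\r\n"
}

// digestString follows the shape of RFC 4474 section 9: From, To, Call-ID, CSeq, Date and Contact values
// and the body, joined by "|". The body is inside the signed string, so a=fingerprint cannot change unnoticed.
func digestString(h map[string]string, body string) string {
	return strings.Join([]string{h["From"], h["To"], h["Call-ID"], h["CSeq"], h["Date"], h["Contact"], body}, "|")
}

// signIdentity produces the base64 Identity header value (rsa-sha1, as RFC 4474 specifies).
func signIdentity(priv *rsa.PrivateKey, ds string) string {
	d := sha1.Sum([]byte(ds))
	return base64.StdEncoding.EncodeToString(must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, d[:])))
}

// verifyIdentity recomputes the digest-string from what was actually received and checks the signature.
func verifyIdentity(pub *rsa.PublicKey, ds, identity string) bool {
	sig, err := base64.StdEncoding.DecodeString(identity)
	d := sha1.Sum([]byte(ds))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA1, d[:], sig) == nil
}

// mediaCheck is the DTLS-SRTP endpoint's own check, with or without RFC 4474: the certificate
// seen in the handshake must match the a=fingerprint received in signaling.
func mediaCheck(body string, handshakeCert []byte) bool {
	return strings.Contains(body, "a=fingerprint:"+fingerprint(handshakeCert)+"\r\n")
}

// run models Bob's two checks on Alice's INVITE and returns (Identity verifies, fingerprint matches).
// onSignaling: the attacker rewrites a=fingerprint to her own certificate; onMedia: she presents it in the handshake.
func run(onSignaling, onMedia bool) (identityOK, mediaOK bool) {
	aliceCert, malloryCert := selfSignedDER("alice"), selfSignedDER("mallory")
	hdrs := map[string]string{"From": "sip:alice@example.com", "To": "sip:bob@example.org", // constructed
		"Call-ID": "a84b4c76e66710", "CSeq": "1 INVITE", "Date": "Thu, 21 Feb 2008 13:02:03 GMT", "Contact": "sip:alice@192.0.2.1"}
	body := sdpBody(fingerprint(aliceCert))
	identity := signIdentity(domainKey, digestString(hdrs, body)) // Alice's authentication service signs
	received, handshakeCert := body, aliceCert
	if onSignaling {
		received = sdpBody(fingerprint(malloryCert))
	}
	if onMedia {
		handshakeCert = malloryCert
	}
	return verifyIdentity(&domainKey.PublicKey, digestString(hdrs, received), identity),
		mediaCheck(received, handshakeCert)
}

func main() {
	idOK, fpOK := run(true, true)
	fmt.Printf("attacker on both paths: Identity verifies=%v, fingerprint matches=%v\n", idOK, fpOK)
}
```

With the attacker on the signaling path only, the substituted a=fingerprint no longer matches the certificate Alice really presents, so the handshake check alone catches her; with the attacker on the media path only, the handshake certificate does not match Alice's signed fingerprint. Only when she controls both paths does the fingerprint check pass against her own certificate, and at that point the Identity signature is the only thing that fails, because the rewritten body no longer matches the digest-string Alice's domain signed. Note that a verifier which accepts INVITEs with no Identity header is back in the unprotected case, since the same attacker can simply strip the header.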
