To summarize your email: anybody that needs SIP security will use TLS between their own proxies. That does seem to be the consensus. Perhaps how that works should be written up -- as in, does that mean when I have a TLS connection with boeing.com, I should only allow or only expect From: addresses that end in @boeing.com, and not @big-airplane.boeing.com and not @rolls-royce.com?
-d

> -----Original Message-----
> From: Hannes Tschofenig [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 24, 2008 1:17 AM
> To: Dan Wing
> Cc: 'Dean Willis'; 'Hadriel Kaplan'; [email protected]; 'Paul Kyzivat'
> Subject: Re: [Sip] Toward the Evolution of SIP and Related Working Groups
>
> Many of the SIP security mechanisms share the same fate: They are far
> ahead of the actual SIP deployment. This is true for SIP Identity, SIP
> CERT, SIP SAML, End-to-End Security, etc. When we started the SAML work
> we looked at what was going on at that time in the HTTP space. Without
> doubt the entire application layer identity management space found a lot
> of excitement. There is a lot of standardization being done and also a
> lot of deployment taking place. With the SIP space that was obviously a
> bit different and deployments today focus largely on voice (and there
> not even on end-to-end SIP-based communication).
>
> For example: Look at what is being used in XMPP. There is no
> equivalent of SIP Identity -- folks are currently looking into
> providing certificates for server-to-server communication.
>
> Even though they are, from a deployment point of view, ahead, they are
> not even close to where we are with our documents.
>
> Ciao
> Hannes
>
> PS: I also believe that the SIP Identity case isn't an easy one either.
> For the guys that would make use of SIP Identity in a deployment where
> the two SIP proxies talk to each other, there would not be a need for SIP
> Identity since you are essentially replicating what TLS provides you at
> a lower layer already. In cases where there are many SIP proxies along
> the path SIP Identity would be useful since it provides protection
> against any one of them being malicious. However, the guys who favour
> such a deployment model are the ones that believe very much in the chain
> of trust (hop-by-hop security). They have no interest in using
> SIP Identity.
>
> Dan Wing wrote:
> >>> draft-ietf-sip-saml
> >>>
> >> -- I'm not sure this one is ever getting done.
> >>
> >> So I'm not sure there's enough there to justify a WG.
> >>
> >> How about an "Identity in SIP" working group that takes on
> >> fixing RFC 4474 for gateways/b2buas and possibly considers
> >> identity/role assertion using SAML?
> >>
> >
> > I agree we need that. I have tried, and so far failed, to
> > initiate activity towards such an effort.
> >
> > -d
> >
> > _______________________________________________
> > Sip mailing list https://www.ietf.org/mailman/listinfo/sip
> > This list is for NEW development of the core SIP Protocol
> > Use [EMAIL PROTECTED] for questions on current sip
> > Use [EMAIL PROTECTED] for new developments on the application of sip
> >
>
