Dan Wing wrote:
That wasn't my intent.

Dan: OK; sorry.

Otherwise, for certificate-based authentication
between proxies, some of what you write above is discussed in
the sip-domain-certs draft.

Yes, some of it is there. Can that draft be extended to talk about validating the From of requests (and maybe responses, I'm
not sure) that come from over a TLS-authenticated connection?  Or
would that be out of scope for it?

I believe that validating the From would be out of scope as
the draft currently stands.  The draft does discuss how a
receiving proxy (i.e., the one that did the passive accept)
may authenticate the sender (see S7.4,
http://tools.ietf.org/html/draft-ietf-sip-domain-certs-00#section-7.4),
but this discussion does not normatively involve the From
header.

Furthermore, trying to match sender identity as carried in
From to the TLS-level connection identity as carried in the
certificate does not work well in the hop-by-hop model.
For instance, the sender's From may as well be [EMAIL PROTECTED], but
the last upstream proxy that opened up a connection to the
recipient could be some intermediary (proxy.com) not in the
a.com domain, thus making it impossible to enforce that the
From must match the identity of the last upstream proxy in the
certificate.

Did you have some alternate or new thoughts on this to see if
we can hash out something that would still be in the context
of the domain-certs draft?  As it stands, Scott and I are about
to submit a final post WGLC revision on it by next week.

Thanks,

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: [EMAIL PROTECTED],bell-labs.com,acm.org}
WWW:   http://www.alcatel-lucent.com/bell-labs
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
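The mismatch Vijay describes above, shown as an added example that is not part of this thread or of the domain-certs draft: a receiving proxy extracts the domain from the From header of a request that arrived over a TLS connection, and compares it with the domains asserted in the peer certificate of the proxy that opened that connection. The domain names (a.com, proxy.com), the `PeerCert` structure and the helper names are constructed for illustration; the certificate identities are modelled as a plain list rather than parsed from real X.509.

```python
import re
from dataclasses import dataclass, field

# Constructed example: matching a SIP From header against the TLS peer
# certificate on a hop-by-hop path.  Domains and data structures are
# illustrative placeholders, not a real deployment or a library API.

# Finds the host part of a SIP/SIPS URI, with or without a user part.
FROM_URI_RE = re.compile(r'<?sips?:(?:[^@>]+@)?([^;>:]+)')


def from_domain(from_header: str) -> str:
    """Return the lower-cased host part of the URI in a From header value."""
    m = FROM_URI_RE.search(from_header)
    if not m:
        raise ValueError("no SIP URI found in From header")
    return m.group(1).lower()


@dataclass
class PeerCert:
    """Identities found in the TLS peer certificate's subjectAltName.

    dns_names: dNSName entries, e.g. "proxy.com"
    uri_names: uniformResourceIdentifier entries, e.g. "sip:proxy.com"
    (assumed shape; a real implementation would read these from X.509)
    """
    dns_names: list = field(default_factory=list)
    uri_names: list = field(default_factory=list)


def cert_domains(cert: PeerCert) -> set:
    """Collect every domain the certificate asserts, from both SAN forms."""
    domains = {d.lower() for d in cert.dns_names}
    for uri in cert.uri_names:
        m = re.match(r'sips?:([^;:]+)$', uri)
        if m:
            domains.add(m.group(1).lower())
    return domains


def peer_authenticated_as(cert: PeerCert, expected_domain: str) -> bool:
    """Hop-by-hop peer authentication: does the certificate assert the domain
    the receiving proxy expects its *direct* peer to be?  This is the kind of
    check a receiving proxy can enforce regardless of what From says."""
    return expected_domain.lower() in cert_domains(cert)


def from_matches_peer(from_header: str, cert: PeerCert) -> bool:
    """The check that does NOT hold up hop-by-hop: require the From domain to
    be one of the domains in the directly-connected peer's certificate."""
    return from_domain(from_header) in cert_domains(cert)


def evaluate_hop(from_header: str, cert: PeerCert, expected_peer: str) -> dict:
    """Summarise both checks for one inbound TLS hop."""
    return {
        "peer_authenticated": peer_authenticated_as(cert, expected_peer),
        "from_matches_peer": from_matches_peer(from_header, cert),
    }


if __name__ == "__main__":
    request_from = '"Alice" <sip:alice@a.com>;tag=9fxced76sl'

    # Case 1: a.com's own proxy connects to us directly.
    direct = PeerCert(uri_names=["sip:a.com"], dns_names=["a.com"])
    print("direct hop     :", evaluate_hop(request_from, direct, "a.com"))

    # Case 2: an intermediary outside a.com forwards the request.  The peer
    # is genuinely authenticated as proxy.com, yet From still says a.com, so
    # a From-vs-certificate rule would wrongly reject legitimate traffic.
    via_intermediary = PeerCert(uri_names=["sip:proxy.com"])
    print("via intermediary:",
          evaluate_hop(request_from, via_intermediary, "proxy.com"))
```

In the direct case both checks succeed; once an intermediary sits on the path, `peer_authenticated` is still true (the certificate correctly identifies proxy.com) while `from_matches_peer` is false, which is exactly why the From header cannot be bound to the last-hop certificate identity.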