Adam, 

> -----Original Message-----
> From: Adam Roach [mailto:[EMAIL PROTECTED] 
> Sent: 11 July 2008 16:50
> To: Elwell, John
> Cc: DRAGE, Keith (Keith); Jonathan Rosenberg; [email protected]; 
> Michael Thomas; Dan Wing
> Subject: Re: [Sip] Signing P-Asserted-Identity
> 
> On 7/11/08 2:56 AM, Elwell, John wrote:
> > I understand that some service providers expect PAI to identify the
> > charged user, so accepting any PAI value outside the legitimate range of
> > the authenticated entity from which the request is received (e.g.,
> > authenticated at the IPSEC or TLS level) causes them grief. Hence,
> > considering an enterprise network to be part of their trust domain is
> > problematic for these service providers. In my opinion, the From URI is
> > more likely to pass through unchanged than the PAI. But perhaps the best
> > chance of success is to place the e2e-authenticated identity in some
> > other header field.
> >   
> 
> P-Original-From?
[JRE] I was thinking more of the proposal in the Fischer draft.

> 
> Actually, that would work pretty well -- if we add "P-Original-Call-Id,"
> "P-Original-CSeq," "P-Original-Contact," and "P-Original-Identity," we
> could use RFC 4474 with just minor modification.
[JRE] It depends what we are trying to achieve. The Fischer draft is
aimed mainly at providing some authentication of the source of the
fingerprint of the certificate used to secure the media, rather than a
more general integrity protection of all these various bits of a SIP
request in general.

John

> 
> Or, even better, we could do away with P-Original-* headers altogether,
> and put the relevant header fields (including Identity) in an
> application/sipfrag body part. Then, you could use a normal RFC4474
> identity service, and add a security mangler to make the
> signature SBC-safe.
> 
> /a
> 
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
