> -----Original Message-----
> From: Cullen Jennings [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2008 7:54 PM
> To: Dan Wing
> Cc: 'Eric Rescorla'; 'Elwell, John'; 'Hadriel Kaplan';
> 'Jonathan Rosenberg'; 'SIP IETF'; 'Uzelac, Adam'
> Subject: Re: [Sip] Thoughts on SIP Identity issues
>
> On Aug 5, 2008, at 10:26 , Dan Wing wrote:
>
> >>>> With that said, ISTM that this cuts against your argument
> >>>> that we should be signing less of the message, since the
> >>>> failure of RFC 4474 (to the extent there is one) in this
> >>>> case is that it doesn't protect *enough* information.
> >>>
> >>> Neither draft-fischer-sip-e2e-sec-media nor
> >>> draft-wing-sip-identity-media simply "sign less" -- please
> >>> do not mis-characterize the proposals. Both proposals
> >>> require a public key exchange with the remote party -- which
> >>> is far stronger than just using the IP address of the remote
> >>> party as is done by RFC4474.
> >>
> >> I don't actually think this characterization of 4474 is that
> >> accurate. RFC 4474 does not use the IP address for
> >> authenticating the media. Rather, it authenticates the IP
> >> address as well as the rest of the SDP
> >
> > Which draft-kaplan-sip-baiting shows is insufficient at its intended
> > purpose.
>
> I probably disagree but to sort that out ... What exactly do you see
> as the purpose of 4474 which the baiting draft shows it does not meet?

The purpose of 4474 is to identify the calling party. I believe that is
its primary purpose. The baiting draft describes how an attacker can use
a validly-signed 4474 message to fool a victim into thinking the calling
party is calling them.

> I'm trying to focus this conversation over to the requirements
> instead of talking about solution mechanisms before we can agree
> what the problem is.
>
> Cullen <in my individual contributor role>

Thanks.
-d
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
