Dean Willis wrote:
On Mar 30, 2009, at 11:59 AM, Jiri Kuthan wrote:
Dean Willis wrote:
On Mar 28, 2009, at 3:02 PM, Jiri Kuthan wrote:
I'm worried this is only wishful thinking. While perfectly
logical, still even in such constrained setups some bizarre
ALGs do in my experience appear in the middle, change SDP
and thus make the identity worthless.
If they change the SDP, they've changed the identity assertion. They
need to re-assert. There might reasonably be a need to have a stack
of assertions with diffs, so one could go back and see the original
SDP, with its original key fingerprint and original verifiable
signature, but just changing stuff and pretending the associated
identity assertion hasn't changed is fundamentally bogus.
My argument has been that including SDP's IP address and port numbers
in message integrity check is not an identity assertion, but a protocol
shortcoming (certainly well-meant, but making things hard to deploy).
I really think that identity and integrity of SDP are two different
things.
Or do you think that these elements somehow belong to identity assertion?
The argument has been made that these elements might provide additional
clues to identity. For example, if I see something that is coming from
what I know is your IP address, and see that it was signed by your
proxy, whose cert I trust, I might be inclined to believe this assertion
more than I would believe it if the source address were coming from a
node that had a reverse record in alqueda.org.
In the absence of a DTLS or zRTP protection of the media path, I'd be
likely to give fairly heavy weighting to this IP address comparison,
even though we know it's not 100%, it is MUCH better than nothing.
Of course, I'd rather have an identity mechanism that actually works
with DTLS than one that doesn't but "works just a little" for
unprotected media.
So personally, I'd be willing to give up signing of IP address/port
numbers when a media key fingerprint is present. But if there's no media
key fingerprint in the signaling (or in the protocol, as zRTP), then I
want to see the address and port numbers included.
I perfectly agree with the suggestion "relax about changed IP/port in SDP
if media secured".
-jiri
--
Dean
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
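An added sketch (not code from the thread or from any SIP implementation) of the policy Dean proposes and Jiri agrees to: when the SDP carries a media key fingerprint, the proxy's integrity check leaves the c= address and the m= port uncovered, so an ALG that rewrites them does not break verification, while any change to the fingerprint itself still does; without a fingerprint, address and port stay covered. The SDP, key and HMAC-as-signature are all constructed stand-ins.

```python
import hashlib
import hmac
import re

# Constructed sample SDP offer; the a=fingerprint line is what a DTLS-SRTP
# endpoint would advertise. The fingerprint value is a placeholder.
SDP_WITH_FINGERPRINT = (
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=fingerprint:sha-256 AB:CD:EF:01\r\n"
)
SDP_PLAIN = SDP_WITH_FINGERPRINT.replace("a=fingerprint:sha-256 AB:CD:EF:01\r\n", "")


def has_media_key_fingerprint(sdp: str) -> bool:
    return any(line.startswith("a=fingerprint:") for line in sdp.split("\r\n"))


def signed_material(sdp: str) -> str:
    """SDP lines covered by the integrity check under the thread's proposal:
    with a fingerprint present, drop the c= line and mask the m= port (media is
    protected by DTLS, so an ALG may rewrite them); otherwise cover everything."""
    relax = has_media_key_fingerprint(sdp)
    covered = []
    for line in filter(None, sdp.split("\r\n")):
        if relax and line.startswith("c="):
            continue
        if relax and line.startswith("m="):
            fields = line.split(" ")
            fields[1] = "0"  # mask the port; media type, profile, payloads stay covered
            line = " ".join(fields)
        covered.append(line)
    return "\r\n".join(covered)


def sign(sdp: str, key: bytes) -> str:
    # HMAC stands in for the proxy's certificate-based signature (assumption).
    return hmac.new(key, signed_material(sdp).encode(), hashlib.sha256).hexdigest()


def verify(sdp: str, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(sdp, key), tag)


def alg_rewrite(sdp: str, new_ip: str, new_port: int) -> str:
    """Simulate an ALG in the middle rewriting the c= address and m= port."""
    sdp = re.sub(r"c=IN IP4 \S+", f"c=IN IP4 {new_ip}", sdp)
    return re.sub(r"(m=audio )\d+", rf"\g<1>{new_port}", sdp)
```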