Elwell, John wrote:
In conclusion, I do not think that RFC4474 can be of any help
(other than in controlled environments which beats its purpose)
as long as IP/port in SDP are message-integrity-protected.
[JRE] Exactly. Moreover, when media are secured by some means (SRTP in
the case of RTP) and if SDP contains a fingerprint of the certificate
used to secure the media, there is absolutely no need to sign the IP
address/port. They can quite happily change without impacting the
security of media. Of course, if media isn't secured, it is a slightly
different matter, but I doubt that signing the IP address and port
really buys us much. So you might as well not include IP address and
port in the signature, and if they are changed by intermediate SBCs, no
problem.
John
Yes, that's the point. -jiri
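The point made in the thread, as an added example that is not part of the original messages: when an intermediary rewrites the SDP address and port, a check over the whole body fails, while a check that skips address and port but covers the certificate fingerprint still passes. A plain SHA-256 digest stands in for the data a signature would cover; the reduced canonical form, the function names and all SDP values are assumptions made for illustration, not a mechanism defined by RFC4474.

```python
import hashlib

# Constructed SDP offer: host name, address, port and fingerprint are sample values.
OFFER = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 ua.example.invalid",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 UDP/TLS/RTP/SAVP 0",
    "a=setup:actpass",
    "a=fingerprint:sha-256 " + ":".join(["AB"] * 32),
]) + "\r\n"


def _set_port(m_line, port):
    """Return the m= line with its port field replaced."""
    parts = m_line.split(" ")
    parts[1] = str(port)
    return " ".join(parts)


def full_body_digest(sdp):
    """Digest over the entire body: any rewrite of address or port changes it."""
    return hashlib.sha256(sdp.encode()).hexdigest()


def reduced_digest(sdp):
    """Hypothetical canonical form: drop c= lines, mask the m= port, keep the rest
    (including a=fingerprint) so the media key binding stays protected."""
    kept = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            continue
        if line.startswith("m="):
            line = _set_port(line, 0)
        kept.append(line)
    return hashlib.sha256("\r\n".join(kept).encode()).hexdigest()


def sbc_rewrite(sdp, new_ip, new_port):
    """Model of an intermediary (SBC) anchoring media on its own address and port."""
    out = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            line = "c=IN IP4 " + new_ip
        elif line.startswith("m="):
            line = _set_port(line, new_port)
        out.append(line)
    return "\r\n".join(out) + "\r\n"
```
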