> -----Original Message-----
> From: Dean Willis [mailto:[email protected]]
> Sent: Monday, March 30, 2009 2:18 PM
> To: Hadriel Kaplan
>
> RFC 4474 can be used end to end. It all depends on which cert is used
> to sign the identity, where that signing occurs, and where it gets
> checked. For stupid legacy phones, it can be signed and checked at
> middleboxes operating under some level of transitive trust. For
> smarter devices, it happens in the endpoint.

Ummm.... nafaik. If your AoR is of the form [email protected], then even if your UA endpoint has a cert and signs the request, any middlebox which has a cert for "domain.com", or "*.domain.com", can willy-nilly replace your signature and do lawful interception.

> Signing and checking at the endpoint, coupled with the DTLS
> fingerprint check, enables end-to-end verification of media integrity
> and privacy. Once you start ripping these signatures out in the middle
> of the network and replacing them, we have lost this absolutely
> critical property. If transit providers even think it MIGHT be
> reasonable to rip out the signatures, then we have lost the key
> functionality. Removing signatures MUST BE FORBIDDEN. Adding new ones
> might be ok.

I don't think anyone wants to remove signatures. (Of course, mandating that they don't get removed is like mandating to set the evil bit if you're bad :)

-hadriel

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
