> -----Original Message-----
> From: Francois Audet [mailto:[email protected]]
> Sent: Friday, April 03, 2009 1:47 PM
> To: Dan Wing; Dean Willis; Jiri Kuthan
> Cc: SIP List; Uzelac,Adam
> Subject: RE: [Sip] francois' comments and why RFC4474 not used in the field
>
> I'm not sure I agree with the logic.
>
> It seems to me when e2e security of media, then DTLS-SRTP (for UDP) and TLS
> (for TCP) makes perfect sense.

I agree that (D)TLS is best, and that it protects from all sorts of attacks.

> If we allow transcoding, then I don't see the point in e2e security, since
> it obviously is not e2e. I don't understand what ICE gives you in this case.

The public key challenge/response, described in draft-wing-sip-identity-media-02, provides better identity assurance than signing IP address and UDP port (as done by RFC4474). Obviously the media is still un-encrypted, though, and encrypted media is better than un-encrypted media.

> If we need transcoding, then we might want instead to have a security
> mechanism with the transcoder instead.
>
> For example, we could use DTLS-SRTP where Alice is using the 4474-like
> mechanism, but the transcoder is using its own cert (instead of a
> self-signed one). That cert's credentials would already be provisioned in
> Alice's device. That would seem like a simple way to do this.

Ignoring SRTP for a moment, the complexities involved there are astounding. For example, call forwarding and call transfers might need to invoke, or remove, a translator in a far-removed service provider or enterprise (e.g., forwarding your work calls to your house).

-d

> > -----Original Message-----
> > From: Dan Wing [mailto:[email protected]]
> > Sent: Friday, April 03, 2009 10:44
> > To: Audet, Francois (SC100:3055); 'Dean Willis'; 'Jiri Kuthan'
> > Cc: 'SIP List'; 'Uzelac,Adam'
> > Subject: RE: [Sip] francois' comments and why RFC4474 not used in the field
> >
> > > > All 5 techniques described in
> > > >
> > > > http://tools.ietf.org/html/draft-wing-sip-identity-media-02#section-4
> > > >
> > > > accomplish that using TLS, DTLS-SRTP, ICE, HIP, or ZRTP -- any of
> > > > those choices has different tradeoffs.
> > >
> > > I'm puzzled by why we would do anything but the DTLS-SRTP (and TLS for
> > > TCP traffic).
> >
> > I also prefer TLS. RFC4474 doesn't require TLS, so ICE is in the draft to
> > demonstrate it is possible to have identity even through a translator and
> > have identity with just RTP (RFC4474 provides identity with just RTP).
> >
> > However, if we used TLS/DTLS-SRTP for identity it would (a) break
> > transcoding (as discussed) and (b) require deploying SRTP. I doubt we are
> > willing to do (a) and (b).
> >
> > -d
> >

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
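Added example, not part of the thread, illustrating Dan's point that RFC 4474 ties identity to the IP address and UDP port carried in the SDP: the Identity signature covers the message body, so a transcoder or translator that re-anchors media on itself invalidates it. The INVITE fields and SDP are constructed, and a SHA-1 hash stands in for the rsa-sha1 signature RFC 4474 actually uses (an assumption made to keep the example dependency-free).

```python
import hashlib

# RFC 4474 section 9: the Identity header carries a signature over a
# digest-string built from From, To, Call-ID, CSeq, Date, Contact and the
# message body, joined by "|". The real mechanism signs with the domain's
# RSA key (rsa-sha1); this example stands in a SHA-1 hash for that signature.
HEADERS = ("From", "To", "Call-ID", "CSeq", "Date", "Contact")

def digest_string(msg, body):
    return "|".join(msg[h] for h in HEADERS) + "|" + body

def identity_value(msg, body):
    return hashlib.sha1(digest_string(msg, body).encode()).hexdigest()

def verify(msg, body, identity):
    return identity_value(msg, body) == identity

def rewrite_media_address(body, new_addr, new_port):
    """Simulate a transcoder/B2BUA re-anchoring media on itself by
    rewriting the SDP c= line and the m=audio port."""
    out = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            line = "c=IN IP4 " + new_addr
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(new_port)
            line = " ".join(parts)
        out.append(line)
    return "\r\n".join(out)

# Constructed sample INVITE: addr-spec only for From/To/Contact, per RFC 4474.
MSG = {"From": "sip:alice@example.com", "To": "sip:bob@example.net",
       "Call-ID": "a84b4c76e66710@pc33.example.com", "CSeq": "314159 INVITE",
       "Date": "Fri, 03 Apr 2009 17:47:00 GMT", "Contact": "sip:alice@192.0.2.4"}
SDP = "\r\n".join(["v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.4",
                   "s=-", "c=IN IP4 192.0.2.4", "t=0 0",
                   "m=audio 49170 RTP/AVP 0"])

def demo():
    """Return (verifies end-to-end, verifies after a transcoder rewrote SDP)."""
    identity = identity_value(MSG, SDP)
    rewritten = rewrite_media_address(SDP, "198.51.100.7", 6000)  # transcoder in the path
    return verify(MSG, SDP, identity), verify(MSG, rewritten, identity)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second result is exactly the "(a) break transcoding" cost Dan mentions: the verifier at Bob's side sees a body whose c= and m= lines no longer match what Alice's domain signed.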
