3 May 2005 19:52
RE: Problems with draft-ietf-mmusic-sdescriptions-09.txt
Blumenthal, Uri <uri.blumenthal <at> intel.com>
2005-05-03 17:52:55 GMT
2005-05-03 17:52:55 GMT
> I guess this work could be used by many application protocols but the one I > am most interested in is SIP so let me answer your question for that one. Most likely it will be used by SIP. > The application, a SIP UA, in this case needs to decide how it wants the > material to be protected - if it does not care, it could just send it. If it > wants to enforce all hops use hop by hop protection, it would use a sips > URL, it it wanted to enforce end to end protection, it could use the S/MIME > stuff. All these are somewhat described in 3261. I haven't touched SIP for quite a while - and I don't think may SIP applications (especially those from 3GPP/3GPP2) support S/MIME. Since this proposal suggests sending keys themselves - unless it is demonstrated how the application will *enforce* end-to-end security, the proposed protocol has a nice hop-to-hop hole in it. > I imagine for other application that use this the answer would be similar.> Any application that has keying material needs to decide how and when to > protect it and not much some lower level thing can do about that. Especially since there is no pre-defined lower-level stuff. On 5/2/05 8:59 AM, "Marcus Leech" <mleech <at> nortel.com> wrote: > One of my colleagues pointed me at this document. Quite apart from > whatever problems might exist in the protocol itself, it makes an assumption > that it will always run of "some kind of secure channel". It's not clear > how that's enforced, and given that this protocol is carrying keying material > for SRTP, it makes me nervous. I don't think it can be enforced from within SIP. Also, I question appropriate-ness of hop-to-hop security for keying material, even if it could be enforced (which I think it can't). > Can others take a look and tell me whether I'm out to lunch or not? [In > this specific case, not the more general case of me being out to lunch, > since I already know that
RSS Feed