Thread: Comments on draft-audet-sip-sips-guidelines-03.txt




Comments on draft-audet-sip-sips-guidelines-03.txt
user name
2006-08-30 21:42:32
Hi Hadriel,

   Inline.

   I am leaving cipher-suite consideration with SIPS, till I publish
next version, and we get some consensus.

Thx
Samir

> 
> What else is there to require?  The sips scheme already requires a
> proxy to follow sips rules.

Problem is with retargeting etc, which is of the RECOMMENDED strength in
the draft. UAC doesn't have control, which I put in another comment.

> >    Proxies cannot pretend use of TLS, unless two adjacent proxies
> > collaborate. Proxy at next hop can verify the Transport on which packet
> > is received with the transport being put by the proxy in via header.
> 
> Here we go again.  What you say is true - it takes 2 to conspire, and
> that should be noted.  But of course such a "conspiracy" is not unlikely
> for this use case.
> 

You agree two to conspire. So statement in the draft needs the
modification.
 
> 
> If that's the case, then SIPS is moot as well.  We have no deployments
> to speak of, and it has so many caveats one wonders what security it ends
> up providing beyond a feel-good story for RFCs. (sorry, didn't mean to go
> down that rat-hole again, but I couldn't help it 
> 

S/MIME is older than SIPS   


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementorscs.columbia.edu for questions on current sip
Use sippingietf.org for new developments on the application of sip
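
The next-hop check quoted in the message above (compare the transport a request actually arrived on with the transport the previous hop wrote into its Via header), as an added example that is not part of either message or of the draft. The function names and the sample request are constructed for illustration; only the topmost Via can be checked this way, which is why older entries are reported separately as unverifiable.

```python
import re

# Via value starts with: "SIP" "/" version "/" transport, then sent-by (RFC 3261).
_VIA_VALUE = re.compile(r"^\s*SIP\s*/\s*2\.0\s*/\s*([A-Za-z0-9.-]+)\s+\S")

def via_transports(raw_message):
    """Return the transport token of every Via value, topmost first."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    # Unfold continuation lines (header folding) before splitting on CRLF.
    head = re.sub(r"\r\n[ \t]+", " ", head)
    transports = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "v"):   # "v" is the compact form
            continue
        for item in value.split(","):              # one header may list several Vias
            m = _VIA_VALUE.match(item)
            if m is None:
                raise ValueError("malformed Via value: %r" % item.strip())
            transports.append(m.group(1).upper())
    return transports

def check_previous_hop(raw_message, received_on):
    """Compare the topmost Via transport with the transport this hop
    actually received the request on (e.g. "TLS", "TCP", "UDP")."""
    vias = via_transports(raw_message)
    if not vias:
        raise ValueError("request has no Via header")
    return {
        "top_via_matches": vias[0] == received_on.upper(),
        # Written by hops this element never saw: claims, not observations.
        "unverifiable_upstream": vias[1:],
    }

# Constructed sample request; hosts and branch values are made up.
SAMPLE = (
    "INVITE sips:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS p2.example.net:5061;branch=z9hG4bKaaa\r\n"
    "v: SIP/2.0/TLS p1.example.com:5061;branch=z9hG4bKbbb,\r\n"
    " SIP/2.0/TLS ua.example.com:5061;branch=z9hG4bKccc\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(check_previous_hop(SAMPLE, "TLS"))   # arrived on TLS: top Via agrees
    print(check_previous_hop(SAMPLE, "TCP"))   # arrived on TCP: top Via is false
```
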
Comments on draft-audet-sip-sips-guidelines-03.txt
user name
2006-08-31 03:49:15
> -----Original Message-----
> From: Samir Srivastava [mailto:samirsrnortel.com]
> >
> > What else is there to require?  The sips scheme already requires a
> > proxy to follow sips rules.
> 
> Problem is with retargeting etc, which is of the RECOMMENDED strength in
> the draft. UAC doesn't have control, which I put in another comment.

When you say "retargeting" do you mean recursing on a 3xx, or the proxy
changing the req-URI due to local routing policies?  The former is all the
draft says a proxy is recommended not to do from sips to sip.  The 3xx case
is an interesting situation, since the sips UAS has essentially granted
permission to retarget to sip.  So you'd need a require header to tell the
UAS not to do that, vs. proxy require.

If you put a proxy-require, then all the proxies along the path have to
support that proxy-require.  That would be another barrier to getting sips
used.

If you meant retarget due to a local routing policy, then the UAC does not
have control, and adding a proxy-require won't give it to him.  The sips
scheme is essentially a faith-based model.  The UAC and UAS are putting
their faith into the proxies to do the right thing.  If a proxy decides it
knows better, due to local policy, then that same proxy would know better
about a proxy-require and ignore it too.

If a proxy retargets to a non-sips target, it probably has some good reason
(it thinks) for doing it.  For example, it wants to send your call to
voicemail which may be directly attached in the same rack, or it wants to
send your call to a local PSTN gateway, or to an operator, or whatever.
After all there's probably some reason people use retargeting proxies, no?

-hadriel


