> Hadriel Kaplan wrote:
>
> > Eric (I think) and I are not talking about having no dtls-srtp
> > fingerprint - that's an SDP attribute. We're talking about not
> > having the rfc4474 signature signing that fingerprint attribute.
> > Even without the rfc4474 signature, an attacker has to be able to
> > modify that SDP fingerprint attribute to succeed, and thus be in the
> > signaling path. The rfc4474 signature just prevents anyone between
> > the signer and verifier from being able to do so.
Said another way:

Without RFC4474, DTLS-SRTP (and TLS-comedia [RFC4572]) are vulnerable
to an active attacker if that attacker is on both the media path
(to modify the (D)TLS handshake) and the signal path (to modify
the a=fingerprint).
> Ok, I missed this.
>
> I really thought DTLS-SRTP required an RFC 4474 Identity
> header. That's why I asked the question several times, both in
> person (with EKR) and on the list.
It depends on if you want protection from active attackers; if
you do, you need RFC4474. If you don't, you don't need RFC4474.
-d
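The point made above (an attacker has to rewrite both the a=fingerprint in the SDP and the certificate in the DTLS handshake, and an Identity signature over the SDP is what stops the first of those) is easy to lose in the back-and-forth, so here is a small model of it. This is an added example, not code from the message or from any SIP/DTLS-SRTP implementation. It assumes constructed byte strings in place of DER-encoded certificates, a minimal two-line SDP body, and an HMAC keyed by the signing domain as a stand-in for the RFC 4474 Identity signature (the real header is a domain-certificate signature over a digest-string; the binding property being shown is the same). The a=fingerprint line is built the way RFC 4572 specifies it: hash name, a space, and upper-case hex octets separated by colons.

```python
"""Model of the DTLS-SRTP fingerprint check and why RFC 4474 matters.

Added example; not from the original message. Certificates are
constructed stand-in bytes, and the Identity header is approximated
with an HMAC (assumption, see lead-in).
"""
import hashlib
import hmac
import re


def fingerprint_attr(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """Build an RFC 4572 a=fingerprint line for a certificate."""
    algo = hash_name.replace("-", "")            # "sha-256" -> hashlib "sha256"
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    octets = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"a=fingerprint:{hash_name} {octets}"


_FP_RE = re.compile(r"^a=fingerprint:(\S+) ((?:[0-9A-F]{2}:)*[0-9A-F]{2})$")


def handshake_cert_matches_sdp(sdp: str, handshake_cert_der: bytes) -> bool:
    """Verifier-side check: the certificate presented in the (D)TLS
    handshake must hash to the a=fingerprint value carried in the SDP."""
    for line in sdp.splitlines():
        m = _FP_RE.match(line)
        if m:
            hash_name, hexval = m.groups()
            expected = bytes.fromhex(hexval.replace(":", ""))
            actual = hashlib.new(hash_name.replace("-", ""), handshake_cert_der).digest()
            return hmac.compare_digest(expected, actual)
    return False  # no fingerprint at all: nothing binds the handshake


# Stand-in for an RFC 4474 Identity header over the SDP body (assumption:
# HMAC with a domain key instead of a domain-certificate RSA signature).
def sign_identity(sdp: str, domain_key: bytes) -> str:
    return hmac.new(domain_key, sdp.encode(), hashlib.sha256).hexdigest()


def verify_identity(sdp: str, identity: str, domain_key: bytes) -> bool:
    return hmac.compare_digest(sign_identity(sdp, domain_key), identity)


def offer_sdp(cert_der: bytes) -> str:
    """Minimal constructed SDP offer carrying the offerer's fingerprint."""
    return ("v=0\r\nm=audio 49170 UDP/TLS/RTP/SAVP 0\r\n"
            + fingerprint_attr(cert_der) + "\r\n")


# Constructed stand-ins for DER certificates and a domain signing key.
ALICE_CERT = b"constructed-cert:alice"
MALLORY_CERT = b"constructed-cert:mallory"
ALICE_DOMAIN_KEY = b"constructed-domain-signing-key"


def attack_media_path_only() -> bool:
    """Mallory is only on the media path: she swaps her certificate into
    the DTLS handshake, but the SDP still names Alice's fingerprint.
    Returns whether Bob accepts the handshake (he should not)."""
    sdp = offer_sdp(ALICE_CERT)
    return handshake_cert_matches_sdp(sdp, MALLORY_CERT)


def attack_both_paths_no_identity() -> bool:
    """Mallory is on signaling and media and there is no RFC 4474: she
    rewrites a=fingerprint and the handshake, and Bob accepts."""
    sdp = offer_sdp(ALICE_CERT)
    tampered = sdp.replace(fingerprint_attr(ALICE_CERT), fingerprint_attr(MALLORY_CERT))
    return handshake_cert_matches_sdp(tampered, MALLORY_CERT)


def attack_both_paths_with_identity() -> bool:
    """Same attacker, but Alice's domain signed the SDP. Mallory can
    rewrite the fingerprint but cannot re-sign, so Bob rejects the offer
    before the handshake is even compared."""
    sdp = offer_sdp(ALICE_CERT)
    identity = sign_identity(sdp, ALICE_DOMAIN_KEY)
    tampered = sdp.replace(fingerprint_attr(ALICE_CERT), fingerprint_attr(MALLORY_CERT))
    if not verify_identity(tampered, identity, ALICE_DOMAIN_KEY):
        return False
    return handshake_cert_matches_sdp(tampered, MALLORY_CERT)


def honest_call() -> bool:
    """No attacker: signed SDP verifies and the handshake cert matches."""
    sdp = offer_sdp(ALICE_CERT)
    identity = sign_identity(sdp, ALICE_DOMAIN_KEY)
    return (verify_identity(sdp, identity, ALICE_DOMAIN_KEY)
            and handshake_cert_matches_sdp(sdp, ALICE_CERT))


if __name__ == "__main__":
    print("media path only, accepted:", attack_media_path_only())
    print("both paths, no Identity, accepted:", attack_both_paths_no_identity())
    print("both paths, with Identity, accepted:", attack_both_paths_with_identity())
    print("honest call accepted:", honest_call())
```

The three attack functions map directly onto the cases in the thread: a media-path-only attacker is caught by the fingerprint check alone, an attacker on both paths wins when nothing protects the SDP, and the Identity signature is what closes that last case. Note that the check returns False when no a=fingerprint is present at all, which is the right default for a verifier that expects one.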
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip