Re: Plan for moving forward
At Sat, 02 Jun 2007 15:45:05 -0700,
Lakshminath Dondeti wrote:
>
> Hannes,
>
> Vesa and I may be talking about two different things. Vesa, if you are
> following the list, please see below for a description of the use case I
> am talking about.
>
> On 6/2/2007 11:57 AM, Hannes Tschofenig wrote:
> > This discussion very much reminds me of the discussion we had with Vesa
> > Lehtovirta a little bit more than a month ago.
> > He also had the requirement that "existing credentials" should be
> > reused. Whether this works or not depends heavily on the architecture
> > and the way you would like to integrate them into the overall
> > solution. If you use, let's say, the UMTS authentication algorithm
> > between the SIP UA and the P-CSCF then you can obviously use the SIP
> > Identity mechanisms from the P-CSCF towards the other SIP endpoint.
> >
> > In our previous discussion with Vesa we requested more details and we
> > never got them. Now, Lakshminath also seems to have a solution in mind,
> > but without the details it is hard to figure out whether it works.
>
> I don't have a solution in mind really. I just came across a use case
> recently. All I am saying is that we should facilitate that use case.
>
> You are familiar with the IKEv2 model: The Initiator authenticates first
> in the "normal" case. However, it has an option to skip the
> authentication and ask the Responder to authenticate first and then use
> EAP to authenticate itself.
>
> Let's say I have a phone which has the certificate of a gateway. Using
> that phone, I should be able to call that gateway, have the gateway
> authenticate itself, establish a secure channel, authenticate the phone
> to the gateway, and securely communicate with that gateway. How the
> phone gets access to the SIP network is independent of the
> authentication credentials used to authenticate to the gateway.
Again, I'm puzzled as to why we would want this authentication to
occur at the media layer as opposed to at the signalling layer. If
you have the certificate of the gateway, then it should be offering
you authentication via that certificate, regardless of whether you
are doing media. Else how will you get (for instance) secure presence?
-Ekr