[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Plan for moving forward

To: Lakshminath Dondeti <ldondeti@xxxxxxxxxxxx>
Subject: Re: Plan for moving forward
From: Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 07 Jun 2007 06:10:55 -0700
Cc: Sam Hartman <hartmans-ietf@xxxxxxx>, Dan Wing <dwing@xxxxxxxxx>, "'Eric Rescorla'" <ekr@xxxxxxxxxxxxxxxxxxxx>, "'Cullen Jennings'" <fluffy@xxxxxxxxx>, ietf-rtpsec@xxxxxxx, "'Tim Polk'" <tim.polk@xxxxxxxx>, jon.peterson@xxxxxxxxxxx
In-reply-to: <4667A2DA.9020805@xxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <07b201c7a737$f0526500$c2f0200a@xxxxxxxxxxxxxx> <tslira2y78y.fsf@xxxxxxx> <4667A2DA.9020805@xxxxxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
User-agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)

At Wed, 06 Jun 2007 23:16:58 -0700,
Lakshminath Dondeti wrote:
> Thanks for your note.  One of the successful models with certs and PKI 
> we have is the https model.  The use case I am putting forth works along 
> those lines.  The caller is the client and the callee is the server; the 
> server, e.g., a calling card server or a priority call processing 
> server, authenticates itself first; the client authentication is 
> optional as DTLS allows and within the secure tunnel the caller sends 
> DTMF tones as RTP packets to enter the calling card information or 
> priority codes.
> 
> That use case came up in a discussion recently.  It is not "future work" 
> in my opinion.  It is also not dramatically different from what we have 
> been discussing either.

It's also totally compatible with DTLS-SRTP as-is.

Remember, the DTLS client and serve authentication here are for
the purposes of binding the DTLS handshake to SIP not necessarily
for the purposes of binding the DTLS-SRTP to an identity. So,
in this case, what would happen is that both parties would
DTLS authenticate with their self-signed certs. Optionally,
callee could use their third-party cert instead. Once the media
stream is established the client enters DTMF over the secure media
stream.

Note that this works no matter which side takes on the DTLS client/server
role, which, btw, is an issue totally orthogonal to who is the callee
or caller.

-Ekr

Follow-Ups:
- Re: Plan for moving forward
  - From: Lakshminath Dondeti

References:
- RE: Plan for moving forward
  - From: Dan Wing
- Re: Plan for moving forward
  - From: Sam Hartman
- Re: Plan for moving forward
  - From: Lakshminath Dondeti

Prev by Date: Re: Plan for moving forward
Next by Date: Re: Additional use cases? (Re: Plan for moving forward)
Previous by thread: Re: Plan for moving forward
Next by thread: Re: Plan for moving forward
Index(es):
- Date
- Thread