[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Additional use cases? (Re: Plan for moving forward)

To: Lakshminath Dondeti <ldondeti@xxxxxxxxxxxx>
Subject: Re: Additional use cases? (Re: Plan for moving forward)
From: Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 07 Jun 2007 06:28:04 -0700
Cc: Dan Wing <dwing@xxxxxxxxx>, ietf-rtpsec@xxxxxxx, "'Sam Hartman'" <hartmans-ietf@xxxxxxx>, "'Tim Polk'" <tim.polk@xxxxxxxx>, jon.peterson@xxxxxxxxxxx
In-reply-to: <46679A8E.1080005@xxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <07b201c7a737$f0526500$c2f0200a@xxxxxxxxxxxxxx> <46679A8E.1080005@xxxxxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
User-agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)

At Wed, 06 Jun 2007 22:41:34 -0700,
Lakshminath Dondeti wrote:
> I guess I talked about the generic case a few times, so let's start with 
> an example.  Consider the use case of using calling cards
> 
> Alice is a SIP Phone, and Uma wants to use it to make a call to Bob 
> (Calling card Server).
> 
> Case 1: Uma registers Alice as an authorized phone with Bob.  The 
> current model of DTLS-SRTP works (although it reverses the client-server 
> relationship).

Why does this reverse the client-server relationship?

1. DTLS-SRTP requires that both sides have certificates, but EITHER
side can have a self-signed cert or a third-party cert. This is true
no matter which side is client or server. 

2. The client-server relationship in DTLS-SRTP is actually independent
of who is the caller. It's controlled by passive/active attributes
in the SDP. In general, it's attractive for the answerer to be the
client, purely for the performance reason that if you're not using
ICE you want the ClientHello to be sent immediately to minimize RTTs.
[With ICE, the performance issues are more complicated and depend
on which side is controlling and whether you are doing aggressive
or regular nomination].

> Case 2: Alice is any SIP Phone and Uma makes a call using it.  Uma may 
> accept Bob's identity asserted through the SIP infrastructure, but wants 
> to authenticate via a secure channel established with Bob authenticated 
> and Uma will authenticate by sending calling card information (username, 
> password, or just password) as DTMF tones in the media path.  (Note: Uma 
> may not necessarily trust Bob's identity asserted through the SIP 
> infrastructure.)
>
> Case 3: Bob's identity is asserted in the media path and Uma enters the 
> calling card information as DTMF tones in the media path.
>
> In other contexts, the terms user-identity and device-identity have also 
> been used.
> 
> Note that priority call placement use case is similar.

I don't understand why you think that any of these cases presents
a problem. 

You just do the ordinary SIP-Identity + DTLS-SRTP handshake,
which are all about protecting the signalling channel and binding
it to the media and then you pass the DTMF or whatever in the
media. This works fine.

-Ekr

Follow-Ups:
- RE: Additional use cases? (Re: Plan for moving forward)
  - From: Francois Audet
- Re: Additional use cases? (Re: Plan for moving forward)
  - From: Lakshminath Dondeti

References:
- RE: Plan for moving forward
  - From: Dan Wing
- Additional use cases? (Re: Plan for moving forward)
  - From: Lakshminath Dondeti

Prev by Date: Re: Plan for moving forward
Next by Date: Re: Plan for moving forward
Previous by thread: Additional use cases? (Re: Plan for moving forward)
Next by thread: Re: Additional use cases? (Re: Plan for moving forward)
Index(es):
- Date
- Thread