Lewis Adam-CAL022
2011-11-08 13:51:31 UTC
Hi all,
rfc4474 describes how an Authentication Service - which might be
implemented in a SIP proxy - can make digital signatures which provide
assurance for SIP applications that the asserted SIP identity is valid.
It recommends implementing this service within a SIP proxy since the SIP
proxy 1) is likely to have a private signing key, and 2) has access to
SIP registrar services. It is the second part I have a question about.
If a network has a dedicated SIP proxy and a dedicated SIP registrar,
and a SIP user registers with the SIP registrar using HTTP digest, then
how does this help the SIP proxy validate the identity of the SIP user,
such that it can add a digital signature to SIP messages received from
the UE? A few things come to mind:
* User can authenticates separately to the SIP proxy and create an
authenticated user session with it
* Something like IMS, where successful registration with the S-CSCF
results in an authenticated IPsec SA between the UE and P-CSCF
* Co-located SIP proxy and SIP registrar in the same box
* Others?
I'm guessing that the RFC intentionally did not address the "how" of
this and leaves it to implementation, just want to make sure I'm not
missing something. Are there any other well known ways to solve this
other than those I mention above?
Tx!
adam
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is essentially closed and only used for finishing old business.
Use sip-***@cs.columbia.edu for questions on how to develop a SIP implementation.
Use ***@ietf.org for new developments on the application of sip.
Use ***@ietf.org for issues related to maintenance of the core SIP specifications.
rfc4474 describes how an Authentication Service - which might be
implemented in a SIP proxy - can make digital signatures which provide
assurance for SIP applications that the asserted SIP identity is valid.
It recommends implementing this service within a SIP proxy since the SIP
proxy 1) is likely to have a private signing key, and 2) has access to
SIP registrar services. It is the second part I have a question about.
If a network has a dedicated SIP proxy and a dedicated SIP registrar,
and a SIP user registers with the SIP registrar using HTTP digest, then
how does this help the SIP proxy validate the identity of the SIP user,
such that it can add a digital signature to SIP messages received from
the UE? A few things come to mind:
* User can authenticates separately to the SIP proxy and create an
authenticated user session with it
* Something like IMS, where successful registration with the S-CSCF
results in an authenticated IPsec SA between the UE and P-CSCF
* Co-located SIP proxy and SIP registrar in the same box
* Others?
I'm guessing that the RFC intentionally did not address the "how" of
this and leaves it to implementation, just want to make sure I'm not
missing something. Are there any other well known ways to solve this
other than those I mention above?
Tx!
adam
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is essentially closed and only used for finishing old business.
Use sip-***@cs.columbia.edu for questions on how to develop a SIP implementation.
Use ***@ietf.org for new developments on the application of sip.
Use ***@ietf.org for issues related to maintenance of the core SIP specifications.