[SIPForum-techwg] Interoperability Draft v3 - scope and conformance

Henry Sinnreich henry at pulver.com
Wed Dec 14 22:37:03 EST 2005


> should we make PKI a MUST?

The sad track record of some of the IETF security approaches should make us
skeptical of any standard that is not authored by practicing security
developers themselves.
 
I would invite anyone on this list to share their _personal_ experience
with PKI, some _personal_ war stories, before a decision is made. If no one
comes forward with such personally experienced security implementations,
then please just don't mention PKI any more, since we could not prove the
assertion on why it is such a good idea, except shift the accountability to
some reference standard document.

The right mental approach is if I cannot make it work myself - for my
customers, there will soon be no paycheck.

My vote of confidence goes to the SIP certificate service
http://www.ietf.org/internet-drafts/draft-ietf-sipping-certs-02.txt 

The SIP cert service relieves users from managing any certificates or indeed
ever seeing a certificate.

Thanks, Henry


 

-----Original Message-----
From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On
Behalf Of Jay Batson
Sent: Wednesday, December 14, 2005 8:39 PM
To: Alan Johnston; Horvath Ernst; SIP Forum Tech WG
Subject: Re: [SIPForum-techwg] Interoperability Draft v3 - scope and
conformance

Guys --

Regarding the snipped portion of the thread below.  I've been having  
to work on security a bit in another domain, and seeing discussions  
about why, when such good technology ideas are around for security,  
so few of the "good" security solutions get deployed.

There is a camp that would say that pretty good security is better  
than excellent if pretty-good is easier to deploy.  This is generally  
brought up in the context of PKI, along with a complaint that getting  
public key certificates set up "right" is just the tiniest bit more  
of a nuisance than people are willing to spend time on.  So, few  
people do it.

And SSH's "leap of faith" model is touted as a good-enough model that  
doesn't require PKI, and has succeeded wildly.

Now granted, one could say that "SSH and Enterprise / SP connectivity  
are different," and our application really needs PKI.  Or, maybe it's  
mandated by the use of other choices we've made.

But my question is, should we make PKI a MUST?  Or, should it be a  
SHOULD, and allow providers / enterprises to agree on an option that  
allows something more like the SSH leap-of-faith model for  
authentication?

I *could* be totally dumb here, and not realize how this technical  
approach wouldn't apply / couldn't be done in this instance.  If so,  
toss this out.

But, if not, should we allow for it?

-jb


On Dec 13, 2005, at 12:00 PM, Alan Johnston wrote:
>> - Mandatory PKI support is implied by text on TLS, but the only
>> reference related to PKI is RFC 2560 (OCSP). Why was this particular one
>> picked - an implementation can use other ways of checking a certificate.
>> Should other PKI RFCs be added as well?
>>
>>
> I don't agree that mandatory PKI support is required by this  
> recommendation.  I do agree that the text only mentioning OCSP is  
> not quite right.  I think it should say something like the
> following:
>
> Certificates received over TLS MUST be verified and MAY be
> validated.  Verification steps include verifying that the  
> certificate has not expired, that the issuing CA is one the PBX  
> trusts, and finally that the subject of the certificate matches the  
> server's host name or SIP URI.  Validation can be performed using a  
> CRL, OCSP, or other approaches.
>
> If you agree with a statement such as the one above, are there any  
> other PKI RFCs that need to be referenced?
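
The SSH-style "leap of faith" option raised in this thread, sketched as an added example that is not part of the original messages or of any SIP Forum document: a known_hosts-style pin store that accepts a peer's certificate on first contact and flags any later change. The peer name, file name and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

NEW_PEER, MATCH, MISMATCH = "new-peer", "match", "mismatch"


class PinStore:
    """known_hosts-style store: peer name -> SHA-256 of its DER certificate."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, peer, der_cert):
        """der_cert: bytes such as ssl.SSLSocket.getpeercert(binary_form=True)."""
        peer = peer.lower().rstrip(".")  # host names compare case-insensitively
        seen = hashlib.sha256(der_cert).hexdigest()
        pinned = self.pins.get(peer)
        if pinned is None:
            # Leap of faith: nothing authenticates this first contact.
            self.pins[peer] = seen
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))
            return NEW_PEER
        # A mismatch never overwrites the pin; re-pinning is an operator decision.
        return MATCH if hmac.compare_digest(pinned, seen) else MISMATCH


def demo():
    # Constructed stand-ins for two DER certificates (not real certificates).
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    peer = "sip.provider.example"  # hypothetical peer name
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "known_peers.json"
        results = [PinStore(path).check(peer, cert_a)]   # first contact
        store = PinStore(path)                           # reload, as after a restart
        results.append(store.check("SIP.Provider.Example.", cert_a))
        results.append(store.check(peer, cert_b))        # certificate changed
        results.append(store.check(peer, cert_a))        # original pin kept
    return results


if __name__ == "__main__":
    print(demo())
```

The `new-peer` result marks the one connection this model cannot authenticate; a deployment that agrees on this option still has to decide who confirms that first fingerprint and who approves a re-pin after a `mismatch`.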
