[NEW Module] SIP Identity

Adrian Georgescu
I imagine one would want to use this mechanism exactly between two
legitimate hops to make sure that no intermediate has tampered with
the messages, isn't it?

Adrian

Bogdan-Andrei Iancu wrote:
 > Hi Victor,
 >
 > I think this "limitation" is part of the mechanism :).
 >
 > it is the same as for secure sip and TLS

not really -- changes to payload by legitimate SIP hops work with TLS
but not with RFC4474.
That was Victor's point.

-jiri

 > - if you get on the path a node
 > with no TLS support, the call will fail. In this case, if a hop does
 > not understand SIP identity and changes the message, the call will be
 > denied.
 >
 > Regards,
 > Bogdan
 >
 > Victor Pascual Ávila wrote:
 >> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu <ag at ag-projects.com> wrote:
 >>
 >>> Beyond being plain interesting, it is the most cost-effective way to
 >>> implement secure identity between SIP Proxies serving different domains.
 >>>
 >> Unless you had a node along the path breaking the signature
 >>
 >
 >
 > _______________________________________________
 > Users mailing list
 > Users at lists.opensips.org
 > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
 >



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [NEW Module] SIP Identity

Bogdan-Andrei Iancu
and in my understanding, if a hop changes something in the body, it
should be authorized to do that and also it needs to update the Identity.

Regards,
Bogdan


Adrian Georgescu wrote:

> I imagine one would want to use this mechanism exactly between two
> legitimate hops to make sure that no intermediate has tampered with
> the messages, isn't it?
>
> Adrian
>
> Bogdan-Andrei Iancu wrote:
>  > Hi Victor,
>  >
>  > I think this "limitation" is part of the mechanism :).
>  >
>  > it is the same as for secure sip and TLS
>
> not really -- changes to payload by legitimate SIP hops work with TLS
> but not with RFC4474.
> That was Victor's point.
>
> -jiri
>
>  > - if you get on the path a node
>  > with no TLS support, the call will fail. In this case, if a hop does
>  > not understand SIP identity and changes the message, the call will be
>  > denied.
>  >
>  > Regards,
>  > Bogdan
>  >
>  > Victor Pascual Ávila wrote:
>  >> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu <ag at ag-projects.com> wrote:
>  >>
>  >>> Beyond being plain interesting, it is the most cost-effective way to
>  >>> implement secure identity between SIP Proxies serving different domains.
>  >>>
>  >> Unless you had a node along the path breaking the signature
>  >>

Re: [NEW Module] SIP Identity

Victor Pascual Avila
On Fri, Feb 20, 2009 at 6:27 PM, Bogdan-Andrei Iancu
<[hidden email]> wrote:
> and in my understanding, if a hop changes something in the body, it
> should be authorized to do that and also it needs to update the Identity.

Nodes that modify parts of the signed information simply break the
signature. Intermediate domains could re-sign but this assumes that
the intermediate domains support RFC4474 while it introduces a
transitive trust.

Cheers,
--
Victor Pascual Ávila
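
The point debated in this thread, as an added example that is not part of any message above and is not OpenSIPS module code: RFC 4474 signs a digest-string built from the From, To, Call-ID, CSeq, Date and Contact values plus the message body, so a hop that rewrites any of those invalidates the Identity header while a hop that only adds a Via header does not. The INVITE, hosts and function names are constructed for illustration; compact header forms are not handled, and the RSA step is left out because verification fails whenever the hash over the digest-string differs.

```python
import hashlib
import re

# Constructed sample INVITE (not from the thread); hosts and values are made up.
INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy.example.com;branch=z9hG4bK1\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928\r\n"
    "To: Bob <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Fri, 20 Feb 2009 16:27:00 GMT\r\n"
    "Contact: <sip:alice@192.0.2.10>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49172 RTP/AVP 0\r\n"
)

def addr_spec(value):
    """Return the URI from a From/To/Contact value, without display name or header params."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def digest_string(msg):
    """Build the RFC 4474 digest-string: the only parts the Identity header covers."""
    head, _, body = msg.partition("\r\n\r\n")
    hdr = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        hdr.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    contact = addr_spec(hdr["contact"]) if "contact" in hdr else ""
    return "|".join([addr_spec(hdr["from"]), addr_spec(hdr["to"]), hdr["call-id"],
                     hdr["cseq"], hdr["date"], contact, body])

def signed_hash(msg):
    """SHA-1 over the digest-string; the authentication service RSA-signs this hash."""
    return hashlib.sha1(digest_string(msg).encode()).hexdigest()

def breaks_identity(original, forwarded):
    """True if a hop's rewrite changed signed data, so Identity verification would fail."""
    return signed_hash(original) != signed_hash(forwarded)

# Hop A only adds its own Via header: outside the signed fields.
via_added = INVITE.replace("Via:", "Via: SIP/2.0/UDP hop.example.net;branch=z9hG4bK2\r\nVia:", 1)
# Hop B rewrites the SDP connection address (e.g. a media relay): inside the signed body.
sdp_rewritten = INVITE.replace("c=IN IP4 192.0.2.10", "c=IN IP4 198.51.100.7")

if __name__ == "__main__":
    print(breaks_identity(INVITE, via_added), breaks_identity(INVITE, sdp_rewritten))
```

A verifier-side operator can use the same comparison to tell which intermediary rewrite (body, Contact, Date) caused a failed Identity check when traces from both sides of the hop are available.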