[VOIPSEC] DKIM Domain Key Identified Mail
Simon Horne
s.horne at isvo.net
Fri Nov 25 04:15:13 GMT 2005
Dan,
SIP identity, I think, is quite different to DKIM. In SIP identity you are
authenticating both UAs using the SIP servers. The DKIM is just
authenticating the sending server and not the actual sender (or caller). To
include a SIP server signature in the invite message is quite simple: the
calling UA is already authenticated with the SIP server, then all that is
required is the receiving server to authenticate the sending server. Since
the person being called is already authenticated with the receiving SIP
server then you have common trust.
I notice this also covers end user end-to-end authentication however....
From draft-ietf-sip-identity-06.txt
....
To maximize end-to-end security, it is obviously preferable for end users
to acquire their own certificates and corresponding private keys; if they
do, they can act as an authentication service. However, end-user
certificates may be neither practical nor affordable, given the
difficulties of establishing a PKI that extends to end users....
...Accordingly, in the initial use of this mechanism, it is likely that
intermediaries will instantiate the authentication service role....
Ideally. This is what we're trying to port to SIP, the UAs act as their
own authentication service. :(
Also I noticed that it may take 6 messages to authenticate both parties and
then on top of that you may have to download 2 certificates. If parties are
a distance apart (say 150ms delay) then it may be in excess of 1.5 sec just
to authenticate each other, is that acceptable?
Simon
At 08:51 AM 25/11/2005, Dan Wing wrote:
>draft-ietf-sip-identity-06.txt is arguably similar to DKIM, and applies to
>SIP.
>
>I believe it has been approved by the IESG and is in the RFC Editor's queue
>(which means it'll soon be an RFC).
>
>-d
>
>
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org
> > [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Simon Horne
> > Sent: Thursday, November 24, 2005 12:22 AM
> > To: voipsec at voipsa.org
> > Subject: [VOIPSEC] DKIM Domain Key Identified Mail
> >
> >
> > Came across this draft to the IETF being used to authenticate
> > email and
> > prevent spoofing.
> >
> > http://bgp.potaroo.net/ietf/idref/draft-allman-dkim-base/
> > Interesting idea for a domain server to sign outgoing emails
> > and have the
> > receiving server validate them with the sender domain's public key
> > retrieved from DNS.
> >
> > It's very lightweight and I wonder whether it would
> > be applicable to use
> > between SIP servers
> > i.e. the server signs the invite message and the receiver validates the
> > signature before routing the message.
> >
> > I don't think storing in DNS and retrieving as required is a
> > good idea for
> > real time communication however having a central repository
> > might be an
> > idea which the SIP servers can put down every day or so. This
> > will save a
> > lot of work compared to each server maintaining a large ACL
> >
> >
> > Simon
> >
> >
*************************************************************
Simon Horne
Director
International Secure Virtual Offices (Asia) Pte Ltd
1 Liang Seah St Virteos H323COMtools
#04-24 Liang Seah St
Singapore 189022 Timezone (+8 GMT)
http://www.isvo.net Ph: +65 6837 3326
************************************************************
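
The server-to-server scheme discussed in this thread (the sending server signs the INVITE, the receiving server validates it before routing), as an added example that is not part of the original post or of the draft. Ed25519 stands in for whatever algorithm a real deployment specifies, the `|`-joined field layout is an assumption of this sketch, and `KeyStore` is a hypothetical local copy of the shared key repository suggested in the quoted message; all sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// Invite carries only the fields the signature covers (constructed sample, not a SIP parser).
type Invite struct {
	From, To, CallID, CSeq, Date, Body, Signature string
}

// KeyStore maps a sending domain to its public key (hypothetical cached repository copy).
type KeyStore map[string]ed25519.PublicKey

// signedString joins the covered fields; this layout is an assumption of the example.
func signedString(m Invite) []byte {
	return []byte(strings.Join([]string{m.From, m.To, m.CallID, m.CSeq, m.Date, m.Body}, "|"))
}

func domainOf(uri string) string { // host part of sip:user@host, lower-cased
	return strings.ToLower(uri[strings.LastIndex(uri, "@")+1:])
}

// Sign is run by the sending server once it has authenticated the calling UA.
func Sign(m Invite, priv ed25519.PrivateKey) Invite {
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedString(m)))
	return m
}

// Verify is run by the receiving server before it routes the INVITE.
func Verify(m Invite, keys KeyStore) error {
	pub, ok := keys[domainOf(m.From)]
	if !ok {
		return fmt.Errorf("no key on file for domain %q", domainOf(m.From))
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || !ed25519.Verify(pub, signedString(m), sig) {
		return fmt.Errorf("signature does not match INVITE from %q", m.From)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	inv := Sign(Invite{From: "sip:alice@a.example", To: "sip:bob@b.example", CallID: "c1", CSeq: "1 INVITE"}, priv)
	fmt.Println(Verify(inv, KeyStore{"a.example": pub}))
}
```

As in the thread's DKIM comparison, a valid signature here vouches only for the sending domain; the caller identity in `From` is trusted because that server authenticated its own UA.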