[VOIPSEC] DKIM Domain Key Identified Mail
Tyler Johnson
trjohns1 at email.unc.edu
Mon Nov 28 02:45:19 GMT 2005
I personally do not think that domain to domain authentication really
meets the business needs of many. For example, if I am expecting a
communication from Duke University Hospital about the results of my lab
tests, knowing that a message is from Duke does not tell me if it is
from the Hospital or some student. Similarly, getting a message
'verified by Time Warner Cable' tells me just about nothing about the
authenticity of the message, other than the sender paid 50 bucks to Time
Warner Cable (maybe).

I appreciate the difficulties with end user PKI, though I think it is
the ultimate solution and we should pursue it. However, SAML offers
similar advantages (i.e. end to end) without requiring end to end PKI.
I think we have a responsibility to ensure that end to end security is a
core functionality now, and not put that problem off for later.

Simon Horne wrote:
> Dan,
>
> sip identity I think is quite different to DKIM. In sip identity you are
> authenticating both UA's using the SIP servers. The DKIM is just
> authenticating the sending server and not the actual sender (or caller). To
> include a SIP server signature in the invite message is quite simple, the
> calling UA is already authenticated with the sip server, then all that is
> required is the receiving server to authenticate the sending server. Since
> the person being called is already authenticated with the receiving SIP
> server then you have common trust.
>
> I notice this also covers end user end-to-end authentication however....
> From draft-ietf-sip-identity-06.txt
> ....
> To maximize end-to-end security, it is obviously preferable for end users
> to acquire their own certificates and corresponding private keys; if they
> do, they can act as an authentication service. However, end-user
> certificates may be neither practical nor affordable, given the
> difficulties of establishing a PKI that extends to end users....
> ...Accordingly, in the initial use of this mechanism, it is likely that
> intermediaries will instantiate the authentication service role....
>
> Ideally. This is what we're trying to port to SIP, the UA's act as their
> own authentication service.:(
>
> Also I noticed that it may take 6 messages to authenticate both parties and
> then on top of that you may have to download 2 certificates. If parties are
> a distance apart (say 150ms delay) then it may be in excess of 1.5 sec just
> to authenticate each other, is that acceptable?
>
>
> Simon
>
> At 08:51 AM 25/11/2005, Dan Wing wrote:
>
>>draft-ietf-sip-identity-06.txt is arguably similar to DKIM, and applies to
>>SIP.
>>
>>I believe it has been approved by the IESG and is in the RFC Editor's queue
>>(which means it'll soon be an RFC).
>>
>>-d
>>
>>
>>
>>>-----Original Message-----
>>>From: Voipsec-bounces at voipsa.org
>>>[mailto:Voipsec-bounces at voipsa.org] On Behalf Of Simon Horne
>>>Sent: Thursday, November 24, 2005 12:22 AM
>>>To: voipsec at voipsa.org
>>>Subject: [VOIPSEC] DKIM Domain Key Identified Mail
>>>
>>>
>>>Came across this draft to the IETF being used to authenticate email and
>>>prevent spoofing.
>>>
>>>http://bgp.potaroo.net/ietf/idref/draft-allman-dkim-base/
>>>Interesting idea for a domain server to sign outgoing emails and have the
>>>receiving server validate them with the sender domain's public key
>>>retrieved from DNS.
>>>
>>>It's very light weight and I wonder whether it would be applicable to use
>>>between SIP servers
>>>ie the server signs the invite message and the receiver validates the
>>>signature before routing the message.
>>>
>>>I don't think storing in DNS and retrieving as required is a good idea for
>>>real time communication however having a central repository might be an
>>>idea which the SIP servers can put down every day or so. This will save a
>>>lot of work compared to each server maintaining a large ACL
>>>
>>>
>>>Simon
>>>
>>>
>>>_______________________________________________
>>>Voipsec mailing list
>>>Voipsec at voipsa.org
>>>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> *************************************************************
> Simon Horne
> Director
> International Secure Virtual Offices (Asia) Pte Ltd
> 1 Liang Seah St Virteos H323COMtools
> #04-24 Liang Seah St
> Singapore 189022 Timezone (+8 GMT)
> http://www.isvo.net Ph: +65 6837 3326
>
> ************************************************************
--
Tyler Johnson
http://www.unc.edu/~trjohns1
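
The server-to-server signing discussed in this thread, as an added example that is not taken from any poster, from DKIM or from draft-ietf-sip-identity: the sending server signs an INVITE and the receiving server checks it against a locally cached per-domain public key before routing. Ed25519, the `Invite` fields, the newline-joined digest and the `example.*` names are assumptions chosen for illustration, not either specification's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Invite is a constructed, simplified SIP INVITE (hypothetical fields, no real parser).
type Invite struct{ From, To, CallID, Date, Body, Sig string }

// digest binds the signature to the chosen headers and to a hash of the body.
func digest(m Invite) []byte {
	h := sha256.Sum256([]byte(m.Body))
	b := base64.StdEncoding.EncodeToString(h[:])
	return []byte(strings.Join([]string{m.From, m.To, m.CallID, m.Date, b}, "\n"))
}

// Sign runs on the sending domain's server, after it has authenticated its own UA.
func Sign(m Invite, key ed25519.PrivateKey) Invite {
	m.Sig = base64.StdEncoding.EncodeToString(ed25519.Sign(key, digest(m)))
	return m
}

// Verify runs on the receiving server; keys is a local copy of per-domain public keys.
func Verify(m Invite, keys map[string]ed25519.PublicKey) bool {
	domain := strings.ToLower(m.From[strings.LastIndex(m.From, "@")+1:])
	pub, ok := keys[domain]
	sig, err := base64.StdEncoding.DecodeString(m.Sig)
	return ok && err == nil && ed25519.Verify(pub, digest(m), sig)
}

// demo returns the verdicts for: a signed INVITE, another user of the same
// domain, a copy whose To was changed after signing, and an unlisted domain.
func demo() (bool, bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	keys := map[string]ed25519.PublicKey{"example.edu": pub}
	inv := Invite{From: "sip:lab@example.edu", To: "sip:bob@example.net",
		CallID: "c1", Date: "Mon, 28 Nov 2005 02:45:19 GMT", Body: "v=0"}
	lab := Sign(inv, priv)
	inv.From = "sip:student@example.edu"
	student := Sign(inv, priv)
	changed := lab
	changed.To = "sip:carol@example.net"
	inv.From = "sip:lab@example.org"
	return Verify(lab, keys), Verify(student, keys), Verify(changed, keys), Verify(Sign(inv, priv), keys)
}

func main() { fmt.Println(demo()) }
```

Both senders in `example.edu` verify under the same domain key, so the check establishes the signing domain and depends on that domain's server for the user part of `From`.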