[VOIPSEC] Client authentication

Mark Baugher mbaugher at cisco.com
Thu Apr 13 17:49:08 PDT 2006


Joe,
   I think SIPS might be fine for some things, such as authorizing a  
connection to a remote proxy.  Maybe the only thing that needs to be  
known is that the particular proxy is certified to use a certain  
domain name such as phone.example.com.  A site cert can do that.

   What SIPS is not good for IMHO is as a transport for plaintext keys  
and sensitive information (e.g. call party identities).  In this  
case, we may be giving the proxy way too much information about the  
call and violate users' privacy while doing so.  Thus, my comment  
about SIPS (just like starttls in SMTP) should be that it's fine for  
a specific type of access control, but just because I elect to route  
my signaling message through that proxy does not mean I want to share  
every possible piece of information about the call, notably the SRTP  
keys.


Mark

On Apr 12, 2006, at 7:01 AM, Varghese, George (Joe) wrote:

> Mark,
>
> Could you elaborate on why SIPS does not offer great security?  I
> thought SIPS doesn't rule out site or client certification, and it is
> arguably needed to achieve the needed hop-by-hop protection, e.g. the
> recent contribution to IETF:
>
> http://www.ietf.org/internet-drafts/draft-gurbani-sip-tls-use-00.html
>
> It seemed that with proper implementation one can achieve great security
> with SIPS ... ?
>
> Thanks,
>
> joe varghese
>
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Mark Baugher
>> Sent: Wednesday, April 12, 2006 8:04 AM
>> To: Christoph Fürstaller
>> Cc: voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] Client authentication
>>
>>
>> If you don't use client certs then how can you tell who is on the other
>> side of the connection?  I admit that sips does not offer great
>> security.  But why use it at all if you are not going to control access
>> when making a connection?  Wouldn't you require something like a site
>> cert?
>>
>> Mark
>> On Apr 12, 2006, at 5:29 AM, Christoph Fürstaller wrote:
>>
>>> Hi,
>>>
>>> I'm testing SIPS for increased security during the call
>>> establishment.
>>>
>>> Is it a good idea to use client certs (for the TLS connection)? Or is the
>>> effort to realise that too much? Because the benefits from authenticating a
>>> client only for the TLS connection aren't that much. Authenticating the
>>> client against a DB is done later on in the PBX, so authentication would
>>> be done twice.
>>>
>>> What do you think about that?
>>>
>>> chris...
>>>
>>> _______________________________________________
>>> Voipsec mailing list
>>> Voipsec at voipsa.org
>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>>
>>
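To make Mark's point concrete (SIPS protects each hop, but the proxy that terminates TLS reads every header and the whole SDP body, SRTP keys included), here is an added example that is not part of the thread: a small Python audit of what such a proxy can see from a constructed SIPS INVITE carrying an RFC 4568 `a=crypto:` (SDES) line. The INVITE, its addresses and the key bytes are all constructed values.

```python
"""Audit what a TLS-terminating SIP proxy can read from a SIPS INVITE.
Added example, not from the thread; the INVITE/SDP is constructed. The
a=crypto line follows RFC 4568 (SDES): the SRTP master key rides in
plaintext base64 inside the SDP body, visible to every proxy on the path.
"""
import base64
import re

# Constructed SIPS INVITE; the 30 dummy key bytes stand for a 16-byte AES
# master key plus 14-byte salt as RFC 4568 lays them out.
SAMPLE_INVITE = (
    "INVITE sips:bob@phone.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS alice.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: <sips:alice@example.com>;tag=1928301774\r\n"
    "To: <sips:bob@phone.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
    + base64.b64encode(b"\x01" * 30).decode() + "|2^20|1:32\r\n"
)

CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)", re.M)

def audit_proxy_visibility(msg: str) -> dict:
    """Return the fields a hop-by-hop TLS proxy reads from one request:
    SIPS protects the hop, but the proxy terminates TLS and parses the
    whole message, so parties and SDES SRTP keys are exposed to it."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    keys = []
    for tag, suite, key_b64 in CRYPTO_RE.findall(body):
        raw = base64.b64decode(key_b64)            # the proxy can decode it too
        keys.append({"tag": int(tag), "suite": suite, "key_bytes": len(raw)})
    return {
        "sips": msg.startswith("INVITE sips:"),
        "parties": {"from": headers.get("from"), "to": headers.get("to")},
        "exposed_srtp_keys": keys,
    }
```

An empty `exposed_srtp_keys` list (for example when keys are negotiated end-to-end instead of in SDP) is what you want to see from a proxy's vantage point.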