End-to-middle Security in SIP
draft-ietf-sipping-e2m-sec-reqs-04
draft-ono-sipping-end2middle-security-03
Kumiko Ono, ono.kumiko@lab.ntt.co.jp
IETF61
Requirements draft-ietf-sipping-e2m-sec-reqs-04
Changes since 03
• Section 2.1: Examples of Scenarios
  • Removed the text that overlapped with the scope of session policies
  • Removed the text that described illegal behavior of a proxy server
Changes since 03 (cont'd)
• Section 4: Requirements for a Solution
  • Added notes describing the requirements that are met by session policies
  • Added a note describing the requirement that is met by an existing mechanism, digest authentication
  • Changed "SHOULD" to "MAY" in REQ-CONF-4:
    REQ-CONF-4: It MAY allow a UA to request that the recipient UA disclose information to the proxy server to which the requesting UA is disclosing the information. The request itself SHOULD be secure.
  • Added the conditions under which each requirement applies
• References
  • Divided the references into normative and informative
In WG Last Call until Nov. 20
• Feedback is appreciated.
Mechanism draft-ono-sipping-end2middle-security-03
Open Issue #1: Labeling the target body for the "middle"
• Option A-1. A new SIP header, e.g. "Proxy-Required-Body"
• Option A-2. A new parameter in an existing SIP header, e.g. a "content-id" parameter in the Route header
• Option B-1. A new MIME header, e.g. "Content-Target"
• Option B-2. A new parameter in an existing MIME header, e.g. a "required-entity" parameter in "Content-Disposition"
My proposal: Option A-1, a new SIP header
Open Issue #2: Notification with a new error code
A proxy server should have a way to notify a UA that it requires e2m security, in addition to the UAC-driven method such as the session policy package.
1) When a proxy server needs to view encrypted data sent by the UAC, it requires end-to-middle confidentiality.
  • Use the existing error code "493 Undecipherable", with the target content type carried in a Warning header
2) When a proxy server needs to validate the integrity of data in the message, it requires end-to-middle integrity.
  • 403 Forbidden?
  • A new error code, such as "495 Signature required", with the target content type carried in a Warning header
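As an added illustration of both open issues above (example code written for this page, not code from either draft or from the author), the Python sketch below shows how a proxy would consume an Option A-1 label and how it would raise the two notifications discussed. A UAC builds a multipart INVITE with one S/MIME-encrypted part for the UAS and one part labeled for the proxy by Content-ID; the proxy keeps only the labeled parts, answers 493 Undecipherable when what it needs is only available encrypted, or 495 Signature required when its policy needs integrity and the part is unsigned, and names the target content type in a Warning header. The header name and its value syntax, the 495 reason phrase, the use of Warning code 399 to carry the content type, and all message contents are assumptions made for the example; the S/MIME bodies are placeholders, not real ciphertext or signatures.

```python
# Added example, not code from either draft or from the author: a toy proxy-side
# check for the two open issues on this page.  ASSUMPTIONS made for illustration:
# the header "Proxy-Required-Body: <content-id>" (Option A-1), the status
# "495 Signature required", and Warning code 399 carrying the target content type.
import re
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"

def parse_headers(block: str) -> Dict[str, str]:
    """'Name: value' lines -> dict keyed by lower-cased name (last value wins)."""
    headers: Dict[str, str] = {}
    for line in filter(None, block.split(CRLF)):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, headers and body (RFC 3261 framing)."""
    head, _, body = raw.partition(CRLF + CRLF)
    start, _, rest = head.partition(CRLF)
    return start, parse_headers(rest), body

def parse_parts(content_type: str, body: str) -> List[Tuple[Dict[str, str], str]]:
    """MIME body parts as (headers, content); a non-multipart body is one part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return [({"content-type": content_type}, body)]
    parts = []
    for chunk in body.split("--" + m.group(1))[1:]:
        if chunk.startswith("--"):                  # closing delimiter "--boundary--"
            break
        hdr, _, content = chunk[len(CRLF):].partition(CRLF + CRLF)
        parts.append((parse_headers(hdr), content.rstrip(CRLF)))
    return parts

def media_type(content_type: str) -> str:
    return content_type.split(";")[0].strip().lower()

def visible_type(part: Tuple[Dict[str, str], str]) -> Tuple[Optional[str], bool]:
    """(type the proxy can read, or None if encrypted; signed?); unwraps multipart/signed."""
    headers, content = part
    ct = headers.get("content-type", "")
    if media_type(ct) == "application/pkcs7-mime" and "enveloped-data" in ct:
        return None, False                          # EnvelopedData: opaque without the key
    if media_type(ct) == "multipart/signed":        # RFC 1847: first part is the protected one
        inner_headers, _ = parse_parts(ct, content)[0]
        return media_type(inner_headers.get("content-type", "")), True
    return media_type(ct), False

def proxy_check(raw: str, needed_type: str, need_integrity: bool,
                host: str = "proxy.example.com") -> Tuple[int, str, Optional[str]]:
    """Returns (status, reason, Warning value) for a proxy that must read `needed_type`;
    status 0 means 'forward as is'."""
    _, headers, body = parse_sip(raw)
    parts = parse_parts(headers.get("content-type", ""), body)
    label = headers.get("proxy-required-body")      # Option A-1 (assumed syntax)
    if label is not None:                           # only the parts labeled for the middle
        wanted = {cid.strip() for cid in label.split(",")}
        parts = [p for p in parts if p[0].get("content-id") in wanted]
    seen = [visible_type(p) for p in parts]
    warning = f'399 {host} "{needed_type}"'          # assumed: target type as warn-text
    if any(t == needed_type and (signed or not need_integrity) for t, signed in seen):
        return 0, "", None
    if any(t == needed_type for t, _ in seen):      # readable but unsigned
        return 495, "Signature required", warning   # issue #2 case 2: proposed code
    if any(t is None for t, _ in seen):             # encrypted; may hide what we need
        return 493, "Undecipherable", warning       # issue #2 case 1: RFC 3261 code
    return 0, "", None                              # nothing relevant to this proxy

def build_response(request: str, status: int, reason: str, warning: Optional[str]) -> str:
    """Proxy-generated response (RFC 3261 8.2.6.2): copy Via, From, To, Call-ID, CSeq."""
    _, headers, _ = parse_sip(request)
    lines = [f"SIP/2.0 {status} {reason}"]
    lines += [f"{n}: {headers[n.lower()]}" for n in ("Via", "From", "To", "Call-ID", "CSeq")]
    if warning:
        lines.append(f"Warning: {warning}")
    return CRLF.join(lines + ["Content-Length: 0"]) + CRLF + CRLF

# Constructed sample pieces (not captures); the S/MIME bodies are placeholders.
SDP = f"v=0{CRLF}o=alice 1 1 IN IP4 192.0.2.1{CRLF}m=audio 49170 RTP/AVP 0{CRLF}"
ENVELOPED = ('Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'
             f"{CRLF}Content-ID: <for-uas@example.com>", "MIIB...placeholder-ciphertext...")
PLAIN_SDP = (f"Content-Type: application/sdp{CRLF}Content-ID: <for-proxy@example.com>", SDP)
SIGNED_SDP = ('Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
              f'micalg=sha1; boundary="inner"{CRLF}Content-ID: <for-proxy@example.com>',
              f"--inner{CRLF}Content-Type: application/sdp{CRLF}{CRLF}{SDP}--inner{CRLF}"
              f'Content-Type: application/pkcs7-signature; name="smime.p7s"{CRLF}{CRLF}'
              f"MIIC...placeholder-signature...{CRLF}--inner--")
REQUEST_HEADERS = [
    "INVITE sip:bob@example.net SIP/2.0", "Via: SIP/2.0/TCP 192.0.2.1;branch=z9hG4bK776",
    "From: <sip:alice@example.com>;tag=1928", "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@192.0.2.1", "CSeq: 314159 INVITE",
    'Content-Type: multipart/mixed; boundary="outer"']

def make_invite(parts: List[Tuple[str, str]], label: Optional[str]) -> str:
    """Assemble a multipart/mixed INVITE; `label` is the Proxy-Required-Body value."""
    hdrs = REQUEST_HEADERS + ([f"Proxy-Required-Body: {label}"] if label else [])
    body = "".join(f"--outer{CRLF}{h}{CRLF}{CRLF}{c}{CRLF}" for h, c in parts)
    return CRLF.join(hdrs) + CRLF + CRLF + body + f"--outer--{CRLF}"
```

Running `proxy_check(make_invite([ENVELOPED, PLAIN_SDP], "<for-proxy@example.com>"), "application/sdp", need_integrity=True)` yields 495 with `Warning: 399 proxy.example.com "application/sdp"`, which `build_response` turns into the reply the UAC can act on; the same request with `need_integrity=False` is forwarded, and an unlabeled request whose only body is EnvelopedData yields 493. Two caveats: the label and the Content-ID headers must themselves be visible to the proxy in the clear for this to work at all, and the multipart/signed branch only recognizes that a signature is present, it does not verify it. The header dictionary also keeps only the last value per name, which is fine for the single-Via sample but not for a real proxy, which must preserve every Via.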
Next Step
• Can we adopt this as a WG item?