[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AW: AW: AW: Digest Authentication: Security issue with https/sips
Beck01, Wolfgang wrote:
Miguel,
So if A calls B, it is only A's network that can authenticate and
authorize A's call. If A uses a SIPS URI to address B, it
just want to have secured signalling connection betweeen A and B, and does
not care about the sortages of A's network and not protecting the
RADIUS interface.
But A's RADIUS connection is part of the signalling connection
between A and B.
[Miguel]
Ok, so here is our point of disagreement. I think you cannot consider
the RADIUS interface as part of the signalling connection between A and
B. The RADIUS server is just there to provide an authorization, but is
not part of the signalling path. So putting a penalty to the end user is
wrong in my opinion, and prevents the user to establish a secure
connection just because the inability of the network.
And then we come to the normative statements that you are placing for
HTTP and SIP, I don't think it is valid for a RADIUS document
to contain such statements. The WG that deal with those protocols should
attack the problem and extend the protocol, if needed.
Consider the following proposal (section RADIUS client behaviour):
"If the scheme in the digest-uri directive indicates a secure HTTP-style
connection (eg sips, https) and the RADIUS client does not have a secure
connection to its RADIUS server, it MUST act as if it had received an
Access-Reject."
Less comprehensible, but no normative statement for SIP or HTTP.
[Miguel]
Ok, this part would be more acceptable, but we need to solve the first
part of the draft, for which I don't agree yet.
BR,
Miguel
Wolfgang
--
T-Systems
Next Generation IP Services and Systems
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany
--
Miguel A. Garcia tel:+358-50-4804586
sip:miguel.an.garcia@openlaboratory.net
Nokia Research Center Helsinki, Finland
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>