Re: Evaluation: draft-ietf-sipping-3pcc - Best Current Practices for Third Party Call Control in the Session Initiation Protocol
Yes No-Objection Discuss Abstain
Erik Nordmark [ ] [ ] [ x ] [ ]
I'd like to understand two things better.
In section 10 on click to dial the example shows an HTTP POST which magically
makes the controller aware of the SIP URI for the user's phone.
I'm concerned about the privacy implications if this is implemented
in a fashion that is easy to use - a single button to click - since
that presumably implies that every HTTP POST will contain the user's phone
number. The alternative - a form to fill out with the SIP URI for each
click to type - is too hard to use.
An alternative where the user receives the SIP URI of the customer service rep
and performs the call itself doesn't have this issue, but assumes that there
is VoIP in the user's computer and not a separate POTS phone.
Section 12.2 second paragraph says:

    So long as it is
    not attempting to explicitly disable these mechanisms, the protocols
    will properly operate end-to-end, resulting in a secure media session
    that even the controller cannot eavesdrop or modify.

The sentence reads as the worst case being a controller causing a denial of
service. But can't the controller trivially be a MiTM for the media session(s)
in this case?
Erik