This draft is a standards track update to MSRP that mandates that MSRP allow
man in the middle attacks. I am strongly opposed to this change and feel that
it would be a violation of the spirit of BCP 61 as well as just a bad idea.
The "security is OK" is based on the idea that MITM attacks are already
possible so this makes it now worse - see section 5 where it says
However, since a
man-in-the-middle would in any case be able to modify the domain
information in both the SDP and the MSRP messages"
I don't agree with the assumption that SIP can not protect against MITM attacks
and therefore it is OK to mandate support for MITM attacks in MSRP. Who did the
security review for this draft?
Cullen <MSRP co author>
On Jun 7, 2010, at 8:40 AM, The IESG wrote:
The IESG has received a request from the SIP for Instant Messaging and
Presence Leveraging Extensions WG (simple) to consider the following document:
- 'Session Matching Update for the Message Session Relay Protocol (MSRP) '
<draft-ietf-simple-msrp-sessmatch-06.txt> as a Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2010-06-21. Exceptionally,
comments may be sent to iesg(_at_)ietf(_dot_)org instead. In either case,
retain the beginning of the Subject line to allow automated sorting.
The file can be obtained via
IESG discussion can be tracked via
IETF-Announce mailing list
For corporate legal information go to:
Ietf mailing list