It would appear that participants of the SIPPING working group have a
different opinion on the utility of TLS than do participants of the
MARID working group.
From Section 3.11 of draft-rosenberg-sipping-spam-00:
3.11 Sender Checks
In email, there has been a lot of interest in defining new DNS
resource records that will allow a domain that receives a message to
verify that the sender is a valid MTA for the sending domain.
Standards are now being developed for this within the MARID working
group in the IETF [14].
Are these techniques useful for SIP? They can be used for SIP but are
not necessary. In email, there are no standards established for
securely identifying the identity of the sending domain of a message.
In SIP, however, TLS with mutual authentication can be used
inter-domain. A provider receiving a message can then reject any
message coming from a domain that does not match the asserted
identity of the sender of the message. Such a policy only works in
the "trapezoid" model of SIP, whereby there are only two domains in
any call - the sending domain, which is where the originator resides,
and the receiving domain.
Thus, instead of creating DNS entries containing the IP address of
each legitimate relay for a domain, the provider can give each
legitimate relay a certificate that allows them to authenticate
themselves as coming from that domain. Such a technique would work
even in the face of IP address spoofing, which the marid techniques
are susceptible to.
From a thread on the MARID list:
http://www.imc.org/ietf-mxcomp/mail-archive/msg02466.html
(not to be picking on Roy... others expressed similar feelings)
I question that peer authentication is commonplace (although I don't
doubt that it happens every day). I get the impression most people
use self-signed certs with STARTTLS.
STARTTLS for ESMTP has been around for some time. In fact, it is not
uncommon for my mail streams to be encrypted via TLS (such as my
message exchanges with the MARID mailing list MTA) but have neither the
server nor the client use TLS for authentication.
-andy
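The two points raised above are the same check seen from both sides: the draft's Section 3.11 says a receiving domain can reject a request whose From domain does not match the domain the TLS peer authenticated as, and the MARID thread notes that TLS is often used for encryption only, with self-signed certificates and no peer authentication at all. The following is an added example, not code from the draft, from the mailing-list thread, or from any SIP implementation. It models the outcome of the TLS handshake as a small record (whether the chain verified, and which dNSName entries the certificate carries) and applies the admission policy to a constructed INVITE. The message, domain names and the `TlsPeer` record are all assumptions made for the illustration.

```python
"""Inter-domain SIP admission check modelled on draft-rosenberg-sipping-spam-00
Section 3.11. Added example; all names and messages below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample request, as a relay in example.com might send to example.net.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS relay1.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@relay1.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n"
)


@dataclass(frozen=True)
class TlsPeer:
    """What the receiving side learned from the TLS handshake (assumed shape).

    verified: the peer presented a certificate and the chain was validated
              against a CA the receiver trusts. A session that is merely
              encrypted (self-signed certificate, no client certificate
              requested, or verification disabled) has verified=False.
    san_domains: dNSName entries of the verified certificate.
    """
    verified: bool
    san_domains: Tuple[str, ...]


# Host part of a sip: or sips: URI, with an optional user@ prefix.
_SIP_URI_HOST = re.compile(r"sips?:(?:[^@>\s;]+@)?([A-Za-z0-9.-]+)")


def from_domain(sip_message: str) -> Optional[str]:
    """Return the domain asserted in the From header (long or compact form)."""
    for line in sip_message.split("\r\n"):
        if line == "":
            break  # end of headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("from", "f"):
            match = _SIP_URI_HOST.search(value)
            return match.group(1).lower() if match else None
    return None


def admit(sip_message: str, peer: TlsPeer) -> Tuple[bool, str]:
    """Apply the Section 3.11 policy: accept only if the TLS peer was
    authenticated and its certificate asserts the From domain."""
    domain = from_domain(sip_message)
    if domain is None:
        return False, "no usable From domain"
    if not peer.verified:
        # Encrypted transport alone tells us nothing about who sent this.
        return False, "encrypted but peer not authenticated"
    asserted = {d.lower() for d in peer.san_domains}
    if domain not in asserted:
        return False, f"From domain {domain} not asserted by peer certificate"
    return True, f"accepted: peer certificate asserts {domain}"


if __name__ == "__main__":
    cases = {
        "mutual TLS, matching cert": TlsPeer(True, ("relay1.example.com", "example.com")),
        "mutual TLS, foreign cert": TlsPeer(True, ("other.example",)),
        "STARTTLS-style, self-signed, unverified": TlsPeer(False, ()),
    }
    for label, peer in cases.items():
        ok, reason = admit(SAMPLE_INVITE, peer)
        print(f"{label:45s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The third case is the situation described in the thread: the bytes on the wire are encrypted, yet nothing ties the session to the domain in the From header, so the policy treats it exactly like cleartext. Only a certificate whose dNSName covers the asserted domain lets the request through, which is what makes the check hold up against a spoofed source address.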