ietf-mxcomp

comments on draft-rosenberg-sipping-spam-00.txt

2004-07-14 18:51:52

It would appear that participants of the SIPPING working group have a different opinion on the utility of TLS than do participants of the MARID working group.

From Section 3.11 of draft-rosenberg-sipping-spam-00:

3.11  Sender Checks

   In email, there has been a lot of interest in defining new DNS
   resource records that will allow a domain that receives a message to
   verify that the sender is a valid MTA for the sending domain.
   Standards are now being developed for this within the MARID working
   group in the IETF [14].

   Are these techniques useful for SIP?  They can be used for SIP but are
   not necessary.  In email, there are no standards established for
   securely identifying the identity of the sending domain of a message.
   In SIP, however, TLS with mutual authentication can be used
   inter-domain.  A provider receiving a message can then reject any
   message coming from a domain that does not match the asserted
   identity of the sender of the message.  Such a policy only works in
   the "trapezoid" model of SIP, whereby there are only two domains in
   any call - the sending domain, which is where the originator resides,
   and the receiving domain.

   Thus, instead of creating DNS entries containing the IP address of
   each legitimate relay for a domain, the provider can give each
   legitimate relay a certificate that allows them to authenticate
   themselves as coming from that domain.  Such a technique would work
   even in the face of IP address spoofing, which the marid techniques
   are susceptible to.

From a thread on the MARID list: http://www.imc.org/ietf-mxcomp/mail-archive/msg02466.html
(not to be picking on Roy... others expressed similar feelings)

I question that peer authentication is commonplace (although I don't
doubt that it happens every day).  I get the impression most people
use self-signed certs with STARTTLS.

STARTTLS for ESMTP has been around for some time. In fact, it is not uncommon for my mail streams to be encrypted via TLS (such as my message exchanges with the MARID mailing list MTA) but have neither the server nor the client use TLS for authentication.

-andy
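The sender check Section 3.11 describes (reject a message whose asserted sending domain does not match the identity the TLS peer authenticated with), written out as an added Python example; it is not code from the draft or from this thread, and the PeerCert model, the trusted-CA flag and all sample From headers are constructed. It also encodes the caveat raised above: a peer that only presents an unverified self-signed certificate gets an encrypted channel but is not treated as authenticated.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the TLS client certificate a receiving SIP proxy
# sees after the handshake. Names are hypothetical; a real proxy would
# take these values from its TLS library.
@dataclass
class PeerCert:
    subject_cn: str
    san_dns: list = field(default_factory=list)  # dNSName SANs
    chain_verified: bool = False  # chained to a CA the receiver trusts?

def sender_domain(from_header: str) -> str:
    """Host part of the SIP URI in a From header, lower-cased."""
    m = re.search(r"sips?:(?:[^@<>\s]+@)?([A-Za-z0-9.-]+)", from_header)
    if not m:
        raise ValueError("no SIP URI in From header")
    return m.group(1).lower()

def cert_domains(cert: PeerCert) -> set:
    """Identities the certificate presents for the sending domain."""
    return {d.lower() for d in cert.san_dns} | {cert.subject_cn.lower()}

def sender_check(from_header: str, cert: Optional[PeerCert]) -> tuple:
    """Trapezoid-model check: accept only when the TLS peer proved it
    belongs to the domain asserted in From. The source IP address is
    never consulted, so IP spoofing does not help a forger."""
    if cert is None:
        return False, "no client certificate: TLS used without authentication"
    if not cert.chain_verified:
        return False, "certificate not chained to a trusted CA (e.g. self-signed)"
    domain = sender_domain(from_header)
    if domain not in cert_domains(cert):
        return False, "asserted domain %s not among certificate identities" % domain
    return True, "sender domain authenticated by mutual TLS"

if __name__ == "__main__":
    # Constructed sample: a relay of example.com with a CA-issued cert.
    relay = PeerCert("sip1.example.com", ["example.com"], chain_verified=True)
    for hdr in ('"Alice" <sip:alice@example.com>;tag=1928',
                '<sip:mallory@example.net>'):
        print(hdr, "->", sender_check(hdr, relay))
    # Same relay, but self-signed: encrypted session, not authenticated.
    print(sender_check('<sip:alice@example.com>', PeerCert("example.com", ["example.com"])))
```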