
Re: Last Call: draft-ietf-simple-msrp-sessmatch (Session Matching Update for the Message Session Relay Protocol (MSRP)) to Proposed Standard

2010-06-07 12:36:02

This draft is a standards track update to MSRP that mandates that MSRP allow 
man in the middle attacks. I am strongly opposed to this change and feel that 
it would be a violation of the spirit of BCP 61 as well as just a bad idea. 

The "security is OK" is based on the idea that MITM attacks are already 
possible so this makes it no worse - see section 5 where it says 

   "However, since a
   man-in-the-middle would in any case be able to modify the domain
   information in both the SDP and the MSRP messages"

I don't agree with the assumption that SIP can not protect against MITM attacks 
and therefore it is OK to mandate support for MITM attacks in MSRP. Who did the 
security review for this draft? 

Cullen <MSRP co author>

On Jun 7, 2010, at 8:40 AM, The IESG wrote:

The IESG has received a request from the SIP for Instant Messaging and 
Presence Leveraging Extensions WG (simple) to consider the following document:

- 'Session Matching Update for the Message Session Relay Protocol (MSRP) '
  <draft-ietf-simple-msrp-sessmatch-06.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2010-06-21. Exceptionally,
comments may be sent to iesg(_at_)ietf(_dot_)org instead. In either case,
please retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-simple-msrp-sessmatch-06.txt


IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=19446&rfc_flag=0



Cullen Jennings