[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AW: AW: AW: Digest Authentication: Security issue with https/sips

To: "Beck01, Wolfgang" <BeckW@t-systems.com>
Subject: Re: AW: AW: AW: Digest Authentication: Security issue with https/sips
From: Miguel Garcia <Miguel.An.Garcia@nokia.com>
Date: Fri, 23 Sep 2005 11:06:19 +0300
Cc: radiusext@ops.ietf.org
In-reply-to: <97A461F3EE5284469E41ED3728202F41121EB8@S4DE9JSAAMW.ost.t-com.de>
References: <97A461F3EE5284469E41ED3728202F41121EB8@S4DE9JSAAMW.ost.t-com.de>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Beck01, Wolfgang wrote:

Miguel,
So if A calls B, it is only A's network that can authenticate and authorize A's call. If A uses a SIPS URI to address B, it just want to have secured signalling connection betweeen A and B, and does not care about the sortages of A's network and not protecting the RADIUS interface.
But A's RADIUS connection is part of the signalling connection
between A and B.

[Miguel] Ok, so here is our point of disagreement. I think you cannot consider the RADIUS interface as part of the signalling connection between A and B. The RADIUS server is just there to provide an authorization, but is not part of the signalling path. So putting a penalty to the end user is wrong in my opinion, and prevents the user to establish a secure connection just because the inability of the network.

And then we come to the normative statements that you are placing for HTTP and SIP, I don't think it is valid for a RADIUS document to contain such statements. The WG that deal with those protocols should attack the problem and extend the protocol, if needed.
Consider the following proposal (section RADIUS client behaviour):
"If the scheme in the digest-uri directive indicates a secure HTTP-style
connection (eg sips, https) and the RADIUS client does not have a secure
connection to its RADIUS server, it MUST act as if it had received an
Access-Reject."
Less comprehensible, but no normative statement for SIP or HTTP.


[Miguel]

Ok, this part would be more acceptable, but we need to solve the first part of the draft, for which I don't agree yet.

BR,

     Miguel

Wolfgang
-- T-Systems Next Generation IP Services and Systems +49 6151 937 2863 Am Kavalleriesand 3 64295 Darmstadt Germany


--
Miguel A. Garcia           tel:+358-50-4804586
sip:miguel.an.garcia@openlaboratory.net
Nokia Research Center      Helsinki, Finland


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: AW: AW: AW: Digest Authentication: Security issue with https/sips
  - From: Bernard Aboba <aboba@internaut.com>

References:
- AW: AW: AW: Digest Authentication: Security issue with https/sips
  - From: "Beck01, Wolfgang" <BeckW@t-systems.com>

Prev by Date: AW: AW: AW: Digest Authentication: Security issue with https/sips
Next by Date: Re: AW: AW: AW: Digest Authentication: Security issue with https/sips
Previous by thread: AW: AW: AW: Digest Authentication: Security issue with https/sips
Next by thread: Re: AW: AW: AW: Digest Authentication: Security issue with https/sips
Index(es):
- Date
- Thread