Re: Last Call: draft-ietf-simple-msrp-sessmatch (Session Matching Update for the Message Session Relay Protocol (MSRP)) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This draft is a standards track update to MSRP that mandates that MSRP allow man in the middle attacks. I am strongly opposed to this change and feel that it would be a violation of the spirit of BCP 61 as well as just a bad idea. 

The "security is OK" is based on the idea that MITM attacks are already possible so this makes it now worse - see section 5 where it says 

   However, since a
   man-in-the-middle would in any case be able to modify the domain
   information in both the SDP and the MSRP messages"

I don't agree with the assumption that SIP can not protect against MITM attacks and therefore it is OK to mandate support for MITM attacks in MSRP. Who did the security review for this draft? 

Cullen <MSRP co author>

On Jun 7, 2010, at 8:40 AM, The IESG wrote:

> The IESG has received a request from the SIP for Instant Messaging and 
> Presence Leveraging Extensions WG (simple) to consider the following document:
> 
> - 'Session Matching Update for the Message Session Relay Protocol (MSRP) '
>   <draft-ietf-simple-msrp-sessmatch-06.txt> as a Proposed Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action.  Please send substantive comments to the
> ietf@xxxxxxxx mailing lists by 2010-06-21. Exceptionally, 
> comments may be sent to iesg@xxxxxxxx instead. In either case, please 
> retain the beginning of the Subject line to allow automated sorting.
> 
> The file can be obtained via
> http://www.ietf.org/internet-drafts/draft-ietf-simple-msrp-sessmatch-06.txt
> 
> 
> IESG discussion can be tracked via
> https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=19446&rfc_flag=0
> 
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf-announce


Cullen Jennings
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html



_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]