Hi, The intention is not to "mandate" that MSRP allows man in the middle attacks. The text simply states that it doesn't change what can already be done. If you think that the text gives a wrong picture regarding that, and what is possible what to protect with SIP, I am happy to modify the text. Regards, Christer ________________________________________ From: ietf-bounces@xxxxxxxx [ietf-bounces@xxxxxxxx] On Behalf Of Cullen Jennings [fluffy@xxxxxxxxx] Sent: Monday, June 07, 2010 7:31 PM To: IETF Mailing List; IESG IESG Subject: Re: Last Call: draft-ietf-simple-msrp-sessmatch (Session Matching Update for the Message Session Relay Protocol (MSRP)) to Proposed Standard This draft is a standards track update to MSRP that mandates that MSRP allow man in the middle attacks. I am strongly opposed to this change and feel that it would be a violation of the spirit of BCP 61 as well as just a bad idea. The "security is OK" is based on the idea that MITM attacks are already possible so this makes it now worse - see section 5 where it says However, since a man-in-the-middle would in any case be able to modify the domain information in both the SDP and the MSRP messages" I don't agree with the assumption that SIP can not protect against MITM attacks and therefore it is OK to mandate support for MITM attacks in MSRP. Who did the security review for this draft? Cullen <MSRP co author> On Jun 7, 2010, at 8:40 AM, The IESG wrote: > The IESG has received a request from the SIP for Instant Messaging and > Presence Leveraging Extensions WG (simple) to consider the following document: > > - 'Session Matching Update for the Message Session Relay Protocol (MSRP) ' > <draft-ietf-simple-msrp-sessmatch-06.txt> as a Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits > final comments on this action. Please send substantive comments to the > ietf@xxxxxxxx mailing lists by 2010-06-21. Exceptionally, > comments may be sent to iesg@xxxxxxxx instead. In either case, please > retain the beginning of the Subject line to allow automated sorting. > > The file can be obtained via > http://www.ietf.org/internet-drafts/draft-ietf-simple-msrp-sessmatch-06.txt > > > IESG discussion can be tracked via > https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=19446&rfc_flag=0 > > _______________________________________________ > IETF-Announce mailing list > IETF-Announce@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf-announce Cullen Jennings For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf