RE: Last Call: draft-ietf-simple-msrp-sessmatch (Session Matching Update for the Message Session Relay Protocol (MSRP)) to Proposed Standard

Hi,

The intention is not to "mandate" that MSRP allows man in the middle attacks. The text simply states that it doesn't change what can already be done.

If you think that the text gives a wrong picture regarding that, and what is possible to protect with SIP, I am happy to modify the text.

Regards,

Christer



________________________________________
From: ietf-bounces@xxxxxxxx [ietf-bounces@xxxxxxxx] On Behalf Of Cullen Jennings [fluffy@xxxxxxxxx]
Sent: Monday, June 07, 2010 7:31 PM
To: IETF Mailing List; IESG IESG
Subject: Re: Last Call: draft-ietf-simple-msrp-sessmatch (Session Matching Update for the Message Session Relay Protocol (MSRP)) to Proposed Standard

This draft is a standards track update to MSRP that mandates that MSRP allow man in the middle attacks. I am strongly opposed to this change and feel that it would be a violation of the spirit of BCP 61 as well as just a bad idea.

The "security is OK" is based on the idea that MITM attacks are already possible so this makes it no worse - see section 5 where it says

   However, since a
   man-in-the-middle would in any case be able to modify the domain
   information in both the SDP and the MSRP messages

I don't agree with the assumption that SIP can not protect against MITM attacks and therefore it is OK to mandate support for MITM attacks in MSRP. Who did the security review for this draft?

Cullen <MSRP co author>

On Jun 7, 2010, at 8:40 AM, The IESG wrote:

> The IESG has received a request from the SIP for Instant Messaging and
> Presence Leveraging Extensions WG (simple) to consider the following document:
>
> - 'Session Matching Update for the Message Session Relay Protocol (MSRP) '
>   <draft-ietf-simple-msrp-sessmatch-06.txt> as a Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action.  Please send substantive comments to the
> ietf@xxxxxxxx mailing lists by 2010-06-21. Exceptionally,
> comments may be sent to iesg@xxxxxxxx instead. In either case, please
> retain the beginning of the Subject line to allow automated sorting.
>
> The file can be obtained via
> http://www.ietf.org/internet-drafts/draft-ietf-simple-msrp-sessmatch-06.txt
>
>
> IESG discussion can be tracked via
> https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=19446&rfc_flag=0
>
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf-announce


Cullen Jennings
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html



_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf