Hello everybody,

first of all I'm sorry for the late reply.

> Since you probably know this better than me, wasn't PGP authentication
> removed from SIP? (or are you the person that will resurrect it?) I
> read it from http://www.ietf.org/mail-archive/web/sip/current/msg11899.html

Mr. Prijono, you're absolutely right -- PGP was removed from SIP since RFC 3261.

In the context of my thesis I have analyzed various possibilities to realize a mutual end-to-end authentication in SIP. That means, the caller has to authenticate himself against the callee and vice versa.

Although PGP was removed, I think there are some reasons to resurrect it:

- PGP follows a non-hierarchic approach ("web of trust") in contrast to TLS or S/MIME.
- For TLS and S/MIME a PKI is necessary.
- There might be a lack of security having a Certificate Authority involved (e.g. untrusted/private CAs, insecure certificates freely available).
- HTTP Digest is not suitable for an end-to-end authentication, only the caller has to authenticate himself. [1]
- TLS is useful only on a single-hop. [2]
- The UAC has the possibility to use a SIPS URI to initiate a secure connection. But this means TLS will be established between the UAC and the domain that owns the specified URI only. There is no need to establish a secure connection between the following hops. [3]
- S/MIME can be used for an end-to-end authentication, but using S/MIME means to deal with duplicated headers (inner and outer header). Implementors have to assure the consistency of these headers. Besides, this causes overhead (by duplicating some header). [4]

As a result of my analysis, I prefer an authentication schema that is based on a non-hierarchic approach. Thus, I am dealing with the most commonly known one -- namely PGP.

I am *not* trying to bring PGP back into SIP as a core element. But I try to offer PGP to all users that prefer this schema. Similar to e-mail, PGP is not a mandatory part of it -- but many users utilise PGP, e.g. via EnigMail plugin within Thunderbird e-mail client. By implementing PGP support into PJSIP, these users can still use the authentication schema they already use in e-mail communication.

So once again, I would like to know if someone is aware of the PGP structures being in the PJSIP source yet -- or it is just you, Mr. Prijono?

Secondly, are you interested in my code? Would you like to use it?

Regards
Sebastian Hübner

[1] RFC 3162, Session Initiation Protocol, Section 22, Page 193
[2] "SIP - Understanding the Session Initiation Protocol", Section 2.5.3, Page 41
[3] RFC 3162, Session Initiation Protocol, Section 19.1, Page 148
[4] RFC 3162, Session Initiation Protocol, Section 23.4.1, Page 207-208
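
The inner/outer header consistency check mentioned in the S/MIME point of the mail above, sketched in Python as an added example (not part of the original mail and not PJSIP code). It assumes the signature over the inner message/sip body has already been verified, compares values as normalized strings rather than with the full SIP comparison rules, and uses constructed sample messages; the function names are hypothetical.

```python
# Added example (not from the original mail, not PJSIP code).
# Fields a proxy may legitimately change (RFC 3261, section 23.4.1.1); the
# Request-URI is on the start line, which parse_headers() skips anyway.
PROXY_MUTABLE = {"via", "record-route", "route", "max-forwards", "proxy-authorization"}
COMPACT = {"f": "from", "t": "to", "i": "call-id", "m": "contact", "v": "via"}

def parse_headers(message):
    """Return {lower-case header name: [values]} for a SIP message's header part."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers, name = {}, None
    for line in head.split("\n")[1:]:            # skip the request/status line
        if not line.strip():
            continue
        if line[0] in " \t" and name:            # folded continuation line
            headers[name][-1] += " " + line.strip()
            continue
        raw, _, value = line.partition(":")
        name = COMPACT.get(raw.strip().lower(), raw.strip().lower())
        headers.setdefault(name, []).append(" ".join(value.split()))
    return headers

def header_mismatches(outer_msg, inner_msg):
    """List (name, outer values, inner values) where the outer copy differs."""
    outer, inner = parse_headers(outer_msg), parse_headers(inner_msg)
    return [(n, outer.get(n), v) for n, v in sorted(inner.items())
            if n not in PROXY_MUTABLE
            and not n.startswith("content-")     # assumption: describes each message's own body
            and outer.get(n) != v]

# Constructed sample messages (bodies omitted). INNER is the signed copy.
INNER = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP pc.example.org;branch=z9hG4bKa1",
    "Max-Forwards: 70",
    "From: Alice <sip:alice@example.org>;tag=1928",
    "To: Bob <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Content-Length: 0"]) + "\r\n\r\n"
# OUTER as received: extra Via and lower Max-Forwards are fine, From is not.
OUTER = (INNER.replace("Via:", "Via: SIP/2.0/UDP proxy.example.net;branch=z9hG4bKb2\r\nVia:", 1)
              .replace("Max-Forwards: 70", "Max-Forwards: 69")
              .replace("To: Bob", "t: Bob")
              .replace("From: Alice <sip:alice@", "From: Carol <sip:carol@"))

if __name__ == "__main__":
    for name, outer, inner in header_mismatches(OUTER, INNER):
        print(f"integrity violation in {name}: outer={outer} signed={inner}")
```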