S/MIME and Certs Cullen Jennings

What changed since IETF 59
Asked to resolve the differences and similarities between the “cert” draft and the “identity” draft.
Many possibilities considered.
Focus on cleanly separating the orthogonal parts of the problem.
Came to a solution that we can migrate to, given what is deployed today.

Model
[Diagram: Caller (a.com) and Callee (b.com)]
1. Callee with address publishes public certificate at b.com (or retrieves certificate + private key)
   – Done with SIP Publish with Identity
2. Caller wants to call and gets the certificate from
   – Done with SIP Subscribe with Identity
3. Caller encrypts stuff for Callee
   – Uses S/MIME in SIP
4. Callee fetches caller certificate (from a.com) to verify Caller certificate
   – Uses SIP Subscribe with Identity

The Sacred Choice
Earlier versions had each device having its own credentials.
Required the caller to encrypt with all possible credentials.
Decided this was unworkable.
Moved to a model where an AOR has (mostly) one credential and moves it using the Sacred framework.
Is this OK?

Fetching Credentials
Need to use notify to find out the credential has changed.
Could use notification or the config framework to receive credentials.

Fetching Certificates
Current draft:
   – Identity mechanism provides strong identity and integrity protection of the body.
   – Subscribe/Notify provides revocation notices.
Previous versions:
   – HTTPS requires some additional UA check on the domain of the AOR and the HTTP host.
   – Only revocation mechanism is a limited certificate lifetime.
   – Could be used by other services that don’t have SIP.
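The Model slide's PUBLISH / SUBSCRIBE / NOTIFY flow and this slide's two revocation stories, as an added example that is not part of the original presentation or the draft. It is a toy in-memory model: "certificates" are opaque strings, the Identity header check is a boolean stand-in, the AOR/host rule for the HTTPS alternative is an assumed interpretation, and a.com/b.com with bob/alice are constructed values.

```python
# Toy model of the certificate-directory flow on the "Model" slide
# (hypothetical code, not the draft's wire format; certificates are
# opaque strings and the Identity check is a boolean stand-in).
from urllib.parse import urlparse

def aor_domain(aor: str) -> str:
    """sip:bob@b.com;transport=tcp -> b.com (drops scheme, user, params, port)."""
    hostport = aor.split(":", 1)[1].rsplit("@", 1)[-1].split(";")[0]
    return hostport.split(":")[0].lower()

def https_host_matches_aor(aor: str, url: str) -> bool:
    """The extra UA check the HTTPS alternative needs (assumed rule): the
    host serving the certificate must be the AOR's domain or inside it."""
    u, dom = urlparse(url), aor_domain(aor)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (host == dom or host.endswith("." + dom))

class CertDirectory:
    """Per-domain certificate service reached with SIP PUBLISH/SUBSCRIBE."""
    def __init__(self, domain: str):
        self.domain, self.certs, self.subscribers = domain, {}, {}

    def publish(self, aor: str, cert: str, identity_ok: bool) -> bool:
        # Only the AOR owner with a valid Identity assertion from this
        # domain may store or replace the certificate.
        if not identity_ok or aor_domain(aor) != self.domain:
            return False
        self.certs[aor] = cert
        for notify in self.subscribers.get(aor, []):
            notify(aor, cert)  # NOTIFY: credential changed or revoked
        return True

    def subscribe(self, aor: str, notify):
        # Register for changes; the initial NOTIFY carries the current cert.
        self.subscribers.setdefault(aor, []).append(notify)
        return self.certs.get(aor)

def scenario():
    """Constructed run: Bob at b.com publishes, Alice (a.com) fetches by
    SUBSCRIBE, a forged PUBLISH is rejected, Bob rotates, Alice's cache
    is updated by NOTIFY instead of waiting for the old cert to expire."""
    bcom, bob, cache = CertDirectory("b.com"), "sip:bob@b.com", {}
    bcom.publish(bob, "cert-bob-v1", identity_ok=True)
    on_notify = lambda aor, cert: cache.update({aor: cert})  # cache follows NOTIFY
    cache[bob] = bcom.subscribe(bob, on_notify)
    first = cache[bob]
    forged = bcom.publish(bob, "cert-evil", identity_ok=False)
    bcom.publish(bob, "cert-bob-v2", identity_ok=True)
    return first, forged, cache[bob]
```

With the HTTPS variant there is no NOTIFY, so a caller holding `cert-bob-v1` would keep using it until its lifetime ran out; the Subscribe/Notify model replaces it at the moment of the second PUBLISH.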

Moving forward …
People want to implement this.
What do we need to do before we decide we want to move forward?
Other proposals?
Reasons this will not work?
Harm this causes?