headers
Adam Roach | 1 Sep 2004 01:38
Favicon

Re: MSRP: Contributor ID

hisham.khartabil <at> nokia.com wrote:

>- Rohan will write up a separate internet draft describing the header approach with its security considerations.
>
>- Robert will kick off an internet draft describing the body approach (be it CPIM or something else) and its
security considerations.
>

Just to be clear: Section 4.1.1 of RFC 2779 absolutely, unambiguously, 
and without recourse for appeal binds SIMPLE to support CPIM in MSRP. 
Section 4.1.2 similarly requires us to be able to identify the sender. 
These mechansims, simply put, must be in MRSP, or it dies in IESG review.

Full stop.

So, I want to clear up any misunderstanding that this might be an 
either-or decision -- an impression Hisham's note may have given some 
particpants.

The support of CPIM _will_ be part of MSRP, it _will_ contain mechanisms 
for identifying the sender, and there's not a thing any member of this 
working group can do about it.

At this point, we're just debating whether there will be a redundant 
mechanism for doing the same thing.

/a
Permalink | Reply | 0 comments |
headers
Robert Sparks | 1 Sep 2004 21:47

Re: Minutes/proceedings - IETF60

Folks,

I received no comments on these draft minutes. I'm submitting them
as-is to the proceedings today.

Thanks,

RjS

On Aug 19, 2004, at 9:02 AM, Robert Sparks wrote:

> The slides from San Diego are on softarmor at
> http://www.softarmor.com/simple/meets/ietf60/slides/
> and in the draft proceedings at
> http://www.ietf.org/proceedings/04aug/index.html
>
> Draft minutes are attached.
>
> Please provide feedback/correction no later than 8/31.
>
> Thanks,
>
> RjS
>
>
> <minutes>_______________________________________________
> Simple mailing list
> Simple <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/simple
(Continue reading)

Permalink | Reply | 0 comments |
headers
Orit Levin | 1 Sep 2004 21:58
Picon
Favicon

RE: MSRP: Contributor ID

A clarification to the clarification.

We are not debating "a redundant mechanism for doing the same thing".
I don't think that there has been a doubt that MSRP entities MUST
support CPIM and MUST be able to receive and process it.

The ongoing debate is whether
- the CPIM technique can work for both centralized conferencing and
peer-to-peer security/privacy in the same time
OR
- MSRP needs to define additional means for conferencing support (in
order to be able to use CPIM for its original purpose!)

Orit.

> -----Original Message-----
> From: simple-bounces <at> ietf.org 
> [mailto:simple-bounces <at> ietf.org] On Behalf Of Adam Roach
> Sent: Tuesday, August 31, 2004 4:39 PM
> To: hisham.khartabil <at> nokia.com
> Cc: simple <at> ietf.org
> Subject: Re: [Simple] MSRP: Contributor ID
> 
> hisham.khartabil <at> nokia.com wrote:
> 
> >- Rohan will write up a separate internet draft describing 
> the header approach with its security considerations.
> >
> >- Robert will kick off an internet draft describing the body 
> approach (be it CPIM or something else) and its security
(Continue reading)

Permalink | Reply | 0 comments |
headers
Robert Sparks | 2 Sep 2004 22:25

Partial Publish as WG item

OK - there appear to be several people willing to comment on this 
mechanism now and
rough consensus to take it on as a working group item, with
draft-lonnfors-simple-partial-publish-01 as a starting point.

Those folks who have chimed in with explicit support and concerns: we 
will be
  calling on you to review and comment.

Thanks,

RjS
Permalink | Reply | 0 comments |
headers
Faisal Adeem Siddiqui | 7 Sep 2004 14:02
Picon

Regarding the SIP register messages in SIP for Networked Appliances

I want to know why the To and From addresses are same in this (see below) Register message ? Do we really need the "To" address ? Shouldn't the "To" address be "registrar <at> home.net" ?
Please explain.
 
To: [slp:/d=alarmclock, r=bedroom,u=stanm] <at> ua.stan.home.net
From: [slp:/d=alarmclock, r=bedroom,u=stanm] <at> ua.stan.home.net
Content-type: application/ddp
[Device Address]
 
Thanks in advance.
Faisal.
_______________________________________________
Simple mailing list
Simple <at> ietf.org
https://www1.ietf.org/mailman/listinfo/simple
Permalink | Reply | 1 comment |
headers
hisham.khartabil | 7 Sep 2004 14:41
Picon

RE: Partial Publish as WG item

We will be producing a new version of the Patrial Publish internet draft as a WG item soon. Please review the
current version and report any issues you find. The draft can be found at:

http://www.ietf.org/internet-drafts/draft-lonnfors-simple-partial-publish-01.txt

There is one open issue known to the authors, and that is the behaviour at the server when there are XML errors.

Regards,
Hisham

> -----Original Message-----
> From: simple-bounces <at> ietf.org 
> [mailto:simple-bounces <at> ietf.org]On Behalf
> Of ext Robert Sparks
> Sent: 02.September.2004 23:26
> To: simple <at> ietf.org
> Cc: Ted Hardie
> Subject: [Simple] Partial Publish as WG item
> 
> 
> OK - there appear to be several people willing to comment on this 
> mechanism now and
> rough consensus to take it on as a working group item, with
> draft-lonnfors-simple-partial-publish-01 as a starting point.
> 
> Those folks who have chimed in with explicit support and concerns: we 
> will be
>   calling on you to review and comment.
> 
> Thanks,
> 
> RjS
> 
> 
> 
> _______________________________________________
> Simple mailing list
> Simple <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/simple
>
Permalink | Reply | 0 comments |
headers
Paul Kyzivat | 7 Sep 2004 17:09
Picon
Favicon

Re: Regarding the SIP register messages in SIP for Networked Appliances


Faisal Adeem Siddiqui wrote:
> I want to know why the To and From addresses are same in this (see 
> below) Register message ? Do we really need the "To" address ? Shouldn't 
> the "To" address be "registrar <at> home.net <mailto:registrar <at> home.net>" ?
> Please explain.

- The To-URI identifies the address of record that is to be modified
  by the registration.

- The Request-URI identifies the registrar that is intended to process
  the registration. Often it is obtained by stripping the user part from
  the To-URI. But it is up the the UAC to do this, or otherwise
  determine what it is.

- The From-URI identifies the Address of record of the UAC that is
  sending the REGISTER message. It is certainly a very common case
  for this to be the same as the To-URI, but it need not be the
  case.

The technique of deriving the Request-URI is indeed odd and inconsistent
with what is typically done for other sip messages. I believe it is just
an artifact of the way that sip has evolved. But that is the way it is.

	Paul

> REGISTER registrar <at> home.net <mailto:registrar <at> home.net>
> To: [slp:/d=alarmclock, r=bedroom,u=stanm] <at> ua.stan.home.net
> From: [slp:/d=alarmclock, r=bedroom,u=stanm] <at> ua.stan.home.net
> Content-type: application/ddp
> [Device Address]
>  
> Thanks in advance.
> Faisal.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Simple mailing list
> Simple <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/simple
Permalink | Reply | 0 comments |
headers
Paul Kyzivat | 7 Sep 2004 20:06
Picon
Favicon

Re: MSRP: Contributor ID

Sorry for delayed response - I've been on vacation, but am now back.

Orit Levin wrote:
> Paul,
> The answer to "why" in each of the cases relates to the fact that
> different cases belong to same architecture/possible deployment. Even
> when you see a solution to one case - you are unintentionally missing
> another unless you go through the exercise of defining the full
> conferencing architecture.
> 
> Instead, if we step back and try to look at the problem from the top,
> CPIM is a simple means for peer-to-peer private communications with
> non-trusted intermediates (e.g. GW, MCUs) potentially present in the
> middle. Using CPIM for communications between users and the
> intermediates themselves (and still being able to use CPIM for what it
> had been designed for) without defining standard ubiquitous means for
> distinguishing between the cases - is close to impossible.

I'm still not convinced of why the recipient needs to be able to 
distinguish the cases.

If a message is received, it could have:
- no indication of source. All that is known is the identification
   of the other end of the signaling path.

- it could have a single CPIM wrapper, unsigned, unencrypted,
   that identifies the source. The recipient doesn't know if this
   came from the actual sender, or from some intermediary. But
   does it matter? In either case it can't be authenticated.

- it could have a single CPIM wrapper, signed by the actual
   sender.

- it could have a single CPIM wrapper, signed by the mixer.

- it could have two CPIM wrappers, one signed by the sender,
   one signed by the mixer.

In all of the signed cases, what is the value in knowing via the 
protocol whether a signature came from the mixer or the sender? What is 
really important is who is signing and whether you can authenticate the 
signature. If you have multiple signatures that you trust, and the 
corresponding CPIM wrappers disagree about who the sender is, then you 
have to decide which to trust, or else just display them both. If you 
want to pick one, does it really help to know whether it came from the 
mixer or not?

> On the RTP note, RTP is different from MSRP in many aspects:

True. The analogy can only be stretched so far.

> - RTP doesn't use CPIM and as a result doesn't have this problem to
> start from :-)

True. That of course wasn't the analogy I was considering.

My point was that in a conference, the sender uses RTP/RTCP to talk to 
the mixer, including its capabilities for identifying the sender. Then 
the mixer uses RTP/RTCP to talk to the recipient, again using its 
capabilities for identifying the sender. There isn't one way for the 
sender to identify itself to the recipient and a different way for the 
mixer to represent its notion of the sender to the recipient.

An analogous same state of affairs could be achieved using CPIM, if the 
mixer refuses to accept encrypted messages that it cannot decrypt. It 
could then receive messages, remove any incoming CPIM wrapper, then add 
and sign a CPIM wrapper for the recipient.

> - SSRC is used as a stream identifier only. In the core RTP, there is no
> multiplexing inside the UDP connection (which is 1-to-1 with the RTP
> session). In MSRP, the from-path value is used as the part of the "MSRP
> session identifier" for multiplexing inside a TCP tunnel.

This is all true. But I don't see how it affects the discussion at hand.

> - in addition to the RTP "mixer" mode being implemented today, RTP also
> defines the "translator" mode - which is much closer to what happening
> in IM conferencing case. It this mode, the original SSRC is PRESERVED by
> translators (and the CSRC list is not created because it doesn't have
> any meaning at all).

This would be analogous to an MSRP mixer passing CPIM messages thru 
unmodified. Note that the description of translator mode in RFC 3550 
mentions that when it is used the recipient can't tell that a translator 
is present.

Note that RTP doesn't ever address the case where the sender doesn't 
provide CNAME info, or when it is wrong. Our case in MSRP of having the 
focus provide identification of the sender when the sender didn't 
provide that information is functionality not considered in RTP.

 > As it was stated earlier, voice and video
> conferencing vendors got away with it only because the user can guess
> the source by his/her voice or video. This doesn't work for IM unless an
> advanced conferencing protocol (e.g. XCON) is being used by ALL
> participants.

Agreed that it is more important to receive sender identification with 
MSRP than it is with RTP. But then we are free to work out what the 
extended needs are.

	Paul

> Orit.   
> 
> 
>>-----Original Message-----
>>From: Paul Kyzivat [mailto:pkyzivat <at> cisco.com] 
>>Sent: Thursday, August 26, 2004 12:00 PM
>>To: Orit Levin
>>Cc: Ben Campbell; Adam Roach; Alan Johnston; simple <at> ietf.org
>>Subject: Re: [Simple] MSRP: Contributor ID
>>
>>
>>
>>Orit Levin wrote:
>>
>>> 
>>>
>>>>If
>>>>the message already had a cpim wrapper, then the focus 
>>>
>>could choose to 
>>
>>>>leave it alone, or put it inside yet another wrapper.
>>>>(You can have nested cpim wrappers.)
>>>>
>>>
>>>To accommodate the end-to-end encrypted CPIM, it will need to be 
>>>something like:
>>>If the message already had a cpim wrapper and the destination is 
>>>conference-aware, then the focus puts it inside yet another clear 
>>>wrapper (that is in order to provide mapping to conferencing 
>>>extensions).
>>>If the message already had a cpim wrapper and the destination is 
>>>conference-unaware (e.g. doesn't use XCON) leave it alone 
>>
>>(that is in 
>>
>>>order to not confuse the receiving client with conferencing 
>>>information vs. peer-to-peer information).
>>
>> >
>>
>>>This is VERY DIFFERENT from the existing today conferencing 
>>>architecture where the focus logic is NOT dependant on the 
>>>participant's ability to understand or actively support 
>>
>>conferencing extensions and protocols.
>>
>>I don't understand why you are splitting out different 
>>behaviors for conference aware and unaware participants.
>>
>>If the focus wants to ensure that messages are properly 
>>identified as to source, then it will either have to add a 
>>CPIM wrapper, or else inspect and approve one that is already 
>>present. If the message is encrypted e2e so that the focus 
>>can't decrypt, then it doesn't matter whether the encrypted 
>>body is CPIM or not. Either way the focus will have to wrap 
>>the encrypted body in a new CPIM wrapper.
>>
>>It can only avoid this if it doesn't feel it is necessary to 
>>identify the message sender. It will be up to the conference 
>>arch to decide about that. Maybe it will depend on whether 
>>the recipient is conference aware, maybe not.
>>
>>
>>>Yet "MY MAJOR PROBLEM" with using CPIM wrapper for 
>>
>>conferencing/focus 
>>
>>>can be summarised as following:
>>>There is no (well-defined simple) way in the CPIM header to 
>>>distinguish whether a particular CPIM is being used for 
>>
>>intermediate 
>>
>>>(e.g. focus,
>>>GW) vs. for peer-to-peer needs. A user may have very 
>>
>>different privacy 
>>
>>>policies regarding each.  In the case of conference-unaware 
>>
>>user - the 
>>
>>>UA will not even have the ability to distinguish between 
>>
>>the two cases.
>>
>>Why should there be? there isn't any way to do this for 
>>RTP/RTCP. There isn't any ability to have both kinds. And it 
>>is up to the mixer whether it preserves the IDs provided by 
>>the sender or puts in artificial ones. 
>>The recipient can't tell which is the case.
>>
>>
>>>Which identity will the user put in the requested CPIM header? The 
>>>private (for peer-to-peer) or the public for the focus use? How the 
>>>receiving participant (which can be conference unaware as 
>>
>>well) will 
>>
>>>undertsand what kind of identity he is looking at?
>>
>>If there are multiple unsigned and unencrypted identities, 
>>then the recipient should probably display them all, or maybe 
>>none of them if it is untrusting. If some or all of the 
>>identities are signed, then it could choose to only display 
>>ones signed by somebody it trusts.
>>
>>	Paul
>>
>>
> 
> 
> _______________________________________________
> Simple mailing list
> Simple <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/simple
>
Permalink | Reply | 503 comments |
headers
Goeman Stefan | 8 Sep 2004 16:01
Picon

Device priority

Hello All,

I have a small question.
Suppose I have two devices, a laptop and a mobile phone with the same communication means ( they use same communication addresses). However, if both devices are active (and registered), I would like to receive IM on my laptop, and not on my phone.

Is there a way to express to express the priority of the laptop over the mobile phone for receiving IMs? I do not (immediately) find this in the relevant RFC and IDs.

The way I understand the format of the presence document (RFC3863) is that it groups a number of communication addresses (contact means + contact address), and these communication addresses are decoupled from the devices or user agents (which is not a bad idea I think).

 
Can someone enlighten my here?
Thanks in advance!

Greetings,

Stefan Goeman

_______________________________________________
Simple mailing list
Simple <at> ietf.org
https://www1.ietf.org/mailman/listinfo/simple
Permalink | Reply | 2 comments |
headers
Robert Sparks | 8 Sep 2004 17:20

Security Review of draft-ietf-simple-message-sessions-07

Folks:

At Ted's request, Sam Hartman performed a security review of the MSRP 
base specification.
Sam's identified some things we need to do, and several things we need 
to talk about.
The chairs, our technical advisor, or the editors of these drafts will 
be sending messages to
the list responding to these points individually over the next few 
days, either with proposed text
or starting a discussion on the topic.

Please read this carefully and send your comments to the list.

Thanks,

RjS

Begin forwarded message:

>> This document reviews draft-ietf-simple-message-sessions-07.txt.  That
>> document specifies the MSRP protocol.
>>
>> 			  Protocol Overview
>>
>> The MSRP protocol is a deceptively simple protocol for transporting
>> messages in an instant messaging session.  It provides two operations:
>> a send request and a report request.  Each request can generate a
>> response.    Each endpoint is defined by a MSRP URL.  The URL contains
>> the typical  host and port, as well as a resource that identifies the
>> specific destination of a message.  For example  if Alice and Bob are
>> talking, they will both have MSRP URLs corresponding to their
>> identities.  MSRP specifies the optional use of TLS for transport
>> level protection.
>>
>> However the security picture is actually a lot more complicated.
>> First, the knowledge of the MSRP URL serves as authentication and
>> authorization information.   Since clients do not typically have TLS
>> certificates, a server knows it is talking to the right party based on
>> the URL that party sends to and possibly based on the response URL
>> listed in the message.    The URLs are used for authorization in that
>> layers above MSRP deal with preventing spam  and so it is important
>> that only parties authorized to send messages have the MSRP URL.   So
>> MSRP URLs need to be chosen with a strong random component and if
>> message integrity  is desired, they need to be
>> transported with confidentiality.
>> SIP, the layer above MSRP is responsible for mapping SIP or CPIM URLs
>> into MSRP URLs to set up a message session.  This mapping is security
>> critical because users are probably going to add SIP or CPIM URLs to
>> their contact lists.  So, to securely establish a connection, the
>> combination of SIP and MSRP must securely map the user-entered URL to
>> an MSRP URL.
>>
>> MSRP also involves S/MIME and CPIM identities.  If S/MIME is used to
>> get end-to-end encryption then the names of the chosen certificates
>> must be verified.  If message/cpim entities are sent, then the from
>> and to fields in these messages must be matched.  Typically the cpim
>> identities will be instant inbox URLs although perhaps they could also
>> be SIP URLs in some cases.
>>
>> One final identity is important for MSRP security.  The MSRP
>> specification requires that if TLS is used, the server certificate be
>> for the hostname in the destination MSRP URL.  This requirement for
>> the TLS identity has important security implications.
>>
>>
>> 			Security Requirements
>>
>> The draft does not specify a set of security requirements.  IT seems
>> reasonable to refer back to RFC 2779 for security requirements for
>> this protocol.
>>
>> I explicitly choose to distinguish confidentiality protection at the
>> transport layer from end-to-end confidentiality/integrity protection.
>> RFC 2779 doesn't quite explicitly make this distinction, but it does
>> require both integrity protection and support for digital signatures.
>> This distinction seems reasonable for several reasons.  First, other
>> IM protocols including XMPP and APEX support both levels of
>> protection.  We've found with email that end-to-end encryption and
>> transport level encryption are both useful; it seems likely that we
>> will see the same thing with IM.
>>
>> I also introduce the concept of parties sharing a deployed
>> authentication infrastructure.  Ideally, we'd have some authentication
>> infrastructure we could use to exchange key material with anyone on
>> the Internet.  In practice, we do not yet have this level of security
>> integration.  However we should try to provide security in
>> environments where we can do so.  Note that it is not acceptable to
>> force people to deploy a new authentication infrastructure for your
>> protocol if they already have an adequate infrastructure for some
>> other purpose.  If you can work within that infrastructure, then you
>> significantly decrease deployment costs of making your protocol
>> secure.
>>
>> 1)  In order to provide integrity protection, the protocol must
>> describe how identifiers  entered by the user are securely mapped  to
>> identifiers  used in the protocol.  The protocol must describe
>> necessary verifications of these mappings that recipients of messages
>> need to perform  in order to make sure they all refer to the same 
>> principal.
>>
>> 2) When two parties share an appropriate authentication
>> infrastructure,then the protocol will provide a way for them to get
>> hop-by-hop confidentiality and integrity.
>>
>> 3) When two parties share an appropriate authentication
>> infrastructure, then the protocol will provide a mechanism for
>> end-to-end confidentiality and integrity.
>>
>> 4) Even when no authentication infrastructure is shared, the protocol
>> will provide  protection against passive attacks.
>>
>> 			 Security Evaluation
>>
>> This document does not define, nor as far as I can tell, reference a
>> concrete procedure for mapping an instant inbox (im: URL) to a SIP
>> URL.  If clients can enter in im: URLs, then the related protocols
>> must specify a mechanism for  securely performing this mapping.
>>
>> The protocol specifies how SDP is used to map SIP URLs to MSRP URLs.
>> I do not have enough information about practical SIP deployments to
>> know whether this mapping is secure in practice.    IT seems possible
>> to secure this mapping if the SDP information is encrypted.
>>
>> This document does not specify how to  validate the certificates
>> encrypted or signed messages.    How do I know that a particular
>> certificate corresponds to a particular principal?  Should it include
>> an im: URL, a sip: URL, an msrp: URL or some combination?  Where
>> should these addresses be placed?
>> If the MSRP protocol is used to transport message/cpim content, the
>> recipient needs to confirm that the sender address in the message/cpim
>> corresponds to the expected sender.  This is especially important in
>> the case of signed messages.   The protocol needs to specify a
>> procedure for securely mapping an im: URL found in  the message/cpim
>> to  the appropriate MSRP URL  to validate the sender.
>>
>> The assumption that certificates used for TLS authentication for MSRP
>> should belong to the host seems flawed.  This might be a reasonable
>> assumption for the relay mode, but seems incorrect for the
>> peer-to-peer mode of the protocol.  IN a peer-to-peer configuration,
>> there may be multiple instances of MSRP on a given host in
>> significantly different security domains.  It seems necessary to
>> authenticate MSRP, SIP ,r IM peers rather than to authenticate hosts.
>>
>>
>> In practice, MSRP does not provide transport security in the
>> peer-to-peer mode.  The protocol allows for the use of TLS.  However
>> the spec points out that MSRP peers are not expected to have TLS
>> certificates or stable hostnames for these certificates to be bound
>> to.  The lack of deployable transport security is a critical
>> deficiency in the peer-to-peer mode of
>>  of MSRP.  Transport security has proven an important part of securing
>> XMPP.    Most other message transport protocols in the IETF, including
>> IMAP, SMTP, XMPP and APEX support transport security.
>> The protocol provides support for S/MIME for end-to-end security.
>> This is adequate to meet requirement 3 if the certificate naming
>> issues are addressed.
>>
>> The protocol does not provide a mechanism to protect against passive
>> attacks unless sufficient authentication infrastructure is available
>> to use TLS.
>>
>> 			   Recommendations
>>
>> 1) Decide on procedures for mapping im: URLs to sip: URLs.  These
>>    procedures are not part of MSRP, but MSRP needs a normative
>>    reference to them.  Note that RFC 3861 does not really answer this
>>    question.  That specification tells  you what machine to talk to in
>>    order to deliver an instant message.  It does not tell you what
>>    sip: URL to present to that system.
>> 2) Clearly state guidelines for dealing with the identities of message
>>    recipients and senders in S/MIME messages and message/cpim
>>    messages.  Look at section 6 of draft-ietf-xmpp-e2e for examples of
>>    the types of things such guidelines need to say.
>>
>> 3)  Re-examine the decision to use msrp: URLs.  It is my understanding
>>     from the change history that previous versions of the draft simply
>>     used sip: URLs.  That would be much easier to deal with from a
>>     security standpoint.  If the working group does decide to use
>>     msrp: URLs, then  the mapping needs to be carefully considered.
>>
>> 4)  Reconsider the decision to split relay functionality into its own
>>     draft.  I agree that for many configurations it is impossible to
>>     get good transport security without relay operation.  Rather than
>>     relaxing the requirement for transport security, I believe that
>>     the working group should come to the conclusion that relay mode is
>>     an integral part of the protocol.   Also, the current split does
>>     not work well because authentication to a relay is different than
>>     authentication to a peer.  In authenticating to a relay, you are
>>     authenticating to a specific service running on a host.  However
>>     when you authenticate to a peer, you are authenticating to a
>>     specific IM principal.  The current draft does not properly handle
>>     this distinction  and I don't think a split proposal can easily do
>>     so.  Note that I have not evaluated the security of the relay
>>     proposal, but I have considered what security is possible to
>>     achieve given solutions to the relay problem.
>>
>> 5)  Support SASL authentication and security layers for transport
>>     security in addition to TLS.  This should be done for
>>     compatibility with the other IETF messaging protocols.  In
>>     addition, some SASL modes  such as digest-md5 or the user-to-user
>>     Kerberos mechanism could work well for peer-to-peer
>>     authentication.  Providing implementers with this flexibility
>>     would be good.
>>
>> 6) Support TLS in an anonymous mode  for protection against passive
>>    attacks.  It's easy to do this  given that you already support TLS
>>    and will provide  useful benefits.
>>
>> 7) Consider handling of messages that appear to come from the same
>>    sender but are delivered over paths with different security
>>    properties.  For example, Alice is in a conversation with
>>    im:bob <at> example.com over an MSRP session using both TLS and
>>    end-to-end S/MIME.  How should Alice's client handle a message
>>    coming in over a different MSRP session using a different MSRP URL
>>    for the sender if that sender also maps back to im:bob <at> example.com?
>>    When is this acceptable from a security standpoint?
>>
>>
>> 		     Architectural Considerations
>>
>> While reviewing a document for security considerations, one often runs
>> into issues unrelated to security.  I discovered two such issues with
>> this document:
>>
>> 1) No mechanism is provided for discovery of future extensions.
>>     However, section 12 anticipates that future IETF action may define
>>     such extensions.  Significant experience has shown me that you
>>     want at least minimal discovery in your protocol.  You want to be
>>     able to add a negotiation mechanism later and discover its
>>     presence.  I recommend that MSRP clearly specify behavior if a
>>     client  uses an undefined method.  I recommend that this behavior
>>     be sufficient  to discover whether the peer implements some method
>>     in the future.
>>
>> 2) Section 6 of RFC 3862 lists several application considerations that
>>    applications using RFC 3862 need to address.  RFC 3860 does not
>>    address these considerations so MSRP must do so in order to
>>    completely specify the use of message/cpim.
Permalink | Reply | 0 comments |

Gmane