<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:courier,monaco,monospace,sans-serif;font-size:12pt">The hard part was getting the SRTP seamlessly integrated<br>into our RTP stack. We had 3 brands of phones to test<br>with while implementing and this was the only way<br>they all supported.<br><br>There is clearly a feud on how to exchange keys out there<br>and we will end up implementing each of them as they become <br>popular.<br><br>As a developer, I can only implement what I have to test<br>with. Do you know any devices that support MIKEY<br>to test against? There is an LGPL libmikey out there<br>so it's a strong possibility we can implement it<br>as long as we have a test bed and some indication that<br>it will be widely accepted and desired by people.<br><br><br><br><br><div> </div><div>Anthony Minessale II<br><br><span>FreeSWITCH <a target="_blank"
href="http://www.freeswitch.org/">http://www.freeswitch.org/</a></span><br><span>ClueCon <a target="_blank" href="http://www.cluecon.com/">http://www.cluecon.com/</a></span><br><br>AIM: anthm<br>MSN:anthony_minessale@hotmail.com<br>GTALK/JABBER/PAYPAL:anthony.minessale@gmail.com<br>IRC: irc.freenode.net #freeswitch</div><div><br>FreeSWITCH Developer Conference<br>sip:888@conference.freeswitch.org<br>iax:guest@conference.freeswitch.org/888<br>googletalk:conf+888@conference.freeswitch.org<br>pstn:213-799-1400</div><div style="font-family: courier,monaco,monospace,sans-serif; font-size: 12pt;"><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Original Message ----<br>From: Alois Komenda <alois.komenda@esk.fraunhofer.de><br>To: freeswitch-users@lists.freeswitch.org<br>Sent: Friday, January 25, 2008 6:20:19 AM<br>Subject: Re: [Freeswitch-users] MIKEY-Support<br><br>
How can you ever be sure TLS is really used end-to-end?<br>Even if TLS is used "end-to-end" i.e. on every hop, every involved
proxy can read your keys. <br><br>So if you can trust all proxies that route your messages, SDES is
secure.<br><br>--<br>Alois Komenda<br>Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK<br><br><br><br><br>-----Original Message-----<br>From: <a ymailto="mailto:freeswitch-users-bounces@lists.freeswitch.org" href="mailto:freeswitch-users-bounces@lists.freeswitch.org">freeswitch-users-bounces@lists.freeswitch.org</a>
[mailto:<a ymailto="mailto:freeswitch-users-bounces@lists.freeswitch.org" href="mailto:freeswitch-users-bounces@lists.freeswitch.org">freeswitch-users-bounces@lists.freeswitch.org</a>] On Behalf Of Brian
West<br>Sent: Friday, 25 January 2008 12:09<br>To: <a ymailto="mailto:freeswitch-users@lists.freeswitch.org" href="mailto:freeswitch-users@lists.freeswitch.org">freeswitch-users@lists.freeswitch.org</a><br>Subject: Re: [Freeswitch-users] MIKEY-Support<br><br>How on earth is it not secure? The keys are exchanged over a secure
TLS channel. That is secure. Read section 8.3 again.<br><br>"Thus, IT IS REQUIRED that MIME secure multiparts, IPsec, TLS, or some
other data security service be used to provide message authentication
for the encapsulating protocol that carries the SDP messages having a
crypto attribute (a=crypto)."<br><br>It does however say in 8.3<br><br>"When the communication path of the SDP message is routed through
intermediate systems that inspect parts of the SDP message, security
protocols such as [IPsec] or TLS SHOULD NOT be used for encrypting and/or
authenticating the security description."<br><br>This can clearly be seen: don't trust it if TLS isn't used end to end
for the sip signaling channel. SDES seems to be the most widely used
method at this point as you pointed out. I feel the security afforded by
using SDES + TLS is way more than you'll ever get elsewhere. We do
accept patches. ;)<br><br>/b<br><br>On Jan 25, 2008, at 12:15 AM, Alois Komenda wrote:<br><br>> I don't think SDES over TLS can be called secure. And according to
RFC <br>> 4568 this combination should not be used.<br>> (Anyway this seems to be the mostly used configuration at the
moment.)<br>><br>> Even if MIKEY is not a perfect solution for the problem, it provides
<br>> end-to-end security for keying material.<br>><br>> Regards<br>><br>> --<br>> Alois Komenda<br>> Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK<br><br><br>_______________________________________________<br>Freeswitch-users mailing list<br><a ymailto="mailto:Freeswitch-users@lists.freeswitch.org" href="mailto:Freeswitch-users@lists.freeswitch.org">Freeswitch-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></div><br></div></div><br>
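The disagreement in the thread turns on one fact about SDES (RFC 4568): the SRTP master key and salt travel inside the SDP as a base64 string in the a=crypto attribute, so every SIP hop that terminates TLS and parses the body can read them, which is why section 8.3 says TLS or IPsec do not protect the key when intermediaries inspect the SDP. The following script, an added example that is not part of the original thread and not FreeSWITCH code, parses a=crypto lines the way such an intermediary (or a pentester with a SIP trace) would and recovers the master key, master salt, lifetime, MKI and session parameters. The SDP body and the base64 key strings are constructed test values, not keys from any real call; the class and function names are this example's own.

```python
"""SDES (RFC 4568) key recovery from SDP: what every hop that can read the
signalling also learns about the media keys.

Added example for this thread, not FreeSWITCH code. The SDP body and the
base64 key strings below are constructed test values, not keys from a real
call. Class and function names are this example's own.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (master key length, master salt length) in bytes for the suites RFC 4568
# defines; key||salt is 30 bytes, i.e. 40 base64 characters, for all three.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

# Session parameters that switch off SRTP/SRTCP encryption or authentication.
WEAKENING_PARAMS = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}

# key-params grammar: "inline:" base64 ["|" lifetime] ["|" MKI ":" length]
_KEY_PARAM = re.compile(
    r"^inline:(?P<key>[A-Za-z0-9+/]+=*)"
    r"(?:\|(?P<lifetime>2\^\d+|\d+))?"
    r"(?:\|(?P<mki>\d+):(?P<mkilen>\d+))?$"
)
# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
_CRYPTO_LINE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class CryptoAttribute:
    tag: int
    suite: str
    master_key: bytes
    master_salt: bytes
    lifetime: Optional[str] = None
    mki: Optional[Tuple[int, int]] = None  # (MKI value, MKI length in bytes)
    session_params: List[str] = field(default_factory=list)


def parse_crypto_line(line: str) -> CryptoAttribute:
    """Parse one a=crypto line; reject unknown suites and wrong-length keys."""
    m = _CRYPTO_LINE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    tag, suite, key_params, rest = m.groups()
    if suite not in SUITES:
        raise ValueError("unknown crypto-suite %s" % suite)
    key_len, salt_len = SUITES[suite]
    # Several key-params may be listed, separated by ';'. The first is the
    # key in use when the session starts; the rest are MKI-indexed rotations.
    km = _KEY_PARAM.match(key_params.split(";")[0])
    if not km:
        raise ValueError("malformed key-params in %r" % line)
    b64 = km.group("key")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate dropped padding
    if len(raw) != key_len + salt_len:
        raise ValueError("%s needs %d key||salt bytes, got %d"
                         % (suite, key_len + salt_len, len(raw)))
    mki = None
    if km.group("mki") is not None:
        mki = (int(km.group("mki")), int(km.group("mkilen")))
    return CryptoAttribute(
        tag=int(tag), suite=suite,
        master_key=raw[:key_len], master_salt=raw[key_len:],
        lifetime=km.group("lifetime"), mki=mki,
        session_params=rest.split() if rest else [],
    )


def extract_srtp_keys(sdp: str) -> List[CryptoAttribute]:
    """Everything an intermediary that can read this SDP learns about the keys."""
    return [parse_crypto_line(l) for l in sdp.splitlines() if l.startswith("a=crypto:")]


def weakening_params(attr: CryptoAttribute) -> List[str]:
    """Session parameters on this attribute that disable SRTP protection."""
    return sorted(p.split("=", 1)[0] for p in attr.session_params
                  if p.split("=", 1)[0] in WEAKENING_PARAMS)


# Constructed offer: three suites, the second with two MKI-indexed keys and
# the third carrying a session parameter that turns off SRTCP encryption.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:4
a=crypto:2 F8_128_HMAC_SHA1_80 inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm|2^20|1:4;inline:QUJjZGVmMTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5|2^20|2:4
a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz KDR=1 UNENCRYPTED_SRTCP
"""

if __name__ == "__main__":
    for a in extract_srtp_keys(SAMPLE_SDP):
        print("tag %d %s key=%s salt=%s lifetime=%s mki=%s weakened=%s" % (
            a.tag, a.suite, a.master_key.hex(), a.master_salt.hex(),
            a.lifetime, a.mki, weakening_params(a) or "-"))
```

Run against a captured INVITE body (or a B2BUA's own offer) this prints the master key and salt in hex for every suite offered; nothing beyond base64 decoding is needed, which is the whole of Alois's objection. The length check matters in practice: a key-params value that decodes to anything other than 30 bytes for these suites is malformed, and a phone that accepts it is a bug worth noting during interop testing. The session-parameter check flags offers that silently drop SRTCP or SRTP protection, another thing a proxy in the path could inject into an SDP it is allowed to rewrite.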
</body></html>