Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cullen Jennings fluffy@cisco.com S/MIME Certificates Cullen Jennings fluffy@cisco.com.

Published bySherman Knight Modified over 6 years ago

Similar presentations

Presentation on theme: "Cullen Jennings fluffy@cisco.com S/MIME Certificates Cullen Jennings fluffy@cisco.com."— Presentation transcript:

1 Cullen Jennings fluffy@cisco.com
S/MIME Certificates Cullen Jennings

2 E2E SIP Security Requires S/MIME
In order to use S/MIME you need to discover certificates for your peers This is not Somebody Else’s Problem If there is no viable work to make certificates available in typical SIP deployments, we can’t base our security on it Strong, ubiquitous, identity is one of the best tools in dealing with SPAM

3 What the certs draft provides
No extra work on the part of the human using a UA No extra expense for end user certificates Enterprise only need to run a web commerce style web server A revocation mechanism that works

4 Mechanism a.com b.com 4 2 1 Caller Callee 3 Callee with address publishes public certificate at b.com Does with HTTPS PUT with Digest authentication Caller wants to call and gets the certificate from b.com Done with HTTPS GET. Caller encrypts stuff for Callee Uses S/MIME in SIP Callee fetches caller certificate (from a.com) to verify Caller certificate Uses HTTPS GET This is easier than - it is an online problem with no long term storage aspect

5 Analysis Callee Caller b.com 2 (HTTPS) 1 (HTTPS+Digest) 3 (S/MIME+SIP) Callee trusts it is talking to b.com because of the HTTPS certificate. B.com trusts it is bob because of the digest authentication. Transaction is privacy and integrity protected by HTTPS Caller trusts that it is talking to b.com because of HTTPS certificate and trusts the certificate for is really the right one for bob because it came from b.com S/MIME is used to encrypt data for Bob using the public key from the certificate for A similar scheme can be done in reverse so the caller can sign This is easier than - it is an online problem with no long term storage aspect

6 Relationship with Identity
Identity provides a mechanism to leverage the domains certificate for asserting identity Certs leverages the domains certificate to provide encryption and signing The key thing in Identity is that it describes how to describe certain assertions and put them in messages. It’s not as worried about getting the crypto credentials to do this other than it needs them. The key thing in Certs is getting the crypto credentials for S/MIME.

7 Relationship to PKIX & Sacred
This work uses the PKIX and SACRED frameworks and security Using SACRED to move private keys off the UA and onto the server could be done Generally poor form to have private keys floating around Will not work for FIPS compliant phones that need to keep the private key in tamper resistant hardware Certs has good security including revocation.

8 Next Steps - Pick one of below:
Security folks agree this will work from a security point of view. The SIPish folks need to decide if it is deployable. Move forward with this work Define transports, HTTP, XCAP, SIP, … Find an alternative way to use S/MIME Pursue some web of trust model? Abandon S/MIME Find an alternative way to meet the needs. Kerberos?

9 Questions for the WG Can we deprecate S/MIME?
Is it OK just saying every end user needs to buy a certificate and securely install it in all their devices? Do we have any other alternatives? What do we need to fix to move forward with this work?

Download ppt "Cullen Jennings fluffy@cisco.com S/MIME Certificates Cullen Jennings fluffy@cisco.com."

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
David L. Wasley Office of the President University of California Maybe it’s not PKI … Musings on the business case for PKI EDUCAUSEEDUCAUSE PKI Summit.

David L. Wasley Office of the President University of California Maybe it’s not PKI … Musings on the business case for PKI EDUCAUSEEDUCAUSE PKI Summit.
CAMP - June 4-6, 2003 1 Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin 2003. This work is the intellectual property of the authors.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
PRISM-PROOF Phillip Hallam-Baker Comodo Group Inc.

PRISM-PROOF Phillip Hallam-Baker Comodo Group Inc.
Cryptography 101 Frank Hecker

Cryptography 101 Frank Hecker
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.

The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
P2P SIP Names & Security Cullen Jennings

P2P SIP Names & Security Cullen Jennings
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Similar presentations

Ads by Google