[core] draft-ietf-core-resource-directory-13
Hannes Tschofenig
2018-04-04 13:28:26 UTC
Hi all,

I have a remark for the RD draft: Section 5.3 defines the registration procedure and indicates that the endpoint name is "mostly mandatory".

I would prefer it to be defined as "optional". Section 8.1 highlights the security issues with using this unauthenticated identifier quite nicely. However, it comes up with a strange conclusion IMHO. Here is what it says:

"
Therefore, Endpoints MUST include the Endpoint identifier in the
message, and this identifier MUST be checked by a resource directory
to match the Endpoint identifier included in the Registration
message.
"

I would argue that under normal operation there is no reason to include the endpoint name since it is not authenticated and there will be a security protocol used (which offers authenticated endpoint identification). For this reason I would argue that the endpoint name has to be optional and I prefer that it is stated that it will be used only for debugging purposes or for those cases where the identifiers used in the security protocol are insufficient for endpoint identification.

Ciao
Hannes

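To make the two positions above concrete, here is an added illustration (not code from the RD draft, its authors, or any RD implementation) of the endpoint-name handling on the RD side. It models only the "ep" parameter of a registration request such as POST /rd?ep=node1&lt=3600 and a caller-supplied authenticated identity taken from the security protocol (for example a DTLS PSK identity or a certificate subject); the transport, the response codes chosen for each failure, the 63-byte length bound and the behaviour for unauthenticated registrations are assumptions made for this example. With ep_required=True it implements the Section 8.1 text (ep MUST be present and MUST match); with ep_required=False it implements the proposal in this mail (ep optional, derived from the security identity when absent, and still checked when present).

```python
from urllib.parse import parse_qs

# Assumed upper bound on the endpoint name; check the draft's own limit.
MAX_EP_LEN = 63


class RegistrationRejected(Exception):
    """Registration refused; .code is the CoAP response code the RD would send."""

    def __init__(self, code, reason):
        super().__init__(f"{code} {reason}")
        self.code = code
        self.reason = reason


def parse_query(query):
    """Split a CoAP Uri-Query string such as 'ep=node1&lt=3600' into a dict.

    Each registration parameter may appear at most once; a repeated
    parameter is treated as a malformed request (assumption of this example).
    """
    out = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if len(values) != 1:
            raise RegistrationRejected("4.00", f"parameter {key!r} given more than once")
        out[key] = values[0]
    return out


def resolve_endpoint_name(query, authenticated_identity, ep_required):
    """Decide which endpoint name a registration is stored under.

    authenticated_identity: the peer identity established by the security
      protocol (DTLS PSK identity, certificate subject, ...), or None when the
      registration arrived without authentication.
    ep_required: True models Section 8.1 of the draft (ep mandatory and
      checked); False models the proposal that ep is optional.

    Returns (endpoint_name, verified) where verified says whether the name was
    bound to an authenticated identity rather than merely asserted by the client.
    """
    params = parse_query(query)
    ep = params.get("ep")

    if ep is None:
        if ep_required:
            raise RegistrationRejected("4.00", "ep parameter missing")
        if authenticated_identity is None:
            raise RegistrationRejected("4.01", "no ep and no authenticated identity to derive it from")
        # Optional-ep mode: the security protocol already identified the endpoint.
        return authenticated_identity, True

    if ep == "" or len(ep.encode("utf-8")) > MAX_EP_LEN:
        raise RegistrationRejected("4.00", "ep parameter empty or too long")

    if authenticated_identity is not None:
        # Section 8.1 check: the asserted name must match the authenticated one.
        if ep != authenticated_identity:
            raise RegistrationRejected("4.03", "ep does not match authenticated identity")
        return ep, True

    # Unauthenticated registration: the name cannot be checked, so it is stored
    # as unverified (policy assumed here; a stricter RD would reject instead).
    return ep, False


def handle_registration(query, authenticated_identity, ep_required=True):
    """Return (response_code, endpoint_name, verified); 2.01 Created on success."""
    try:
        name, verified = resolve_endpoint_name(query, authenticated_identity, ep_required)
    except RegistrationRejected as err:
        return err.code, None, False
    return "2.01", name, verified


if __name__ == "__main__":
    # Constructed sample registrations; the identity is what DTLS would report.
    samples = [
        ("ep=node1&lt=3600", "node1", True),    # matches: accepted
        ("ep=node2&lt=3600", "node1", True),    # spoofed name: refused
        ("lt=3600", "node1", True),             # ep mandatory mode: refused
        ("lt=3600", "node1", False),            # ep optional mode: derived from identity
        ("ep=node1&lt=3600", None, True),       # no security protocol: stored unverified
    ]
    for query, identity, required in samples:
        print(query, identity, required, "->", handle_registration(query, identity, required))
```

The point the example makes is that once the security protocol identifies the endpoint, the ep parameter adds no information the RD can trust on its own: it is either redundant (it must equal the authenticated identity) or an unverified claim, which is why treating it as optional in the authenticated case costs nothing.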
Christian Amsüss
2018-04-13 15:26:03 UTC
Post by Hannes Tschofenig
I have a remark for the RD draft: Section 5.3 defines the registration
procedure and indicates that the endpoint name is "mostly mandatory".
I would prefer it to be defined as "optional".
I agree; this is being discussed in the other thread[1].
Post by Hannes Tschofenig
I would argue that under normal operation there is no reason to
include the endpoint name since it is not authenticated and there will
be a security protocol used (which offers authenticated endpoint
identification).
Yes, I forgot to update the security considerations when introducing the
"mostly" to mandatory. Taken to our issue tracker[2], fix postponed
pending the outcome of the other thread.

Thanks
Christian

[1]: https://mailarchive.ietf.org/arch/msg/core/kNGJgkIQF7ZqXLYJFNq4LGXuBs0
[2]: https://github.com/core-wg/resource-directory/issues/119
--
There's always a bigger fish.
-- Qui-Gon Jinn