Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)

“…When MSRP is used with SIP, the Identity [17] and Certificates [25] mechanisms provide S/MIMEbased delivery of a secret between A and B. No SIP intermediary except the explicitly trusted authentication service (one per user) can see the secret.…”

“…When used with SDP and SIP, the correct certificate can be verified by passing a fingerprint of the certificate in the SDP and ensuring that the SDP has suitable integrity protection. When SIP is used to transport the SDP, the integrity can be provided by the SIP Identity mechanism [17]. The rest of this section describes the details of this approach.…”

“…When using SIP, the integrity of the fingerprint can be ensured through the SIP Identity mechanism [17]. When a client wishes to use SIP to set up a secure MSRP session with another endpoint, it sends an SDP offer in a SIP message to the other endpoint.…”

“…This offer includes, as part of the SDP payload, the fingerprint of the certificate that the endpoint wants to use. The SIP message containing the offer is sent to the offerer's SIP proxy, which will add an Identity header according to the procedures outlined in [17]. When the far endpoint receives the SIP message, it can verify the identity of the sender using the Identity header.…”

The Message Session Relay Protocol (MSRP)

“…When MSRP is used with SIP, the Identity [17] and Certificates [25] mechanisms provide S/MIMEbased delivery of a secret between A and B. No SIP intermediary except the explicitly trusted authentication service (one per user) can see the secret.…”

“…When used with SDP and SIP, the correct certificate can be verified by passing a fingerprint of the certificate in the SDP and ensuring that the SDP has suitable integrity protection. When SIP is used to transport the SDP, the integrity can be provided by the SIP Identity mechanism [17]. The rest of this section describes the details of this approach.…”

“…When using SIP, the integrity of the fingerprint can be ensured through the SIP Identity mechanism [17]. When a client wishes to use SIP to set up a secure MSRP session with another endpoint, it sends an SDP offer in a SIP message to the other endpoint.…”

“…This offer includes, as part of the SDP payload, the fingerprint of the certificate that the endpoint wants to use. The SIP message containing the offer is sent to the offerer's SIP proxy, which will add an Identity header according to the procedures outlined in [17]. When the far endpoint receives the SIP message, it can verify the identity of the sender using the Identity header.…”

The Message Session Relay Protocol (MSRP)

“…To mitigate identity theft in SIP networks, an inter-domain authentication mechanism based on certificates is proposed in RFC 4474 [10]. Unfortunately, the design of the certificate distribution in this mechanism yields some vulnerabilities.…”

SIP Proxies: New Reflectors in the Internet

The ECRIT Emergency Calling Architecture