*VidMid-VC-AuthN/Z Conference Call*
May 14, 2002
Steve Olshansky -- Internet2
Tom Barton -- Memphis
Samir Chatterjee -- CGU
Jill Gemmill -- UAB
Keith Hazelton -- Wisconsin
Bob Morgan -- Washington
Doug Sicker -- Colorado
Ann West -- EDUCAUSE/Internet2
- redefinition of goals -
After long and detailed discussion in a well-attended session at the Internet2 Member Meeting, the assembled decided that the problem as stated was difficult nearly to the point of intractability in the near term. Making a single authentication method that works with every client and across the full range of H.323 and SIP obstacles is an extremely difficult problem.
There was some discussion about what narrowing of scope or of goals would be sufficient to make the problem solvable in the immediate term. One way to do this is to look at anecdotes of current implementation workarounds in the wild as a basis for creating a more permanent solution. The group also raised the question of how much PKI could be assumed in a realistic model.
SIP seemed to the group like an interesting place to focus work, given the amount of effort being placed in the continuing evolution of the specs and abilities of the protocol. There was some dispute within the group whether it would be preferable to work alongside the vendors and creators of existing SIP clients, or to develop clients and proxies to demonstrate the proof of concept.
One quick suggestion was to develop a mechanism that places information into the registration database which SIP agents use, so that the user agent could start up using that information. Bob offered Pubcookie as an example of an application that could support this model: this WebISO system has users log on centrally, then exports a separate package of information about the user to an application server, which can use that information as though it had just authenticated the user itself.
Creation of a front-end which deposits information into a registration database may be a workable solution, and could work well in concert with other Internet2 projects. An intermediary system with a well-defined and flexible API would allow for this to be extensible and useful to other implementations.
Carrying this information from the database to the remote SIP proxy is simple; a signed XML package with the appropriate information can be sent as an S/MIME type and easily transported with current protocols. Bob expressed the inter-domain trust model by saying, "Here's Samir. The nice, trustworthy proxy at CGU says Bob wants to talk to you." This is fully supported by the protocol, and doesn't seem unreasonably insecure or complex. The assumption is that the remote proxy trusts the regional (home) source to assert accurately, not unlike the federated models being developed for other projects. [AI] Bob offered to find or produce a writeup of the wireless authentication Pubcookie application written at the University of Washington as an example of a direction development could go.
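As an added illustration of the inter-domain trust model sketched above (not code from the meeting or from any Internet2 project), the following simplified Python stands in an HMAC over a JSON body for the signed XML/S/MIME package: the home proxy signs "subject wants to talk to callee", and the remote proxy accepts it only if the signer is a known federation member, the signature verifies, the assertion is fresh, the issuer is asserting for one of its own users, and the callee is in the receiving domain. Domain names and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed per-domain secrets shared among federation members; a stand-in for the
# S/MIME signing keys the remote proxy would trust in the real design.
TRUSTED_DOMAINS = {
    "cgu.edu": b"constructed-secret-cgu",
    "washington.edu": b"constructed-secret-uw",
}

def sign_assertion(issuer, subject, callee, secret, now=None, ttl=300):
    """Home proxy: package 'subject wants to talk to callee' and sign it."""
    now = int(time.time()) if now is None else now
    body = {"issuer": issuer, "subject": subject, "callee": callee,
            "issued": now, "expires": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(mac).decode()

def verify_assertion(package, my_domain, now=None):
    """Remote proxy: return the asserted subject, or None if the package must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = package.split(".")
        payload = base64.b64decode(p64, validate=True)
        mac = base64.b64decode(m64, validate=True)
        body = json.loads(payload)
    except ValueError:          # malformed base64, JSON, or missing separator
        return None
    if not isinstance(body, dict):
        return None
    secret = TRUSTED_DOMAINS.get(body.get("issuer"))
    if secret is None:
        return None             # unknown regional source: no basis for trust
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None             # package altered in transit or wrongly signed
    if not (body.get("issued", now + 1) <= now < body.get("expires", 0)):
        return None             # stale or not-yet-valid assertion
    subject, callee = str(body.get("subject", "")), str(body.get("callee", ""))
    if subject.rpartition("@")[2] != body["issuer"]:
        return None             # a proxy may only vouch for its own users
    if callee.rpartition("@")[2] != my_domain:
        return None             # assertion was addressed to a different domain
    return subject
```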
1. [AI] 14-May-02 Bob offered to find or produce a writeup of the wireless authentication Pubcookie application written at the University of Washington as an example of a direction development could go.