[asterisk-security] Pinemango -- Authorization API

Johansson Olle E oej at edvina.net
Sat Oct 11 14:01:46 CDT 2008


I must say that I'm a bit shocked by the lack of interest on this  
topic. I can agree that it may not be part of the
Pinemango project itself, but I would not accept Pinemango inclusion  
without a proper API in the Asterisk core.

The fact that Russell, who's the current maintainer of Asterisk, votes  
for taking authorization out of the
picture is very disappointing to me.

For a long time, we've discussed enhancing manager, agi and cli  
confidentiality, authentication and
authorization. We've added TLS to the manager and http server as a  
first step, and I've seen some
work on the CLI.

To build a new API that exposes even more than we do in the current  
API, and removing
security mechanisms from the picture means that we make Asterisk less  
secure than it is today.

That can't be the goal of the project .

"Asterisk 1.6.x - now with less security than any previous release.  
More fun, more possibilities!"

Well, if that's the goal I'll be happy to rip out the broken TLS  
implementation in chan_sip... ;-)
(couldn't resist that last part, my apologies)

/O



More information about the asterisk-security mailing list