On Apr 21, 2013, at 6:27 AM, Olle E. Johansson <[email protected]> wrote:

> Hi!
>
> Looking at the DANE SRV draft with my SIP eyes I realize that there's a lot
> of work to be done to get this to work with SIP.

Thank you.

> SIP has no StartTLS, we use NAPTR records to select transport. The NAPTR
> points to a SRV name that resolves into a set of host names.
>
> The SIP Domain certificates RFC - http://tools.ietf.org/html/rfc5922 -
> specifies matching a given SIP URI with a certificate. The matching is done
> on service domain either with an ALT name URI, like sip:ietf.org, or a DNS
> name, like ietf.org - but not the host name.
>
> I personally agree with the policy in the DANE SRV draft that we should match
> on the SRV hostname used to get A/AAAA records when using DNSsec. For this to
> work, the path from the SIP URI over NAPTR to SRV and hostnames needs to be
> fully signed and verified in the DNS. This is going to require an update
> to 5922.
>
> The final question is how to handle this without SNI. The certificates for
> both DANE verification and RFC 5922 plus "old-style" verification with the
> sip domain in the CN seem like a complicated mess to manage.
>
> Food for thought on a sunny Sunday.
>
> The SRV draft is not clear on how to use Subject AltNames of various types,
> and doesn't mention NAPTR. I am not personally aware of other protocols using
> this setup, so maybe this requires a very SIP specific draft,

So, when we were writing the DANE protocol document we decided to describe
the general case and that there would likely be a whole set of "How to do
DANE with $foo protocol" documents. Your mail backs up that decision, and
also sounds like you are volunteering to start the "How to do DANE with SIP"
draft...

> following the wake of the smtp work.

or, better yet, in parallel with the smtp work? :-)

W

> /O
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

-- 
"Go on, prove me wrong. Destroy the fabric of the universe. See if I care."
-- Terry Pratchett
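The resolution chain Olle describes (SIP domain -> NAPTR -> SRV -> host, with DANE matching on the SRV target only when every DNS step is DNSSEC-secure, and RFC 5922 service-domain matching otherwise) is sketched below as an added example. It is not code from this thread or from any DANE or SIP implementation: the zone records, the `secure` flags standing in for a validating resolver's result, the `sip_tls_targets` function and the TLSA digest placeholder are all constructed for illustration. Real DNSSEC validation, TLSA usage/selector semantics and the certificate comparison itself are out of scope; the block only decides which name a verifier would be entitled to match against, and where it would look for the TLSA record.

```python
"""Walk SIP NAPTR -> SRV -> host over a constructed in-memory DNS snapshot
and decide, per target, whether DANE matching on the SRV hostname is allowed.

Added example, not code from the dane list thread. The zone data, the
`secure` flags and the TLSA digest are constructed; a real client would get
the secure/insecure status from a validating resolver (AD bit or local
validation) and would still have to compare the certificate itself."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    rdata: tuple   # record tuples; layout depends on the record type
    secure: bool   # constructed stand-in for "DNSSEC-validated" status


# Constructed zone snapshot. Key: (owner name, record type).
# example.org: fully signed chain, TLSA only published for sip1.
# example.net: NAPTR signed but SRV *unsigned*, TLSA present anyway.
ZONE = {
    ("example.org", "NAPTR"): RRset(
        rdata=((50, 50, "s", "SIPS+D2T", "", "_sips._tcp.example.org"),
               (90, 50, "s", "SIP+D2T", "", "_sip._tcp.example.org")),
        secure=True),
    ("_sips._tcp.example.org", "SRV"): RRset(
        rdata=((10, 60, 5061, "sip1.example.org"),
               (10, 40, 5061, "sip2.example.org")),
        secure=True),
    ("_5061._tcp.sip1.example.org", "TLSA"): RRset(
        rdata=((3, 1, 1, "PLACEHOLDER-SHA256-OF-SPKI"),), secure=True),
    ("example.net", "NAPTR"): RRset(
        rdata=((50, 50, "s", "SIPS+D2T", "", "_sips._tcp.example.net"),),
        secure=True),
    ("_sips._tcp.example.net", "SRV"): RRset(
        rdata=((10, 100, 5061, "sip.example.net"),), secure=False),
    ("_5061._tcp.sip.example.net", "TLSA"): RRset(
        rdata=((3, 1, 1, "PLACEHOLDER-SHA256-OF-SPKI"),), secure=True),
}


def sip_tls_targets(service_domain: str) -> list:
    """Return one entry per SIPS SRV target describing how the TLS
    certificate must be matched:
      mode "dane": chain NAPTR+SRV was secure and a secure TLSA exists, so
                   the reference identifier is the SRV target hostname;
      mode "pkix": anything else, so fall back to matching the SIP service
                   domain as RFC 5922 describes (no DANE)."""
    targets = []
    naptr = ZONE.get((service_domain, "NAPTR"))
    if naptr is None:
        return targets
    for _order, _pref, _flags, service, _regexp, replacement in sorted(naptr.rdata):
        if service != "SIPS+D2T":   # only the TLS transport is of interest here
            continue
        srv = ZONE.get((replacement, "SRV"))
        if srv is None:
            continue
        # The thread's point: every step from the SIP domain to the SRV target
        # must be signed before the target hostname may be trusted as the name
        # to match. An unsigned NAPTR or SRV could have been substituted.
        chain_secure = naptr.secure and srv.secure
        # Deterministic order for the example: priority, then target name
        # (real clients pick among equal priorities by weight).
        for _prio, _weight, port, target in sorted(srv.rdata, key=lambda r: (r[0], r[3])):
            tlsa_owner = f"_{port}._tcp.{target}"
            tlsa = ZONE.get((tlsa_owner, "TLSA"))
            if chain_secure and tlsa is not None and tlsa.secure:
                targets.append({"host": target, "port": port, "mode": "dane",
                                "reference_id": target, "tlsa_owner": tlsa_owner})
            else:
                targets.append({"host": target, "port": port, "mode": "pkix",
                                "reference_id": service_domain, "tlsa_owner": None})
    return targets


if __name__ == "__main__":
    for domain in ("example.org", "example.net"):
        for entry in sip_tls_targets(domain):
            print(domain, entry)
```

The example.net case is the one worth noticing: a TLSA record is published and even signed, but because the SRV step that named the host was unsigned, the client has no secure link from the SIP domain to that host and must not match on it; it falls back to service-domain matching. That is exactly why the update to RFC 5922 the thread mentions needs the whole NAPTR/SRV path under DNSSEC, not just the TLSA record.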
