On 22 Apr 2013, at 23:33, Warren Kumari <[email protected]> wrote:

> On Apr 21, 2013, at 6:27 AM, Olle E. Johansson <[email protected]> wrote:
>
>> Hi!
>>
>> Looking at the DANE SRV draft with my SIP eyes I realize that there's a lot
>> of work to be done to get this to work with SIP.
>
> Thank you.
>
>> SIP has no StartTLS, we use NAPTR records to select transport. The NAPTR
>> points to a SRV name that resolves into a set of host names.
>>
>> The SIP Domain certificates RFC - http://tools.ietf.org/html/rfc5922 -
>> specifies matching a given SIP URI with a certificate. The matching is done
>> on service domain either with an ALT name URI, like sip:ietf.org or a DNS
>> name, like ietf.org - but not the host name.
>>
>> I personally agree with the policy in the DANE SRV draft that we should
>> match on the SRV hostname used to get A/AAAA records when using DNSsec. For
>> this to work, the path from the SIP URI over NAPTR to SRV and hostnames
>> needs to be fully signed and verified in the DNS. This is going to require
>> an update to 5922.
>>
>> The final question is how to handle this without SNI. The certificates for
>> both DANE verification and RFC 5922 plus "old-style" verification with the
>> sip domain in the CN seem like a complicated mess to manage.
>>
>> Food for thought on a sunny Sunday.
>>
>> The SRV draft is not clear on how to use Subject AltNames of various types,
>> and doesn't mention NAPTR. I am not personally aware of other protocols
>> using this setup, so maybe this requires a very SIP specific draft,
>
> So, when we were writing the DANE protocol document we decided to describe
> the general case and that there would likely be a whole set of "How to do
> DANE with $foo protocol" documents.
>
> Your mail backs up that decision, and also sounds like you are volunteering
> to start the "How to do DANE with SIP" draft...

Well, I started with trying to map the area and gather data.
The RAI area wants this work to be done in the sipcore working group and
there is a discussion going on (based on the same e-mail) in the RAI
dispatch wg.

>> following the wake of the smtp work.
>
> or, better yet, in parallel with the smtp work? :-)

Right. :-) There is also work going on with XMPP that is similar to SIP, so
there are many drafts to digest.

/O

> W
>
>> /O
>>
>> _______________________________________________
>> dane mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dane
>
> --
> "Go on, prove me wrong. Destroy the fabric of the universe. See if I care."
> -- Terry Pratchett
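The NAPTR -> SRV -> host-name chain that the thread describes, and the two competing matching policies (RFC 5922's service-domain names versus the DANE SRV draft's SRV target host name), are easier to reason about with the lookups written out. The following is an added example, not code from this thread, from the DANE SRV draft or from any SIP implementation. It walks constructed zone data for a hypothetical example.com, tracks whether each hop was DNSSEC-validated (a `secure` flag standing in for the resolver's AD bit), and reports for every SRV target the TLSA owner name a DANE client would query and the names a certificate would have to carry under each policy. The `_port._tcp.host` TLSA naming and the SIPS+D2T NAPTR service tag are assumptions drawn from the DANE SRV draft and RFC 3263; weighted SRV selection is deliberately omitted.

```python
from dataclasses import dataclass

# Constructed zone data for a hypothetical example.com SIP service (not real DNS).
# Each record set carries a "secure" flag standing in for a validated DNSSEC chain
# (the resolver's AD bit): host-name matching is only meaningful when every hop
# from the SIP domain down to the host name is secure, as the thread points out.
ZONE = {
    ("example.com", "NAPTR"): {"secure": True, "rrs": [
        # order, preference, flags, service, regexp, replacement
        (10, 50, "S", "SIPS+D2T", "", "_sips._tcp.example.com"),
        (20, 50, "S", "SIP+D2U", "", "_sip._udp.example.com"),
    ]},
    ("_sips._tcp.example.com", "SRV"): {"secure": True, "rrs": [
        # priority, weight, port, target
        (10, 60, 5061, "sip1.example.com"),
        (10, 40, 5061, "sip2.example.com"),
    ]},
    ("sip1.example.com", "A"): {"secure": True, "rrs": ["192.0.2.10"]},
    # sip2 lives in an unsigned zone: the chain to it cannot be validated
    ("sip2.example.com", "A"): {"secure": False, "rrs": ["192.0.2.11"]},
}


@dataclass
class SipTarget:
    host: str
    port: int
    tlsa_name: str              # where a DANE client would query for TLSA records
    dane_match_names: list      # names the certificate must carry under DANE-SRV policy
    rfc5922_match_names: list   # names the certificate must carry under RFC 5922 policy
    chain_secure: bool          # NAPTR, SRV and host-name lookups all DNSSEC-validated


def lookup(zone, name, rtype):
    """Return (secure, records) for a name/type pair from the constructed zone."""
    entry = zone.get((name, rtype))
    if entry is None:
        raise LookupError(f"no {rtype} record for {name}")
    return entry["secure"], entry["rrs"]


def resolve_sip_tls_targets(zone, sip_domain):
    """Walk NAPTR -> SRV -> host name for the TLS transport of a SIP domain
    (RFC 3263 style) and report what each matching policy would check."""
    naptr_secure, naptrs = lookup(zone, sip_domain, "NAPTR")
    # Prefer TLS over TCP (SIPS+D2T), lowest order then lowest preference first.
    tls = sorted((r for r in naptrs if r[3] == "SIPS+D2T"), key=lambda r: (r[0], r[1]))
    if not tls:
        raise LookupError(f"{sip_domain} advertises no SIPS+D2T transport")
    srv_name = tls[0][5]
    srv_secure, srvs = lookup(zone, srv_name, "SRV")
    targets = []
    # Order by SRV priority only; real clients also do weighted selection.
    for _priority, _weight, port, host in sorted(srvs, key=lambda r: r[0]):
        host_secure, _addrs = lookup(zone, host, "A")
        targets.append(SipTarget(
            host=host,
            port=port,
            tlsa_name=f"_{port}._tcp.{host}",
            dane_match_names=[host],
            rfc5922_match_names=[f"sip:{sip_domain}", sip_domain],
            chain_secure=naptr_secure and srv_secure and host_secure,
        ))
    return targets


if __name__ == "__main__":
    for t in resolve_sip_tls_targets(ZONE, "example.com"):
        policy = "DANE host-name match usable" if t.chain_secure else "fall back to RFC 5922 / PKIX"
        print(f"{t.host}:{t.port}  TLSA at {t.tlsa_name}  -> {policy}")
```

Running it shows the asymmetry the thread worries about: sip1.example.com has a fully validated chain, so a client can look up `_5061._tcp.sip1.example.com` and match the certificate against the host name, while sip2.example.com breaks the chain at the host-name step and can only be verified against the service-domain names (`sip:example.com`, `example.com`) that RFC 5922 prescribes, which is exactly why a single server certificate ends up having to carry both kinds of name.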
