Dropping in late here ...

Olle, I think you're misunderstanding the role of DANE here.  Regardless of
the SRV strategy, there's no need to update RFC 5922.  DANE just binds a
cert to a name; it doesn't say what needs to go in that cert.  So just like
RFC 6125 didn't need to change for general TLS services, RFC 5922 doesn't
need to change for SIP.  DANE might make some of the things in RFC 5922
redundant (since you've got two ways to say what domain you're bound to),
but that's not something that urgently needs to be changed.

--Richard




On Sun, Apr 21, 2013 at 6:27 AM, Olle E. Johansson <[email protected]> wrote:

> Hi!
>
> Looking at the DANE SRV draft with my SIP eyes I realize that there's a
> lot of work to be done to get this to work with SIP.
>
> SIP has no StartTLS, we use NAPTR records to select transport. The NAPTR
> points to a SRV name that resolves into a set of host names.
>
> The SIP Domain certificates RFC - http://tools.ietf.org/html/rfc5922 -
> specifies matching a given SIP URI with a certificate. The matching is
> done on service domain either with an ALT name URI, like sip:ietf.org or
> a DNS name, like ietf.org - but not the host name.
>
> I personally agree with the policy in the DANE SRV draft that we should
> match on the SRV hostname used to get A/AAAA records when using DNSSEC.
> For this to work, the path from the SIP URI over NAPTR to SRV and
> hostnames needs to be fully signed and verified in the DNS. This is
> going to require an update to 5922.
>
> The final question is how to handle this without SNI. The certificates
> for both DANE verification and RFC 5922 plus "old-style" verification
> with the sip domain in the CN seems like a complicated mess to manage.
>
> Food for thought on a sunny Sunday.
>
> The SRV draft is not clear on how to use Subject AltNames of various
> types, and doesn't mention NAPTR. I am not personally aware of other
> protocols using this setup, so maybe this requires a very SIP specific
> draft, following the wake of the smtp work.
>
> /O
>
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
>
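Editor's note, added after the thread and not part of either author's message: the exchange above turns on two different "reference identifiers" a SIP client might accept in a server certificate. RFC 5922 matches the SIP service domain (a URI SAN like sip:example.com or a dNSName of the domain, not the host), while the DANE SRV policy Olle describes matches the SRV target host name, and only when the NAPTR and SRV hops were DNSSEC-validated. The Python below models that NAPTR -> SRV -> host -> TLSA walk over a small constructed zone and shows which identifiers each policy yields, including the failure mode where the SRV answer is unsigned. All records, names, addresses, the TLSA data and the "secure" flags are made up for the example; nothing queries real DNS, record shapes are simplified, and the `_<port>._tcp.<host>` TLSA owner name and the AD-bit style `secure` flag are assumptions about how a validating resolver would report the chain.

```python
# Added illustration of the SIP resolution chain discussed in the thread.
# Not code from the thread, the DANE SRV draft or any SIP stack. All zone
# data below is constructed; no real DNS is queried.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Answer:
    records: List           # simplified rdata tuples
    secure: bool            # assumption: True when the validating resolver set AD

# Constructed zone data keyed by (owner name, rrtype).
ZONE: Dict[Tuple[str, str], Answer] = {
    # NAPTR: (order, preference, flags, service, replacement)
    ("example.com", "NAPTR"): Answer([(10, 10, "s", "SIPS+D2T", "_sips._tcp.example.com")], True),
    # SRV: (priority, weight, port, target host)
    ("_sips._tcp.example.com", "SRV"): Answer([(0, 0, 5061, "sip1.hosting.example.net")], True),
    ("sip1.hosting.example.net", "AAAA"): Answer(["2001:db8::1"], True),
    # TLSA: (usage, selector, matching type, hex data); usage 3 = DANE-EE
    ("_5061._tcp.sip1.hosting.example.net", "TLSA"): Answer([(3, 1, 1, "ab" * 32)], True),
    # A second domain whose SRV lives in an unsigned zone (failure mode)
    ("insecure.example", "NAPTR"): Answer([(10, 10, "s", "SIPS+D2T", "_sips._tcp.insecure.example")], True),
    ("_sips._tcp.insecure.example", "SRV"): Answer([(0, 0, 5061, "sip.insecure.example")], False),
    ("sip.insecure.example", "AAAA"): Answer(["2001:db8::2"], False),
}

def lookup(name: str, rtype: str) -> Answer:
    """Constructed stand-in for a DNS query; missing names are insecure and empty."""
    return ZONE.get((name, rtype), Answer([], False))

@dataclass
class Target:
    domain: str          # the SIP service domain from the URI
    host: str            # SRV target host used for A/AAAA
    port: int
    tlsa_name: str       # assumed TLSA owner name: _<port>._tcp.<host>
    chain_secure: bool   # NAPTR and SRV hops both DNSSEC-validated

def resolve_sip(domain: str) -> Target:
    """NAPTR -> SRV -> host, the way a SIP UA picks transport (no StartTLS).
    The name binding only counts as secure if every hop that produced the
    host name (NAPTR, SRV) was validated; the address records are not part
    of the name binding, so they do not affect chain_secure here."""
    naptr = lookup(domain, "NAPTR")
    # Simplified selection: first record offering SIPS over TLS
    _order, _pref, _flags, _service, srv_name = next(
        r for r in naptr.records if r[3] == "SIPS+D2T")
    srv = lookup(srv_name, "SRV")
    _prio, _weight, port, host = sorted(srv.records)[0]
    secure = naptr.secure and srv.secure
    return Target(domain, host, port, f"_{port}._tcp.{host}", secure)

def reference_identifiers(t: Target) -> Dict[str, List[Tuple[str, str]]]:
    """Names the client may accept in the server certificate, per policy.
    rfc5922: the service domain, as a URI SAN or dNSName, never the host.
    dane_srv: the SRV target host, only when the chain and TLSA are secure."""
    ids = {"rfc5922": [("URI", f"sip:{t.domain}"), ("DNS", t.domain)],
           "dane_srv": []}
    tlsa = lookup(t.tlsa_name, "TLSA")
    if t.chain_secure and tlsa.secure and tlsa.records:
        ids["dane_srv"] = [("DNS", t.host)]
    return ids

def cert_matches(cert_sans: List[Tuple[str, str]],
                 ids: Dict[str, List[Tuple[str, str]]]) -> Dict[str, bool]:
    """cert_sans: (SAN type, value) pairs. Case-insensitive exact match;
    no wildcard handling, which RFC 5922 also disallows for SIP identities."""
    present = {(k, v.lower()) for k, v in cert_sans}
    return {policy: any((k, v.lower()) in present for k, v in names)
            for policy, names in ids.items()}

if __name__ == "__main__":
    for domain in ("example.com", "insecure.example"):
        t = resolve_sip(domain)
        ids = reference_identifiers(t)
        host_cert = [("DNS", t.host)]                       # hosting provider's cert
        domain_cert = [("URI", f"sip:{domain}"), ("DNS", domain)]  # RFC 5922-style cert
        print(domain, "->", t.host, "secure:", t.chain_secure)
        print("  host-only cert :", cert_matches(host_cert, ids))
        print("  domain cert    :", cert_matches(domain_cert, ids))
```

The point the model makes concrete is Olle's "complicated mess": a hosting provider's certificate naming only the SRV target host satisfies the DANE SRV policy but fails RFC 5922 matching, a certificate naming only the customer's SIP domain does the reverse, and when the SRV hop is unsigned the host name cannot be trusted at all, leaving only the RFC 5922 identifiers. A real client would additionally verify the TLSA record against the presented certificate and would fetch the zone data with a validating resolver rather than from a dictionary.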