Hi Eron,
For the server, TLS is more for the data transport security than client authentication. Client authentication is done at the application layer by challenging the user (this happens if the SIP message didn't contain correct credentials). I think the certificates cannot be associated with an IP address. Certificates are assigned to an entity by a trusted CA. When we verify the certificate, we'll have to verify whether the certificate presented by the peer is signed by the trusted CA. It need not be verified against any IP address, because certificates are not assigned to IP addresses but to some functional entities.

regards,
Shetti

"Eron Stein" <[EMAIL PROTECTED]> on 03/11/2003 06:37:32 PM
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: (bcc: Shrinivas Shetti/HSSBLR)
Subject: [Sipping] TLS and sip messages

Hi,

I want to implement SIP over TLS and I have encountered a problematic question. The question concerns a situation where an incoming connection has to be authenticated with TLS, that is, a TLS handshake with client certificates. (That might be the situation between two proxies.)

As I understand it, the side that initiated the connection has no problem authenticating the certificate, since it knows the connection's desired destination and can compare that destination address to the addresses found in the certificate. The problem is with the side that receives the connection (the server). What domain name/IP should that proxy use to check if the certificate matches the connection address?

One possibility is to check the certificate against the source address of the incoming connection; that option might be problematic if the certificate contains an FQDN rather than a specific IP address. Another possibility is to wait for the first message on the connection and compare the host field from the Via header to the common name in the certificate.

I would appreciate any comments, ideas or real-world implementation data on the matter.

Regards,
Eron Stein.
_______________________________________________
Sipping mailing list
https://www1.ietf.org/mailman/listinfo/sipping
_______________________________________________
Sip-implementors mailing list
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
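The two checks Eron weighs for the receiving proxy (match the certificate against the TCP source address, or against the sent-by host of the first request's top Via header) can be put side by side in code. The block below is an added illustration written for this page; it is not code from either poster or from any SIP stack. It assumes the TLS layer has already done the part Shetti describes (the handshake ran with client certificates required and the chain was validated against the trusted CA), and it takes the peer certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns after such a handshake. The SIP request and the certificates are constructed samples; the host names, addresses and the function names are illustrative assumptions.

```python
import ipaddress
import re

# Constructed sample: first request received on an inbound TLS connection
# between two proxies. Top Via carries an FQDN, the second an IPv6 literal.
SAMPLE_INVITE = (
    "INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy.atlanta.example.com:5061;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/TLS [2001:db8::1]:5061;branch=z9hG4bKnashds8\r\n"
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@biloxi.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns once a
# handshake run with verify_mode=ssl.CERT_REQUIRED has validated the chain
# against the trusted CA. (With no cert, or a failed check, there is no dict.)
PEER_CERT_FQDN_ONLY = {
    "subject": ((("commonName", "proxy.atlanta.example.com"),),),
    "subjectAltName": (("DNS", "proxy.atlanta.example.com"),
                       ("DNS", "*.atlanta.example.com")),
}
PEER_CERT_WITH_IP = {
    "subject": ((("commonName", "proxy.atlanta.example.com"),),),
    "subjectAltName": (("DNS", "proxy.atlanta.example.com"),
                       ("IP Address", "192.0.2.10")),
}
PEER_CERT_CN_ONLY = {  # legacy certificate without any subjectAltName
    "subject": ((("commonName", "proxy.atlanta.example.com"),),),
}

_VIA_RE = re.compile(r"^(?:Via|v):\s*SIP/2\.0/(\w+)\s+(\[[^\]]+\]|[^\s;:]+)",
                     re.IGNORECASE)


def top_via_sent_by_host(message: str) -> str:
    """Return the host of the topmost Via sent-by, lower-cased, IPv6 brackets stripped."""
    for line in message.split("\r\n"):
        m = _VIA_RE.match(line)
        if m:
            return m.group(2).strip("[]").lower()
    raise ValueError("no Via header in message")


def cert_identities(cert: dict):
    """Split the certificate's names into dNSName patterns and iPAddress entries.

    subjectAltName is authoritative; the subject CN is consulted only when the
    certificate carries no DNS SAN at all (the usual fallback rule).
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName; a wildcard is accepted only as the entire leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(head) and sep == "." and "." + rest == pattern[1:]
    return False


def host_matches_cert(host: str, cert: dict) -> bool:
    """Check a sent-by host or source address against the validated peer cert.

    An IP literal matches only an iPAddress SAN, never a dNSName or the CN, so
    a certificate that names an FQDN alone cannot be matched against the TCP
    source address: exactly the case the thread is worried about.
    """
    dns, ips = cert_identities(cert)
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        return addr in ips
    return any(dns_name_matches(p, host.lower()) for p in dns)


def check_inbound_connection(message: str, cert: dict, peer_ip: str) -> dict:
    """Run both checks from the thread and report each result separately."""
    via_host = top_via_sent_by_host(message)
    return {
        "via_host": via_host,
        "via_matches": host_matches_cert(via_host, cert),
        "source_ip_matches": host_matches_cert(peer_ip, cert),
    }


if __name__ == "__main__":
    print(check_inbound_connection(SAMPLE_INVITE, PEER_CERT_FQDN_ONLY, "192.0.2.10"))
```

Run against the FQDN-only certificate and a source address of 192.0.2.10, the Via check succeeds and the source-address check fails, which is the mismatch Eron describes; the same address succeeds only when the certificate carries a matching iPAddress SAN. Which result a proxy treats as sufficient is policy, left out of the block on purpose.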
