2011/10/1 Olle E. Johansson <o...@edvina.net>:
> The SIP identity RFC 4474 talks about "SIP Domain certificates" but doesn't 
> really specify the syntax. There's a lot of text about them and parts are a 
> bit confusing, mixing "host name" with "domain". It mentions "subject alt 
> names" in one part, but not in the important parts that only talks about the 
> "Subject" of the certificate.
>
> The SIP domain certificates RFC approaches this (RFC 5922) but says clearly:
>
> The discussion in this document is pertinent to an X.509 PKIX-
>   compliant certificate used for a TLS connection; this document does
>   not define use of such certificates for any other purpose (such as
>   Secure/Multipurpose Internet Mail Extensions (S/MIME)).
>
>
> So this document does not update RFC 4474 because it only talks about TLS 
> connections, not certificates for domains for signing. It seems like the idea 
> is to have multiple certificates, which sounds impractical. One for HTTPS, 
> one for SIP/TLS and another one for SIP Identity.
>
> Shouldn't RFC 5922 really have updated RFC 4474 so we got a better 
> specification of the actual X.509v3/PKIX certificate used for Identity 
> headers?


Sure. Anyhow I've never seen a SIP "element" checking the
SubjectAltName entries in a certificate, most of them just inspect the
Subject (which requires having a separate certificate for each served
domain... even worse... a SIP TLS server listening on a single IP:port
can only present a single certificate).

But well... the TLS usage in SIP is... poor, as any other security
mechanism (SRTP, ICE...). And much better if we don't talk about the
disaster of the SIPS scheme!

Then WebRTC will mandate SRTP and ICE, and within next 2 years Firefox
19 will be safer (in the media plane) than any SIP phone in the world.
Sad. Lazy SIP vendors which are happy enough with their
pseudo-security based on walled gardens or intranets.

Nowadays that XMPP/Jingle requires ICE, it happens that ICE (which
*was* initially designed for SIP) is more used by XMPP clients (Gtalk)
than by SIP devices. So sad...

  "SIP, where security does not matter as we work in walled gardens
   or behind expensive SBC's".

  "SIP, not a secure protocol for Internet, use XMPP/Jingle instead please".

Bad, SIP vendors/implementors, very bad.

-1


-- 
Iñaki Baz Castillo
<i...@aliax.net>
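How the RFC 5922 identity rules the thread refers to play out, as an added example that is not code from the thread or from any SIP stack: the Cert class is a constructed stand-in for the parsed certificate fields, and the constructed sample certificate shows one certificate covering several SIP domains through subjectAltName, which is exactly what a Subject-only check cannot see.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate, reduced to the two fields
    RFC 5922 consults. san=None models a cert with no subjectAltName at all."""
    subject_cn: Optional[str]
    san: Optional[list] = None  # list of (GeneralName type, value) pairs

def _norm(domain: str) -> str:
    # RFC 5922 section 7.2: comparison is case-insensitive; drop a trailing dot.
    return domain.lower().rstrip(".")

def sip_domain_identities(cert: Cert) -> set:
    """Extract SIP domain identities as RFC 5922 section 7.1 describes:
    subjectAltName URI entries with a sip: scheme and no user part, plus
    dNSName entries. The subject CN is consulted only when the certificate
    has no subjectAltName extension (a SAN without SIP identities does NOT
    fall back to the CN)."""
    if cert.san is None:
        return {_norm(cert.subject_cn)} if cert.subject_cn else set()
    ids = set()
    for kind, value in cert.san:
        if kind == "dNSName":
            ids.add(_norm(value))
        elif kind == "URI" and value[:4].lower() == "sip:":
            host = value[4:]
            # A user part, port or URI parameter means this is not a bare
            # domain identity (assumption: reject rather than try to parse).
            if host and not any(c in host for c in "@:;?"):
                ids.add(_norm(host))
    return ids

def matches_sip_domain(cert: Cert, expected_domain: str) -> bool:
    """True if the certificate asserts exactly expected_domain. RFC 5922
    section 7.2 forbids wildcard matching, so '*.example.edu' never matches."""
    want = _norm(expected_domain)
    return any(ident == want and "*" not in ident
               for ident in sip_domain_identities(cert))

if __name__ == "__main__":
    # Constructed: one certificate serving two SIP domains via SAN.
    multi = Cert(subject_cn="sip.example.com",
                 san=[("URI", "sip:example.com"), ("dNSName", "example.net"),
                      ("URI", "sip:alice@example.org"), ("dNSName", "*.example.edu")])
    for d in ("example.com", "EXAMPLE.NET", "example.org", "sip.example.com"):
        print(d, matches_sip_domain(multi, d))
```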

_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
