Greetings. Robert Sparks mentioned to me that this document is in WG Last Call. I am familiar with PKIX and make these comments based on my knowledge of PKIX, not based on my small knowledge of SIP.
In general, this document seems fine. However, there are some points worth noting.

- Steve Kent's comment about domain names in the CN is right: there is no reason for this group to standardize on allowing domain names in CNs. We have found almost no CA software that in practice today will only put a domain name in the CN; those that even allow doing so (which thankfully is few) have an option for putting it in the subjectAltName. Because of this, I suggest taking out this option everywhere in the document; you'll get much better interoperability if you do.

- The logic in item 1 of section 7.1 is confusing. If there is no sip: URI, but there is a DNS name, why is accepting it a MAY? Shouldn't this be a MUST for interoperability? If it is only a MAY, where else would the relying party get a useful SIP host identity?

- The document incorrectly talks about Digest authentication as the only way that a SIP server running TLS can authenticate a client. Basic authentication is just as good in such a case, and has many properties that make it better than Digest when used under TLS. The document should only talk about HTTP authentication, not Digest or Basic.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
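The identity-selection order the message argues about (a sip: URI in subjectAltName first, then a dNSName, and no fallback to a domain name in the CN) as an added worked example. This is editor-supplied illustration code, not part of Paul Hoffman's message or of the draft under discussion. It uses only Go's standard library; the certificates are self-signed test data generated in-process, and the policy choices (a sips: scheme is accepted alongside sip:, a present-but-non-matching sip URI does not fall through to dNSName, wildcard dNSNames and IPv6 literals are not handled) are assumptions of the example, not something the draft specifies. Go's own `VerifyHostname` likewise ignores the CN, which is one data point for the interoperability argument above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ErrNoSIPIdentity: neither a sip: URI nor a dNSName in subjectAltName.
// The subject CN is deliberately never consulted (assumption of this example).
var ErrNoSIPIdentity = errors.New("no usable SIP host identity in subjectAltName")

// makeCert builds a self-signed certificate as constructed test data (not a
// real CA's output): cn goes in the subject, dnsNames/sipURIs in the SAN.
func makeCert(cn string, dnsNames, sipURIs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var uris []*url.URL
	for _, s := range sipURIs {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		uris = append(uris, u)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		URIs:         uris,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sipHost returns the lower-cased host of a sip:/sips: URI. url.Parse keeps a
// rootless URI body in Opaque ("user@host:port;params"), so strip userinfo,
// then port/parameters. IPv6 literals are not handled here.
func sipHost(u *url.URL) string {
	s := u.Opaque
	if s == "" {
		s = u.Host
	}
	if i := strings.LastIndex(s, "@"); i >= 0 {
		s = s[i+1:]
	}
	if i := strings.IndexAny(s, ":;?"); i >= 0 {
		s = s[:i]
	}
	return strings.ToLower(s)
}

// SIPIdentity returns the SAN entry binding cert to host: a matching sip:/sips:
// URI first, else a matching dNSName. A sip URI that names another host is an
// error rather than a fall-through; a CN-only certificate is rejected.
func SIPIdentity(cert *x509.Certificate, host string) (string, error) {
	want := strings.ToLower(strings.TrimSuffix(host, "."))
	var sipURIs []string
	for _, u := range cert.URIs {
		if u.Scheme != "sip" && u.Scheme != "sips" {
			continue
		}
		sipURIs = append(sipURIs, u.String())
		if sipHost(u) == want {
			return u.String(), nil
		}
	}
	if len(sipURIs) > 0 {
		return "", fmt.Errorf("sip URI SAN present but none names %q: %v", host, sipURIs)
	}
	for _, d := range cert.DNSNames {
		if strings.ToLower(strings.TrimSuffix(d, ".")) == want {
			return d, nil
		}
	}
	if len(cert.DNSNames) > 0 {
		return "", fmt.Errorf("dNSName SAN present but none names %q: %v", host, cert.DNSNames)
	}
	return "", ErrNoSIPIdentity
}

func main() {
	for _, c := range []struct {
		label, cn string
		dns, uris []string
	}{
		{"sip URI + dNSName", "proxy.example.com", []string{"proxy.example.com"}, []string{"sip:proxy.example.com"}},
		{"dNSName only", "Example Proxy", []string{"proxy.example.com"}, nil},
		{"CN only", "proxy.example.com", nil, nil},
	} {
		cert, err := makeCert(c.cn, c.dns, c.uris)
		if err != nil {
			panic(err)
		}
		id, err := SIPIdentity(cert, "proxy.example.com")
		fmt.Printf("%-18s -> id=%q err=%v\n", c.label, id, err)
	}
}
```

The third case is the one the message is about: a certificate whose only name is a domain in the CN yields `ErrNoSIPIdentity` and would be rejected, which is why a relying party written this way interoperates only with CAs that populate subjectAltName.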
