At Wed, 26 Mar 2008 10:16:08 -0700,
Paul Hoffman wrote:
>
> Greetings. Robert Sparks mentioned to me that this document is in WG
> Last Call. I am familiar with PKIX and make these comments based on
> my knowledge of PKIX, not based on my small knowledge of SIP.
>
> In general, this document seems fine. However, there are some points
> worth noting.
>
> - Steve Kent's comment about domain names in the CN is right: there
> is no reason for this group to standardize on allowing domain names
> in CNs. We have found almost no CA software that in practice today
> will only put a domain name in the CN; those that even allow doing so
> (which thankfully is few) have an option for putting it in the
> subjectAltName. Because of this, I suggest taking out this option
> everywhere in the document; you'll get much better interoperability
> if you do.

So, I have no brief for one design or the other, but I think
we can agree that it's imperative that this work with certs
from commodity CAs. Has someone published a survey of which
CAs will give you SAN?

> - The document incorrectly talks about Digest authentication as the
> only way that a SIP server running TLS can authenticate a client.
> Basic authentication is just as good in such a case, and has many
> properties that make it better than Digest when used under TLS. The
> document should only talk about HTTP authentication, not Digest or
> Basic.

SIP is not HTTP, and does not support Basic authentication. See S 28.1
of RFC 3261:

   o  Basic authentication has been removed entirely and its usage
      forbidden.

-Ekr
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip