Dean Willis wrote:
I've been informed that despite what I incorrectly thought, transitive
signing doesn't require any modification to RFC 4474.
The 4474 spec requires that the subject of the cert used to sign
correspond to the domain of the From. This is different from requiring
that the common names match. So any SBC can re-sign anything at any
time and break nothing, at the expense of some crypto work.
So, let's say [EMAIL PROTECTED] calls [EMAIL PROTECTED] Nostrum's AS might
sign Adam's INVITE. Cisco's SBC might verify the signature, munge the
fields, mint itself a cert with a subject of "nostrum.com" (using its
well-known Nostrum CA key to sign that cert!) , and then sign the
request (replacing the Nostrum signature) using the new cert. Then
[EMAIL PROTECTED] would verify Cisco's signature, and transitive trust is
created. Of course this doesn't say anything about why Michael should
trust that signature, although in this simplest case the rationale is
obvious. But for a 3rd service provider "in the middle", it is much
less obvious.
I've been informed that the above is also completely wrong. So I'm going
to shut up until I can beat the truth out of somebody.
And we wonder why implementors have trouble with our specs!
--
Dean
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
