On Tue, 2009-11-03 at 15:18 -0500, Dale Worley wrote:
> We're starting to talk about supporting TLS. I suspect that this means
> support for communication between the enterprise and remote phones and
> ITSPs using TLS. What do we need to support this at the high level?
> Presumably we need some way to get certificates into the phones, and to
> exchange certificates with ITSPs. This could easily become a deployment
> nightmare if we don't have a well-designed way to handle all this.

'Support for TLS' could encompass many things. I think that the first
ones we should do are:

     A. Support for outgoing TLS connections to other proxies, with
        required mutual authentication of the SIP domain or host name in
        the certificates.
     B. Support for incoming TLS connections from other proxies, with
        mutual authentication of the SIP domains. This allows
        site-to-site authenticated connections between sipXecs systems.
     C. Support for incoming TLS connections at the proxy without
        authentication of the client (for phones that do not have
        certificates but can use TLS for signaling confidentiality).

A & B will require that we be at least able to load new CA certificates.

I don't think that we need to either:

     I. Fully support 'sips' URLs (which imply a requirement that all
        signalling end-to-end is secured).
    II. Support authentication of individual user address certificates.

_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
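
An added sketch of the checks behind cases A, B and C above; it is not code from this message or from sipXecs. All function names are hypothetical, and the matching policy (subjectAltName only, sip: URIs without a user part, no wildcards) is an assumption rather than something the thread specifies.

```python
import ssl

def server_context(require_peer_cert, certfile=None, keyfile=None, cafile=None):
    """Listener context: True = case B (peer proxies), False = case C (phones)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        ctx.load_verify_locations(cafile)  # loading a new CA certificate
    ctx.verify_mode = ssl.CERT_REQUIRED if require_peer_cert else ssl.CERT_NONE
    return ctx

def _sip_uri_host(uri):
    """Host of a sip: URI that has no user part, else None."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "sip":
        return None
    rest = rest.split(";", 1)[0].split("?", 1)[0]  # drop URI params and headers
    if "@" in rest or rest.startswith("["):
        return None  # user address (item II above) or IPv6 literal: not a domain
    host = rest.rsplit(":", 1)[0] if ":" in rest else rest  # drop the port
    return host.lower().rstrip(".") or None

def cert_sip_domains(peercert):
    """Domain identities in a dict shaped like ssl.SSLSocket.getpeercert()."""
    names = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS" and "*" not in value:  # assumption: wildcards rejected
            names.add(value.lower().rstrip("."))
        elif kind == "URI":
            host = _sip_uri_host(value)
            if host:
                names.add(host)
    return names

def peer_matches_domain(peercert, domain):
    """Cases A and B: the verified peer cert must name the SIP domain in use."""
    return domain.lower().rstrip(".") in cert_sip_domains(peercert)

# Constructed sample, in the format getpeercert() returns after verification.
SAMPLE_PEER = {"subjectAltName": (
    ("URI", "sip:example.com"), ("DNS", "sipx1.example.com"),
    ("URI", "sip:alice@example.org"), ("DNS", "*.example.net"),
)}

if __name__ == "__main__":
    for d in ("example.com", "example.org", "host.example.net"):
        print(d, peer_matches_domain(SAMPLE_PEER, d))
```

The domain check is meant to run after the TLS handshake has already validated the certificate chain against the loaded CAs; on its own it proves nothing about the peer.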