On Tue, 2009-12-01 at 11:06 -0500, Paul Mossman wrote:
> Bob wrote:
> > > http://track.sipfoundry.org/browse/XX-6961, we need sipXbridge to add
> > > a signed X-Sipx-Authidentity header to TLS calls it presents to the
> > > proxy, containing the appropriate special trusted peer user id
> > > configured for that connection.
> > > I am trying to understand what the relationship is here.
> > > Does it make sense to add the peer user id into each itsp-account
> > > section of sipxbridge.xml, as follows?
> > > 
> > >   <itsp-account>
> > >     <itsp-proxy-domain>othertrusteddomain.com</itsp-proxy-domain>
> > >     <itsp-proxy-address>othertrusteddomain.com</itsp-proxy-address>
> > >     <peer-user>~~peer~othertrusteddomain.com</peer-user>
> > > 
> > > How many of these special peer users do we expect to have?
> > > Just one (in which case we have one ~~peer~trusteddomain special user)
> > > or one per "peer system configured" (in which case we have something
> > > like ~~peer~<peer>). Any other suggestions for XML tag name or sipx user
> > > id?
> > 
> > I'd say that peers should be on a per-ITSP-account basis.
> > Also, two distinct ITSP accounts should be allowed to use the
> > same peer.
> 
> Looking at XX-6398...  The authenticated peer system may be another
> instance of sipXecs, in which case the 'border element' will be
> sipXproxy, and not sipXbridge.
> 
> I think the sipXbridge approach is as follows:
> - Add a central location to add/delete/modify "Authenticated Peer
> Identities".
> - Add a "Use Authenticated Peer Identity" property to SIP Trunk,
> allowing one of these identities to be selected.  (sipXbridge will
> attach a corresponding X-Sipx-Authidentity to each incoming call that
> passes mutual TLS authentication.)
> 
> What is the approach for sipXproxy?  i.e. Is it able to determine which
> peer identity to use as it does TLS authentication?
> 
> Would the same peer identity ever be used for both a remote sipXecs
> system and an ITSP?

No, but since the associations are the same, we might want to make the
configuration common (one file used by both).  What we need to associate
is a TLS subject identifier with an internal ~~id~<something> identity.
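As an added example (not code from this thread or from sipXecs), the association described above: a lookup from the TLS subject identifier of a mutually authenticated peer to the configured `~~peer~<domain>` identity, producing an X-Sipx-Authidentity value only when both the TLS check and the lookup succeed. The XML is a constructed extension of the sipxbridge.xml fragment quoted earlier (two accounts sharing one peer, one account with no peer), and the HMAC signature is an assumed stand-in, not sipXecs's actual header signing scheme.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sipxbridge.xml fragment following the <itsp-account>/<peer-user>
# shape from the thread. Two accounts deliberately share one peer identity;
# the third has no <peer-user> and so must never get an asserted identity.
CONFIG_XML = """
<sipxbridge-config>
  <itsp-account>
    <itsp-proxy-domain>othertrusteddomain.com</itsp-proxy-domain>
    <itsp-proxy-address>othertrusteddomain.com</itsp-proxy-address>
    <peer-user>~~peer~othertrusteddomain.com</peer-user>
  </itsp-account>
  <itsp-account>
    <itsp-proxy-domain>sip.othertrusteddomain.com</itsp-proxy-domain>
    <itsp-proxy-address>othertrusteddomain.com</itsp-proxy-address>
    <peer-user>~~peer~othertrusteddomain.com</peer-user>
  </itsp-account>
  <itsp-account>
    <itsp-proxy-domain>untrusted.example</itsp-proxy-domain>
    <itsp-proxy-address>untrusted.example</itsp-proxy-address>
  </itsp-account>
</sipxbridge-config>
"""

# Constructed demo key shared between bridge and proxy; assumed, not sipX's.
SIGNING_KEY = b"constructed-demo-key"


def load_peer_map(xml_text: str) -> Dict[str, str]:
    """Map each ITSP proxy domain (the TLS subject identifier the peer's
    certificate is expected to present) to its configured peer user."""
    peers: Dict[str, str] = {}
    for acct in ET.fromstring(xml_text).findall("itsp-account"):
        domain = acct.findtext("itsp-proxy-domain")
        peer = acct.findtext("peer-user")
        if domain and peer:
            peers[domain.strip().lower()] = peer.strip()
    return peers


def assert_peer_identity(peer_map: Dict[str, str], tls_subject: str,
                         mutual_tls_ok: bool, key: bytes) -> Optional[str]:
    """Return the X-Sipx-Authidentity value for a call that arrived over TLS,
    or None when no identity may be asserted. The identity is taken only from
    the configuration keyed by the verified TLS subject, never from the
    request itself. The HMAC tag is an assumed format, not sipX's real one."""
    if not mutual_tls_ok:
        return None
    identity = peer_map.get(tls_subject.strip().lower())
    if identity is None:
        return None
    tag = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()
    return f"{identity};signature={tag}"
```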



_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/