[SIPForum-techwg] Interoperability Draft v3 - scope and conformance

Klaus Darilion klaus.mailinglists at pernau.at
Thu Dec 15 05:42:44 EST 2005


I'm not sure if I understand the problem correctly, but using the PKI 
model does not require well known CAs; it can also be used with self 
signed certificates.

E.g. the PBX/SIP Proxy should allow specifying the enterprise private 
key and certificate, and the trusted CA certs per service provider.

E.g. the enterprise imports the CA certificates of the service 
providers, and lets its public key be signed by the service provider's CA.

This way, the service provider and the enterprise have to support only one 
trust model (PKI, not SSH style) which can be used with well known CAs 
(VeriSign ... $$$) or with self signed certificates.

regards
klaus

Henry Sinnreich wrote:
>>should we make PKI a MUST?
> 
> 
> The sad track record of some of the IETF security approaches should make us
> skeptical of any standard that is not authored by practicing security
> developers themselves.
>  
> I would invite anyone on this list to share their _personal_ experience
> with PKI, some _personal_ war stories, before a decision is made. If no one
> comes forward with such personally experienced security implementations,
> then please just don't mention PKI any more, since we could not prove the
> assertion on why it is such a good idea, except shift the accountability to
> some reference standard document.
> 
> The right mental approach is if I cannot make it work myself - for my
> customers, there will soon be no paycheck.
> 
> My vote of confidence goes to the SIP certificate service
> http://www.ietf.org/internet-drafts/draft-ietf-sipping-certs-02.txt 
> 
> The SIP cert service relieves users from managing any certificates or indeed
> ever seeing a certificate.
> 
> Thanks, Henry
> 
> 
>  
> 
> -----Original Message-----
> From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On
> Behalf Of Jay Batson
> Sent: Wednesday, December 14, 2005 8:39 PM
> To: Alan Johnston; Horvath Ernst; SIP Forum Tech WG
> Subject: Re: [SIPForum-techwg] Interoperability Draft v3 - scope and
> conformance
> 
> Guys --
> 
> Regarding the snipped portion of the thread below.  I've been having  
> to work on security a bit in another domain, and seeing discussions  
> about why, when such good technology ideas are around for security,  
> so few of the "good" security solutions get deployed.
> 
> There is a camp that would say that pretty good security is better  
> than excellent if pretty-good is easier to deploy.  This is generally  
> brought up in the context of PKI, along with a complaint that getting  
> public key certificates set up "right" is just the tiniest bit more  
> of a nuisance than people are willing to spend time on.  So, few  
> people do it.
> 
> And SSH's "leap of faith" model is touted as a good-enough model that  
> doesn't require PKI, and has succeeded wildly.
> 
> Now granted, one could say that "SSH and Enterprise / SP connectivity  
> are different," and our application really needs PKI.  Or, maybe it's  
> mandated by the use of other choices we've made.
> 
> But my question is, should we make PKI a MUST?  Or, should it be a  
> SHOULD, and allow providers / enterprises to agree on an option that  
> allows something more like the SSH leap-of-faith model for  
> authentication?
> 
> I *could* be totally dumb here, and not realize how this technical  
> approach wouldn't apply / couldn't be done in this instance.  If so,  
> toss this out.
> 
> But, if not, should we allow for it?
> 
> -jb
> 
> 
> On Dec 13, 2005, at 12:00 PM, Alan Johnston wrote:
> 
>>>- Mandatory PKI support is implied by text on TLS, but the only
>>>reference related to PKI is RFC 2560 (OCSP). Why was this  
>>>particular one
>>>picked - an implementation can use other ways of checking a  
>>>certificate.
>>>Should other PKI RFCs be added as well?
>>>
>>>
>>
>>I don't agree that mandatory PKI support is required by this  
>>recommendation.  I do agree that the text only mentioning OCSP is  
>>not quite right.   I  think it should say something like the  
>>following:
>>
>>Certificates received over TLS MUST be verified and MAY be  
>>validated.  Verification steps include verifying that the  
>>certificate has not expired, that the issuing CA is one the PBX  
>>trusts, and finally that the subject of the certificate matches the  
>>server's host name or SIP URI.  Validation can be performed using a  
>>CRL, OCSP, or other approaches.
>>
>>If you agree with a statement such as the one above, are there any  
>>other PKI RFCs that need to be referenced?
> 
> 
> _______________________________________________
> techwg mailing list
> Send mail to: techwg at sipforum.org
> Unsubscribe or edit options at:  http://sipforum.org/mailman/listinfo/techwg
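
The trust model discussed in this thread (a self-signed private CA per service provider, and the three verification steps of expiry, trusted issuer and subject match) can be exercised with the openssl command line. This is an added example, not part of the original messages; the names sp-a, sp-b and pbx.enterprise.example are constructed placeholders.

```shell
#!/bin/sh
# Added example: private-CA PKI between service providers and an enterprise PBX.
# All names (sp-a, sp-b, pbx.enterprise.example) are constructed placeholders.
WORK=$(mktemp -d)

cat > "$WORK/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
subjectAltName = DNS:pbx.enterprise.example
EOF

# make_ca NAME: create a self-signed CA certificate; no commercial CA involved.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ssl.cnf" \
    -extensions ca_ext -subj "/CN=$1 private CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_pbx_cert CA: the enterprise creates a key and CSR, provider CA signs it.
issue_pbx_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ssl.cnf" \
    -subj "/CN=pbx.enterprise.example" \
    -keyout "$WORK/pbx.key" -out "$WORK/pbx.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/pbx.csr" -days 30 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/ssl.cnf" \
    -extensions leaf_ext -out "$WORK/pbx.pem" 2>/dev/null
}

# check_peer CA HOST [EPOCH]: the three verification steps in one call:
# validity period (at EPOCH, default now), issuer chains to the CA trusted
# for this peer, and the certificate subject matches HOST.
check_peer() {
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
    ${3:+-attime "$3"} "$WORK/pbx.pem" >/dev/null 2>&1
}

make_ca sp-a && make_ca sp-b && issue_pbx_cert sp-a

check_peer sp-a pbx.enterprise.example && echo "accepted: signed by sp-a CA"
check_peer sp-b pbx.enterprise.example || echo "rejected: sp-b CA did not sign it"
check_peer sp-a other.example          || echo "rejected: subject mismatch"
```

Revocation checking (CRL or OCSP) is a separate step and is not covered by this example.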