[SIPForum-techwg] Interoperability Draft v3 - scope and conformance
Alan Johnston
ajohnston at tello.com
Thu Dec 15 12:39:26 EST 2005
My understanding is the same as Klaus. Perhaps we need some clarifying
text in the document which says this.
Thanks,
Alan Johnston
sip:ajohnston at tello.com
Klaus Darilion wrote:
> I'm not sure if I understand the problem correctly, but using the PKI
> model does not require well known CAs, it can also be used with self
> signed certificates.
>
> E.g. the PBX/SIP Proxy should allow specifying the enterprise private
> key and certificate, and the trusted CA certs per service provider.
>
> E.g. the enterprise imports the CA certificates of the service
> providers, and lets its public key be signed by the service provider's CA.
>
> This way, the service provider and the enterprise have to support only
> one trust model (PKI, not SSH style) which can be used with well known
> CAs (verisign ... $$$) or with self signed certificates.
>
> regards
> klaus
>
> Henry Sinnreich wrote:
>
>>> should we make PKI a MUST?
>>
>>
>>
>> The sad track record of some of the IETF security approaches should make us
>> skeptical of any standard that is not authored by practicing security
>> developers themselves.
>>
>> I would invite any one on this list to share their _personal_ experience
>> with PKI, some _personal_ war stories, before a decision is made. If not one
>> comes forward with such personally experienced security implementations,
>> then please just don't mention PKI any more, since we could not prove the
>> assertion on why it is such a good idea, except shift the accountability to
>> some reference standard document.
>>
>> The right mental approach is if I cannot make it work myself - for my
>> customers, there will soon be no paycheck.
>>
>> My vote of confidence goes to the SIP certificate service
>> http://www.ietf.org/internet-drafts/draft-ietf-sipping-certs-02.txt
>> The SIP cert service relieves users from managing any certificates or indeed
>> ever seeing a certificate.
>>
>> Thanks, Henry
>>
>>
>>
>>
>> -----Original Message-----
>> From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On Behalf Of Jay Batson
>> Sent: Wednesday, December 14, 2005 8:39 PM
>> To: Alan Johnston; Horvath Ernst; SIP Forum Tech WG
>> Subject: Re: [SIPForum-techwg] Interoperability Draft v3 - scope and conformance
>>
>> Guys --
>>
>> Regarding the snipped portion of the thread below. I've been having
>> to work on security a bit in another domain, and seeing discussions
>> about why, when such good technology ideas are around for security,
>> so few of the "good" security solutions get deployed.
>>
>> There is a camp that would say that pretty good security is better
>> than excellent if pretty-good is easier to deploy. This is
>> generally brought up in the context of PKI, along with a complaint
>> that getting public key certificates set up "right" is just the
>> tiniest bit more of a nuisance than people are willing to spend time
>> on. So, few people do it.
>>
>> And SSH's "leap of faith" model is touted as a good-enough model
>> that doesn't require PKI, and has succeeded wildly.
>>
>> Now granted, one could say that "SSH and Enterprise / SP
>> connectivity are different," and our application really needs PKI.
>> Or, maybe it's mandated by the use of other choices we've made.
>>
>> But my question is, should we make PKI a MUST? Or, should it be a
>> SHOULD, and allow providers / enterprises to agree on an option that
>> allows something more like the SSH leap-of-faith model for
>> authentication?
>>
>> I *could* be totally dumb here, and not realize how this technical
>> approach wouldn't apply / couldn't be done in this instance. If so,
>> toss this out.
>>
>> But, if not, should we allow for it?
>>
>> -jb
>>
>>
>> On Dec 13, 2005, at 12:00 PM, Alan Johnston wrote:
>>
>>>> - Mandatory PKI support is implied by text on TLS, but the only
>>>> reference related to PKI is RFC 2560 (OCSP). Why was this particular one
>>>> picked - an implementation can use other ways of checking a certificate.
>>>> Should other PKI RFCs be added as well?
>>>>
>>>>
>>>
>>> I don't agree that mandatory PKI support is required by this
>>> recommendation. I do agree that the text only mentioning OCSP is
>>> not quite right. I think it should say something like the
>>> following:
>>>
>>> Certificates received over TLS MUST be verified and MAY be
>>> validated. Verification steps include verifying that the
>>> certificate has not expired, that the issuing CA is one the PBX
>>> trusts, and finally that the subject of the certificate matches the
>>> server's host name or SIP URI. Validation can be performed using a
>>> CRL, OCSP, or other approaches.
>>>
>>> If you agree with a statement such as the one above, are there any
>>> other PKI RFCs that need to be referenced?
>>
>>
>>
>> _______________________________________________
>> techwg mailing list
>> Send mail to: techwg at sipforum.org
>> Unsubscribe or edit options at:
>> http://sipforum.org/mailman/listinfo/techwg
>>
>
>
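The verification steps in Alan Johnston's proposed text, combined with the per-service-provider CA configuration Klaus Darilion describes, sketched in Python as an added example (not code from the thread or from the SIP Forum draft). The function names, the `provider.example` names and the sample certificate dicts are constructed; the dicts follow the shape returned by `SSLSocket.getpeercert()`, and revocation checking (the MAY part: CRL, OCSP) is not covered.

```python
import ssl

def context_for_provider(ca_pem_path):
    """TLS client context that trusts only the CA file configured for one provider."""
    # Passing cafile means the system-wide CA bundle is NOT loaded, so a private
    # or self-signed provider CA is handled exactly like a commercial one.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem_path)
    # Chain validation stays on (CERT_REQUIRED); identity is checked after the
    # handshake by check_peer_cert(), which accepts host name OR SIP URI.
    ctx.check_hostname = False
    return ctx

def check_peer_cert(cert, host, sip_uri, now):
    """Return the list of failed checks for a getpeercert()-style dict."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    san = cert.get("subjectAltName", ())
    dns_names = {value.lower() for kind, value in san if kind == "DNS"}
    uris = {value for kind, value in san if kind == "URI"}
    # Exact match only; wildcard names are deliberately not accepted here.
    if host.lower() not in dns_names and sip_uri not in uris:
        problems.append("subject matches neither host name nor SIP URI")
    return problems

# Constructed sample certificates (not taken from any real deployment).
SAMPLE_OK = {
    "notBefore": "Jan 01 00:00:00 2005 GMT",
    "notAfter": "Jan 01 00:00:00 2007 GMT",
    "subjectAltName": (("DNS", "sip.provider.example"),
                       ("URI", "sip:provider.example")),
}
SAMPLE_EXPIRED = dict(SAMPLE_OK, notBefore="Jan 01 00:00:00 2003 GMT",
                      notAfter="Jan 01 00:00:00 2005 GMT")
SAMPLE_WRONG_NAME = dict(SAMPLE_OK, subjectAltName=(("DNS", "sip.other.example"),))

# Constructed "current time" for the checks below.
NOW = ssl.cert_time_to_seconds("Dec 15 12:00:00 2005 GMT")

if __name__ == "__main__":
    for label, cert in (("ok", SAMPLE_OK), ("expired", SAMPLE_EXPIRED),
                        ("wrong name", SAMPLE_WRONG_NAME)):
        print(label, check_peer_cert(cert, "sip.provider.example",
                                     "sip:provider.example", NOW))
```

In a deployment the PBX would call `context_for_provider()` once per configured service provider and run `check_peer_cert()` on the dict from `getpeercert()` after each handshake.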