[SIPForum-techwg] Feedback on bootstrapping

Henning Schulzrinne hgs at cs.columbia.edu
Sun Sep 28 12:45:21 EDT 2008 

Some thoughts on my action items:

On Aug 18, 2008, at 9:32 AM, Elwell, John wrote:
>
>
> - Henning Schulzrinne will examine the needs for configuring basic
> UI devices (username, password, domain).

I re-checked what RFC 3261 says about the Digest parameters,
particularly "realm" and "username". Currently, there are SHOULD-
strength recommendations that the former be the service provider
domain and the latter the user part of the REGISTER URL. I think that
the SIP Forum recommendation should strengthen and clarify this. There
are roughly two cases:

- User is signing up with a web-based provider and gets a user name
and password, as in sip:alice at example.com or sip:2125551234 at example.com

In that case, the username parameter MUST be 'alice' (or 2125551234,
without any spaces or hyphens) and the 'realm' example.com (rather
than, say, server1.example.com, sip:server1.example.com or some other
variation).

- For WWW-Authenticate, the "domain" parameter needs to be specified.
As far as I can tell, RFC 3261 is silent on the content, but it needs
to be a URI. It should contain the host part of the SIP URI, as in
sip:example.com. (It is unclear whether this would change to sips: .
That also needs to be determined.)

(Btw, RFC 3261 has a bug in that Proxy-Authenticate contains a domain
parameter, which RFC 2617 says is to be ignored...)

- However, this doesn't work well for tel URLs since the number at domain
format is hard to explain to users. This leads to the next item below.

>
>
> - Henning Schulzrinne will examine the needs for no-UI devices.

I would suggest the following for ATA-style devices:

- The password MUST be numeric and be at least N digits long.
(Guessability is not a major concern since one can relatively easily
limit retries to some small number for the same IP address.)

- The username in Digest is the telephone number. (E.164 with country
code is RECOMMENDED.)

- The new part: since the phone number does not give you the proxy
server/registrar/PSD to contact, we need a third piece of information
that identifies the carrier. The easiest method is to use the ITAD
(http://www.iana.org/assignments/trip-parameters/
), as this is a free registry that already has close to a 1000 entries.

A user would then be prompted by the device to enter, using the
numeric keypad, to enter three numbers: his phone number, the PIN and
the phone company number. I think that's reasonably easy to
understand. (The latter is somewhat similar to the 1010 prefixes that
used to be popular in the US for dial-around services.)

What's missing is a mechanism to map the ITAD to a configuration
server. Ideally, IANA would operate this, as in

333.itad.iana.org

but there may be other mechanisms, including the SIP Forum.

I have considered the use of ENUM, but I suspect that some people may
object to being able to determine who my phone company is. ENUM could
be used if the third number is a "customer service" number for the
service provider, which would then lead to an ENUM lookup.

Longer term, I think it would be helpful to define a common method for
using USB sticks to transfer crypto credentials to non-GUI devices.
That would primarily require nailing down file formats and file names.
This basic method has worked reasonably well for setting up no-
password configuration for ssh and I would suggest something very
similar. In that model, the user simply clicks on a link, downloads a
file, copies the file to the memory stick and plugs the memory stick
into the phone.

Henning

More information about the techwg mailing list