[SIPForum-techwg] draft v04 - certificate validate

Bernard Aboba bernard_aboba at hotmail.com
Mon Apr 6 23:13:39 EDT 2009


The latest S-Channel (and OpenSSL) code bases do support OCSP.  

That said, in most specifications (e.g. RFC 5216), OCSP support is no better than a SHOULD. 


> From: spencer at wonderhamster.org
> To: fluffy at cisco.com; SBharrat at sonusnet.com
> Date: Mon, 6 Apr 2009 17:58:31 -0500
> CC: techwg at sipforum.org
> Subject: Re: [SIPForum-techwg] draft v04 - certificate validate
> 
> So are we saying that we should remove this text?
> 
> Just trying to understand...
> 
> Thanks,
> 
> Spencer
> 
> > Even worse, let's imagine hypothetically that none of the major PBX
> > vendors ship this in the mainstream products in the next 3 years. That
> > means no one is compliant for 3 years. If that happens, it seems like
> > the whole compliance idea will just basically fail.
> >
> > On Feb 20, 2009, at 5:39 AM, Bharrat, Shaun wrote:
> >
> >>>
> >>>> I'm curious. Do many SIP-PBX implementations (or SPs for
> >>> that matter)
> >>>> actually support CRLs or OCSP?
> >>>
> >>> No, most (all?) don't.
> >>>
> >>>> Is this setting the bar too high?
> >>> No, I don't think it is.
> >>
> >> So by definition everybody starts off being
> >> SIPConnect 1.1 non-compliant (even if they are currently
> >> 1.0 compliant)?
> >>
> >> With my vendor-hat on, I'm not particularly enamored.
> >>
> >> Cheers,
> >> Shaun
> >>
> >>> -----Original Message-----
> >>> From: Theo Zourzouvillys [mailto:theo at crazygreek.co.uk]
> >>> Sent: Friday, February 20, 2009 12:38 AM
> >>> To: Bharrat, Shaun
> >>> Cc: techwg at sipforum.org
> >>> Subject: Re: [SIPForum-techwg] draft v04 - certificate validate
> >>>
> >>> On Fri, Feb 13, 2009 at 12:27 PM, Bharrat, Shaun
> >>> <SBharrat at sonusnet.com> wrote:
> >>>
> >>>> I'm curious. Do many SIP-PBX implementations (or SPs for
> >>> that matter)
> >>>> actually support CRLs or OCSP?
> >>>
> >>> No, most (all?) don't.
> >>>
> >>>> Is this setting the bar too high?
> >>>
> >>> No, I don't think it is.
> >>>
> >>>> (It just seems odd that a whole bunch of stuff is "by
> >>> contract between
> >>>> SP and enterprise" but that enterprise must not just verify
> >>> but also
> >>>> validate the certificate presented by the SP.)
> >>>
> >>> SCVP (rfc5055) provides 2 mechanisms (DVP and DPD) for the
> >>> whole "policy thing" (validation, verification, path
> >>> discovery, etc) to be offloaded to a separate (set of)
> >>> servers somewhere, and would be a good choice for this sort
> >>> of thing, although this isn't (nor should
> >>> be) in the scope of 1.1.
> >>>
> >>> ~ Theo
> >>>
> >>
> >> _______________________________________________
> >> techwg mailing list
> >> Send mail to: techwg at sipforum.org
> >> Unsubscribe or edit options at: 
> >> http://sipforum.org/mailman/listinfo/techwg
> >
> 
> 