[SIPForum-techwg] draft v04 - certificate validate
spencer at wonderhamster.org
Wed Apr 8 16:31:57 EDT 2009
So if I'm following you, you're proposing something like
The SP-SSE MUST provide a certificate and the SIP-PBX MUST verify and SHOULD validate a received certificate, using the procedures described in Section 6 of [RFC5280]. Verification steps include verifying that the certificate has not expired, that the issuing certification authority is one the SIP-PBX trusts, and that the subject of the certificate matches the host portion of the first-hop SP-SSE entity to be used by the IP-PBX. Validation steps include checking the status of the certificate as well as the status of all the certificates in the certificate chain using certificate revocation lists (CRLs)[RFC 5280] or other mechanisms such as Online Certificate Status Protocol (OCSP) [RFC2560].
Did I get this right?
----- Original Message -----
From: Bernard Aboba
To: tasveren at sonusnet.com ; spencer at wonderhamster.org
Cc: techwg at sipforum.org
Sent: Wednesday, April 08, 2009 1:31 AM
Subject: RE: [SIPForum-techwg] draft v04 - certificate validate
When the term "validation" is used, this typically brings to mind "path validation" as defined in RFC 5280 Section 6. Although you might think that TLS has been around long enough for most implementations to implement this correctly, given the recent discovery of some fairly horrendous certificate validation bugs, this apparently isn't yet the case, so a reference to RFC 5280 Section 6 is probably a good idea. Note that RFC 5280 includes a number of important updates that could creep up as interoperability issues in the future, such as support for internationalized domain names within certificates. While I have my doubts as to how common it is for implementations to handle this correctly today, this is going to be a bigger and bigger problem as time goes on.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the techwg