[SIPForum-techwg] draft v04 - certificate validate

Spencer Dawkins spencer at wonderhamster.org
Wed Apr 8 16:31:57 EDT 2009


Hi, Bernard,

So if I'm following you, you're proposing something like 

The SP-SSE MUST provide a certificate and the SIP-PBX MUST verify and SHOULD validate a received certificate, using the procedures described in Section 6 of [RFC5280]. Verification steps include verifying that the certificate has not expired, that the issuing certification authority is one the SIP-PBX trusts, and that the subject of the certificate matches the host portion of the first-hop SP-SSE entity to be used by the SIP-PBX. Validation steps include checking the status of the certificate as well as the status of all the certificates in the certificate chain using certificate revocation lists (CRLs) [RFC5280] or other mechanisms such as the Online Certificate Status Protocol (OCSP) [RFC2560].


Did I get this right?

Thanks,

Spencer
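The checks in the proposed text, worked through in Go as an added example (this is not code from the draft, from the SIPForum, or from any SIP-PBX product). It builds a throwaway PKI with hypothetical names (an "SP Root CA" the SIP-PBX trusts, a first-hop host sse1.sp.example.net, and a "Rogue CA" it does not trust), runs the verification steps (expiry, trusted issuer, subject matches the first-hop host) through crypto/x509, which implements RFC 5280 section 6 path validation, and then does the validation step by checking every certificate in the chain against a CA-signed CRL, failing closed when no CRL is available or the CRL is stale. OCSP is not shown because it is not in the Go standard library. The host names, CA names, serial numbers and the fixed clock are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names and a fixed clock for a constructed test PKI; none of this comes from a real deployment.
const firstHopHost = "sse1.sp.example.net" // host portion of the first-hop SP-SSE the SIP-PBX connects to
var now = time.Date(2009, 4, 8, 12, 0, 0, 0, time.UTC)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA returns a self-signed CA whose key usage permits signing both certificates and CRLs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// newLeaf returns an end-entity certificate for host issued by ca; DNSNames is what name matching uses.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the SP-SSE's own key; only its public half is needed here
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
}

// newCRL returns a CRL signed by ca that lists one serial number as revoked.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revokedSerial int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now.Add(-time.Minute)}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// ValidateSSECert is the check a SIP-PBX would apply to the certificate the SP-SSE presents. leaf.Verify covers the
// verification steps (RFC 5280 section 6 path validation: expiry, trusted issuer, name match); the loop covers the
// validation step, i.e. the revocation status of every certificate in the chain below the trust anchor.
func ValidateSSECert(leaf *x509.Certificate, roots *x509.CertPool, host string,
	crlsByIssuer map[string]*x509.RevocationList, at time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return fmt.Errorf("verification failed: %w", err)
	}
	chain := chains[0] // leaf first, trust anchor last
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		crl, ok := crlsByIssuer[issuer.Subject.String()]
		if !ok { // fail closed: without revocation data the status cannot be decided
			return fmt.Errorf("no CRL for certificates issued by %q", issuer.Subject.CommonName)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("CRL signature check failed: %w", err)
		}
		if at.After(crl.NextUpdate) {
			return fmt.Errorf("CRL from %q is stale (next update %s)", issuer.Subject.CommonName, crl.NextUpdate)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("certificate for %q (serial %v) is revoked", cert.Subject.CommonName, cert.SerialNumber)
			}
		}
	}
	return nil
}

// Scenarios runs the check on one acceptable certificate and four that must be rejected (nil means accepted).
func Scenarios() map[string]error {
	ca, caKey := newCA("SP Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	rogueCA, rogueKey := newCA("Rogue CA") // not in the SIP-PBX trust store
	valid := now.Add(90 * 24 * time.Hour)
	good := newLeaf(ca, caKey, firstHopHost, 100, valid)
	crls := map[string]*x509.RevocationList{ca.Subject.String(): newCRL(ca, caKey, 102)}
	return map[string]error{
		"good":         ValidateSSECert(good, roots, firstHopHost, crls, now),
		"expired":      ValidateSSECert(newLeaf(ca, caKey, firstHopHost, 101, now.Add(-time.Minute)), roots, firstHopHost, crls, now),
		"wrong host":   ValidateSSECert(good, roots, "other.sp.example.net", crls, now),
		"untrusted CA": ValidateSSECert(newLeaf(rogueCA, rogueKey, firstHopHost, 103, valid), roots, firstHopHost, crls, now),
		"revoked":      ValidateSSECert(newLeaf(ca, caKey, firstHopHost, 102, valid), roots, firstHopHost, crls, now),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints the five outcomes: the good certificate comes back with no error, and each of the other four is rejected with the specific reason (expired, name mismatch, unknown authority, revoked). Two points worth noting: Go matches DNSName against the subjectAltName dNSName entries, so the constructed leaf carries the host there rather than relying on the CN alone; and the revocation loop is written to cover every chain member and to refuse a missing or stale CRL, which is the part of "validation" that implementations most often skip.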

  ----- Original Message ----- 
  From: Bernard Aboba 
  To: tasveren at sonusnet.com ; spencer at wonderhamster.org 
  Cc: techwg at sipforum.org 
  Sent: Wednesday, April 08, 2009 1:31 AM
  Subject: RE: [SIPForum-techwg] draft v04 - certificate validate


  When the term "validation" is used, this typically brings to mind "path validation" as defined in RFC 5280 Section 6. Although you might think that TLS has been around long enough for most implementations to implement this correctly, given the recent discovery of some fairly horrendous certificate validation bugs, this apparently isn't yet the case, so a reference to RFC 5280 Section 6 is probably a good idea. Note that RFC 5280 includes a number of important updates that could creep up as interoperability issues in the future, such as support for internationalized domain names within certificates. While I have my doubts as to how common it is for implementations to handle this correctly today, this is going to be a bigger and bigger problem as time goes on.