[SIPForum-techwg] draft v04 - certificate validate
Spencer Dawkins
spencer at wonderhamster.org
Thu Apr 9 11:58:05 EDT 2009
Sorry, we got cut off on the call.
Bernard, were you saying that I had this backwards - should the text have been
The SP-SSE MUST provide a certificate and the SIP-PBX MUST validate and SHOULD verify a received certificate. Verification steps include verifying that the certificate has not expired, that the issuing certification authority is one the SIP-PBX trusts, and that the subject of the certificate matches the host portion of the first-hop SP-SSE entity to be used by the IP-PBX. Validation steps include checking the status of the certificate as well as the status of all the certificates in the certificate chain using certificate revocation lists (CRLs) [RFC 5280] or other mechanisms such as Online Certificate Status Protocol (OCSP) [RFC2560].
?
Thanks,
Spencer
----- Original Message -----
From: Bernard Aboba
To: 'Spencer Dawkins' ; tasveren at sonusnet.com
Cc: techwg at sipforum.org
Sent: Wednesday, April 08, 2009 4:47 PM
Subject: RE: [SIPForum-techwg] draft v04 - certificate validate
RFC 5280 validation really needs to be mandated, or else there's no point in verifying the certificate. As an example, over the last year, some very severe problems were found that allowed an attacker to construct a certificate for any site that would be validated by buggy TLS implementations. Checking the validity of the certificate chain in a compliant way isn't just a "nice to have". It's a separate question as to whether it should be required to check CRLs or support OCSP. Those are mere frills compared with allowing an attacker to forge arbitrary certificates at will.
From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On Behalf Of Spencer Dawkins
Sent: Wednesday, April 08, 2009 1:32 PM
To: Bernard Aboba; tasveren at sonusnet.com
Cc: techwg at sipforum.org
Subject: Re: [SIPForum-techwg] draft v04 - certificate validate
Hi, Bernard,
So if I'm following you, you're proposing something like
The SP-SSE MUST provide a certificate and the SIP-PBX MUST verify and SHOULD validate a received certificate, using the procedures described in Section 6 of [RFC5280]. Verification steps include verifying that the certificate has not expired, that the issuing certification authority is one the SIP-PBX trusts, and that the subject of the certificate matches the host portion of the first-hop SP-SSE entity to be used by the IP-PBX. Validation steps include checking the status of the certificate as well as the status of all the certificates in the certificate chain using certificate revocation lists (CRLs) [RFC 5280] or other mechanisms such as Online Certificate Status Protocol (OCSP) [RFC2560].
Did I get this right?
Thanks,
Spencer
----- Original Message -----
From: Bernard Aboba
To: tasveren at sonusnet.com ; spencer at wonderhamster.org
Cc: techwg at sipforum.org
Sent: Wednesday, April 08, 2009 1:31 AM
Subject: RE: [SIPForum-techwg] draft v04 - certificate validate
When the term "validation" is used, this typically brings to mind "path validation" as defined in RFC 5280 Section 6. Although you might think that TLS has been around long enough for most implementations to implement this correctly, given the recent discovery of some fairly horrendous certificate validation bugs, this apparently isn't yet the case, so a reference to RFC 5280 Section 6 is probably a good idea. Note that RFC 5280 includes a number of important updates that could creep up as interoperability issues in the future, such as support for internationalized domain names within certificates. While I have my doubts as to how common it is for implementations to handle this correctly today, this is going to be a bigger and bigger problem as time goes on.
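The checks the draft text in this thread lists (certificate not expired, issued by a CA the SIP-PBX trusts, subject matching the first-hop SP-SSE host, and certificate status checked against a CRL), written out as an added example that is not part of this thread or of the SIPconnect draft. It uses Go's standard crypto/x509, whose Verify performs RFC 5280 section 6 path validation to a trusted root, and builds a throwaway CA, leaf and CRL in memory so it runs offline; the host name sbc1.example.net, the CA name and the serial numbers are constructed for the example. OCSP is not shown. A CRL that is stale or not signed by the leaf's issuer is treated as "status unknown" and rejected rather than silently accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixtures stands in for what the SIP-PBX holds: its trust anchors, the leaf the SP-SSE
// presented in the TLS handshake, and the issuing CA's CRL (all constructed here).
type Fixtures struct {
	Roots  *x509.CertPool
	Leaf   *x509.Certificate
	CRLDER []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent (tmpl == parent gives a self-signed CA) and re-parses it.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildFixtures makes a test CA, a two-hour leaf for host, and a CRL that lists the leaf if revokeLeaf.
func BuildFixtures(host string, now time.Time, revokeLeaf bool) *Fixtures {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: CA may sign CRLs
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // subjectAltName: what the PBX matches the first-hop host against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(2 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Fixtures{Roots: roots, Leaf: leaf, CRLDER: must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))}
}

// VerifyFirstHop applies the checks from the draft text: x509.Verify does RFC 5280 section 6
// path validation to a trusted root, the validity period at now and the subjectAltName match
// against host; the CRL is then trusted only if the leaf's issuer signed it and it is current.
func VerifyFirstHop(f *Fixtures, host string, now time.Time) error {
	chains, err := f.Leaf.Verify(x509.VerifyOptions{Roots: f.Roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(f.CRLDER)
	if err != nil {
		return fmt.Errorf("unparseable CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return fmt.Errorf("CRL not signed by the leaf's issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("CRL is not current, revocation status unknown")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(f.Leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %d is revoked", e.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	f := BuildFixtures("sbc1.example.net", now, false)
	fmt.Println("matching host:", VerifyFirstHop(f, "sbc1.example.net", now))
	fmt.Println("wrong host:", VerifyFirstHop(f, "sbc2.example.net", now))
}
```

Running it prints nil for the matching host and an x509 hostname error for the wrong one; the same function returns an expiry error when called with a later time, an unknown-authority error when the CA is removed from the pool, and a revocation error when the leaf's serial is on the CRL.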