[SIPForum-techwg] draft v04 - certificate validate
Bharrat, Shaun
SBharrat at sonusnet.com
Fri Feb 20 07:39:45 EST 2009
>
> > I'm curious. Do many SIP-PBX implementations (or SPs for that matter)
> > actually support CRLs or OCSP?
>
> No, most (all?) don't.
>
> > Is this setting the bar too high?
> No, I don't think it is.
So by definition everybody starts off being
SIPConnect 1.1 non-compliant (even if they are currently
1.0 compliant)?
With my vendor-hat on, I'm not particularly enamored.
Cheers,
Shaun
> -----Original Message-----
> From: Theo Zourzouvillys [mailto:theo at crazygreek.co.uk]
> Sent: Friday, February 20, 2009 12:38 AM
> To: Bharrat, Shaun
> Cc: techwg at sipforum.org
> Subject: Re: [SIPForum-techwg] draft v04 - certificate validate
>
> On Fri, Feb 13, 2009 at 12:27 PM, Bharrat, Shaun
> <SBharrat at sonusnet.com> wrote:
>
> > I'm curious. Do many SIP-PBX implementations (or SPs for that matter)
> > actually support CRLs or OCSP?
>
> No, most (all?) don't.
>
> > Is this setting the bar too high?
>
> No, I don't think it is.
>
> > (It just seems odd that a whole bunch of stuff is "by contract between
> > SP and enterprise" but that enterprise must not just verify but also
> > validate the certificate presented by the SP.)
>
> SCVP (RFC 5055) provides 2 mechanisms (DVP and DPD) for the
> whole "policy thing" (validation, verification, path
> discovery, etc.) to be offloaded to a separate (set of)
> servers somewhere, and would be a good choice for this sort
> of thing, although this isn't (nor should
> be) in the scope of 1.1.
>
> ~ Theo
>