Klaus Darilion writes:
But then, the whole authorization thing would be nonsense.
Just imagine a host named "sip.badguy.com". This host has a valid certificate for its hostname. Then, this SIP proxy sends a SIP request with the header: From: "Klaus Darilion" sip:klaus@darilion.com
Now, what is the receiving proxy interested in? Does it want to validate the host or the sender (From header)?
there are other ietf means to validate the sender. usually they involve signing of from uri with the certificate of its domain. see for example
draft-rosenberg-sip-identity-privacy-00
for a good summary of the issues and problems involved. in proxy-to-proxy case, all that needs to be done is to validate the remote proxy.
IMO, I want to authenticate the sender in the From header. Thus, the certificate would have to match the SIP domain, and not the host name.
see above.
-- juha
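
The two questions in this exchange (is the remote proxy who its certificate says it is, and does that certificate also cover the domain in the From header) can be kept apart in code. The sketch below is an added example, not part of either message; the function names and the SAN lists are constructed, and it assumes the certificate chain has already been validated by the TLS stack so that only name matching remains.

```python
import re

# Quoted display names can themselves contain "sip:..." text, so drop them first.
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# Host part of a sip:/sips: URI; user part, port and parameters are skipped.
_URI_HOST = re.compile(r"sips?:(?:[^@\s<>;]+@)?([^\s<>;:?]+)", re.IGNORECASE)

def from_domain(from_header):
    """Return the lower-cased domain of the URI in a From header, or None."""
    m = _URI_HOST.search(_QUOTED.sub("", from_header))
    return m.group(1).lower().rstrip(".") if m else None

def cert_covers(san_dns_names, name):
    """Exact, case-insensitive match of name against the certificate's DNS names."""
    name = name.lower().rstrip(".")
    return any(n.lower().rstrip(".") == name for n in san_dns_names)

def check_request(peer_host, san_dns_names, from_header):
    """Answer the two questions separately for one received request."""
    domain = from_domain(from_header)
    return {
        # Proxy-to-proxy check: the certificate matches the host we talk to.
        "peer_validated": cert_covers(san_dns_names, peer_host),
        "from_domain": domain,
        # Sender check: the same certificate also covers the From domain.
        "from_matches_cert": domain is not None
                             and cert_covers(san_dns_names, domain),
    }

if __name__ == "__main__":
    hdr = 'From: "Klaus Darilion" sip:klaus@darilion.com'
    # Constructed case from the thread: valid host certificate, foreign From.
    print(check_request("sip.badguy.com", ["sip.badguy.com"], hdr))
    # Constructed case: certificate lists both the host and the SIP domain.
    print(check_request("sip.darilion.com",
                        ["sip.darilion.com", "darilion.com"], hdr))
```

A request where `peer_validated` is true and `from_matches_cert` is false is exactly the sip.badguy.com case: the transport peer is authentic, but nothing in the TLS layer vouches for the From URI.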