Re: [Users] Re: [Serusers] trusting peers

Hi, Klaus, i think that you hit the fountain of truth :) As of now, ser-tls only provides transport layer authentication. Not more. Who is allowed to authenticate? all those you trust, that is, all those with the cert signed by the CAs you trust. If you picked a ruthless CA that would give away certs to hacking.incorporated.com<http://hacking.incorporated.com>... sorry :) Now, for sip message authentication and authorization you need to lift the authentication information from TLS up to the application (ser). It is not difficult, it just needs a few lines of code for that (all the certs exchanged are within reach for as long as the tls connection stays up). Here is where the tls_tools module's functions (to be written) come into play: - tls_check_from/to() - tls_check_cn_trusted() - ... So, let's say we want to set up a tls test network (which we do). We don't want to pay for the certs, so we should generate a root cert (say, "openser.org <http://openser.org>"). It would be even better if some nice CA whose cert is signed by a recognized root would do sign that for us ... anyone with connections? :) This would ease transition and compatibility issues ... The root cert provides certs for each domain (providerX.com, providerY.net, ... ) Now, we all can authenticate each other. With the tools for sip authentication and authorization, you can decide who you allow to do what in your proxy ... Regards, Cesc On 10/12/05, Klaus Darilion &lt;klaus.mailinglists(a)pernau.at&gt; wrote: