[Users] Re: [Serusers] trusting peers
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Oct 12 17:40:37 CEST 2005
Juha Heinanen wrote:
> Klaus Darilion writes:
>
> > * validate domains in certifiacte with requests domain
>
> > * If I understand correctly, this part is missing in current
> > * implementation
>
> what would that check mean? proxy selects next hop proxy my manual
> configuration or by srv lookup on host part of request uri. then proxy
> can verify server certificate of the next hop proxy. i don't understand
> what domains have to do with this.
server verification:
1. the certificate must be valid (signed by a trusted CA)
2. The certificate should reflect the proxy I'm tryin to reach. When
contacting klaus at iptel.org the proxy should not accept a certificate for
foo.bar.com, but for iptel.org or sip.iptel.org
>
> > Version A:
> > 1. Validate the From: domain in the SIP request against the domain
> > name in the certificate.
>
> you cannot do this, because domain of certificate has nothing to do with
> from domain.
Depends on the certificate. IMO the complete TLS part is crude.
regard
klaus
RFC 3261; 26.3.2.2 Interdomain Requests
[...atlanta calls biloxy...]
The proxy server at biloxi.com SHOULD inspect the certificate of the
proxy server at atlanta.com in turn and compare the domain asserted
by the certificate with the "domainname" portion of the From header
field in the INVITE request. The biloxi proxy MAY have a strict
security policy that requires it to reject requests that do not match
the administrative domain from which they have been proxied.
More information about the sr-users
mailing list