[Serusers] [Fwd: [Sip-implementors] TLS certificate question]
Juha Heinanen
jh at tutpro.com
Mon Oct 10 15:44:23 CEST 2005
Klaus Darilion writes:
> But then, the whole authorization thing would be nonsens.
>
> Just imagine a host named "sip.badguy.com". This host has a valid
> certificate for its hostname. Then, this SIP proxy sends a SIP request
> with the header:
> From: "Klaus Darilion" <sip:klaus at darilion.com>
>
> Now, what is the receiving proxy interested in? Does it want to validate
> the host or the sender (From header)?
there are other ietf means to validate the sender. usually they involve
signing of from uri with the certificate of its domain. see for example
draft-rosenberg-sip-identity-privacy-00
for a good summary of the issues and problems involved. in
proxy-to-proxy case, all that needs to be done is to validate the remote
proxy.
> IMO, I want to authenticate the sender in the From header. Thus, the
> certificate would have to match the SIP domain, and not the host
> name.
see above.
-- juha
More information about the sr-users
mailing list