[Serusers] [Fwd: [Sip-implementors] TLS certificate question]

Adrian Georgescu ag at ag-projects.com
Mon Oct 10 17:45:24 CEST 2005


Juha,

I host, for example, multiple domains for multiple users. This means that 
users rely on my services entirely to provide them with identity 
services. Ideally I would like to present the certificate of domain X 
for a user in domain X when I forward his calls through my proxy. 
Alternatively I could put a certificate with CN=ag-projects.com in 
all requests going outside my domains, but then my white-label customers 
will become yellow.

So something to match business with the technicalities is required, 
don't you think?

Adrian

  > But then, the whole authorization thing would be nonsense.
  >
  > Just imagine a host named "sip.badguy.com". This host has a valid
  > certificate for its hostname. Then, this SIP proxy sends a SIP request
  > with the header:
  > From: "Klaus Darilion" <sip:klaus at darilion.com>
  >
  > Now, what is the receiving proxy interested in? Does it want to validate
  > the host or the sender (From header)?

There are other IETF means to validate the sender. Usually they involve
signing of the From URI with the certificate of its domain. See for example

draft-rosenberg-sip-identity-privacy-00

for a good summary of the issues and problems involved. In the
proxy-to-proxy case, all that needs to be done is to validate the remote
proxy.



  > IMO, I want to authenticate the sender in the From header. Thus, the
  > certificate would have to match the SIP domain, and not the host
  > name.

See above.

-- juha
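An added example, not from this thread, of the distinction Klaus and Juha are drawing: given the DNS names in the peer proxy's certificate, check separately whether that certificate authenticates the connecting host and whether it vouches for the domain in the From header. The From header value and certificate names below are constructed sample input.

```python
import re

# Matches the host part of a sip:/sips: URI, with or without user@ and angle brackets.
SIP_URI_RE = re.compile(r'sips?:(?:[^@<>;\s]+@)?([A-Za-z0-9.-]+)')


def from_domain(from_value: str) -> str:
    """Return the lower-cased domain of the URI in a From header value.

    '"Klaus Darilion" <sip:klaus@darilion.com>;tag=1' -> 'darilion.com'
    """
    m = SIP_URI_RE.search(from_value)
    if not m:
        raise ValueError("no SIP URI in From header")
    return m.group(1).lower().rstrip('.')


def cert_matches_domain(san_dns_names, domain: str) -> bool:
    """True if one of the certificate's DNS names covers `domain`.

    Exact match, or a single left-most wildcard label ('*.example.net')
    covering exactly one label; a wildcard never matches a bare domain.
    """
    domain = domain.lower().rstrip('.')
    for name in san_dns_names:
        name = name.lower().rstrip('.')
        if name == domain:
            return True
        if name.startswith('*.') and '.' in domain:
            if domain.split('.', 1)[1] == name[2:]:
                return True
    return False


def classify_peer(peer_hostname: str, san_dns_names, from_value: str) -> dict:
    """Which identities does the peer certificate actually vouch for?

    A proxy whose certificate only names its own host is host-authenticated,
    but that says nothing about the From domain it puts in the request;
    only a certificate for the From domain itself vouches for that.
    """
    dom = from_domain(from_value)
    return {
        'from_domain': dom,
        'host_authenticated': cert_matches_domain(san_dns_names, peer_hostname),
        'from_domain_authenticated': cert_matches_domain(san_dns_names, dom),
    }
```

In Klaus's scenario the certificate for sip.badguy.com yields host_authenticated but not from_domain_authenticated, which is exactly why the From header cannot be trusted on the strength of the transport certificate alone.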