[Users] Re: [Serusers] trusting peers

Cesc cesc.santa at gmail.com
Wed Oct 12 11:13:59 CEST 2005


Hi,
 Klaus, i think that you hit the fountain of truth :)
As of now, ser-tls only provides transport layer authentication. Not more.
Who is allowed to authenticate? all those you trust, that is, all those with
the cert signed by the CAs you trust. If you picked a ruthless CA that would
give away certs to
hacking.incorporated.com<http://hacking.incorporated.com>... sorry :)
 Now, for sip message authentication and authorization you need to lift the
authentication information from TLS up to the application (ser). It is not
difficult, it just needs a few lines of code for that (all the certs
exchanged are within reach for as long as the tls connection stays up). Here
is where the tls_tools module's functions (to be written) come into play:
- tls_check_from/to()
- tls_check_cn_trusted()
- ...

So, let's say we want to set up a tls test network (which we do).
We don't want to pay for the certs, so we should generate a root cert (say,
"openser.org <http://openser.org>"). It would be even better if some nice CA
whose cert is signed by a recognized root would do sign that for us ...
anyone with connections? :) This would ease transition and compatibility
issues ...
The root cert provides certs for each domain (providerX.com, providerY.net,
... )
Now, we all can authenticate each other.
With the tools for sip authentication and authorization, you can decide who
you allow to do what in your proxy ...
 Regards,
 Cesc
 On 10/12/05, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
> Nils Ohlmeier wrote:
> > Klaus, if you do not trust badguy.com <http://badguy.com> although he
> has a valid singed
> > certificate from a CA which you trust, then you can throw away TLS
> > completely.
>
> There is a big difference between authentication and authorization.
>
> 1. I have to authenticate the peer. Using TLS and certifiactes is fine.
>
> 2. I have to authorize the peer. Some peers will be e.g. routed
> different. You would this this like:
> if (message is from trusted peer) {
> ....
>
> So I need to check the certificate in ser.cfg somehow, or associate the
> domain in the From header with the domain in the certificate.
>
> Or do I miss the point?
>
> regards
> klaus
>
> > The hole model only works because the trust in inherited from the CA
> when you
> > get a singed certificate.
> > If you do not trust any CA, except your own, then you created your own
> trust
> > database which is hard to maintain. No matter what is the base of the
> > trustworthyness (IP; certificate signed by you; shared secret or signed
> > certificate for IPSec) maintaining the trust database (or however you
> call
> > it) is a real pain, that is the reason why you should trust someone else
> to
> > do this job.
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kamailio.org/pipermail/users/attachments/20051012/5b785541/attachment.htm 


More information about the Users mailing list