1 / 5

Certificate Directory for SIP

Certificate Directory for SIP. Cullen Jennings fluffy@cisco.com. SIP Security & SMIME. SIP Security depends on S/MIME with user certificates Encryption of SDP (and keys for SRTP) Refer Identity Request History End to Middle? Middle to End? This requires Certificates in the UA’s.

yolandat
Download Presentation

Certificate Directory for SIP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Certificate Directory for SIP • Cullen Jennings • fluffy@cisco.com

  2. SIP Security & SMIME • SIP Security depends on S/MIME with user certificates • Encryption of SDP (and keys for SRTP) • Refer • Identity • Request History • End to Middle? Middle to End? • This requires Certificates in the UA’s

  3. Certificates • Traditional “PKI” certs (like Verisign) • Problem: Enrollment difficulty and yearly fee to CA • Private CA certs • Problem: Only work if all callers have this CA as a trust anchor. • Self signed certs • Problem: Need a directory to store certs and vouch for them

  4. Certificate Directory Server • Way for UAC to locate the directory • use domain from AOR • Way for the UAC to authenticate the directory • use traditional PKI • Way to fetch certs • HTTPS, LDAPS, other • Way to store certs • HTTPS, LDAPS, Sacred • Way for directory to authenticate the UAS • reuse SIP credential (Digest shared secret) • Way for the UAC to authenticate the directory • use traditional PKI 2 1 3 UAC UAS

  5. Proposal • Wrote a draft using the HTTPS options • draft-jennings-sipping-certs-01 • 00 version done before last IETF • Several security people have looked at it • They believe it works and can be reasonably secure • Provides certificates with minimal cost • Introduces an extra TLS connection setup to calls with no cached certificate • Requires each domain to run an e-commerce style web server • Is only as trustable as the server is trustable • Does the WG want to solve this problem?

More Related