[Rum] RUE client credentials

[Paul Kyzivat <pkyzivat@alum.mit.edu>]

On 8/7/19 5:14 PM, Brian Rosen wrote:
> Working on these comments.  I submitted a new version (-01)
> 
> I edited the doc to say the client cert is provisioned.  Given that it’s 
> provisioned by the entity that the provides the server, do I need to say 
> anything else about validating the cert?

I think we need to examine what the goal is here, and whether it is 
being achieved. I don't think enough is said to decide.

This client cert mechanism was first added way back when (2015 I think). 
IIRC, the motivation was because the providers wanted to restrict access 
to RUE *implementations* that have passed interoperability testing, in 
order to reduce the problems of dealing with buggy implementations or 
attackers.

The idea was that certs would only be made available to 
*implementations* (e.g. images) that have been tested. There was no 
expectation that each user who obtains a rue would need to have it tested.

But the exact mechanism for binding a cert to a tested implementation 
was never worked out. I've asked around from time to time and I haven't 
learned of any way to achieve this.

Brian's new text pushes this off one level but doesn't solve the 
problem. The provider's *sip* server can perhaps trust that the rue got 
the cert from the provider's provisioning server. But the provisioning 
server still has to decide if this is a trustworthy implementation.

The Apple store and the Google Play Store solve this problem by being 
the distributor of apps. The developer has to submit the app, which is 
then tested/verified by the store and then being assigned credentials. 
Potentially we could have something list that by having a RUE Store 
operated by a RUE testing authority. But I don't think anybody is 
prepared to operate such a thing and it would require the devices 
receiving these apps to bypass the normal vendor restrictions on 
installations.

I don't have a good answer here.

	Thanks,
	Paul