Re: [sipcore] SIP client certs

Ash Wilson <ash.wilson@valimail.com> Tue, 24 November 2020 17:41 UTC

MIME-Version: 1.0
References: <DFD5CD1A-B55F-4239-8538-75BC09AC6122@edvina.net>
In-Reply-To: <DFD5CD1A-B55F-4239-8538-75BC09AC6122@edvina.net>
From: Ash Wilson <ash.wilson@valimail.com>
Date: Tue, 24 Nov 2020 09:41:08 -0800
Message-ID: <CAEfM=vS+ZVVZm6cGpssQbmd9pVO=oyvOSSPMmS_wnWzmi=cKmw@mail.gmail.com>
To: "Olle E. Johansson" <oej@edvina.net>
Cc: sipcore@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008de75105b4ddd12c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/FuOVnCBbtktT5Xa4xq3rBxuxxcY>
Subject: Re: [sipcore] SIP client certs

Hi Olle,
Are you referring to
https://tools.ietf.org/html/draft-dotson-sip-certificate-auth-04 ?

-Ash

On Tue, Nov 24, 2020 at 4:31 AM Olle E. Johansson <oej@edvina.net> wrote:

> Hi!
> I hope everyone stays safe in these times.
>
> During last week’s IETF I ended up in a discussion in RUM about using TLS
> client certs in SIP. I tested this a long time ago, but
> obviously not fully. The question I got, I failed to find an answer to,
> which is annoying :-)
>
> Here it goes, let’s see if you can help:
>
> SIP UA -> Ingress proxy -> Registrar
>
> If the Ingress Proxy requires a client cert for authentication, that
> certificate is only seen on the first hop between the UA and the proxy. How
> can we make the registrar validate and trust the client cert for the
> registration?
>
> If there is absolute trust between the ingress proxy and the registrar, I
> guess we could parse out a lot of cert info and add to SIP headers and send
> forward. If there is no trust relationship (let’s say the Ingress Proxy is
> an enterprise SBC and the registrar is a service provider) then we have a
> problem.
>
> In HTTP there’s a CONNECT method so the SIP UA can establish a direct TLS
> session to the registrar through a proxy. There is a very old expired draft
> for a SIP connect method that could potentially be helpful here.
>
> I do remember that we had a SIP Connect draft many years ago.
>
> Any ideas?
>
> Cheers,
> /Olle
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>


-- 

*Ash Wilson* | Technical Director
*e:* ash.wilson@valimail.com


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
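The forwarding scheme Olle sketches (the ingress proxy parsing cert info into SIP headers for a registrar that trusts it), as an added illustration that is not code from the thread or from any SIP implementation. The header name X-Client-Cert-Identity, the hostnames and the trust list are assumptions; the point shown is that the registrar must only honour the asserted identity when the message arrives over TLS from a proxy it trusts, and that the proxy must strip any copy of the header a UA inserted itself.

```python
from __future__ import annotations

# Added example, not from the thread. Header name and hosts are hypothetical.
IDENTITY_HEADER = "X-Client-Cert-Identity"      # assumed, not a registered header
TRUSTED_PROXIES = {"sbc.example.com"}           # assumed proxy-to-registrar trust

def parse_headers(msg: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a SIP message into its request line and (name, value) headers."""
    lines = msg.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def build(request_line: str, headers: list[tuple[str, str]]) -> str:
    """Serialise the request line and headers back into a SIP message."""
    return "\r\n".join([request_line, *(f"{n}: {v}" for n, v in headers), "", ""])

def proxy_forward(msg: str, client_cert_subject: str) -> str:
    """Ingress proxy: after mutual TLS with the UA, drop any identity header the
    UA injected itself and insert the one derived from the TLS client cert."""
    request_line, headers = parse_headers(msg)
    kept = [(n, v) for n, v in headers if n.lower() != IDENTITY_HEADER.lower()]
    kept.append((IDENTITY_HEADER, client_cert_subject))
    return build(request_line, kept)

def registrar_identity(msg: str, peer_tls_identity: str | None) -> str | None:
    """Registrar: honour the asserted identity only when the message arrived
    over TLS from a proxy in the trust list; otherwise ignore it and fall back
    to the registrar's usual challenge (not modelled here)."""
    if peer_tls_identity not in TRUSTED_PROXIES:
        return None
    _, headers = parse_headers(msg)
    for name, value in headers:
        if name.lower() == IDENTITY_HEADER.lower():
            return value
    return None

# Constructed sample: a UA tries to assert a cert identity on its own.
FORGED = ("REGISTER sip:example.com SIP/2.0\r\n"
          "From: <sip:alice@example.com>\r\n"
          f"{IDENTITY_HEADER}: CN=admin\r\n\r\n")
```

In the constructed case the proxy replaces the UA's "CN=admin" with the subject it actually authenticated, and a registrar receiving the same message from an untrusted peer gets no identity at all.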