[sipcore] Fwd: [POSH] PKIX Over Secure HTTP (POSH)
Peter Saint-Andre <stpeter@stpeter.im> Tue, 11 June 2013 19:22 UTC
Message-ID: <51B778F5.4010703@stpeter.im>
Date: Tue, 11 Jun 2013 13:22:29 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: sipcore@ietf.org
References: <51AE771F.6080005@stpeter.im>
In-Reply-To: <51AE771F.6080005@stpeter.im>
Subject: [sipcore] Fwd: [POSH] PKIX Over Secure HTTP (POSH)
Perhaps of interest here given recent discussions about server identity checking in SIP...

-------- Original Message --------
Subject: [POSH] PKIX Over Secure HTTP (POSH)
Date: Tue, 04 Jun 2013 17:24:15 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: posh@ietf.org

Matt Miller and I have been working on a specification for "PKIX Over Secure HTTP" (POSH), which aims to make it easier to ensure proper TLS server identity checking in multi-tenanted environments (where it's basically impossible right now):

https://datatracker.ietf.org/doc/draft-miller-posh/

As the abstract says:

   This document defines two methods that make it easier to deploy
   certificates for proper server identity checking in application
   protocols. The first method enables a TLS client to obtain a TLS
   server's end-entity certificate over secure HTTP as an alternative
   to standard Public Key Infrastructure using X.509 (PKIX) and
   DNS-Based Authentication of Named Entities (DANE). The second
   method enables a source domain to securely delegate an application
   to a derived domain using HTTPS redirects.

We love PKIX (really!), we love DNSSEC, and we love DANE (which solves some of the same problems for some application protocols as POSH does). However, we want a technology that can be deployed more quickly than DANE in order to solve pressing operational security issues with standard PKIX in multi-tenanted environments.

This effort emerged from the XMPP community, but we have heard from folks working on other application technologies that it might be useful for things like IMAP and SMTP, thus the more generalized version of POSH that we published today (superseding draft-miller-xmpp-posh-prooftype).

We are planning to hold a BoF on this topic in Berlin, but in the meantime comments are very much welcome. Please post your feedback to the new posh@ietf.org list:

https://www.ietf.org/mailman/listinfo/posh

Thanks!
Peter
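The abstract above describes two client-side checks: comparing the end-entity certificate the TLS server presents against certificate information obtained out of band over HTTPS, and accepting a delegation from a source domain to a derived domain only when it arrives via HTTPS redirects. The following is an added illustration of those two checks, not code from the draft or from its authors; the JSON shape, the fingerprint encoding (base64 of SHA-256 over the DER bytes), the URL path, and the certificate bytes are all constructed assumptions for the example rather than what the draft specifies.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-in for the DER bytes of the end-entity certificate the
# TLS server presented. A real client would take these from the handshake,
# e.g. ssl.SSLSocket.getpeercert(binary_form=True).
PRESENTED_CERT_DER = b"constructed-der-bytes-for-example-only"


def sha256_fingerprint(cert_der: bytes) -> str:
    """Base64 of SHA-256 over the certificate's DER encoding (assumed format)."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def build_posh_document(cert_der: bytes) -> str:
    """What the serving side would publish over HTTPS (hypothetical JSON shape).

    Only fingerprints are published here; the client still has to obtain
    this document over HTTPS and validate that HTTPS connection normally.
    """
    return json.dumps({"fingerprints": [{"sha-256": sha256_fingerprint(cert_der)}]})


def presented_cert_is_authorized(cert_der: bytes, posh_json: str) -> bool:
    """Accept the TLS server only if its presented certificate matches a
    fingerprint in the document fetched over HTTPS."""
    doc = json.loads(posh_json)
    wanted = sha256_fingerprint(cert_der)
    return any(entry.get("sha-256") == wanted for entry in doc.get("fingerprints", []))


def derived_domain_from_redirects(chain: list, source_domain: str) -> "str | None":
    """Validate a delegation expressed as an HTTPS redirect chain.

    chain is the list of URLs the client was sent through, starting with the
    URL it requested at the source domain. Every hop must be https and the
    first hop must be at the source domain itself; otherwise the delegation
    is rejected (None). On success the host of the final URL is the derived
    domain the application is delegated to.
    """
    if not chain:
        return None
    hosts = []
    for url in chain:
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.hostname:
            return None  # a plain-http hop would let an on-path party redirect
        hosts.append(parts.hostname.lower())
    if hosts[0] != source_domain.lower():
        return None
    return hosts[-1]


if __name__ == "__main__":
    # Hypothetical path; the draft's own well-known location is not assumed here.
    chain = [
        "https://example.com/posh-document.json",
        "https://hosting.example.net/posh-document.json",
    ]
    print(derived_domain_from_redirects(chain, "example.com"))
    doc = build_posh_document(PRESENTED_CERT_DER)
    print(presented_cert_is_authorized(PRESENTED_CERT_DER, doc))
```

The two functions deliberately fail closed: an unknown fingerprint and a non-HTTPS hop both return a rejecting value rather than raising, so a caller can treat "not authorized" and "no valid delegation" uniformly.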