IETF Logo Mail Archive

Re: [sipcore] Enabling the wildcard certificates for SIP TLS implementation

Daniel-Constantin Mierla <miconda@gmail.com> Tue, 11 August 2020 09:36 UTC

Return-Path: <miconda@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0B9E3A0F23 for <sipcore@ietfa.amsl.com>; Tue, 11 Aug 2020 02:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.046
X-Spam-Level:
X-Spam-Status: No, score=-3.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.949, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vGAPVeVByy39 for <sipcore@ietfa.amsl.com>; Tue, 11 Aug 2020 02:36:19 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C205C3A0F1C for <sipcore@ietf.org>; Tue, 11 Aug 2020 02:36:18 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id f12so10818689wru.13 for <sipcore@ietf.org>; Tue, 11 Aug 2020 02:36:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=reply-to:subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=VHjvMtfa8Alga5sTjxbdi3WM186t9zCsD8rjCokg8V4=; b=DMk1ZAxc/v4qtMOsDWitFzT2vhJINSCQ3lRw+hxKQUupWwEIO1z30kKz3p8ZJ0gPuP yx/Z+600TG6i5C+qY1t97khUw9T2heVIULUcalXgSr50OlynPnwOMm/sRPDi7Lp0IlNs yi3g7gqE3iRWYDwiesNjRIkxKRiaYmkjM2NIbW3VItCivkdI2Pg0iTyXgUpAQlGoJTcG VY7ImGjM0LmuZw7FUThTiOvc1nLaR7XawiWWCLltJWWLgOkfSyPpHR9UxAZhN65g5bDL vVNK3V0JRI+Dh83M8q32c7IxISpGLMH5Fb8WUNP4/k6QYAXe4iA2poHbqWJYoKRUuL9c 7HGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:subject:to:cc:references:from :message-id:date:user-agent:mime-version:in-reply-to :content-language; bh=VHjvMtfa8Alga5sTjxbdi3WM186t9zCsD8rjCokg8V4=; b=aYkEcaZ8wjdALi8cAFJxTcmqdi+smE8doPqn1TFZ09IjwZ5PEck/CQe6/KaHPmLw92 Vl4FhTeNUZHA5eAzLizjg7hdlmWKtLPwLgkcMb4Y8AuJ9rBOm+oh3T3g5VA8hsKIqVJb ByqNrtTotaW0z/1lgnDNKNqgi7Bf8qQtFYmmfaxczoHF/P5c1KC/MgFlNMTUOZ8oWmVi uAJmmUTmNfLjjT6Bon++A5+hrh0Sg2pwGZBU3dyVsEEFqCtYt9FS8vO3wlQv3ZUzAhBg aZyEGz5aCTIvDKbFcXbALOHTdtySIJdfyaxw4JobKSbloEpIVqqgudTjeaxPVzBXAewE IXvA==
X-Gm-Message-State: AOAM533HH/o/E2rZr0kVQJGIo+tRKCQRqq2UpgjozKlSoXnFvclnTQtn pxLKLK+QpLOmajyWGDbZYB8=
X-Google-Smtp-Source: ABdhPJzr34afWJJsmZIZf1S2bosOWwrIKkNRHSZnYgKP7oq97hzCNgHN/fZ5w20kaxVytsowlkByDg==
X-Received: by 2002:adf:90d1:: with SMTP id i75mr27369334wri.278.1597138577164; Tue, 11 Aug 2020 02:36:17 -0700 (PDT)
Received: from saturnxs-MacBook-Pro-2.fritz.box (esa.asipto.com. [2a01:4f8:a0:638e::2]) by smtp.googlemail.com with ESMTPSA id n5sm24480257wrx.22.2020.08.11.02.36.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 11 Aug 2020 02:36:16 -0700 (PDT)
Reply-To: miconda@gmail.com
To: Simon MORLAT <simon.morlat@gmail.com>, Roman Shpount <roman@telurix.com>
Cc: SIPCORE <sipcore@ietf.org>, "Olle E. Johansson" <oej@edvina.net>, Leonid Fainshtein <leonid.fainshtein@xorcom.com>
References: <CAJr_9Tau8iW7idbJLNhhKX5MA5PDhZxR0vmdcfva6_fMMBfKCA@mail.gmail.com> <5BFABAC0-BCF4-4282-A457-F41BD3D142F2@edvina.net> <CAH_g9Rx5DcgOG1--GsUv86OJRu0Kf2MwA-p25gasVa=ex-R95A@mail.gmail.com> <AFF09E0F-3063-4C10-B6D8-221237A46FA8@edvina.net> <CAD5OKxsBGM6+Dmx_YEYcJk2ZbTGi6EC1S+z+9DiyHGb6sQjsFQ@mail.gmail.com> <CAH_g9RxWXKp8nMtPVzb0bNG5GXgshB-iB9NFE3fUddvFjEmkoQ@mail.gmail.com>
From: Daniel-Constantin Mierla <miconda@gmail.com>
Message-ID: <7164b84b-ade1-7085-7e64-541be8c25085@gmail.com>
Date: Tue, 11 Aug 2020 11:36:15 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <CAH_g9RxWXKp8nMtPVzb0bNG5GXgshB-iB9NFE3fUddvFjEmkoQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------B07366B836D0CDCC867FDB8A"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/izyhEuaf4qUhjIEhWtzMIQ3PfpQ>
Subject: Re: [sipcore] Enabling the wildcard certificates for SIP TLS implementation
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 09:36:21 -0000

Hello,

maybe it should be split in:

1) trusting the certificate to be used for encryption, but asserting the
identity of the peer is done separately. This is the common use case
these days and the goal is to ensure the certificate belongs to the
entity owning the service by association with the main domain name.
E.g., hosted pbx providers with subdomain allocation per customer, like
custid.cloudpbx.lab. Identity of peers is ensured by other meanings like
shared secret. Here wild card certificates are very useful (with the
full left most label being the wildcard), is such case management of
certificates with full domains is getting close to impossible on large
deployments, not only painful.

2) trusting the certificate also for asserting the identity of the peer,
when it needs to match in a 1-to-1 relation. In this case wildcard
certificates are not useful, of course, but I rarely have seen it used
for this purpose.

Cheers,
Daniel

On 11.08.20 10:43, Simon MORLAT wrote:
> Hi,
>
> Thank you for all your answers, this is very helpful.
> I did not know RFC 6125. Based on these considerations, I would say
> that wildcard certificates will probably disappear for all
> applications in the next few years.
>
> Best regards,
>
> Simon
>
>
> Le lun. 10 août 2020 à 20:12, Roman Shpount <roman@telurix.com
> <mailto:roman@telurix.com>> a écrit :
>
>
>     On Mon, Aug 10, 2020 at 11:04 AM Olle E. Johansson <oej@edvina.net
>     <mailto:oej@edvina.net>> wrote:
>
>         I found documentation in RFC 6125 from the “Using TLS in
>         applications” working group.
>         https://tools.ietf.org/html/rfc6125#section-7.2
>
>      
>     This section essentially says why wildcard certificates must not
>     be used and can only be supported for legacy applications. Not
>     supporting wildcard certificates does create a certain degree of
>     pain but given security risks should continue to be avoided.
>
>         Changes are done by publishing a new RFC, not with Errata.
>         That will open up a whole can of worms, but we need to open it
>         and specify how SIP over TLS should work. Like the
>         "transport=TLS” stuff and deprecating “SIPS:”.
>
>
>     One thing I've wanted for a long time is an extension which allows
>     to multiplex several DTLS connections over the same
>     protocol/address/port pair. This will allow to replicate all the
>     current SIP over UDP deployment scenarios using a secure protocol.
>     Once this is available, I would participate or author an RFC.
>
>     Best Regards,
>     _____________
>     Roman Shpount 
>
>
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda

v2.23.0 | Report a Bug | By Email