[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-gurbani-sip-domain-certs) 00 01 02 03 04 05 06 07 RFC 5922

SIP WG                                                        V. Gurbani
Internet-Draft                         Bell Laboratories, Alcatel-Lucent
Intended status:  Best Current                               S. Lawrence
Practice                                                 Bluesocket Inc.
Expires:  May 11, 2008                                        A. Jeffrey
                                       Bell Laboratories, Alcatel-Lucent
                                                        November 8, 2007


      Domain Certificates in the Session Initiation Protocol (SIP)
                     draft-ietf-sip-domain-certs-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 11, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes how to interpret certain information in a
   X.509 PKIX-compliant certificate used in a Transport Layer Security
   (TLS) connection.  More specifically, it describes how to find the
   right identity for authentication in such certificates and how to use
   it for mutual authentication.



Gurbani, et al.           Expires May 11, 2008                  [Page 1]


Internet-Draft                Domain Certs                 November 2007


Table of Contents

   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Key Words  . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Problem statement  . . . . . . . . . . . . . . . . . . . . . .  3
   4.  SIP domain to host resolution  . . . . . . . . . . . . . . . .  4
   5.  The need for mutual interdomain authentication . . . . . . . .  5
   6.  Guidelines for a service provider  . . . . . . . . . . . . . .  6
   7.  Behavior of SIP entities . . . . . . . . . . . . . . . . . . .  7
     7.1.  Finding SIP Identities in a Certificate  . . . . . . . . .  7
     7.2.  Comparing SIP Identities . . . . . . . . . . . . . . . . .  8
     7.3.  Client behavior  . . . . . . . . . . . . . . . . . . . . .  8
     7.4.  Server behavior  . . . . . . . . . . . . . . . . . . . . .  9
     7.5.  Proxy behavior . . . . . . . . . . . . . . . . . . . . . . 10
     7.6.  Registrar behavior . . . . . . . . . . . . . . . . . . . . 10
     7.7.  Redirect server behavior . . . . . . . . . . . . . . . . . 10
     7.8.  Virtual SIP Servers and Certificate Content  . . . . . . . 10
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
     8.1.  Connection authentication using Digest . . . . . . . . . . 12
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 12
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 12
     11.2. Informative References . . . . . . . . . . . . . . . . . . 13
   Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
   Intellectual Property and Copyright Statements . . . . . . . . . . 15























Gurbani, et al.           Expires May 11, 2008                  [Page 2]


Internet-Draft                Domain Certs                 November 2007


1.  Terminology

1.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].


2.  Introduction

   Transport Layer Security (TLS) [3] has started to appear in an
   increasing number of Session Initiation Protocol (SIP) [2]
   implementations.  In order to use the authentication capabilities of
   TLS, certificates as defined by the Internet X.509 Public Key
   Infrastructure RFC 3280 [4] are required.

   Existing SIP specifications do no sufficiently specify how to use
   certificates for domain (as opposed to host) authentication.  This
   document provides guidance to ensure interoperability and uniform
   conventions for the construction of SIP domain certificates.

   The discussion in this document is pertinent to an X.509 PKIX-
   compliant certificate used for a TLS connection; it may not apply to
   use of such certificates with S/MIME, for instance.


3.  Problem statement

   TLS uses X.509 Public Key Infrastructure [4] to bind an identity, or
   a set of identities, to the subject of a X.509 certificate.
   Accordingly, the recommendations of the SIP working group have been
   to populate the X.509v3 subjectAltName extension with an identity.
   However, this is under-specified in RFC 3261, which mentions
   subjectAltName in conjunction with S/MIME only and not TLS.  The
   security properties of TLS and S/MIME as used in SIP are different:
   X.509 certificates used for S/MIME are generally used for end-to-end
   authentication and encryption, thus they serve to bind the identity
   of a user to the certificate.  On the other hand, X.509 certificates
   used for TLS serve to bind the identities of the per-hop domain
   sending or receiving the SIP messages.

   While RFC3261 provides adequate guidance on the use of X.509
   certificates used for S/MIME, it is relatively silent on the use of
   such certificates for TLS.  The concept of what should be contained
   in a site (or domain) certificate in RFC3261 is quoted below (Section
   26.3.1):




Gurbani, et al.           Expires May 11, 2008                  [Page 3]


Internet-Draft                Domain Certs                 November 2007


      Proxy servers, redirect servers and registrars SHOULD possess a
      site certificate whose subject corresponds to their canonical
      hostname.

   The lack of specifications leads to problems when attempting to
   interpret the certificate contents for TLS connections in a uniform
   manner.

   This document shows how the certificates are to be used for mutual
   authentication when both the client and server possess appropriate
   certificates.  It also contains normative behavior for matching the
   DNS query string with an identity stored in the X.509 certificate.
   Following the accepted practice of the time, legacy X.509
   certificates may store the identity in the Common Name (CN) field of
   the certificate [Comment.1] instead of the currently used Subject
   Alternative Names (subjectAltName) extension.  Furthermore, it is
   permissible for a certificate to contain multiple identifiers for the
   Subject via the subjectAltName extension.  As such, this document
   specifies appropriate matching rules to encompass various Subject
   identity representation options.  And finally, this document also
   provides guidelines to service providers for assigning certificates
   to SIP servers.

   The rest of this document is organized as follows:  the next section
   provides an overview of the most primitive case of a client using DNS
   to access a SIP server and the resulting authentication steps.
   Section 5 looks at the reason why mutual inter-domain authentication
   is desired in SIP, and the lack of normative text and behavior in
   RFC3261 for doing so.  Section 7 provides normative behavior on the
   SIP entities (user agent clients, user agent servers, registrars,
   redirect servers, and proxies) that need perform authentication based
   on X.509 certificates.  Section 8 includes the security
   considerations.


4.  SIP domain to host resolution

   Routing in SIP is performed by having the client execute RFC 3263 [5]
   procedures on a URI, called the "Application Unique String (AUS)
   (c.f.  Section 8 of RFC 3263 [5]).  These procedures take as input a
   SIP AUS (the SIP domain) and return an ordered set containing one or
   more IP addresses, and a port number and transport corresponding to
   each IP address in the set (the "Expected Output") by querying an
   Domain Name Service (DNS).  If the transport indicates the use of
   TLS, then a TLS connection is opened to the server on a specific IP
   address and port.  The server presents an X.509 certificate to the
   client for verification as part of the initial TLS handshake.




Gurbani, et al.           Expires May 11, 2008                  [Page 4]


Internet-Draft                Domain Certs                 November 2007


   The client should extract identifiers from the Subject and
   subjectAltName extension in the certificate (see Section 7.1) and
   compare these values to the AUS.  If any identifier match is found,
   the server is considered to be authenticated and subsequent signaling
   can now proceed over the TLS connection.  Matching rules for X.509
   certificates and the normative behavior for clients is specified in
   Section 7.3.

   As an example:  a request is to be routed to the SIP address
   "sips:alice@example.com".  This address requires a secure connection
   to the SIP domain "example.com", so that is the SIP AUS value.
   Through a series of untrusted DNS manipulations, that AUS is mapped
   to a set of host addresses and transports, from which an address
   appropriate for use with TLS is selected.  A connection is
   established to that server, which presents a certificate asserting an
   identity of "sip:example.com".  Since the host portion of the SIP AUS
   matches the subject of the certificate, the server is authenticated.

      SIPS borrows this behavior from HTTPS.  However, to be pedantic,
      RFC 2818 [6] prefers that the identity be conveyed as a
      subjectAltName extension of type dNSName instead of the commonly
      used practice of conveying the identity in the CN field of the
      Subject field.  Similarly, this document RECOMMENDS that the SIP
      identity be conveyed as a subjectAltName extension of type
      uniformResourceIdentifier (c.f.  Section 6, Section 7.1).

      A domain name in an X.509 certificates is properly interpreted
      only as a sequence of octets to be compared to the URI used to
      reach the host.  No inference should be made based on the DNS name
      hierarchy.


5.  The need for mutual interdomain authentication

   Consider the SIP trapezoid shown in Figure 1.


      proxyA.example.com ------------ proxyB.example.net
             |                           |
             |                           |
             |                           |
             |                         +---+
           0---0                       |   |
            /-\                        |___|
           +---+                      /    /
                                     +----+
      alice@example.com          bob@example.net




Gurbani, et al.           Expires May 11, 2008                  [Page 5]


Internet-Draft                Domain Certs                 November 2007


                          Figure 1: SIP Trapezoid

   Assume that alice@example.com creates an INVITE for bob@example.net;
   her user agent routes the request to some proxy in her domain,
   example.com.  Suppose also that example.com is a large organization
   that maintains several SIP proxies, and normal resolution rules cause
   her INVITE to be sent to an outbound proxy proxyA.example.com, which
   then uses RFC 3263 [5] resolution and finds that proxyB.example.net
   is a valid proxy for example.net that uses TLS. proxyA.example.com
   requests a TLS connection to proxyB.example.net, and each presents a
   certificate to authenticate that connection.

      RFC 3261 [2] section 26.3.2.2 "Interdomain Requests" states that
      when a TLS connection is created between two proxies, each should
      authenticate the other by validating the certificates exchanged
      during the TLS handshake and by comparing the subject of those
      certificates to the expected domain name.  However, RFC3261 does
      not make any reference to using an identifier extracted
      specifically from the Subject field as opposed to the
      subjectAltName when comparing against the domain name.

   The authentication problem for proxyA is straightforward - if we
   assume secure DNS, then proxyA already knows that proxyB is a valid
   proxy for the SIP domain example.net, so it only needs a valid
   certificate from proxyB that contains the fully qualified host name
   proxyB.example.net, or a SIP URI that asserts proxy B's authority
   over example.net domain, i.e., a certificate that asserts the
   identity "sip:example.net".  [Comment.2] Normative behavior for
   proxyA is outlined in Section 7.3.

   The problem for proxyB is slightly more complex since it accepted the
   TLS request passively.  Thus, it does not possess an equivalent AUS
   that proxyA did; instead, it uses local policies to consider the
   client authenticated.  The normative behavior for servers is provided
   in Section 7.4.


6.  Guidelines for a service provider

   When assigning certificates to proxy servers, registrars, and
   redirect servers, a service provider MUST ensure that the SIP AUS
   used to address the server is present as an identity in the
   subjectAltName field of the certificate.

   Service providers MAY continue the practice of using existing
   certificates for SIP usage with the identity conveyed in the Subject
   field; however, such usage is NOT RECOMMENDED for new certificates,
   which MUST contain the identity in the subjectAltName extension.



Gurbani, et al.           Expires May 11, 2008                  [Page 6]


Internet-Draft                Domain Certs                 November 2007


7.  Behavior of SIP entities

   This section normatively specifies the behavior of SIP entities when
   using X.509 certificates to determine an authenticated SIP domain
   identity.

7.1.  Finding SIP Identities in a Certificate

   Procedures for constructing a certificate path and checking
   revocation status to determine the validity of a certificate are
   described in RFC 3280 [4]; implementations must follow checks as
   prescribed therein.  This document adds additional rules for
   interpreting an X.509 certificate for use in SIP.

   I-D.sip-eku [9] describes the method to validate any Extended Key
   Usage values found in the certificate for a SIP domain.
   Implementations MUST perform the checks prescribed by that
   specification.

   Given an X.509 certificate that the above checks have found to be
   acceptable, the following describes how to determine what SIP
   identity or identities it contains.  Note that a single certificate
   MAY serve more than one purpose - that is, it MAY contain identities
   not valid for use in SIP, and/or MAY contain one or more identities
   that are valid for use in SIP.

   1.  Examine the values in the subjectAltName field.  The contents of
       subjectAltName field and the constraints that may be imposed on
       them are defined in Section 4.2.1.7 of RFC 3280 [4].  The
       subjectAltName field may not be present or it may contain one or
       more identities.  Each value in the subjectAltName has a type;
       the only types acceptable for encoding a SIP domain identity are:

       URI  If the scheme of the URI value is 'sip' (URI scheme tokens
          are always case insensitive), and there is no userinfo
          component in the URI (there is no '@'), then the hostpart is a
          SIP domain identity.  A URI value that does contain a userpart
          MUST NOT be used as a domain identity (such a certificate
          identifies an individual user, not a server for the domain).

       DNS  A domain name system identifier MAY be accepted as a SIP
          domain identity.  An implementation MAY choose to accept a DNS
          name as a domain identity, but only when no identity is found
          using the URI type above.

   2.  If and only if the subjectAltName does not appear in the
       certificate, the client MAY examine the Subject Common Name (CN)
       field of the certificate.  If a valid DNS name is found there,



Gurbani, et al.           Expires May 11, 2008                  [Page 7]


Internet-Draft                Domain Certs                 November 2007


       the implementation MAY use this value as a SIP domain identity.
       The use of the CN value is allowed for backward compatibility,
       but is NOT RECOMMENDED.

   The above procedure yields a set containing zero or more identities
   from the certificate.  A client uses these identities to authenticate
   a server (see Section 7.3) and a server uses them to authenticate a
   client (see Section 7.4).

7.2.  Comparing SIP Identities

   When comparing two values as SIP identities:

      Implementations MUST compare only that part of each identifier
      (from the procedure defined in Section 7.1 that is a DNS name.
      Any scheme or parameters extracted from an identifier MUST NOT be
      used in the comparison procedure described below.

      The values MUST be compared as DNS names, which means that the
      comparison is case insensitive.

      The match MUST be exact:

         A suffix match MUST NOT be considered a match.  For example,
         "foo.example.com" does not match "example.com".

         Any form of wildcard, such as a leading "." or "*.", MUST NOT
         be considered a match.  For example, "foo.example.com" does not
         match ".example.com" or "*.example.com".  [Comment.3]

7.3.  Client behavior

   A client uses the SIP AUS (the SIP domain name) to query a (possibly
   untrusted) DNS to obtain a result set, which is a one or more SRV and
   A records identifying the server for the domain (see Section 4 for an
   overview.)

   The SIP server, when establishing a TLS connection, presents its
   certificate to the client for authentication.  The client MUST
   determine the SIP identities in the server certificate using the
   procedure in Section 7.1.  Then, the client MUST compare the original
   SIP domain name (the AUS) used as input to the server location
   procedures [5] to the SIP domain identities obtained from the
   certificate.

   o  If there were no identities found in the server certificate, the
      server is not authenticated.




Gurbani, et al.           Expires May 11, 2008                  [Page 8]


Internet-Draft                Domain Certs                 November 2007


   o  If the AUS matches any SIP domain identity obtained from the
      certificate when compared as described in section Section 7.2, the
      server is authenticated for the domain.

   If the server is not authenticated, the client MUST close the
   connection immediately.

7.4.  Server behavior

   When a server accepts a TLS connection, it presents its own X.509
   certificate to the client.  To authenticate the client, the server
   asks the client for a certificate.  If the client possesses a
   certificate, it is presented to the server.  If the client does not
   present a certificate, it MUST NOT be considered authenticated.

      Whether or not to close a connection if the client cannot present
      a certificate is a matter of local policy, and depends on the
      authentication needs of the server for the connection.  Some
      currently deployed servers use Digest authentication to
      authenticate individual requests on the connection, and choose to
      treat the connection as authenticated by those requests for some
      purposes (but see Section 8.1).

      If the server requires client authentication for some local
      purpose, then it MAY implement a policy of allowing the connection
      only if the client is authenticated.  For example, if the server
      is an inbound proxy that has peering relationships with the
      outbound proxies of other specific domains, it might only allow
      connections authenticated as coming from those domains.

   The server MUST obtain the set of SIP domain identities from the
   client certificate as described in Section 7.1.  Because the server
   accepted the TLS connection passively, unlike a client, it does not
   possess an AUS for comparison.  Nonetheless, server policies can use
   the authenticated SIP domain identity to make authorization
   decisions.

   For example, a very open policy could be to accept any X.509
   certificates and validate them using the procedures in RFC 3280; if
   they validate, the identity is accepted and logged.  Alternatively,
   the server could have a list of all SIP domain names is allowed to
   accept connections from; when a client presents its certificate, for
   each identity in the client certificate, the server searches for it
   in the list of acceptable domains to decide whether or not to accept
   the connection.  Other policies that make finer distinctions are
   possible.

   Note that the decision of whether or not the authenticated connection



Gurbani, et al.           Expires May 11, 2008                  [Page 9]


Internet-Draft                Domain Certs                 November 2007


   to the client is appropriate for use to route new requests to the
   client domain is independent of whether or not the connection is
   authenticated; the connect-reuse [10] draft discusses this aspect in
   more detail.

7.5.  Proxy behavior

   A proxy MUST use the procedures defined for a User Agent Server (UAS)
   in Section 7.4 when authenticating a connection from a client.

   A proxy MUST use the procedures defined for a User Agent Client (UAC)
   in Section 7.3 when requesting an authenticated connection to a UAS.

   If a proxy adds a Record-Route when forwarding a request with the
   expectation that the route is to use secure connections, it MUST
   insert into the Record-Route header a URI that corresponds to an
   identity for which it has a certificate; if it does not, then it will
   not be possible to create a secure connection using the value from
   the Record-Route as the AUS.

7.6.  Registrar behavior

   A SIP registrar, acting as a server, follows the normative behavior
   of Section 7.4.  When it accepts a TLS connection from the client, it
   present its certificate.  Depending on the registrar policies, it may
   challenge the client with HTTP Digest.

7.7.  Redirect server behavior

   A SIP redirect server follows the normative behavior of Section 7.4.
   It may accept a TLS connection from the client, present its
   certificate, and then challenge the client with HTTP Digest.

7.8.  Virtual SIP Servers and Certificate Content

   The closest guidance in SIP today regarding certificates and virtual
   SIP servers occurs in SIP Identity ([8], Section 13.4).  The quoted
   section states that, "... certificates have varying ways of
   describing their subjects, and may indeed have multiple subjects,
   especially in the 'virtual hosting' cases where multiple domains are
   managed by a single application."

   The above quote is incorrect, in that it implies that one certificate
   can have multiple subjectAltName (or Subject) fields, each
   corresponding to a discrete virtual server that represents a single
   domain; actually, a PKIX-compliant certificate has exactly one
   Subject field and at most one subjectAltName (the subjectAltName MAY
   contain multiple identifiers for the Subject).



Gurbani, et al.           Expires May 11, 2008                 [Page 10]


Internet-Draft                Domain Certs                 November 2007


   Since only one certificate is needed for multiple domains, the keying
   material management is straightforward, but such a certificate MUST
   be revoked if ANY identifier in the certificate is no longer
   associated with the holder of the private key for the certificate.

   The TLS extended client hello [7] allows a TLS client to provide to
   the TLS server the name of the server to which a connection is
   desired.  Thus, the server can present the correct certificate to
   establish the TLS connection.


8.  Security Considerations

   The goals of TLS (when used with X.509 certificates) include the
   following security guarantees at the transport layer:

   Confidentiality:  packets tunneled through TLS can be read only by
      the sender and receiver.

   Integrity:  packets tunneled through TLS cannot be undetectably
      modified on the connection between the sender and receiver.

   Authentication:  each principal is authenticated to the other as
      possessing a private key for which a certificate has been issued.
      Moreover, this certificate has not been revoked, and is verifiable
      by a certificate chain leading to a (locally configured) trust
      anchor.

   We expect appropriate processing of domain certificates to provide
   the following security guarantees at the application level:

   Confidentiality:  SIPS messages from alice@example.com to
      bob@example.edu can be read only by alice@example.com,
      bob@example.edu, and SIP proxies issued with domain certificates
      for example.com or example.edu.

   Integrity:  SIPS messages from alice@example.com to bob@example.edu
      cannot be undetectably modified on the links between
      alice@example.com, bob@example.edu, and SIP proxies issued with
      domain certificates for example.com or example.edu.

   Authentication:  alice@example.com and proxy.example.com are mutually
      authenticated; moreover proxy.example.com is authenticated to
      alice@example.com as an authoritative proxy for domain
      example.com.  Similar mutual authentication guarantees are given
      between proxy.example.com and proxy.example.edu and between
      proxy.example.edu and bob@example.edu.  As a result,
      alice@example.com is transitively mutually authenticated to



Gurbani, et al.           Expires May 11, 2008                 [Page 11]


Internet-Draft                Domain Certs                 November 2007


      bob@example.edu (assuming trust in the authoritative proxies for
      example.com and example.edu).

8.1.  Connection authentication using Digest

   Digest authentication in SIP provides for authentication of the
   message sender to the challenging UAS.  As commonly deployed, it
   provides only very limited integrity protection of the authenticated
   message.  Many existing deployments have chosen to use the Digest
   authentication of one or more messages on a particular connection as
   a way to authenticate the connection itself - and by implication,
   authenticating other (unchallenged) messages on that connection.
   Some even choose to similarly authenticate a UDP source address and
   port based on the Digest authentication of a message received from
   that address and port.  This use of Digest goes beyond the assurances
   it was designed to provide, and is NOT RECOMMENDED.  Authentication
   of the domain at the other end of a connection SHOULD be accomplished
   using TLS and the certificate validation rules described by this
   specification instead.


9.  IANA Considerations

   This memo does not contain any considerations for IANA.


10.  Acknowledgments

   The following IETF contributors provided substantive input to this
   document:  Jeroen van Bemmel, Michael Hammer, Cullen Jennings, Paul
   Kyzivat, Derek MacDonald, Dave Oran, Jon Peterson, Eric Rescorla,
   Jonathan Rosenberg, Russ Housley.  Special acknowledgement goes to
   Stephen Kent for extensively reviewing draft versions and suggesting
   invaluable feedback, edits, and comments.


11.  References

11.1.  Normative References

   [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", RFC 2119, March 1997.

   [2]   Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
         Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
         Session Initiation Protocol", RFC 3261, June 2002.

   [3]   Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",



Gurbani, et al.           Expires May 11, 2008                 [Page 12]


Internet-Draft                Domain Certs                 November 2007


         RFC 2246, January 1999.

   [4]   Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
         Public Key Infrastructure Certificate and Certificate
         Revocation List (CRL) Profile", RFC 3280, April 2002.

11.2.  Informative References

   [5]   Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol
         (SIP): Location SIP Servers", RFC 3263, June 2002.

   [6]   Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [7]   Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
         T. Wright, "Transport Layer Security (TLS) Extensions",
         RFC 4366, April 2006.

   [8]   Peterson, J. and C. Jennings, "Enhancements for Authenticated
         Identity Management in the Session Initiation Protocol (SIP)",
         RFC 4474, August 2006.

   [9]   Lawrence, S. and V. Gurbani, "Using Extended Key Usage (EKU)
         for Session Initiation Protocol (SIP) X.509 Certificates",
         draft-ietf-sip-eku-00.txt (work in progress), 2007.

   [10]  Mahy, R., Gurbani, V., and B. Tate, "Connection Reuse in the
         Session Initiation Protocol",
         draft-ietf-sip-connect-reuse-08.txt (work in progress),
         October 2007.

Editorial Comments

   [Comment.1]  Stephen Kent: PKIX standards made an exception for RFC
                822 names in legacy certificates, but not for DNS names
                or URIs!  There is a private extension, developed by
                Netscape for representing a DNS name in a certificate
                prior to the advent of SAN.  I think it's rather late to
                be accomodating certificates that are not compliant with
                RFC 3280, a spec that is 5 years old.

   [Comment.2]  (authors) and Stephen Kent: Actually, even if DNSSEC
                provides a trusted host name, it is sufficient for
                proxyB to have presented a certificate that contains a
                SIP identity for example.net, so authentication of just
                the proxyB hostname has little value since it would not
                be sufficient without DNSSEC.

   [Comment.3]  (authors): RFC 2818 (HTTP over TLS) allows the dNSName



Gurbani, et al.           Expires May 11, 2008                 [Page 13]


Internet-Draft                Domain Certs                 November 2007


                component to contain a  wildcard; e.g., "DNS:
                *.example.com".  RFC 3280, while not disallowing this
                explicitly, leaves the interpretation of wildcards to
                the individual  specification.  RFC 3261 does not
                provide any guidelines on the presence  of wildcards in
                certificates.  The consensus from the working group
                discussion leans in the favor of not using them in SIP.


Authors' Addresses

   Vijay K. Gurbani
   Bell Laboratories, Alcatel-Lucent
   2701 Lucent Lane
   Room 9F-546
   Lisle, IL  60532
   USA

   Phone:  +1 630 224-0216
   Email:  vkg@alcatel-lucent.com


   Scott Lawrence
   Bluesocket Inc.
   10 North Ave.
   Burlington, MA  01803
   USA

   Phone:  +1 781 229 0533
   Email:  slawrence@bluesocket.com


   Alan S.A. Jeffrey
   Bell Laboratories, Alcatel-Lucent
   2701 Lucent Lane
   Room 9F-534
   Lisle, IL  60532
   USA

   Email:  ajeffrey@alcatel-lucent.com











Gurbani, et al.           Expires May 11, 2008                 [Page 14]


Internet-Draft                Domain Certs                 November 2007


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Gurbani, et al.           Expires May 11, 2008                 [Page 15]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/