draft-ietf-sip-certs-00.txt   draft-ietf-sip-certs-01.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Expires: November 26, 2006 J. Peterson Expires: December 27, 2006 J. Peterson
NeuStar, Inc. NeuStar, Inc.
J. Fischl, Ed. J. Fischl, Ed.
CounterPath Solutions, Inc. CounterPath Solutions, Inc.
May 25, 2006 June 25, 2006
Certificate Management Service for The Session Initiation Protocol (SIP) Certificate Management Service for The Session Initiation Protocol (SIP)
draft-ietf-sip-certs-00 draft-ietf-sip-certs-01
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 26, 2006. This Internet-Draft will expire on December 27, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This draft defines a Credential Service that allows Session This draft defines a Credential Service that allows Session
Initiation Protocol (SIP) User Agents (UAs) to use a SIP package to Initiation Protocol (SIP) User Agents (UAs) to use a SIP package to
discover the certificates of other users. This mechanism allows user discover the certificates of other users. This mechanism allows user
agents that want to contact a given Address-of-Record (AOR) to agents that want to contact a given Address-of-Record (AOR) to
retrieve that AOR's certificate by subscribing to the Credential retrieve that AOR's certificate by subscribing to the Credential
Service. The Credential Service also allows users to store and Service, which returns an authenticated response containing that
certificate. The Credential Service also allows users to store and
retrieve their own certificates and private keys. retrieve their own certificates and private keys.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 7 4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 8
5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 8 5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 9
6. Credential Service Behavior . . . . . . . . . . . . . . . . . 9 6. Event Package Formal Definition for "certificate" . . . . . . 10
7. Event Package Formal Definition for "certificate" . . . . . . 9 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10
7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 9 6.2. Event Package Parameters . . . . . . . . . . . . . . . . . 10
7.2. Event Package Parameters . . . . . . . . . . . . . . . . . 10 6.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 10
7.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 10 6.4. Subscription Duration . . . . . . . . . . . . . . . . . . 10
7.4. Subscription Duration . . . . . . . . . . . . . . . . . . 10 6.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 10
7.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 10 6.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 11
7.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 10 6.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 11
7.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 11 6.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 11
7.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 11 6.9. Subscriber Processing of NOTIFY Requests . . . . . . . . . 12
7.9. Subscriber Processing of NOTIFY Requests . . . . . . . . . 11 6.10. Handling of Forked Requests . . . . . . . . . . . . . . . 12
7.10. Handling of Forked Requests . . . . . . . . . . . . . . . 11 6.11. Rate of Notifications . . . . . . . . . . . . . . . . . . 12
7.11. Rate of Notifications . . . . . . . . . . . . . . . . . . 12 6.12. State Agents and Lists . . . . . . . . . . . . . . . . . . 12
7.12. State Agents and Lists . . . . . . . . . . . . . . . . . . 12 6.13. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 12
7.13. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 12 7. Event Package Formal Definition for "credential" . . . . . . . 12
8. Event Package Formal Definition for "credential" . . . . . . . 12 7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 12
8.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 12 7.2. Event Package Parameters . . . . . . . . . . . . . . . . . 13
8.2. Event Package Parameters . . . . . . . . . . . . . . . . . 12 7.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 13
8.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 12 7.4. Subscription Duration . . . . . . . . . . . . . . . . . . 13
8.4. Subscription Duration . . . . . . . . . . . . . . . . . . 13 7.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 13
8.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 13 7.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 14
8.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 13 7.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 14
8.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 14 7.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 14
8.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 14 7.9. Generation of PUBLISH Requests . . . . . . . . . . . . . . 15
8.9. Generation of PUBLISH Requests . . . . . . . . . . . . . . 14 7.10. Notifier Processing of PUBLISH Requests . . . . . . . . . 15
8.10. Notifier Processing of PUBLISH Requests . . . . . . . . . 15 7.11. Subscriber Processing of NOTIFY Requests . . . . . . . . . 16
8.11. Subscriber Processing of NOTIFY Requests . . . . . . . . . 15 7.12. Handling of Forked Requests . . . . . . . . . . . . . . . 16
8.12. Handling of Forked Requests . . . . . . . . . . . . . . . 16 7.13. Rate of Notifications . . . . . . . . . . . . . . . . . . 16
8.13. Rate of Notifications . . . . . . . . . . . . . . . . . . 16 7.14. State Agents and Lists . . . . . . . . . . . . . . . . . . 16
8.14. State Agents and Lists . . . . . . . . . . . . . . . . . . 16 7.15. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 16
8.15. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 16 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
9. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 8.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 17
9.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 16 8.2. Setting and Retrieving UA Credentials . . . . . . . . . . 18
9.2. Setting and Retrieving UA Credentials . . . . . . . . . . 17 9. Security Considerations . . . . . . . . . . . . . . . . . . . 18
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 9.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 21
10.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 20 9.2. Certificate Replacement . . . . . . . . . . . . . . . . . 21
10.2. Certificate Replacement . . . . . . . . . . . . . . . . . 21 9.3. Trusting the Identity of a Certificate . . . . . . . . . . 21
10.3. Trusting the Identity of a Certificate . . . . . . . . . . 21 9.4. Conformity to the SACRED Framework . . . . . . . . . . . . 22
10.4. Conformity to the SACRED Framework . . . . . . . . . . . . 22 9.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 22
10.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 22 9.6. User Certificate Generation . . . . . . . . . . . . . . . 23
10.6. User Certificate Generation . . . . . . . . . . . . . . . 23 9.7. Compromised Authentication Service . . . . . . . . . . . . 23
10.7. Compromised Authentication Service . . . . . . . . . . . . 23 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 10.1. Certificate Event Package . . . . . . . . . . . . . . . . 24
11.1. Certificate Event Package . . . . . . . . . . . . . . . . 24 10.2. Credential Event Package . . . . . . . . . . . . . . . . . 24
11.2. Credential Event Package . . . . . . . . . . . . . . . . . 24 10.3. PKCS#8 . . . . . . . . . . . . . . . . . . . . . . . . . . 25
11.3. PKCS#8 . . . . . . . . . . . . . . . . . . . . . . . . . . 24 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 12.1. Normative References . . . . . . . . . . . . . . . . . . . 26
13.1. Normative References . . . . . . . . . . . . . . . . . . . 26 12.2. Informational References . . . . . . . . . . . . . . . . . 27
13.2. Informational References . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
Intellectual Property and Copyright Statements . . . . . . . . . . 29 Intellectual Property and Copyright Statements . . . . . . . . . . 29
1. Introduction 1. Introduction
SIP [6] provides a mechanism [18] for end-to-end encryption and SIP [6] provides a mechanism [18] for end-to-end encryption and
integrity using S/MIME [17]. Several security properties of SIP integrity using S/MIME [17]. Several security properties of SIP
depend on S/MIME, and yet it has not been widely deployed. depend on S/MIME, and yet it has not been widely deployed. One
Certainly, one reason is the complexity of providing a reasonable reason is the complexity of providing a reasonable certificate
certificate distribution infrastructure. This specification proposes distribution infrastructure. This specification proposes a way to
a way to address discovery, retrieval, and management of certificates address discovery, retrieval, and management of certificates for SIP
for SIP deployments. It follows the Sacred Framework RFC 3760 [7] deployments. Combined with the SIP Identity [2] specification, this
for management of the credentials. Combined with the SIP Identity specification allows users to have certificates that are not signed
[2] specification, this specification allows users to have by any well known certificate authority while still strongly binding
certificates that are not signed by any well known certificate the user's identity to the certificate.
authority while still strongly binding the user's identity to the
certificate. This mechanism allows SIP User Agents such as IP phones In addition, this specification provides a which mechanism allows SIP
to enroll and get their credentials without any more configuration User Agents such as IP phones to enroll and get their credentials
information than they commonly have today. The end user expends no without any more configuration information than they commonly have
extra effort. today. The end user expends no extra effort. It follows the Sacred
Framework RFC 3760 [7] for management of the credentials.
2. Definitions 2. Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [5]. document are to be interpreted as described in RFC 2119 [5].
Certificate: An X.509v3 [15] style certificate containing a public Certificate: A PKIX [13] style certificate containing a public key
key and a list of identities in the SubjectAltName that are bound and a list of identities in the SubjectAltName that are bound to
to this key. The certificates discussed in this draft are this key. The certificates discussed in this draft are generally
generally self signed and use the mechanisms in the SIP Identity self signed and use the mechanisms in the SIP Identity [2]
[2] specification to vouch for their validity, but certificates specification to vouch for their validity. Certificates that are
that are signed by a certificate authority can also be used with signed by a certificate authority can also be used with all the
all the mechanisms in this draft. mechanisms in this draft, but it is expected that they are used
purely as a key carrier and that their validity is not checked.
Credential: For this document, credential means the combination of a Credential: For this document, credential means the combination of a
certificate and the associated private key. certificate and the associated private key.
password phrase: A password used to encrypt a PKCS#8 private key. password phrase: A password used to encrypt a PKCS#8 private key.
3. Overview 3. Overview
The general approach is to provide a new SIP service referred to as a The general approach is to provide a new SIP service referred to as a
"credential service" that allows SIP User Agents (UAs) to subscribe "credential service" that allows SIP User Agents (UAs) to subscribe
to other users' certificates using a new SIP event package [4]. The to other users' certificates using a new SIP event package [4]. The
certificate is delivered to the subscribing UA in a corresponding SIP certificate is delivered to the subscribing UA in a corresponding SIP
skipping to change at page 6, line 42 skipping to change at page 7, line 29
from the AOR "sip:bob@example.com". Alice's UA receives the from the AOR "sip:bob@example.com". Alice's UA receives the
certificate and can use it to encrypt a message to Bob. certificate and can use it to encrypt a message to Bob.
It is critical to understand that the only way that Alice can trust It is critical to understand that the only way that Alice can trust
that the certificate really is the one for Bob and that the NOTIFY that the certificate really is the one for Bob and that the NOTIFY
has not been spoofed is for Alice to check that the Identity [2] has not been spoofed is for Alice to check that the Identity [2]
header field value is correct. header field value is correct.
The mechanism described in this document works for both self signed The mechanism described in this document works for both self signed
certificates and certificates signed by well known certificate certificates and certificates signed by well known certificate
authorities; however, it is imagined that most UAs using this would authorities. However, most UAs would only use self signed
only use self signed certificates and would use an Authentication certificates and would use an Authentication Service as described in
Service as described in [2] to provide a strong binding of an AOR to [2] to provide a strong binding of an AOR to the certificates.
the certificates.
The mechanisms described in this draft allow for three different The mechanisms described in this draft allow for three different
styles of deployment: styles of deployment:
1. Deployments where the credential server only stores certificates 1. Deployments where the credential server only stores certificates
and does not store any private key information. If the and does not store any private key information. If the
deployment had users with multiple devices, some other scheme deployment had users with multiple devices, some other scheme
(perhaps even manual provisioning) would be used to get the right (perhaps even manual provisioning) would be used to get the right
private keys onto all the devices that a user uses. private keys onto all the devices that a user uses.
2. Deployments where the credential server stores certificates and 2. Deployments where the credential server stores certificates and
also stores encrypted version of the private keys. The also stores an encrypted version of the private keys. The
credential server would not know or need the password phrase for credential server would not know or need the password phrase for
decrypting the private key. The credential server would help decrypting the private key. The credential server would help
move the private keys between devices but the user would need to move the private keys between devices but the user would need to
enter a password phrase on each device to allow that device to enter a password phrase on each device to allow that device to
decrypt (and encrypt) the private key information. decrypt (and encrypt) the private key information.
3. Deployments where the credential server stores the certificates 3. Deployments where the credential server stores the certificates
and private keys and also knows the password phrase for and private keys and also knows the password phrase for
decrypting the private keys. Deployments such as these may not decrypting the private keys. Deployments such as these may not
even use password phrases, in which case the private keys are not even use password phrases, in which case the private keys are not
encrypted inside the PKCS#8 objects. This style of deployments encrypted inside the PKCS#8 objects. This style of deployment
would often have the credential server, instead of the devices, would often have the credential server, instead of the devices,
create the credentials. create the credentials.
4. UA Behavior with Certificates 4. UA Behavior with Certificates
When a User Agent wishes to discover some other user's certificate it When a User Agent wishes to discover some other user's certificate it
subscribes to the "certificate" SIP event package as described in subscribes to the "certificate" SIP event package as described in
Section 7 to get the certificate. While the subscription is active, Section 6 to get the certificate. While the subscription is active,
if the certificate is updated, the Subscriber will receive the if the certificate is updated, the Subscriber will receive the
updated certificate in a notification. updated certificate in a notification.
The Subscriber needs to decide how long it is willing to trust that The Subscriber needs to decide how long it is willing to trust that
the certificate it receives is still valid. If the certificate is the certificate it receives is still valid. If the certificate is
revoked before it expires, the Notifier will send a notification with revoked before it expires, the Notifier will send a notification with
an empty body to indicate that the certificate is no longer valid. an empty body to indicate that the certificate is no longer valid.
However, the Subscriber might not receive the notification if an However, the Subscriber might not receive the notification if an
attacker blocks this traffic. The amount of time that the Subscriber attacker blocks this traffic. The amount of time that the Subscriber
caches a certificate SHOULD be configurable. A default of one day is caches a certificate SHOULD be configurable. A default of one day is
RECOMMENDED. RECOMMENDED.
Note that the actual duration of the subscription is orthogonal to Note that the actual duration of the subscription is unrelated to the
the caching time or validity time of the corresponding certificate. caching time or validity time of the corresponding certificate.
Allowing subscriptions to persist after a certificate is not longer Allowing subscriptions to persist after a certificate is no longer
valid ensures that Subscribers receive the replacement certificate in valid ensures that Subscribers receive the replacement certificate in
a timely fashion. In some cases, the Notifier will not allow a timely fashion. In some cases, the Notifier will not allow
unauthenticated subscriptions to persist. The Notifier could return unauthenticated subscriptions to persist. The Notifier could return
an immediate notification with the certificate in response to an immediate notification with the certificate in response to
subscribe and then immediately terminate subscription, setting the subscribe and then immediately terminate subscription, setting the
reason parameter to "probation". The Subscriber will have to reason parameter to "probation". The Subscriber will have to
periodically poll the Notifier to verify validity of the certificate. periodically poll the Notifier to verify validity of the certificate.
If the UA uses a cached certificate in a request and receives a 437 If the UA uses a cached certificate in a request and receives a 437
(Unsupported Certificate) response, it SHOULD remove the certificate (Unsupported Certificate) response, it SHOULD remove the certificate
it used from the cache, attempt to fetch the certificate again. If it used from the cache, attempt to fetch the certificate again. If
the certificate is the not the same, then the UA SHOULD retry the the certificate is changed, then the UA SHOULD retry the original
original request again. This situation usually indicates that the request again with the new certificate. This situation usually
certificate was recently updated, and that the Subscriber has not indicates that the certificate was recently updated, and that the
received a corresponding notification. If the certificate fetched is Subscriber has not received a corresponding notification. If the
the same as the one that was previously in the cache, then the UA certificate fetched is the same as the one that was previously in the
SHOULD NOT try the request again. This situation can happened when cache, then the UA SHOULD NOT try the request again. This situation
the request was retargeted to a different user than the original can happened when the request was retargeted to a different user than
request. The 437 response is defined in [2]. the original request. The 437 response is defined in [2].
Note: A UA that has a presence list MAY want to subscribe to the Note: A UA that has a presence list MAY want to subscribe to the
certificates of all the presentities in the list when the UA certificates of all the presentities in the list when the UA
subscribes to their presence, so that when the user wishes to subscribes to their presence, so that when the user wishes to
contact a presentity, the UA will already have the appropriate contact a presentity, the UA will already have the appropriate
certificate. Future specifications might consider the possibility certificate. Future specifications might consider the possibility
of retrieving the certificates along with the presence documents. of retrieving the certificates along with the presence documents.
The details of how a UA deals with receiving encrypted messages is The details of how a UA deals with receiving encrypted messages is
outside the scope of this specification but it is worth noting that outside the scope of this specification. It is worth noting that if
if Charlie's UAS receives a request that is encrypted to Bob, it Charlie's UAS receives a request that is encrypted to Bob, it would
would be valid and legal for that UA to send a 302 redirecting the be valid and legal for that UA to send a 302 redirecting the call to
call to Charlie. Charlie.
5. UA Behavior with Credentials 5. UA Behavior with Credentials
UAs discover their own credentials by subscribing to their AOR with UAs discover their own credentials by subscribing to their AOR with
an event type of credential as described in Section 8. After a UA an event type of credential as described in Section 7. After a UA
registers, it SHOULD retrieve its credentials by subscribing to them registers, it SHOULD retrieve its credentials by subscribing to them
as described in Section 7.6. as described in Section 6.6.
When a UA discovers its credential, the private key information might When a UA discovers its credential, the private key information might
be encrypted with a password phrase. The UA SHOULD request that the be encrypted with a password phrase. The UA SHOULD request that the
user enter the password phrase on the device, and the UA MAY cache user enter the password phrase on the device, and the UA MAY cache
this password phrase for future use. this password phrase for future use.
There are several different cases in which a UA should generate a new There are several different cases in which a UA should generate a new
credential: credential:
o If the UA receives a NOTIFY with no body for the credential o If the UA receives a NOTIFY with no body for the credential
package. package.
o If the certificate has expired. o If the certificate has expired.
o If the certificate is within 600 seconds of expiring, the UA o If the certificate's notAfter date is within the next 600 seconds,
SHOULD attempt to create replacement credentials. The UA does the UA SHOULD attempt to create replacement credentials. The UA
this by waiting a random amount of time between 0 and 300 seconds. does this by waiting a random amount of time between 0 and 300
If no new credentials have been received in that time, the UA seconds. If no new credentials have been received in that time,
creates new credentials to replace the expiring ones and sends the UA creates new credentials to replace the expiring ones and
them in a PUBLISH request (with a SIP-If-Match header set to the sends them in a PUBLISH request (with a SIP-If-Match header set to
current etag). This makes credential collisions both unlikely and the current etag). This makes credential collisions both unlikely
harmless. and harmless.
o If the user of the device has indicated via the user interface o If the user of the device has indicated via the user interface
that they wish to revoke the current certificate and issue a new that they wish to revoke the current certificate and issue a new
one. one.
Credentials are created by creating a new key pair which will require Credentials are created by creating a new key pair which will require
appropriate randomness, and then creating a certificate as described appropriate randomness, and then creating a certificate as described
in Section 10.6. The UA MAY encrypt the private key with a password in Section 9.6. The UA MAY encrypt the private key with a password
phrase supplied by the user. Then the UA updates the user's phrase supplied by the user. Next, the UA updates the user's
credential by sending a PUBLISH [3] request with the credentials or credential by sending a PUBLISH [3] request with the credentials or
just the certificate as described in Section 8.9. just the certificate as described in Section 7.9.
If a UA wishes to revoke the existing certificate without publishing If a UA wishes to revoke the existing certificate without publishing
a new one, it MUST send a PUBLISH with an empty body to the a new one, it MUST send a PUBLISH with an empty body to the
credential server. credential server.
6. Credential Service Behavior 6. Event Package Formal Definition for "certificate"
The credential service stores credentials for users and can provide
the credentials to other user agents belonging to the same user, and
certificates to any user agent. The credentials are indexed by a URI
that corresponds to the AOR of the user. When a UA requests a public
certificate with a SUBSCRIBE, the server sends the UA the certificate
in a NOTIFY and sends a subsequent NOTIFY any time the certificate
changes. When a credential is requested, the credential service
digest challenges the requesting UA to authenticate it so that the
credential service can verify that the UA is authorized to receive
the requested credentials. When a credential is published, the
credential service digest challenges the requesting UA to
authenticate it so that the credential service can verify that the UA
is authorized to change the credentials. This behavior is defined in
Section 7 and Section 8.
7. Event Package Formal Definition for "certificate"
7.1. Event Package Name 6.1. Event Package Name
This document defines a SIP Event Package as defined in RFC 3265 [4]. This document defines a SIP Event Package as defined in RFC 3265 [4].
The event-package token name for this package is: The event-package token name for this package is:
certificate certificate
7.2. Event Package Parameters 6.2. Event Package Parameters
This package does not define any event package parameters. This package defines the "etag" Event header parameter which is valid
only in NOTIFY requests. It contains a token which represents the
SIP etag value at the time the notification was sent. Considering
how infrequently credentials are updated, this hint is very likely to
be the correct etag to use in the SIP-If-Match header in a SIP
PUBLISH request to update the current credentials.
7.3. SUBSCRIBE Bodies 6.3. SUBSCRIBE Bodies
This package does not define any SUBSCRIBE bodies. This package does not define any SUBSCRIBE bodies.
7.4. Subscription Duration 6.4. Subscription Duration
Subscriptions to this event package can range from no time to weeks. Subscriptions to this event package can range from no time to weeks.
Subscriptions in days are more typical and are RECOMMENDED. The Subscriptions in days are more typical and are RECOMMENDED. The
default subscription duration for this event package is one day. default subscription duration for this event package is one day.
The credential service is encouraged to keep the subscriptions active The credential service is encouraged to keep the subscriptions active
for AORs that are communicating frequently, but the credential for AORs that are communicating frequently, but the credential
service MAY terminate the subscription at any point in time. service MAY terminate the subscription at any point in time.
7.5. NOTIFY Bodies 6.5. NOTIFY Bodies
The body of a NOTIFY request for this package MUST either be empty or The body of a NOTIFY request for this package MUST either be empty or
contain an application/pkix-cert body (as defined in [10]) that contain an application/pkix-cert body (as defined in [10]) that
contains the certificate, unless an Accept header has negotiated some contains the certificate, unless an Accept header has negotiated some
other type. The Content-Disposition MUST be set to "signal". other type. The Content-Disposition MUST be set to "signal", as
defined in as defined in [16].
A future extension MAY define other NOTIFY bodies. If no "Accept" A future extension MAY define other NOTIFY bodies. If no "Accept"
header is present in the SUBSCRIBE, the body type defined in this header is present in the SUBSCRIBE, the body type defined in this
document MUST be assumed. document MUST be assumed.
Implementations which generate large notifications are reminded to Implementations which generate large notifications are reminded to
follow the message size restrictions for unreliable transports follow the message size restrictions for unreliable transports
articulated in Section 18.1.1 of SIP. articulated in Section 18.1.1 of SIP.
7.6. Subscriber Generation of SUBSCRIBE Requests 6.6. Subscriber Generation of SUBSCRIBE Requests
A UA discovers a certificate by sending a SUBSCRIBE request with an A UA discovers a certificate by sending a SUBSCRIBE request with an
event type of "certificate" to the AOR for which a certificate is event type of "certificate" to the AOR for which a certificate is
desired. In general, the UA stays subscribed to the certificate for desired. In general, the UA stays subscribed to the certificate for
as long as it plans to use and cache the certificate, so that the UA as long as it plans to use and cache the certificate, so that the UA
can be notified about changes or revocations to the certificate. can be notified about changes or revocations to the certificate.
Subscriber User Agents will typically subscribe to certificate Subscriber User Agents will typically subscribe to certificate
information for a period of hours or days, and automatically attempt information for a period of hours or days, and automatically attempt
to re-subscribe just before the subscription is completely expired. to re-subscribe just before the subscription is completely expired.
When a user de-registers from a device (logoff, power down of a When a user de-registers from a device (logoff, power down of a
mobile device, etc.), subscribers SHOULD unsubscribe by sending a mobile device, etc.), subscribers SHOULD unsubscribe by sending a
SUBSCRIBE request with an Expires header of zero. SUBSCRIBE request with an Expires header of zero.
7.7. Notifier Processing of SUBSCRIBE Requests 6.7. Notifier Processing of SUBSCRIBE Requests
When a SIP credential server receives a SUBSCRIBE request with the When a SIP credential server receives a SUBSCRIBE request with the
certificate event-type, it is not necessary to authenticate the certificate event-type, it is not necessary to authenticate the
subscription request. The Notifier MAY limit the duration of the subscription request. The Notifier MAY limit the duration of the
subscription to an administrator-defined period of time. The subscription to an administrator-defined period of time. The
duration of the subscription does not correspond in any way to the duration of the subscription does not correspond in any way to the
period for which the certificate will be valid. period for which the certificate will be valid.
When the credential server receives a SUBSCRIBE request for a When the credential server receives a SUBSCRIBE request for a
certificate, it first checks to see if it has credentials for the certificate, it first checks to see if it has credentials for the
requested URI. If it does not have a certificate, it returns a requested URI. If it does not have a certificate, it returns a
NOTIFY request with an empty message body. NOTIFY request with an empty message body.
7.8. Notifier Generation of NOTIFY Requests 6.8. Notifier Generation of NOTIFY Requests
Immediately after a subscription is accepted, the Notifier MUST send Immediately after a subscription is accepted, the Notifier MUST send
a NOTIFY with the current certificate, or an empty body if no a NOTIFY with the current certificate, or an empty body if no
certificate is available for the target user. In either case it certificate is available for the target user. In either case it
forms a NOTIFY with the From header field value set to the value of forms a NOTIFY with the From header field value set to the value of
the To header field in the SUBSCRIBE request. This server sending the To header field in the SUBSCRIBE request. This server sending
the NOTIFY needs either to implement an Authentication Service (as the NOTIFY needs either to implement an Authentication Service (as
described in SIP Identity [2]) or else the server needs to be set up described in SIP Identity [2]) or else the server needs to be set up
such that the NOTIFY request will be sent through an Authentication such that the NOTIFY request will be sent through an Authentication
Service. Sending the NOTIFY request through the Authentication Service. Sending the NOTIFY request through the Authentication
Service requires the SUBSCRIBE request to have been routed through Service requires the SUBSCRIBE request to have been routed through
the Authentication Service, since the NOTIFY is sent within the the Authentication Service, since the NOTIFY is sent within the
dialog formed by the subscription. dialog formed by the subscription.
7.9. Subscriber Processing of NOTIFY Requests 6.9. Subscriber Processing of NOTIFY Requests
The resulting NOTIFY will contain an application/pkix-cert body that The resulting NOTIFY will contain an application/pkix-cert body that
contains the requested certificate. The UA MUST follow the contains the requested certificate. The UA MUST follow the
procedures in Section 10.3 to decide if the received certificate can procedures in Section 9.3 to decide if the received certificate can
be used. The UA needs to cache this certificate for future use. The be used. The UA needs to cache this certificate for future use. The
maximum length of time it should be cached for is discussed in maximum length of time it should be cached for is discussed in
Section 10.1. The certificate MUST be removed from the cache if the Section 9.1. The certificate MUST be removed from the cache if the
certificate has been revoked (if a NOTIFY with an empty body is certificate has been revoked (if a NOTIFY with an empty body is
received), or if it is updated by a subsequent NOTIFY. The UA MUST received), or if it is updated by a subsequent NOTIFY. The UA MUST
check that the NOTIFY is correctly signed by an Authentication check that the NOTIFY is correctly signed by an Authentication
Service as described in [2]. If the identity asserted by the Service as described in [2]. If the identity asserted by the
Authentication Service does not match the AOR that the UA subscribed Authentication Service does not match the AOR that the UA subscribed
to, the certificate in the NOTIFY is discarded and MUST NOT be used. to, the certificate in the NOTIFY is discarded and MUST NOT be used.
7.10. Handling of Forked Requests 6.10. Handling of Forked Requests
This event package does not permit forked requests. At most one This event package does not permit forked requests. At most one
subscription to this event type is permitted per resource. subscription to this event type is permitted per resource.
7.11. Rate of Notifications 6.11. Rate of Notifications
Notifiers SHOULD NOT generate NOTIFY requests more frequently than Notifiers SHOULD NOT generate NOTIFY requests more frequently than
once per minute. once per minute.
7.12. State Agents and Lists 6.12. State Agents and Lists
Implementers MUST NOT implement state agents for this event type. Implementers MUST NOT implement state agents for this event type.
Likewise, implementations MUST NOT use the event list extension [19] Likewise, implementations MUST NOT use the event list extension [19]
with this event type. It is not possible to make such an approach with this event type. It is not possible to make such an approach
work, because the Authentication service would have to simultaneously work, because the Authentication service would have to simultaneously
assert several different identities. assert several different identities.
7.13. Behavior of a Proxy Server 6.13. Behavior of a Proxy Server
There are no additional requirements on a SIP Proxy, other than to There are no additional requirements on a SIP Proxy, other than to
transparently forward the SUBSCRIBE and NOTIFY requests as required transparently forward the SUBSCRIBE and NOTIFY requests as required
in SIP. This specification describes the Proxy, Authentication in SIP. This specification describes the Proxy, Authentication
service, and credential service as three separate services, but it is service, and credential service as three separate services, but it is
certainly possible to build a single SIP network element that certainly possible to build a single SIP network element that
performs all of these services at the same time. performs all of these services at the same time.
8. Event Package Formal Definition for "credential" 7. Event Package Formal Definition for "credential"
8.1. Event Package Name 7.1. Event Package Name
This document defines a SIP Event Package as defined in RFC 3265 [4]. This document defines a SIP Event Package as defined in RFC 3265 [4].
The event-package token name for this package is: The event-package token name for this package is:
credential credential
8.2. Event Package Parameters 7.2. Event Package Parameters
This package defines the "etag" Event header parameter which is valid This package defines the "etag" Event header parameter which is valid
only in NOTIFY requests. It contains a token which represents the only in NOTIFY requests. It contains a token which represents the
SIP etag value at the time the notification was sent. Considering SIP etag value at the time the notification was sent. Considering
how infrequently credentials are updated, this hint is very likely to how infrequently credentials are updated, this hint is very likely to
be the correct etag to use in the SIP-If-Match header in a SIP be the correct etag to use in the SIP-If-Match header in a SIP
PUBLISH request to update the current credentials. PUBLISH request to update the current credentials.
etag-param = "etag" EQUAL token etag-param = "etag" EQUAL token
8.3. SUBSCRIBE Bodies 7.3. SUBSCRIBE Bodies
This package does not define any SUBSCRIBE bodies. This package does not define any SUBSCRIBE bodies.
8.4. Subscription Duration 7.4. Subscription Duration
Subscriptions to this event package can range from hours to one week. Subscriptions to this event package can range from hours to one week.
Subscriptions in days are more typical and are RECOMMENDED. The Subscriptions in days are more typical and are RECOMMENDED. The
default subscription duration for this event package is one day. default subscription duration for this event package is one day.
The credential service SHOULD keep subscriptions active for UAs that The credential service SHOULD keep subscriptions active for UAs that
are currently registered. are currently registered.
8.5. NOTIFY Bodies 7.5. NOTIFY Bodies
The NOTIFY MUST contain a multipart/mixed (see [14]) body that The NOTIFY MUST contain a multipart/mixed (see [14]) body that
contains both an application/pkix-cert body with the certificate and contains both an application/pkix-cert body with the certificate and
an application/pkcs8 body that has the associated private key an application/pkcs8 body that has the associated private key
information for the certificate. The Content-Disposition MUST be set information for the certificate. The Content-Disposition MUST be set
to "signal" as defined in [16]. to "signal" as defined in [16].
A future extension MAY define other NOTIFY bodies. If no "Accept" A future extension MAY define other NOTIFY bodies. If no "Accept"
header is present in the SUBSCRIBE, the body type defined in this header is present in the SUBSCRIBE, the body type defined in this
document MUST be assumed. document MUST be assumed.
The application/pkix-cert body is a DER encoded X.509v3 certificate The application/pkix-cert body is a DER encoded X.509v3 certificate
[10]. The application/pkcs8 body contains a DER-encoded PKCS#8 [1] [10]. The application/pkcs8 body contains a DER-encoded PKCS#8 [1]
object that contains the private key. The PKCS#8 objects MUST be of object that contains the private key. The PKCS#8 objects MUST be of
type PrivateKeyInfo. The integrity and confidentiality of the PKCS#8 type PrivateKeyInfo. The integrity and confidentiality of the PKCS#8
objects is provided by the TLS transport. The transport encoding of objects is provided by the TLS transport. The transport encoding of
all the MIME bodies is binary. all the MIME bodies is binary.
8.6. Subscriber Generation of SUBSCRIBE Requests 7.6. Subscriber Generation of SUBSCRIBE Requests
A Subscriber User Agent will subscribe to its credential information A Subscriber User Agent will subscribe to its credential information
for a period of hours or days and will automatically attempt to re- for a period of hours or days and will automatically attempt to re-
subscribe before the subscription has completely expired. subscribe before the subscription has completely expired.
The Subscriber SHOULD subscribe to its credentials whenever a new The Subscriber SHOULD subscribe to its credentials whenever a new
user becomes associated with the device (a new login). The user becomes associated with the device (a new login). The
subscriber SHOULD also renew its subscription immediately after a subscriber SHOULD also renew its subscription immediately after a
reboot, or when the subscriber's network connectivity has just been reboot, or when the subscriber's network connectivity has just been
re-established. re-established.
skipping to change at page 14, line 8 skipping to change at page 14, line 29
may be configured with a specific name for the credential service; may be configured with a specific name for the credential service;
otherwise normal SIP routing is used. As described in RFC 3261, the otherwise normal SIP routing is used. As described in RFC 3261, the
TLS connection needs to present a certificate that matches the TLS connection needs to present a certificate that matches the
expected name of the server to which the connection was formed, so expected name of the server to which the connection was formed, so
that the UA knows it is talking to the correct server. Failing to do that the UA knows it is talking to the correct server. Failing to do
this may result in the UA publishing its private key information to this may result in the UA publishing its private key information to
an attacker. The credential service will authenticate the UA using an attacker. The credential service will authenticate the UA using
the usual SIP Digest mechanism, so the UA can expect to receive a SIP the usual SIP Digest mechanism, so the UA can expect to receive a SIP
challenge to the SUBSCRIBE or PUBLISH requests. challenge to the SUBSCRIBE or PUBLISH requests.
8.7. Notifier Processing of SUBSCRIBE Requests 7.7. Notifier Processing of SUBSCRIBE Requests
When a credential service receives a SUBSCRIBE for a credential, the When a credential service receives a SUBSCRIBE for a credential, the
credential service has to authenticate and authorize the UA and credential service has to authenticate and authorize the UA and
validate that adequate transport security is being used. Only a UA validate that adequate transport security is being used. Only a UA
that can authenticate as being able to register as the AOR is that can authenticate as being able to register as the AOR is
authorized to receive the credentials for that AOR. The credential authorized to receive the credentials for that AOR. The credential
Service MUST digest challenge the UA to authenticate the UA and then Service MUST digest challenge the UA to authenticate the UA and then
decide if it is authorized to receive the credentials. If decide if it is authorized to receive the credentials. If
authentication is successful, the Notifier MAY limit the duration of authentication is successful, the Notifier MAY limit the duration of
the subscription to an administrator-defined period of time. The the subscription to an administrator-defined period of time. The
duration of the subscription MUST not be larger than the length of duration of the subscription MUST not be larger than the length of
time for which the certificate is still valid. The Expires header time for which the certificate is still valid. The Expires header
should be set appropriately. SHOULD be set so that it is not longer than the notAfter date in the
certificate.
8.8. Notifier Generation of NOTIFY Requests 7.8. Notifier Generation of NOTIFY Requests
Once the UA has authenticated with the credential service and the Once the UA has authenticated with the credential service and the
subscription is accepted, the credential service MUST immediately subscription is accepted, the credential service MUST immediately
send a Notify request. The Notifier SHOULD include the current etag send a Notify request. The Notifier SHOULD include the current etag
value in the "etag" Event package parameter in the NOTIFY request. value in the "etag" Event package parameter in the NOTIFY request.
The Authentication Service is applied to this NOTIFY request in the The Authentication Service is applied to this NOTIFY request in the
same way as the certificate subscriptions. If the credential is same way as the certificate subscriptions. If the credential is
revoked, the credential service MUST terminate any current revoked, the credential service MUST terminate any current
subscriptions and force the UA to re-authenticate by sending a NOTIFY subscriptions and force the UA to re-authenticate by sending a NOTIFY
with its Subscription-State header set to "terminated" and a reason with its Subscription-State header set to "terminated" and a reason
parameter of "deactivated". (This causes a Subscriber to retry the parameter of "deactivated". (This causes a Subscriber to retry the
subscription immediately.) This is so that if a secret for subscription immediately.) This is so that if a secret for
retrieving the credentials gets compromised, the rogue UA will not retrieving the credentials gets compromised, the rogue UA will not
continue to receive credentials after the compromised secret has been continue to receive credentials after the compromised secret has been
changed. changed.
Any time the credentials for this URI change, the credential service Any time the credentials for this URI change, the credential service
MUST send a new NOTIFY to any active subscriptions with the new MUST send a new NOTIFY to any active subscriptions with the new
credentials. credentials.
8.9. Generation of PUBLISH Requests 7.9. Generation of PUBLISH Requests
A user agent SHOULD be configurable to control whether it publishes A user agent SHOULD be configurable to control whether it publishes
the credential for a user or just the user's certificate. the credential for a user or just the user's certificate.
When publishing just a certificate, the body contains an application/ When publishing just a certificate, the body contains an application/
pkix-cert. When publishing a credential, the body contains a pkix-cert. When publishing a credential, the body contains a
multipart/mixed containing both an application/pkix-cert and an multipart/mixed containing both an application/pkix-cert and an
application/pkcs8 body. application/pkcs8 body.
When the UA sends the PUBLISH [3] request, it needs to do the When the UA sends the PUBLISH [3] request, it needs to do the
skipping to change at page 15, line 20 skipping to change at page 15, line 41
o If the certificate includes Basic Constraints, it SHOULD set the o If the certificate includes Basic Constraints, it SHOULD set the
CA flag to false. CA flag to false.
o The PUBLISH request SHOULD include a SIP-If-Match header field o The PUBLISH request SHOULD include a SIP-If-Match header field
with the previous etag from the subscription. This prevents with the previous etag from the subscription. This prevents
multiple User Agents for the same AOR from publishing conflicting multiple User Agents for the same AOR from publishing conflicting
credentials. Note that UAs replace credentials that are about to credentials. Note that UAs replace credentials that are about to
expire at a random time (described in Section 5), reducing the expire at a random time (described in Section 5), reducing the
chance of publishing conflicting credentials even without using chance of publishing conflicting credentials even without using
the etag. the etag.
8.10. Notifier Processing of PUBLISH Requests 7.10. Notifier Processing of PUBLISH Requests
When the credential service receives a PUBLISH to update credentials, When the credential service receives a PUBLISH to update credentials,
it MUST authenticate and authorize this request the same way as for it MUST authenticate and authorize this request the same way as for
subscriptions for credentials. If the authorization succeeds, then subscriptions for credentials. If the authorization succeeds, then
the credential service MUST perform the following check on the the credential service MUST perform the following check on the
certificate: certificate:
o One of the names in the SubjectAltName of the certificate matches o One of the names in the SubjectAltName of the certificate matches
the authorized user making the request. the authorized user making the request.
o The notBefore validity time MUST NOT be in the future. o The notBefore validity time MUST NOT be in the future.
o The notAfter validity time MUST be in the future. o The notAfter validity time MUST be in the future.
o If an CA Basic Constraint is set in the certificate, it is set to o If a CA Basic Constraint is set in the certificate, it is set to
false. false.
If all of these succeed, the credential service updates the If all of these succeed, the credential service updates the
credential for this URI, processes all the active certificates and credential for this URI, processes all the active certificates and
credential subscriptions to this URI, and generates a NOTIFY request credential subscriptions to this URI, and generates a NOTIFY request
with the new credential or certificate. with the new credential or certificate.
If the Subscriber submits a PUBLISH request with no body, this If the Subscriber submits a PUBLISH request with no body, this
revokes the current credentials and causes all subscriptions to the revokes the current credentials and causes all subscriptions to the
credential package to be deactivated as described in the previous credential package to be deactivated as described in the previous
section. (Note that subscriptions to the certificate package are NOT section. (Note that subscriptions to the certificate package are NOT
terminated; each subscriber to the certificate package receives a terminated; each subscriber to the certificate package receives a
notification with an empty body.) notification with an empty body.)
8.11. Subscriber Processing of NOTIFY Requests 7.11. Subscriber Processing of NOTIFY Requests
When the UA receives a valid NOTIFY request, it should replace its When the UA receives a valid NOTIFY request, it should replace its
existing credentials with the new received ones. If the UA cannot existing credentials with the new received ones. If the UA cannot
decrypt the PKCS#8 object, it MUST send a 437 (Unsupported decrypt the PKCS#8 object, it MUST send a 437 (Unsupported
Certificate) response. Later if the user provides a new password Certificate) response. Later if the user provides a new password
phrase for the private key, the UA can subscribe to the credentials phrase for the private key, the UA can subscribe to the credentials
again and attempt to decrypt with the new password phrase. again and attempt to decrypt with the new password phrase.
8.12. Handling of Forked Requests 7.12. Handling of Forked Requests
This event package does not permit forked requests. This event package does not permit forked requests.
8.13. Rate of Notifications 7.13. Rate of Notifications
Notifiers SHOULD NOT generate NOTIFY requests more frequently than Notifiers SHOULD NOT generate NOTIFY requests more frequently than
once per minute. once per minute.
8.14. State Agents and Lists 7.14. State Agents and Lists
Implementers MUST NOT implement state agents for this event type. Implementers MUST NOT implement state agents for this event type.
Likewise, implementations MUST NOT use the event list extension [19] Likewise, implementations MUST NOT use the event list extension [19]
with this event type. with this event type.
8.15. Behavior of a Proxy Server 7.15. Behavior of a Proxy Server
The behavior is identical to behavior described for certificate The behavior is identical to behavior described for certificate
subscriptions described in Section 7.13. subscriptions described in Section 6.13.
9. Examples
8. Examples
In all these examples, large parts of the messages are omitted to In all these examples, large parts of the messages are omitted to
highlight what is relevant to this draft. The lines in the examples highlight what is relevant to this draft. The lines in the examples
that are prefixed by $ represent encrypted blocks of data. that are prefixed by $ represent encrypted blocks of data.
9.1. Encrypted Page Mode IM Message 8.1. Encrypted Page Mode IM Message
In this example, Alice sends Bob an encrypted page mode instant In this example, Alice sends Bob an encrypted page mode instant
message. Alice does not already have Bob's public key from previous message. Alice does not already have Bob's public key from previous
communications, so she fetches Bob's public key from Bob's credential communications, so she fetches Bob's public key from Bob's credential
service: service:
SUBSCRIBE sip:bob@biloxi.example.com SIP/2.0 SUBSCRIBE sip:bob@biloxi.example.com SIP/2.0
... ...
Event: certificate Event: certificate
skipping to change at page 17, line 21 skipping to change at page 17, line 37
VqoMXZZjdvSpycyHOhh1cmUx3b9Vr3pZuEh+cB01pbMQ8B1ch++iMjw=" VqoMXZZjdvSpycyHOhh1cmUx3b9Vr3pZuEh+cB01pbMQ8B1ch++iMjw="
Identity-Info: <https://atlanta.example.com/cert>;alg=rsa-sha1 Identity-Info: <https://atlanta.example.com/cert>;alg=rsa-sha1
.... ....
Event: certificate Event: certificate
Content-Type: application/pkix-cert Content-Type: application/pkix-cert
Content-Disposition: signal Content-Disposition: signal
< certificate data > < certificate data >
Next, Alice sends a SIP MESSAGE message to Bob and can encrypt the Next, Alice sends a SIP MESSAGE message to Bob and can encrypt the
body using Bob's public key as shown below. Although outside the body using Bob's public key as shown below.
scope of this document, it is worth noting that instant messages
often have common plain text like "Hi", so that setting up symmetric
keys for extended session mode IM conversations will likely increase
efficiency, as well as reducing the likelihood of compromising the
asymmetric key in the certificate.
MESSAGE sip:bob@biloxi.example.com SIP/2.0 MESSAGE sip:bob@biloxi.example.com SIP/2.0
... ...
Content-Type: application/pkcs7-mime Content-Type: application/pkcs7-mime
Content-Disposition: render Content-Disposition: render
$ Content-Type: text/plain $ Content-Type: text/plain
$ $
$ < encrypted version of "Hello" > $ < encrypted version of "Hello" >
9.2. Setting and Retrieving UA Credentials 8.2. Setting and Retrieving UA Credentials
When Alice's UA wishes to publish Alice's public and private keys to When Alice's UA wishes to publish Alice's public and private keys to
the credential service, it sends a PUBLISH request like the one the credential service, it sends a PUBLISH request like the one
below. This must be sent over a TLS connection in which the other below. This must be sent over a TLS connection in which the other
end of the connection presents a certificate that matches the end of the connection presents a certificate that matches the
credential service for Alice and digest challenges the request to credential service for Alice and digest challenges the request to
authenticate her. authenticate her.
PUBLISH sips:alice@atlanta.example.com SIP/2.0 PUBLISH sips:alice@atlanta.example.com SIP/2.0
... ...
skipping to change at page 18, line 26 skipping to change at page 18, line 35
Content-ID: 456 Content-ID: 456
Content-Type: application/pkcs8 Content-Type: application/pkcs8
< Private Key for Alice > < Private Key for Alice >
--boundary --boundary
If one of Alice's UAs subscribes to the credential event, the UA will If one of Alice's UAs subscribes to the credential event, the UA will
be digest challenged, and the NOTIFY will include a body similar to be digest challenged, and the NOTIFY will include a body similar to
the one in the PUBLISH section above. the one in the PUBLISH section above.
10. Security Considerations 9. Security Considerations
The high level message flow from a security point of view is The high level message flow from a security point of view is
summarized in the following figure. The 200 responses are removed summarized in the following figure. The 200 responses are removed
from the figure as they do not have much to do with the overall from the figure as they do not have much to do with the overall
security. security.
In this figure, authC refers to authentication and authZ refers to
authorization.
Alice Server Bob UA Alice Server Bob UA
| | TLS Handshake | 1) Client authC/Z server | | TLS Handshake | 1) Client authC/Z server
| |<---------------->| | |<---------------->|
| | PUBLISH | 2) Client sends request | | PUBLISH | 2) Client sends request
| |<-----------------| (write credential) | |<-----------------| (write credential)
| | Digest Challenge | 3) Server challenges client | | Digest Challenge | 3) Server challenges client
| |----------------->| | |----------------->|
| | PUBLISH + Digest | 4) Server authC/Z client | | PUBLISH + Digest | 4) Server authC/Z client
| |<-----------------| | |<-----------------|
| | time... | | | time... |
skipping to change at page 19, line 51 skipping to change at page 19, line 51
server. First it forms a TLS connection to the Server, which server. First it forms a TLS connection to the Server, which
provides integrity and privacy protection and also authenticates the provides integrity and privacy protection and also authenticates the
server to Bob's UA. Next the UA requests its credentials using a server to Bob's UA. Next the UA requests its credentials using a
SUBSCRIBE request. The Server digest challenges this to authenticate SUBSCRIBE request. The Server digest challenges this to authenticate
Bob's UA. The server and Bob's UA have a shared secret that is used Bob's UA. The server and Bob's UA have a shared secret that is used
for this. If the authentication is successful, the server sends the for this. If the authentication is successful, the server sends the
credentials to Bob's UA. The private key in the credentials may have credentials to Bob's UA. The private key in the credentials may have
been encrypted using a shared secret that the server does not know. been encrypted using a shared secret that the server does not know.
A similar process would be used for Bob's UA to publish new A similar process would be used for Bob's UA to publish new
credentials to the server. The SUBSCRIBE request would change to a credentials to the server. Bob's UA would send a PUBLISH request
PUBLISH request and there would not be an NOTIFY. When this containing the new credentials. When this happened, all the other
happened, all the other UAs that were subscribed to Bob's credentials UAs that were subscribed to Bob's credentials would receive a NOTIFY
would receive a new NOTIFY with the new credentials. with the new credentials.
Alice wishes to find Bob's certificate and sends a SUBSCRIBE to the Alice wishes to find Bob's certificate and sends a SUBSCRIBE to the
server. The server sends the response in NOTIFY. This does not need server. The server sends the response in a NOTIFY. This does not
to be sent over a privacy or integrity protected channel, as the need to be sent over a privacy or integrity protected channel, as the
Authentication service described in [2] provides integrity protection Authentication service described in [2] provides integrity protection
of this information and signs it with the certificate for the domain. of this information and signs it with the certificate for the domain.
This whole scheme is highly dependent on trusting the operators of This whole scheme is highly dependent on trusting the operators of
the credential service and trusting that the credential service will the credential service and trusting that the credential service will
not be compromised. The security of all the users will be not be compromised. The security of all the users will be
compromised if the credential service is compromised. compromised if the credential service is compromised.
Note: There has been significant discussion of the topic of Note: There has been significant discussion of the topic of
avoiding deployments in which the credential servers store the avoiding deployments in which the credential servers store the
skipping to change at page 20, line 34 skipping to change at page 20, line 34
problem any better, or having a different credential for each problem any better, or having a different credential for each
device. For some deployments where each user has only one device device. For some deployments where each user has only one device
this is fine but for deployments with multiple devices, it would this is fine but for deployments with multiple devices, it would
require that when Alice went to contact Bob, Alice would have to require that when Alice went to contact Bob, Alice would have to
provide messages encrypted for all of Bob's devices. The sipping provide messages encrypted for all of Bob's devices. The sipping
working group did consider this architecture and decided it was working group did consider this architecture and decided it was
not appropriate due both to the information it revealed about the not appropriate due both to the information it revealed about the
devices and users and the amount of signaling required to make it devices and users and the amount of signaling required to make it
work. work.
This specification requires the TLS session to be used for SIP This specification requires that TLS be used for the SIP
communications to the credential service. As specified in RFC 3261, communications to place and retrieve a UA's private key. This
TLS clients MUST check that the SubjectAltName of the certificate for provides security in two ways:
the server they connected to exactly matches the server they were 1. Confidentiality is provided for the digest authentication
trying to connect to. Failing to use TLS or selecting a poor cipher exchange, thus protecting it from dictionary attacks.
suite (such as NULL encryption) will result in credentials, including 2. Confidentiality is provided for the private key, thus protecting
private keys, being sent unencrypted over the network and will render it from being exposed to passive attackers.
the whole system useless. Implementations really must use TLS or In order to prevent man-in-the-middle attacks, TLS clients MUST check
there is no point in implementing any of this. that the SubjectAltName of the certificate for the server they
connected to exactly matches the server they were trying to connect
to. Failing to use TLS or selecting a poor cipher suite (such as
NULL encryption) may result in credentials, including private keys,
being sent unencrypted over the network and will render the whole
system useless.
The correct checking of chained certificates as specified in TLS [11] The correct checking of chained certificates as specified in TLS [11]
is critical for the client to authenticate the server. If the client is critical for the client to authenticate the server. If the client
does not authenticate that it is talking to the correct credential does not authenticate that it is talking to the correct credential
service, a man in the middle attack is possible. service, a man in the middle attack is possible.
10.1. Certificate Revocation 9.1. Certificate Revocation
If a particular credential needs to be revoked, the new credential is If a particular credential needs to be revoked, the new credential is
simply published to the credential service. Every device with a copy simply published to the credential service. Every device with a copy
of the old credential or certificate in its cache will have a of the old credential or certificate in its cache will have a
subscription and will rapidly (order of seconds) be notified and subscription and will rapidly (order of seconds) be notified and
replace its cache. Clients that are not subscribed will subscribe replace its cache. Clients that are not subscribed will subscribe
when they next need to use the certificate and will get the new when they next need to use the certificate and will get the new
certificate. certificate.
It is possible that an attacker could mount a DOS attack such that It is possible that an attacker could mount a DOS attack such that
skipping to change at page 21, line 25 skipping to change at page 21, line 30
invalidate the cached information even though no NOTIFY had ever been invalidate the cached information even though no NOTIFY had ever been
received due to the attacker blocking it. received due to the attacker blocking it.
The duration of this cached information is in some ways similar to a The duration of this cached information is in some ways similar to a
device deciding how often to check a CRL list. For many device deciding how often to check a CRL list. For many
applications, a default time of 1 day is suggested, but for some applications, a default time of 1 day is suggested, but for some
applications it may be desirable to set the time to zero so that no applications it may be desirable to set the time to zero so that no
certificates are cached at all and the credential is checked for certificates are cached at all and the credential is checked for
validity every time the certificate is used. validity every time the certificate is used.
10.2. Certificate Replacement 9.2. Certificate Replacement
The UAs in the system replace the certificates close to the time that The UAs in the system replace the certificates close to the time that
the certificates would expire. If a UA has used the same key pair to the certificates would expire. If a UA has used the same key pair to
encrypt a very large volume of traffic, the UA MAY choose to replace encrypt a very large volume of traffic, the UA MAY choose to replace
the credential with a new one before the normal expiration. the credential with a new one before the normal expiration.
10.3. Trusting the Identity of a Certificate 9.3. Trusting the Identity of a Certificate
When a UA wishes to discover the certificate for When a UA wishes to discover the certificate for
sip:alice@example.com, the UA subscribes to the certificate for sip:alice@example.com, the UA subscribes to the certificate for
alice@example.com and receives a certificate in the body of a SIP alice@example.com and receives a certificate in the body of a SIP
NOTIFY request. The term original URI is used to describe the URI NOTIFY request. The term original URI is used to describe the URI
that was in the To header field value of the SUBSCRIBE request. So that was in the To header field value of the SUBSCRIBE request. So
in this case the original URI would be sip:alice@example.com. in this case the original URI would be sip:alice@example.com.
If the certificate is signed by a trusted CA, and one of the names in If the certificate is signed by a trusted CA, and one of the names in
the SubjectAltName matches the original URI, then this certificate the SubjectAltName matches the original URI, then this certificate
skipping to change at page 22, line 32 skipping to change at page 22, line 38
with. The certificate in the body contains the public key for the with. The certificate in the body contains the public key for the
identity. Only the UA that can authenticate as this AOR, or devices identity. Only the UA that can authenticate as this AOR, or devices
with access to the private key of the domain, can tamper with this with access to the private key of the domain, can tamper with this
body. This stops other users from being able to provide a false body. This stops other users from being able to provide a false
public key. This chain of assertion from original URI, to From, to public key. This chain of assertion from original URI, to From, to
body, to public key is critical to the security of the mechanism body, to public key is critical to the security of the mechanism
described in this specification. If any of the steps above are not described in this specification. If any of the steps above are not
followed, this chain of security will be broken and the system will followed, this chain of security will be broken and the system will
not work. not work.
10.4. Conformity to the SACRED Framework 9.4. Conformity to the SACRED Framework
This specification uses the security design outlined in the SACRED This specification uses the security design outlined in the SACRED
Framework [7]. Specifically, it follows the cTLS architecture Framework [7]. Specifically, it follows the cTLS architecture
described in section 4.2.2 of RFC 3760. The client authenticates the described in section 4.2.2 of RFC 3760. The client authenticates the
server using the server's TLS certificate. The server authenticates server using the server's TLS certificate. The server authenticates
the client using a SIP digest transaction inside the TLS session. the client using a SIP digest transaction inside the TLS session.
The TLS sessions form a strong session key that is used to protect The TLS sessions form a strong session key that is used to protect
the credentials being exchanged. the credentials being exchanged.
10.5. Crypto Profiles 9.5. Crypto Profiles
Credential services SHOULD implement the server name indication Credential services SHOULD implement the server name indication
extensions in RFC 3546 [8] and they MUST support a TLS profile of extensions in RFC 3546 [8] and they MUST support a TLS profile of
TLS_RSA_WITH_AES_128_CBC_SHA as described in RFC 3268 [9] and a TLS_RSA_WITH_AES_128_CBC_SHA as described in RFC 3268 [9] as a
profile of TLS_RSA_WITH_3DES_EDE_CBC_SHA. profile of TLS_RSA_WITH_3DES_EDE_CBC_SHA.
The PKCS#8 in the clients MUST implement PBES2 with a key derivation The PKCS#8 in the clients MUST implement PBES2 with a key derivation
algorithm of PBKDF2 using HMAC with SHA1 and an encryption algorithm algorithm of PBKDF2 using HMAC with SHA1 and an encryption algorithm
of DES-EDE2-CBC-Pad as defined in RFC 2898 [12]. It is RECOMMENDED of DES-EDE2-CBC-Pad as defined in RFC 2898 [12]. It is RECOMMENDED
that this profile be used when using PKCS#8. that this profile be used when using PKCS#8. A different passphrase
SHOULD be used for the PKCS#8 encryption than is used for server
authentication.
10.6. User Certificate Generation 9.6. User Certificate Generation
The certificates should be consistent with RFC 3280 [13]. A The certificates should be consistent with RFC 3280 [13]. A
signatureAlgorithm of sha1WithRSAEncryption MUST be implemented. The signatureAlgorithm of sha1WithRSAEncryption MUST be implemented. The
Issuers SHOULD be the same as the subject. Given the ease of issuing Issuers SHOULD be the same as the subject. Given the ease of issuing
new certificates with this system, the Validity can be relatively new certificates with this system, the Validity can be relatively
short. A Validity of one year or less is RECOMMENDED. The short. A Validity of one year or less is RECOMMENDED. The
subjectAltName must have a URI type that is set to the SIP URL subjectAltName must have a URI type that is set to the SIP URL
corresponding to the user AOR. It MAY be desirable to put some corresponding to the user AOR. It MAY be desirable to put some
randomness into the length of time for which the certificates are randomness into the length of time for which the certificates are
valid so that it does not become necessary to renew all the valid so that it does not become necessary to renew all the
certificates in the system at the same time. certificates in the system at the same time.
It is worth noting that a UA can discover the current time by looking It is worth noting that a UA can discover the current time by looking
at the Date header field value in the 200 response to a REGISTER at the Date header field value in the 200 response to a REGISTER
request. request.
10.7. Compromised Authentication Service 9.7. Compromised Authentication Service
One of this worst attacks against this system would be if the One of this worst attacks against this system would be if the
Authentication Service were compromised. This attack is somewhat Authentication Service were compromised. This attack is somewhat
analogous to a CA being compromised in traditional PKI systems. The analogous to a CA being compromised in traditional PKI systems. The
attacker could make a fake certificate for which it knows the private attacker could make a fake certificate for which it knows the private
key, use it to receive any traffic for a given use, and then re- key, use it to receive any traffic for a given use, and then re-
encrypt that traffic with the correct key and forward the encrypt that traffic with the correct key and forward the
communication to the intended receiver. The attacker would thus communication to the intended receiver. The attacker would thus
become a man in the middle in the communications. become a man in the middle in the communications.
skipping to change at page 23, line 47 skipping to change at page 24, line 7
allow the credential server to recognize the user's UA. allow the credential server to recognize the user's UA.
The UA MAY also save the fingerprints of the cached certificates and The UA MAY also save the fingerprints of the cached certificates and
warn users when the certificates change significantly before their warn users when the certificates change significantly before their
expiry date. expiry date.
The UA MAY also allow the user to see the fingerprints for the cached The UA MAY also allow the user to see the fingerprints for the cached
certificates so that they can be verified by some other out of band certificates so that they can be verified by some other out of band
means. means.
11. IANA Considerations 10. IANA Considerations
This specification defines two new event packages that IANA is This specification defines two new event packages that IANA is
requested to add the registry at: requested to add the registry at:
http://www.iana.org/assignments/sip-events http://www.iana.org/assignments/sip-events
It also defines a new mime type that IANA is requested to add to the It also defines a new mime type that IANA is requested to add to the
registry at: registry at:
http://www.iana.org/assignments/media-types/application http://www.iana.org/assignments/media-types/application
11.1. Certificate Event Package 10.1. Certificate Event Package
To: ietf-sip-events@iana.org To: ietf-sip-events@iana.org
Subject: Registration of new SIP event package Subject: Registration of new SIP event package
Package Name: certificate Package Name: certificate
Is this registration for a Template Package: No Is this registration for a Template Package: No
Published Specification(s): This document Published Specification(s): This document
New Event header parameters: This package defines no New Event header parameters: This package defines no
new parameters new parameters
Person & email address to contact for further information: Person & email address to contact for further information:
Cullen Jennings <fluffy@cisco.com> Cullen Jennings <fluffy@cisco.com>
11.2. Credential Event Package 10.2. Credential Event Package
To: ietf-sip-events@iana.org To: ietf-sip-events@iana.org
Subject: Registration of new SIP event package Subject: Registration of new SIP event package
Package Name: credential Package Name: credential
Is this registration for a Template Package: No Is this registration for a Template Package: No
Published Specification(s): This document Published Specification(s): This document
New Event header parameters: "etag" New Event header parameters: "etag"
Person & email address to contact for further information: Person & email address to contact for further information:
Cullen Jennings <fluffy@cisco.com> Cullen Jennings <fluffy@cisco.com>
11.3. PKCS#8 10.3. PKCS#8
To: ietf-types@iana.org To: ietf-types@iana.org
Subject: Registration of MIME media type application/pkcs8 Subject: Registration of MIME media type application/pkcs8
MIME media type name: application MIME media type name: application
MIME subtype name: pkcs8 MIME subtype name: pkcs8
Required parameters: None Required parameters: None
Optional parameters: None Optional parameters: None
skipping to change at page 25, line 49 skipping to change at page 26, line 4
Magic number(s): None Magic number(s): None
File extension(s): .p8 File extension(s): .p8
Macintosh File Type Code(s): none Macintosh File Type Code(s): none
Person & email address to contact for further information: Person & email address to contact for further information:
Cullen Jennings <fluffy@cisco.com> Cullen Jennings <fluffy@cisco.com>
Intended usage: COMMON Intended usage: COMMON
Author/Change controller: Author/Change controller:
the IESG the IESG
12. Acknowledgments 11. Acknowledgments
Many thanks to Eric Rescorla, Jim Schaad, Rohan Mahy for significant Many thanks to Eric Rescorla, Jim Schaad, Rohan Mahy for significant
help and discussion. Many others provided useful comments, including help and discussion. Many others provided useful comments, including
Kumiko Ono, Peter Gutmann, Russ Housley, Yaron Pdut, Aki Niemi, Kumiko Ono, Peter Gutmann, Russ Housley, Yaron Pdut, Aki Niemi,
Magnus Nystrom, Paul Hoffman, Adina Simu, Dan Wing, Mike Hammer, Magnus Nystrom, Paul Hoffman, Adina Simu, Dan Wing, Mike Hammer and
Lyndsay Campbell, and Jason Fischl. Rohan Mahy, John Elwell, and Lyndsay Campbell. Rohan Mahy, John Elwell, and Jonathan Rosenberg
Jonathan Rosenberg provided detailed review and text. provided detailed review and text.
13. References 12. References
13.1. Normative References 12.1. Normative References
[1] RSA Laboratories, "Private-Key Information Syntax Standard, [1] RSA Laboratories, "Private-Key Information Syntax Standard,
Version 1.2", PKCS 8, November 1993. Version 1.2", PKCS 8, November 1993.
[2] Peterson, J. and C. Jennings, "Enhancements for Authenticated [2] Peterson, J. and C. Jennings, "Enhancements for Authenticated
Identity Management in the Session Initiation Protocol (SIP)", Identity Management in the Session Initiation Protocol (SIP)",
draft-ietf-sip-identity-05 (work in progress), May 2005. draft-ietf-sip-identity-05 (work in progress), May 2005.
[3] Niemi, A., "Session Initiation Protocol (SIP) Extension for [3] Niemi, A., "Session Initiation Protocol (SIP) Extension for
Event State Publication", RFC 3903, October 2004. Event State Publication", RFC 3903, October 2004.
skipping to change at page 27, line 28 skipping to change at page 27, line 32
[15] International Telecommunications Union, "Information technology [15] International Telecommunications Union, "Information technology
- Open Systems Interconnection - The Directory: Public-key and - Open Systems Interconnection - The Directory: Public-key and
attribute certificate frameworks", ITU-T Recommendation X.509, attribute certificate frameworks", ITU-T Recommendation X.509,
ISO Standard 9594-8, March 2000. ISO Standard 9594-8, March 2000.
[16] Zimmerer, E., Peterson, J., Vemuri, A., Ong, L., Audet, F., [16] Zimmerer, E., Peterson, J., Vemuri, A., Ong, L., Audet, F.,
Watson, M., and M. Zonoun, "MIME media types for ISUP and QSIG Watson, M., and M. Zonoun, "MIME media types for ISUP and QSIG
Objects", RFC 3204, December 2001. Objects", RFC 3204, December 2001.
13.2. Informational References 12.2. Informational References
[17] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions [17] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
(S/MIME) Version 3.1 Message Specification", RFC 3851, (S/MIME) Version 3.1 Message Specification", RFC 3851,
July 2004. July 2004.
[18] Peterson, J., "S/MIME Advanced Encryption Standard (AES) [18] Peterson, J., "S/MIME Advanced Encryption Standard (AES)
Requirement for the Session Initiation Protocol (SIP)", Requirement for the Session Initiation Protocol (SIP)",
RFC 3853, July 2004. RFC 3853, July 2004.
[19] Roach, A., Rosenberg, J., and B. Campbell, "A Session [19] Roach, A., Rosenberg, J., and B. Campbell, "A Session
 End of changes. 88 change blocks. 
213 lines changed or deleted 211 lines changed or added

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/