rfcdiff: draft-ietf-sip-certs-04.txt vs. draft-ietf-sip-certs-05.txt
(the -05 text is shown; where the two drafts differ, the -04 wording follows in parentheses)

Network Working Group                                        C. Jennings
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                             J. Peterson
Expires: August 1, 2008 (-04: January 9, 2008)             NeuStar, Inc.
                                                          J. Fischl, Ed.
                                               CounterPath Solutions, Inc.
                                      January 31, 2008 (-04: July 8, 2007)

  Certificate Management Service for The Session Initiation Protocol (SIP)
             draft-ietf-sip-certs-05 (-04: draft-ietf-sip-certs-04)
Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

(unchanged text omitted; next change at page 1, line 41)

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on January 9, 2008.

Copyright Notice

Copyright (C) The IETF Trust (2008). (-04: 2007)
Abstract

This draft defines a Credential Service that allows Session
Initiation Protocol (SIP) User Agents (UAs) to use a SIP event
package (-04: "a SIP package") to discover the certificates of other
users. This mechanism allows user agents that want to contact a given
Address-of-Record (AOR) to retrieve that AOR's certificate by
subscribing to the Credential Service, which returns an authenticated
response containing that certificate. The Credential Service also
allows users to store and retrieve their own certificates and private
keys.
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 8
5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 9
6. Event Package Formal Definition for "certificate" . . . . . . 10
6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10
(unchanged text omitted; next change at page 12, line 33)

subscription to this event type is permitted per resource.

6.11. Rate of Notifications

Notifiers SHOULD NOT generate NOTIFY requests more frequently than
once per minute.

6.12. State Agents and Lists

The certificate server described in this section which serves
certificates is a state agent and implementations (-04:
"implementions") of the certificate server MUST be implemented as a
state agent.

Implementers MUST NOT use the event list extension [RFC4662] with
this event type. It is not possible to make such an approach work,
because the Authentication service would have to simultaneously
assert several different identities.

6.13. Behavior of a Proxy Server

There are no additional requirements on a SIP Proxy, other than to
transparently forward the SUBSCRIBE and NOTIFY requests as required
(unchanged text omitted; next change at page 14, line 43)

When a credential service receives a SUBSCRIBE for a credential, the
credential service has to authenticate and authorize the UA and
validate that adequate transport security is being used. Only a UA
that can authenticate as being able to register as the AOR is
authorized to receive the credentials for that AOR. The credential
Service MUST digest challenge the UA to authenticate the UA and then
decide if it is authorized to receive the credentials. If
authentication is successful, the Notifier MAY limit the duration of
the subscription to an administrator-defined period of time. The
duration of the subscription MUST NOT (-04: "MUST not") be larger
than the length of time for which the certificate is still valid. The
Expires header field SHOULD be set so that it is not longer than the
notAfter date in the certificate.

7.8. Notifier Generation of NOTIFY Requests

Once the UA has authenticated with the credential service and the
subscription is accepted, the credential service MUST immediately
send a Notify request. The Notifier SHOULD include the current etag
value in the "etag" Event package parameter in the NOTIFY request.
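The Section 7.7 rules above, as an added worked example that is not part of the draft: a credential service's decision on a credential SUBSCRIBE, with the granted Expires bounded by the certificate's notAfter, plus the immediate initial NOTIFY of 7.8 and the one-NOTIFY-per-minute limit of 7.13. The function names, the 3600-second administrator cap and the SIP status codes used for refusals are assumptions; the draft leaves them to the implementer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Union

MIN_NOTIFY_INTERVAL = timedelta(minutes=1)  # Sections 6.11 / 7.13: at most one NOTIFY per minute


def _as_dt(t: Union[str, datetime]) -> datetime:
    """Accept a datetime or an ISO 8601 string (e.g. a certificate's notAfter)."""
    return t if isinstance(t, datetime) else datetime.fromisoformat(t)


@dataclass
class SubscribeDecision:
    status: int   # SIP response code; the codes used here are assumptions, the draft does not fix them
    expires: int  # granted Expires value in seconds, 0 when the subscription is refused
    reason: str


def decide_credential_subscribe(subscribed_aor: str,
                                authenticated_aor: Optional[str],
                                transport_secure: bool,
                                requested_expires: int,
                                cert_not_after: Union[str, datetime],
                                now: Union[str, datetime],
                                admin_max_expires: int = 3600) -> SubscribeDecision:
    """Apply the Section 7.7 checks in order; the first failing check decides.
    authenticated_aor is the AOR the digest challenge established (None until the UA
    has authenticated); admin_max_expires is the administrator-defined cap (3600 s assumed)."""
    if not transport_secure:
        return SubscribeDecision(403, 0, "inadequate transport security")
    if authenticated_aor is None:
        return SubscribeDecision(401, 0, "digest challenge required")
    # Exact match here; a real implementation applies RFC 3261 URI comparison.
    if authenticated_aor != subscribed_aor:
        return SubscribeDecision(403, 0, "UA cannot register as this AOR")
    remaining = int((_as_dt(cert_not_after) - _as_dt(now)).total_seconds())
    if remaining <= 0:
        return SubscribeDecision(403, 0, "certificate no longer valid")
    # Duration MUST NOT exceed the certificate's remaining validity and the Expires
    # header SHOULD NOT run past notAfter; the administrator cap MAY lower it further.
    granted = min(requested_expires, admin_max_expires, remaining)
    return SubscribeDecision(200, granted, "accepted")


def may_send_notify(last_notify: Union[str, datetime, None], now: Union[str, datetime],
                    initial: bool = False) -> bool:
    """The NOTIFY sent on acceptance goes out immediately (7.8); later ones are rate-limited."""
    if initial or last_notify is None:
        return True
    return _as_dt(now) - _as_dt(last_notify) >= MIN_NOTIFY_INTERVAL
```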
(unchanged text omitted; next change at page 16, line 44)

This event package does not permit forked requests.

7.13. Rate of Notifications

Notifiers SHOULD NOT generate NOTIFY requests more frequently than
once per minute.

7.14. State Agents and Lists

The credential server described in this section which serves
credentials is a state agent and implementations (-04:
"implementions") of the credential server MUST be implemented as a
state agent.

Implementers MUST NOT use the event list extension [RFC4662] with
this event type.

7.15. Behavior of a Proxy Server

The behavior is identical to behavior described for certificate
subscriptions described in Section 6.13.
(unchanged text omitted; next change at page 30, line 7)

505 Burrard Street
Vancouver, BC V7X 1M3
Canada

Phone: +1 604 320-3344
Email: jason@counterpath.com
URI: http://www.counterpath.com

Full Copyright Statement

Copyright (C) The IETF Trust (2008). (-04: 2007)

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
End of changes. 9 change blocks. 16 lines changed or deleted, 16
lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is
available from http://tools.ietf.org/tools/rfcdiff/