draft-ietf-sip-certs-08.txt   draft-ietf-sip-certs-09.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track J. Fischl, Ed. Intended status: Standards Track J. Fischl, Ed.
Expires: January 14, 2010 Skype Expires: March 12, 2010 Skype
July 13, 2009 September 8, 2009
Certificate Management Service for The Session Initiation Protocol (SIP) Certificate Management Service for The Session Initiation Protocol (SIP)
draft-ietf-sip-certs-08 draft-ietf-sip-certs-09
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 14, 2010. This Internet-Draft will expire on March 12, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 13 skipping to change at page 3, line 7
Initiation Protocol (SIP) User Agents (UAs) to use a SIP event Initiation Protocol (SIP) User Agents (UAs) to use a SIP event
package to discover the certificates of other users. This mechanism package to discover the certificates of other users. This mechanism
allows user agents that want to contact a given Address-of-Record allows user agents that want to contact a given Address-of-Record
(AOR) to retrieve that AOR's certificate by subscribing to the (AOR) to retrieve that AOR's certificate by subscribing to the
Credential Service, which returns an authenticated response Credential Service, which returns an authenticated response
containing that certificate. The Credential Service also allows containing that certificate. The Credential Service also allows
users to store and retrieve their own certificates and private keys. users to store and retrieve their own certificates and private keys.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 8 4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 9
5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 9 5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 10
6. Event Package Formal Definition for "certificate" . . . . . . 10 6. Event Package Formal Definition for "certificate" . . . . . . 11
6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 11
6.2. Event Package Parameters . . . . . . . . . . . . . . . . . 10 6.2. Event Package Parameters . . . . . . . . . . . . . . . . . 11
6.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 10 6.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 11
6.4. Subscription Duration . . . . . . . . . . . . . . . . . . 10 6.4. Subscription Duration . . . . . . . . . . . . . . . . . . 11
6.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 10 6.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 11
6.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 11 6.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 12
6.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 11 6.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 12
6.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 11 6.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 12
6.9. Subscriber Processing of NOTIFY Requests . . . . . . . . . 12 6.9. Subscriber Processing of NOTIFY Requests . . . . . . . . . 13
6.10. Handling of Forked Requests . . . . . . . . . . . . . . . 12 6.10. Handling of Forked Requests . . . . . . . . . . . . . . . 13
6.11. Rate of Notifications . . . . . . . . . . . . . . . . . . 12 6.11. Rate of Notifications . . . . . . . . . . . . . . . . . . 13
6.12. State Agents and Lists . . . . . . . . . . . . . . . . . . 12 6.12. State Agents and Lists . . . . . . . . . . . . . . . . . . 13
6.13. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 12 6.13. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 13
7. Event Package Formal Definition for "credential" . . . . . . . 13 7. Event Package Formal Definition for "credential" . . . . . . . 14
7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 13 7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 14
7.2. Event Package Parameters . . . . . . . . . . . . . . . . . 13 7.2. Event Package Parameters . . . . . . . . . . . . . . . . . 14
7.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 13 7.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 14
7.4. Subscription Duration . . . . . . . . . . . . . . . . . . 13 7.4. Subscription Duration . . . . . . . . . . . . . . . . . . 14
7.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 13 7.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 14
7.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 14 7.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 15
7.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 14 7.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 15
7.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 15 7.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 16
7.9. Generation of PUBLISH Requests . . . . . . . . . . . . . . 15 7.9. Generation of PUBLISH Requests . . . . . . . . . . . . . . 16
7.10. Notifier Processing of PUBLISH Requests . . . . . . . . . 16 7.10. Notifier Processing of PUBLISH Requests . . . . . . . . . 17
7.11. Subscriber Processing of NOTIFY Requests . . . . . . . . . 16 7.11. Subscriber Processing of NOTIFY Requests . . . . . . . . . 17
7.12. Handling of Forked Requests . . . . . . . . . . . . . . . 16 7.12. Handling of Forked Requests . . . . . . . . . . . . . . . 17
7.13. Rate of Notifications . . . . . . . . . . . . . . . . . . 16 7.13. Rate of Notifications . . . . . . . . . . . . . . . . . . 17
7.14. State Agents and Lists . . . . . . . . . . . . . . . . . . 17 7.14. State Agents and Lists . . . . . . . . . . . . . . . . . . 18
7.15. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 17 7.15. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 18
8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 17 8.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 18
8.2. Setting and Retrieving UA Credentials . . . . . . . . . . 18 8.2. Setting and Retrieving UA Credentials . . . . . . . . . . 19
9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 9. Security Considerations . . . . . . . . . . . . . . . . . . . 20
9.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 21 9.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 22
9.2. Certificate Replacement . . . . . . . . . . . . . . . . . 22 9.2. Certificate Replacement . . . . . . . . . . . . . . . . . 23
9.3. Trusting the Identity of a Certificate . . . . . . . . . . 22 9.3. Trusting the Identity of a Certificate . . . . . . . . . . 23
9.4. SACRED Framework . . . . . . . . . . . . . . . . . . . . . 23 9.4. SACRED Framework . . . . . . . . . . . . . . . . . . . . . 24
9.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 23 9.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 24
9.6. User Certificate Generation . . . . . . . . . . . . . . . 23 9.6. User Certificate Generation . . . . . . . . . . . . . . . 24
9.7. Compromised Authentication Service . . . . . . . . . . . . 24 9.7. Compromised Authentication Service . . . . . . . . . . . . 25
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
10.1. Certificate Event Package . . . . . . . . . . . . . . . . 25 10.1. Certificate Event Package . . . . . . . . . . . . . . . . 26
10.2. Credential Event Package . . . . . . . . . . . . . . . . . 25 10.2. Credential Event Package . . . . . . . . . . . . . . . . . 26
10.3. PKCS#8 . . . . . . . . . . . . . . . . . . . . . . . . . . 26 10.3. PKCS#8 . . . . . . . . . . . . . . . . . . . . . . . . . . 27
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
12.1. Normative References . . . . . . . . . . . . . . . . . . . 27 12.1. Normative References . . . . . . . . . . . . . . . . . . . 28
12.2. Informational References . . . . . . . . . . . . . . . . . 28 12.2. Informational References . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
[RFC3261], as ammended by [RFC3853], provides a mechanism for end-to- [RFC3261], as ammended by [RFC3853], provides a mechanism for end-to-
end encryption and integrity using S/MIME [RFC3851]. Several end encryption and integrity using S/MIME [RFC3851]. Several
security properties of [RFC3261] depend on S/MIME, and yet it has not security properties of [RFC3261] depend on S/MIME, and yet it has not
been widely deployed. One reason is the complexity of providing a been widely deployed. One reason is the complexity of providing a
reasonable certificate distribution infrastructure. This reasonable certificate distribution infrastructure. This
specification proposes a way to address discovery, retrieval, and specification proposes a way to address discovery, retrieval, and
management of certificates for SIP deployments. Combined with the management of certificates for SIP deployments. Combined with the
skipping to change at page 14, line 8 skipping to change at page 15, line 8
contains both an application/pkix-cert body with the certificate and contains both an application/pkix-cert body with the certificate and
an application/pkcs8 body that has the associated private key an application/pkcs8 body that has the associated private key
information for the certificate. The Content-Disposition MUST be set information for the certificate. The Content-Disposition MUST be set
to "signal" as defined in [RFC3204]. to "signal" as defined in [RFC3204].
A future extension MAY define other NOTIFY bodies. If no "Accept" A future extension MAY define other NOTIFY bodies. If no "Accept"
header field is present in the SUBSCRIBE, the body type defined in header field is present in the SUBSCRIBE, the body type defined in
this document MUST be assumed. this document MUST be assumed.
The application/pkix-cert body is a DER encoded X.509v3 certificate The application/pkix-cert body is a DER encoded X.509v3 certificate
[RFC2585]. The application/pkcs8 body contains a DER-encoded PKCS#8 [RFC2585]. The application/pkcs8 body contains a DER-encoded
[PKCS.8.1993] object that contains the private key. The PKCS#8 [RFC5208] object that contains the private key. The PKCS#8 objects
objects MUST be of type PrivateKeyInfo. The integrity and MUST be of type PrivateKeyInfo. The integrity and confidentiality of
confidentiality of the PKCS#8 objects is provided by the TLS the PKCS#8 objects is provided by the TLS transport. The transport
transport. The transport encoding of all the MIME bodies is binary. encoding of all the MIME bodies is binary.
7.6. Subscriber Generation of SUBSCRIBE Requests 7.6. Subscriber Generation of SUBSCRIBE Requests
A Subscriber User Agent will subscribe to its credential information A Subscriber User Agent will subscribe to its credential information
for a period of hours or days and will automatically attempt to re- for a period of hours or days and will automatically attempt to re-
subscribe before the subscription has completely expired. subscribe before the subscription has completely expired.
The Subscriber SHOULD subscribe to its credentials whenever a new The Subscriber SHOULD subscribe to its credentials whenever a new
user becomes associated with the device (a new login). The user becomes associated with the device (a new login). The
subscriber SHOULD also renew its subscription immediately after a subscriber SHOULD also renew its subscription immediately after a
skipping to change at page 27, line 9 skipping to change at page 28, line 9
help and discussion. Many others provided useful comments, including help and discussion. Many others provided useful comments, including
Kumiko Ono, Peter Gutmann, Russ Housley, Yaron Pdut, Aki Niemi, Kumiko Ono, Peter Gutmann, Russ Housley, Yaron Pdut, Aki Niemi,
Magnus Nystrom, Paul Hoffman, Adina Simu, Dan Wing, Mike Hammer and Magnus Nystrom, Paul Hoffman, Adina Simu, Dan Wing, Mike Hammer and
Lyndsay Campbell. Rohan Mahy, John Elwell, and Jonathan Rosenberg Lyndsay Campbell. Rohan Mahy, John Elwell, and Jonathan Rosenberg
provided detailed review and text. provided detailed review and text.
12. References 12. References
12.1. Normative References 12.1. Normative References
[PKCS.8.1993]
RSA Laboratories, "Private-Key Information Syntax
Standard, Version 1.2", PKCS 8, November 1993.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996. November 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key [RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key
Infrastructure Operational Protocols: FTP and HTTP", Infrastructure Operational Protocols: FTP and HTTP",
RFC 2585, May 1999. RFC 2585, May 1999.
skipping to change at page 27, line 46 skipping to change at page 28, line 42
[RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific [RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific
Event Notification", RFC 3265, June 2002. Event Notification", RFC 3265, June 2002.
[RFC3903] Niemi, A., "Session Initiation Protocol (SIP) Extension [RFC3903] Niemi, A., "Session Initiation Protocol (SIP) Extension
for Event State Publication", RFC 3903, October 2004. for Event State Publication", RFC 3903, October 2004.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for [RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, August 2006. Initiation Protocol (SIP)", RFC 4474, August 2006.
[RFC5208] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8:
Private-Key Information Syntax Specification Version 1.2",
RFC 5208, May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
12.2. Informational References 12.2. Informational References
skipping to change at page 28, line 41 skipping to change at page 29, line 41
Phone: +1 408 421-9990 Phone: +1 408 421-9990
Email: fluffy@cisco.com Email: fluffy@cisco.com
Jason Fischl (editor) Jason Fischl (editor)
Skype Skype
2145 Hamilton Ave. 2145 Hamilton Ave.
San Jose, CA 95125 San Jose, CA 95125
USA USA
Phone: +1-408-786-5919 Phone: +1-415-202-5192
Email: jason.fischl@skype.net Email: jason.fischl@skypelabs.com
 End of changes. 9 change blocks. 
69 lines changed or deleted 79 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/