draft-ietf-sip-certs-11.txt   draft-ietf-sip-certs-12.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track J. Fischl, Ed. Intended status: Standards Track J. Fischl, Ed.
Expires: September 6, 2010 Skype Expires: September 23, 2010 Skype
March 5, 2010 March 22, 2010
Certificate Management Service for The Session Initiation Protocol (SIP) Certificate Management Service for The Session Initiation Protocol (SIP)
draft-ietf-sip-certs-11 draft-ietf-sip-certs-12
Abstract Abstract
This draft defines a Credential Service that allows Session This draft defines a Credential Service that allows Session
Initiation Protocol (SIP) User Agents (UAs) to use a SIP event Initiation Protocol (SIP) User Agents (UAs) to use a SIP event
package to discover the certificates of other users. This mechanism package to discover the certificates of other users. This mechanism
allows user agents that want to contact a given Address-of-Record allows user agents that want to contact a given Address-of-Record
(AOR) to retrieve that AOR's certificate by subscribing to the (AOR) to retrieve that AOR's certificate by subscribing to the
Credential Service, which returns an authenticated response Credential Service, which returns an authenticated response
containing that certificate. The Credential Service also allows containing that certificate. The Credential Service also allows
skipping to change at page 1, line 44 skipping to change at page 1, line 44
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 6, 2010. This Internet-Draft will expire on September 23, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 7 skipping to change at page 3, line 7
modifications of such material outside the IETF Standards Process. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 9 4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 8
5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 10 5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 9
6. Event Package Formal Definition for "certificate" . . . . . . 11 6. Event Package Formal Definition for "certificate" . . . . . . 10
6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 11 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10
6.2. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 11 6.2. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 10
6.3. Subscription Duration . . . . . . . . . . . . . . . . . . 11 6.3. Subscription Duration . . . . . . . . . . . . . . . . . . 10
6.4. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 11 6.4. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 10
6.5. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 12 6.5. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 11
6.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 12 6.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 11
6.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 12 6.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 11
6.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 13 6.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 12
6.9. Handling of Forked Requests . . . . . . . . . . . . . . . 13 6.9. Handling of Forked Requests . . . . . . . . . . . . . . . 12
6.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 13 6.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 12
6.11. State Agents and Lists . . . . . . . . . . . . . . . . . . 13 6.11. State Agents and Lists . . . . . . . . . . . . . . . . . . 12
6.12. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 13 6.12. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 12
7. Event Package Formal Definition for "credential" . . . . . . . 14 7. Event Package Formal Definition for "credential" . . . . . . . 13
7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 14 7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 13
7.2. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 14 7.2. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 13
7.3. Subscription Duration . . . . . . . . . . . . . . . . . . 14 7.3. Subscription Duration . . . . . . . . . . . . . . . . . . 13
7.4. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 14 7.4. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 13
7.5. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 15 7.5. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 14
7.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 15 7.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 14
7.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 15 7.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 14
7.8. Generation of PUBLISH Requests . . . . . . . . . . . . . . 16 7.8. Generation of PUBLISH Requests . . . . . . . . . . . . . . 15
7.9. Notifier Processing of PUBLISH Requests . . . . . . . . . 16 7.9. Notifier Processing of PUBLISH Requests . . . . . . . . . 15
7.10. Subscriber Processing of NOTIFY Requests . . . . . . . . . 17 7.10. Subscriber Processing of NOTIFY Requests . . . . . . . . . 16
7.11. Handling of Forked Requests . . . . . . . . . . . . . . . 17 7.11. Handling of Forked Requests . . . . . . . . . . . . . . . 16
7.12. Rate of Notifications . . . . . . . . . . . . . . . . . . 17 7.12. Rate of Notifications . . . . . . . . . . . . . . . . . . 16
7.13. State Agents and Lists . . . . . . . . . . . . . . . . . . 17 7.13. State Agents and Lists . . . . . . . . . . . . . . . . . . 16
7.14. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 18 7.14. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 17
8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 18 8.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 17
8.2. Setting and Retrieving UA Credentials . . . . . . . . . . 19 8.2. Setting and Retrieving UA Credentials . . . . . . . . . . 18
9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 9. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 22 9.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 21
9.2. Certificate Replacement . . . . . . . . . . . . . . . . . 22 9.2. Certificate Replacement . . . . . . . . . . . . . . . . . 21
9.3. Trusting the Identity of a Certificate . . . . . . . . . . 23 9.3. Trusting the Identity of a Certificate . . . . . . . . . . 22
9.3.1. Extra Assurance . . . . . . . . . . . . . . . . . . . 24 9.3.1. Extra Assurance . . . . . . . . . . . . . . . . . . . 23
9.4. SACRED Framework . . . . . . . . . . . . . . . . . . . . . 24 9.4. SACRED Framework . . . . . . . . . . . . . . . . . . . . . 23
9.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 24 9.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 23
9.6. User Certificate Generation . . . . . . . . . . . . . . . 25 9.6. User Certificate Generation . . . . . . . . . . . . . . . 24
9.7. Compromised Authentication Service . . . . . . . . . . . . 25 9.7. Compromised Authentication Service . . . . . . . . . . . . 24
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
10.1. Certificate Event Package . . . . . . . . . . . . . . . . 26 10.1. Certificate Event Package . . . . . . . . . . . . . . . . 25
10.2. Credential Event Package . . . . . . . . . . . . . . . . . 26 10.2. Credential Event Package . . . . . . . . . . . . . . . . . 25
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
12.1. Normative References . . . . . . . . . . . . . . . . . . . 27 12.1. Normative References . . . . . . . . . . . . . . . . . . . 26
12.2. Informational References . . . . . . . . . . . . . . . . . 28 12.2. Informational References . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction 1. Introduction
[RFC3261], as amended by [RFC3853], provides a mechanism for end-to- [RFC3261], as amended by [RFC3853], provides a mechanism for end-to-
end encryption and integrity using S/MIME [RFC3851]. Several end encryption and integrity using S/MIME [RFC3851]. Several
security properties of [RFC3261] depend on S/MIME, and yet it has not security properties of [RFC3261] depend on S/MIME, and yet it has not
been widely deployed. One reason is the complexity of providing a been widely deployed. One reason is the complexity of providing a
reasonable certificate distribution infrastructure. This reasonable certificate distribution infrastructure. This
specification proposes a way to address discovery, retrieval, and specification proposes a way to address discovery, retrieval, and
management of certificates for SIP deployments. Combined with the management of certificates for SIP deployments. Combined with the
skipping to change at page 17, line 5 skipping to change at page 17, line 5
CA flag to false. CA flag to false.
7.9. Notifier Processing of PUBLISH Requests 7.9. Notifier Processing of PUBLISH Requests
When the credential service receives a PUBLISH to update credentials, When the credential service receives a PUBLISH to update credentials,
it MUST authenticate and authorize this request the same way as for it MUST authenticate and authorize this request the same way as for
subscriptions for credentials. If the authorization succeeds, then subscriptions for credentials. If the authorization succeeds, then
the credential service MUST perform the following check on the the credential service MUST perform the following check on the
certificate: certificate:
o One of the names in the SubjectAltName of the certificate matches
the authorized user making the request.
o The notBefore validity time MUST NOT be in the future. o The notBefore validity time MUST NOT be in the future.
o The notAfter validity time MUST be in the future. o The notAfter validity time MUST be in the future.
o If a CA Basic Constraint is set in the certificate, it is set to o If a CA Basic Constraint is set in the certificate, it is set to
false. false.
If all of these succeed, the credential service updates the If all of these succeed, the credential service updates the
credential for this URI, processes all the active certificates and credential for this URI, processes all the active certificates and
credential subscriptions to this URI, and generates a NOTIFY request credential subscriptions to this URI, and generates a NOTIFY request
with the new credential or certificate. with the new credential or certificate. Note the SubjectAltName
SHOULD NOT be checked as that would restrict which certificates could
be used and offers no additional security guarentees.
If the Subscriber submits a PUBLISH request with no body and If the Subscriber submits a PUBLISH request with no body and
Expires=0, this revokes the current credentials. Watchers of these Expires=0, this revokes the current credentials. Watchers of these
credentials will receive update with no body indicating that they credentials will receive update with no body indicating that they
MUST stop any previously stored credentials. Note that subscriptions MUST stop any previously stored credentials. Note that subscriptions
to the certificate package are NOT terminated; each subscriber to the to the certificate package are NOT terminated; each subscriber to the
certificate package receives a notification with an empty body. certificate package receives a notification with an empty body.
7.10. Subscriber Processing of NOTIFY Requests 7.10. Subscriber Processing of NOTIFY Requests
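Review bot: The sentence added at the end of the acceptance paragraph in 7.9 ("Note the SubjectAltName SHOULD NOT be checked as that would restrict which certificates could be used and offers no additional security guarentees") removes the name-binding check without explaining why it adds nothing, and it sits awkwardly with Section 9.6, which still says the subjectAltName must have a URI type set to the SIP URL corresponding to the user AOR. Suggest stating the rationale in the text (for example, that the binding to the AOR comes from the authenticated and authorized PUBLISH rather than from the certificate contents, if that is the intent) and reconciling the two sections. Also correct "guarentees" to "guarantees", and since three items remain in the list, "the following check" would read better as "the following checks".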
skipping to change at page 24, line 50 skipping to change at page 24, line 50
that is used to protect the credentials being exchanged. that is used to protect the credentials being exchanged.
9.5. Crypto Profiles 9.5. Crypto Profiles
Credential Services SHOULD implement the server name indication Credential Services SHOULD implement the server name indication
extensions in [RFC4366]. As specified in [RFC5246], Credential extensions in [RFC4366]. As specified in [RFC5246], Credential
Services MUST support the TLS cipher suite Services MUST support the TLS cipher suite
TLS_RSA_WITH_AES_128_CBC_SHA. TLS_RSA_WITH_AES_128_CBC_SHA.
The PKCS#8 in the clients MUST implement PBES2 with a key derivation The PKCS#8 in the clients MUST implement PBES2 with a key derivation
algorithm of PBKDF2 using HMAC with SHA1 and an encryption algorithm algorithm of PBKDF2 using HMAC with SHA-256 [RFC5754] and an
of DES-EDE2-CBC-Pad as defined in [RFC2898]. It is RECOMMENDED that encryption algorithm of DES-EDE2-CBC-Pad as defined in [RFC2898]. It
this profile be used when using PKCS#8. A different passphrase is RECOMMENDED that this profile be used when using PKCS#8. A
SHOULD be used for the PKCS#8 encryption than is used for server different passphrase SHOULD be used for the PKCS#8 encryption than is
authentication. used for server authentication.
9.6. User Certificate Generation 9.6. User Certificate Generation
The certificates should be consistent with [RFC5280]. A The certificates should be consistent with [RFC5280]. A
signatureAlgorithm of sha1WithRSAEncryption MUST be implemented. The signatureAlgorithm of sha1WithRSAEncryption MUST be implemented. The
Issuers SHOULD be the same as the subject. Given the ease of issuing Issuers SHOULD be the same as the subject. Given the ease of issuing
new certificates with this system, the Validity can be relatively new certificates with this system, the Validity can be relatively
short. A Validity of one year or less is RECOMMENDED. The short. A Validity of one year or less is RECOMMENDED. The
subjectAltName must have a URI type that is set to the SIP URL subjectAltName must have a URI type that is set to the SIP URL
corresponding to the user AOR. It MAY be desirable to put some corresponding to the user AOR. It MAY be desirable to put some
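Review bot: The PBES2 sentence in 9.5 now requires PBKDF2 using HMAC with SHA-256 but cites [RFC5754], whose title in the reference list is "Using SHA2 Algorithms with Cryptographic Message Syntax", and still ends "as defined in [RFC2898]", so an implementer cannot tell from this text which PRF algorithm identifier belongs in the PBKDF2 parameters. Suggest naming the identifier explicitly and saying whether clients are expected to keep reading PKCS#8 objects protected under the HMAC with SHA1 profile from -11, since this changes a MUST. The strengthening is also partial: the encryption algorithm stays DES-EDE2-CBC-Pad and 9.6 still makes sha1WithRSAEncryption mandatory to implement; if that is deliberate, a sentence saying so would help.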
skipping to change at page 28, line 12 skipping to change at page 28, line 12
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005. Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
and T. Wright, "Transport Layer Security (TLS) and T. Wright, "Transport Layer Security (TLS)
Extensions", RFC 4366, April 2006. Extensions", RFC 4366, April 2006.
[RFC5754] Turner, S., "Using SHA2 Algorithms with Cryptographic
Message Syntax", RFC 5754, January 2010.
[I-D.turner-asymmetrickeyformat] [I-D.turner-asymmetrickeyformat]
Turner, S., "Asymmetric Key Packages", Turner, S., "Asymmetric Key Packages",
draft-turner-asymmetrickeyformat-03 (work in progress), draft-turner-asymmetrickeyformat-04 (work in progress),
February 2010. March 2010.
12.2. Informational References 12.2. Informational References
[RFC3760] Gustafson, D., Just, M., and M. Nystrom, "Securely [RFC3760] Gustafson, D., Just, M., and M. Nystrom, "Securely
Available Credentials (SACRED) - Credential Server Available Credentials (SACRED) - Credential Server
Framework", RFC 3760, April 2004. Framework", RFC 3760, April 2004.
[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification", Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004. RFC 3851, July 2004.
 End of changes. 9 change blocks. 
67 lines changed or deleted 70 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/