draft-ietf-sip-eku-06.txt   draft-ietf-sip-eku-07.txt 
SIP WG S. Lawrence SIP WG S. Lawrence
Internet-Draft Nortel Networks, Inc. Internet-Draft Nortel Networks, Inc.
Intended status: Experimental V. Gurbani Intended status: Experimental V. Gurbani
Expires: April 23, 2010 Bell Laboratories, Alcatel-Lucent Expires: April 23, 2010 Bell Laboratories, Alcatel-Lucent
October 20, 2009 October 20, 2009
Using Extended Key Usage (EKU) for Session Initiation Protocol (SIP) Using Extended Key Usage (EKU) for Session Initiation Protocol (SIP)
X.509 Certificates X.509 Certificates
draft-ietf-sip-eku-06 draft-ietf-sip-eku-07
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
skipping to change at page 2, line 32 skipping to change at page 2, line 32
1.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Abstract syntax notation . . . . . . . . . . . . . . . . . 3 1.2. Abstract syntax notation . . . . . . . . . . . . . . . . . 3
2. Problem statement . . . . . . . . . . . . . . . . . . . . . . . 3 2. Problem statement . . . . . . . . . . . . . . . . . . . . . . . 3
3. Restricting usage to SIP . . . . . . . . . . . . . . . . . . . 4 3. Restricting usage to SIP . . . . . . . . . . . . . . . . . . . 4
3.1. Extended Key Usage values for SIP domains . . . . . . . . . 5 3.1. Extended Key Usage values for SIP domains . . . . . . . . . 5
4. Using the SIP EKU in a certificate . . . . . . . . . . . . . . 5 4. Using the SIP EKU in a certificate . . . . . . . . . . . . . . 5
5. Implications for a Certification Authority . . . . . . . . . . 6 5. Implications for a Certification Authority . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. Normative References . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . . 7
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 8 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Terminology 1. Terminology
1.1. Key Words 1.1. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
skipping to change at page 3, line 27 skipping to change at page 3, line 27
certificate owner is authoritative for SIP services in the domain certificate owner is authoritative for SIP services in the domain
named by that subject identity. named by that subject identity.
1.2. Abstract syntax notation 1.2. Abstract syntax notation
All X.509 certificate X.509 [4] extensions are defined using ASN.1 All X.509 certificate X.509 [4] extensions are defined using ASN.1
X.680 [5],X.690 [6]. X.680 [5],X.690 [6].
2. Problem statement 2. Problem statement
Consider the SIP RFC 3261 [2] trapezoid shown in Figure 1. Consider the SIP RFC 3261 [2] actors shown in Figure 1.
Proxy-A.example.com Proxy-B.example.net Proxy-A.example.com Proxy-B.example.net
+-------+ +-------+ +-------+ +-------+
| Proxy |--------------------| Proxy | | Proxy |--------------------| Proxy |
+----+--+ +---+---+ +----+--+ +---+---+
| | | |
| | | |
| | | |
| +---+ | +---+
0---0 | | 0---0 | |
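Review bot: the sentence in 1.2 (unchanged context in this hunk), "All X.509 certificate X.509 [4] extensions are defined using ASN.1 X.680 [5],X.690 [6].", repeats "X.509" and lacks a space after the comma; suggest "All X.509 [4] certificate extensions are defined using ASN.1 (X.680 [5], X.690 [6])." The "trapezoid" to "actors" change in section 2 reads fine against the two-proxy figure that follows.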
skipping to change at page 6, line 6 skipping to change at page 6, line 6
The implementation MUST examine the Extended Key Usage value(s), if The implementation MUST examine the Extended Key Usage value(s), if
any: any:
o If the certificate does not contain any EKU values (the Extended o If the certificate does not contain any EKU values (the Extended
Key Usage extension does not exist), it is a matter of local Key Usage extension does not exist), it is a matter of local
policy whether or not to accept the certificate for use as a SIP policy whether or not to accept the certificate for use as a SIP
certificate. certificate.
o If the certificate contains the id-kp-sipDomain EKU extension, o If the certificate contains the id-kp-sipDomain EKU extension,
then implementations MUST consider the certificate acceptable for then implementations of this specification MUST consider the
use as a SIP certificate. certificate acceptable for use as a SIP certificate.
o If the certificate does not contain the id-kp-sipDomain EKU value, o If the certificate does not contain the id-kp-sipDomain EKU value,
but does contain the id-kp-anyExtendedKeyUsage EKU value, it is a but does contain the id-kp-anyExtendedKeyUsage EKU value, it is a
matter of local policy whether or not to consider the certificate matter of local policy whether or not to consider the certificate
acceptable for use as a SIP certificate. acceptable for use as a SIP certificate.
o If the EKU extension exists, but does not contain any of the id- o If the EKU extension exists, but does not contain any of the id-
kp-sipDomain or id-kp-anyExtendedKeyUsage EKU values, then the kp-sipDomain or id-kp-anyExtendedKeyUsage EKU values, then the
certificate MUST NOT be accepted as valid for use as a SIP certificate MUST NOT be accepted as valid for use as a SIP
certificate. certificate.
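Review bot: the second bullet calls id-kp-sipDomain an "EKU extension" while the third and fourth bullets call it an "EKU value"; since id-kp-sipDomain is a KeyPurposeId carried inside the single Extended Key Usage extension, suggest "If the certificate contains the id-kp-sipDomain EKU value, then implementations of this specification MUST consider the certificate acceptable for use as a SIP certificate." The added "of this specification" qualifier is fine, but the fourth bullet's "MUST NOT be accepted" carries no such qualifier, so either apply it to both MUST-level bullets or to neither.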
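The four-case EKU check in section 4 above, as an added example (not code from the draft): a minimal DER decoder for the ExtKeyUsage SEQUENCE OF OBJECT IDENTIFIER, followed by the acceptance decision in the order the bullets give it. The dotted OID values for id-kp-sipDomain and id-kp-anyExtendedKeyUsage are assumed here because the page does not list them, and the two sample DER encodings are constructed.

```python
from typing import List, Optional

ID_KP_SIPDOMAIN = "1.3.6.1.5.5.7.3.20"  # id-kp-sipDomain (OID assumed, not on this page)
ID_KP_ANY_EKU = "2.5.29.37.0"           # id-kp-anyExtendedKeyUsage (OID assumed)

def _read_len(buf: bytes, i: int):
    """DER length at buf[i] (short or long form) -> (length, content offset)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F                     # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def decode_oid(content: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets (base-128 arcs) into dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    # The first two arcs are packed into one value as 40*X + Y.
    x = 0 if arcs[0] < 40 else 1 if arcs[0] < 80 else 2
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def decode_eku(der: bytes) -> List[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_len(der, 1)
    end, oids = i + length, []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        n, j = _read_len(der, i + 1)
        oids.append(decode_oid(der[j:j + n]))
        i = j + n
    return oids

def sip_eku_decision(eku: Optional[List[str]]) -> str:
    """Apply the section 4 rules; eku is None when there is no EKU extension."""
    if eku is None:
        return "local-policy"             # no extension: local policy decides
    if ID_KP_SIPDOMAIN in eku:
        return "accept"                   # MUST accept as a SIP certificate
    if ID_KP_ANY_EKU in eku:
        return "local-policy"             # only anyExtendedKeyUsage: local policy
    return "reject"                       # EKU present, neither value: MUST NOT accept

# Constructed sample encodings (not from the draft): serverAuth only; sipDomain + anyEKU.
EKU_SERVERAUTH_ONLY = bytes.fromhex("300a" "06082b06010505070301")
EKU_SIP_AND_ANY = bytes.fromhex("3010" "06082b06010505070314" "0604551d2500")
```

A certificate carrying id-kp-sipDomain alongside other purposes still lands in the accept case, which is the ordering the bullets require.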
skipping to change at page 7, line 9 skipping to change at page 7, line 9
The following IETF contributors provided substantive input to this The following IETF contributors provided substantive input to this
document: Jeroen van Bemmel, Michael Hammer, Cullen Jennings, Paul document: Jeroen van Bemmel, Michael Hammer, Cullen Jennings, Paul
Kyzivat, Derek MacDonald, Dave Oran, Jon Peterson, Eric Rescorla, Kyzivat, Derek MacDonald, Dave Oran, Jon Peterson, Eric Rescorla,
Jonathan Rosenberg, Russ Housley, Paul Hoffman, and Stephen Kent. Jonathan Rosenberg, Russ Housley, Paul Hoffman, and Stephen Kent.
Sharon Boyen and Trevor Freeman reviewed the document and facilitated Sharon Boyen and Trevor Freeman reviewed the document and facilitated
the discussion on id-kp-anyExtendedKeyUsage, id-kpServerAuth and id- the discussion on id-kp-anyExtendedKeyUsage, id-kpServerAuth and id-
kp-ClientAuth purposes in certificates. kp-ClientAuth purposes in certificates.
9. References 9. Normative References
9.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997. Levels", RFC 2119, March 1997.
[2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., [2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002. Session Initiation Protocol", RFC 3261, June 2002.
[3] Cooper, D., Santesson, S., Farrell, S., Boyen, S., Housley, R., [3] Cooper, D., Santesson, S., Farrell, S., Boyen, S., Housley, R.,
and W. Polk, "Internet X.509 Public Key Infrastructure and W. Polk, "Internet X.509 Public Key Infrastructure
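Review bot: the acknowledgments in this hunk's leading context name the purposes as "id-kpServerAuth" and "id-kp-ClientAuth"; the identifiers defined in the PKIX certificate profile [3] are id-kp-serverAuth and id-kp-clientAuth, so suggest correcting the spelling while this revision is touching the adjacent references heading. The new "9. Normative References" heading matches the table of contents entry in this revision.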
skipping to change at page 7, line 43 skipping to change at page 7, line 41
[6] International International Telephone and Telegraph Consultative [6] International International Telephone and Telegraph Consultative
Committee, "ASN.1 encoding rules: Specification of basic Committee, "ASN.1 encoding rules: Specification of basic
encoding Rules (BER), Canonical encoding rules (CER) and encoding Rules (BER), Canonical encoding rules (CER) and
Distinguished encoding rules (DER)", CCITT Recommendation X.690, Distinguished encoding rules (DER)", CCITT Recommendation X.690,
July 2002. July 2002.
[7] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol [7] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol
(SIP): Location SIP Servers", RFC 3263, June 2002. (SIP): Location SIP Servers", RFC 3263, June 2002.
9.2. Informative References
[8] Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain Certificates [8] Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain Certificates
in the Session Initiation Protocol (SIP)", in the Session Initiation Protocol (SIP)",
draft-ietf-sip-domain-certs-04.txt (work in progress), May 2009. draft-ietf-sip-domain-certs-04.txt (work in progress), May 2009.
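Review bot: removing the "9.2. Informative References" heading leaves [8], draft-ietf-sip-domain-certs-04 (work in progress), under "9. Normative References", which makes this draft normatively dependent on an unpublished Internet-Draft; confirm that is intended, or keep [8] informative if it is cited only for background. Separately, [6] in the unchanged context reads "International International Telephone and Telegraph Consultative Committee" (duplicated word).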
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
SIPDomainCertExtn SIPDomainCertExtn
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-sip-domain-extns2007(62) } id-mod-sip-domain-extns2007(62) }
End of changes. 6 change blocks. 12 lines changed or deleted, 6 lines changed or added.
This html diff was produced by rfcdiff 1.37a. The latest version is available from http://tools.ietf.org/tools/rfcdiff/