[Sip] TLS: how to validate multiple domains with single certificate (fwd)
repost from yesterday...
---------- Forwarded message ----------
Date: Mon, 30 Dec 2002 17:20:50 -0800 (PST)
From: Amit Bhadoria <bhadoria@cisco.com>
To: sip@ietf.org
Subject: [TLS] how to validate multiple domains with single certificate
hi,
I have some questions based on RFC 3263 "Locating SIP Services". In
RFC 3263 it is mentioned that:
"For NAPTR records with SIPS protocol fields, (if the server is using
a site certificate), the domain name in the query and the domain name
in the replacement field MUST both be valid based on the site
certificate handed out by the server in the TLS exchange. Similarly,
the domain name in the SRV query and the domain name in the target in
the SRV record MUST both be valid based on the same site certificate.
Otherwise, an attacker could modify the DNS records to contain
replacement values in a different domain, and the client could not
validate that this was the desired behavior or the result of an
attack."
Now, there are three potentially different domains in concern while
processing a SIPS request:
1. domain used in NAPTR query: this is the target domain for this
request
2. domain mentioned in replacement field of NAPTR records: this
is the domain used in the SRV query, obtained from replacement
field of NAPTR records
3. domain mentioned in target in the SRV record: the domain
mentioned in the SRV record selected for final A lookup
Is it possible to have all the three domains different, or is it just a
bad example (due to my limited knowledge of DNS setups), and in practical
cases the three domains will either be same as TARGET or a subdomain of
it?
In case my imagination is correct, and it is possible to have a setup where
all three domains (from three steps of DNS procedures) are different, then
how can a client validate these three domains using the same certificate?
I'd appreciate your comments/explanation to my queries.
thanks,
-amit.
----------------------------------------------------------------------------
I have hardly ever known a mathematician who was capable of reasoning.
-- gnulib
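As an added illustration of the check the post is asking about (this is example code written for this page, not code from the poster, Cisco, or any SIP stack): a client-side validator that takes the three names produced by the RFC 3263 resolution chain (the NAPTR query domain, the NAPTR replacement, and the SRV target) and checks each of them against the dNSName entries of a single site certificate. It uses the usual dNSName matching rules (case-insensitive, a wildcard only as the whole leftmost label, matching exactly one label). The certificate SAN lists and the three-domain chain below are constructed sample data. One assumption is labelled in the code: the `_sips._tcp.` service/protocol labels of the NAPTR replacement are stripped before matching, because those underscore labels are the SRV owner name, not a host name a certificate would carry.

```python
"""Validate the three DNS names of a SIPS resolution chain (RFC 3263)
against the dNSName entries of one site certificate.

Example code for this page; sample certificates and chains are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing root dot too."""
    return name.rstrip(".").lower()


def strip_srv_prefix(name: str) -> str:
    """Drop leading '_service._proto' labels from an SRV owner name.

    Assumption made by this example: the NAPTR replacement field names an
    SRV record such as '_sips._tcp.example.com', and the domain that has to
    be valid under the certificate is the part after the underscore labels.
    """
    labels = normalize(name).split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels)


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a host name.

    Rules: exact match, or a wildcard that is the entire leftmost label and
    matches exactly one label (so '*.example.com' does not cover
    'a.b.example.com' or 'example.com'). Wildcards with fewer than three
    labels ('*.com') are rejected.
    """
    pattern, hostname = normalize(pattern), normalize(hostname)
    if not pattern or not hostname:
        return False
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return (len(p_labels) >= 3
                and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return False


def cert_covers(san_dnsnames: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN covers the host name."""
    return any(dnsname_matches(p, hostname) for p in san_dnsnames)


@dataclass(frozen=True)
class SipsResolution:
    target_domain: str      # domain in the NAPTR query (host of the SIPS URI)
    naptr_replacement: str  # replacement field of the chosen NAPTR record
    srv_target: str         # target of the chosen SRV record


def validate_resolution(res: SipsResolution,
                        san_dnsnames: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (step, name checked, covered?) for each of the three names.

    RFC 3263 requires all three to be valid under the same site certificate;
    otherwise a forged NAPTR/SRV answer could redirect the client to a host
    the certificate never vouched for.
    """
    san = list(san_dnsnames)
    checks = [
        ("NAPTR query domain", normalize(res.target_domain)),
        ("NAPTR replacement", strip_srv_prefix(res.naptr_replacement)),
        ("SRV target", normalize(res.srv_target)),
    ]
    return [(step, name, cert_covers(san, name)) for step, name in checks]


def resolution_is_trusted(res: SipsResolution, san_dnsnames: Iterable[str]) -> bool:
    """The chain is acceptable only if every one of the three names is covered."""
    return all(ok for _, _, ok in validate_resolution(res, san_dnsnames))


# Constructed sample data: the "three different domains" case from the post.
THREE_DOMAIN_CHAIN = SipsResolution(
    target_domain="example.com",
    naptr_replacement="_sips._tcp.sip.example.net.",
    srv_target="proxy1.hosting.example.org.",
)
# A certificate issued only for the target domain cannot vouch for the chain.
SAN_TARGET_ONLY = ["example.com", "*.example.com"]
# A certificate carrying all three names as dNSName SAN entries can.
SAN_ALL_THREE = ["example.com", "sip.example.net", "proxy1.hosting.example.org"]

if __name__ == "__main__":
    for label, san in (("target-only cert", SAN_TARGET_ONLY),
                       ("multi-SAN cert", SAN_ALL_THREE)):
        print(label, "-> trusted:", resolution_is_trusted(THREE_DOMAIN_CHAIN, san))
        for step, name, ok in validate_resolution(THREE_DOMAIN_CHAIN, san):
            print(f"  {step:20s} {name:30s} {'ok' if ok else 'NOT COVERED'}")
```

Run as a script it prints the per-step result for both sample certificates; with the target-only certificate the NAPTR replacement and SRV target steps fail, and only the certificate that lists all three names as subjectAltName dNSName entries passes, which is the single-certificate answer to the question above.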
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip