repost from yesterday...
---------- Forwarded message ----------
Date: Mon, 30 Dec 2002 17:20:50 -0800 (PST)
From: Amit Bhadoria <bhadoria@cisco.com>
To: sip@ietf.org
Subject: [TLS] how to validate multiple domains with single certificate
hi,
I have some questions based on RFC 3263 "Locating SIP Services". In
RFC 3263 it is mentioned that:
"For NAPTR records with SIPS protocol fields, (if the server is using
a site certificate), the domain name in the query and the domain name
in the replacement field MUST both be valid based on the site
certificate handed out by the server in the TLS exchange. Similarly,
the domain name in the SRV query and the domain name in the target in
the SRV record MUST both be valid based on the same site certificate.
Otherwise, an attacker could modify the DNS records to contain
replacement values in a different domain, and the client could not
validate that this was the desired behavior or the result of an
attack."
Now, there are three potentially different domains in concern while
processing a SIPS request:
1. domain used in the NAPTR query: this is the target domain for this
request
2. domain mentioned in the replacement field of the NAPTR records: this
is the domain used in the SRV query, obtained from the replacement
field of the NAPTR records
3. domain mentioned in the target of the SRV record: the domain
mentioned in the SRV record selected for the final A lookup
Is it possible to have all three domains different, or is it just a
bad example (due to my limited knowledge of DNS setups), and in practical
cases will the three domains either be the same as TARGET or a subdomain of
it?
They can be different as far as DNS is concerned, but the point of the
text is to say that for SIPS URIs, they generally shouldn't be.
Otherwise, there is this potential DNS attack. I say "generally" because
it is possible for a single site certificate to be valid for multiple
domains. In that case, so long as the domains in the DNS were all valid
for that single certificate, it's OK to use different domains. But, this
is rare I think.
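The check the reply describes, written out as an added example that is not part of the original thread: all three domains of one SIPS lookup (NAPTR query domain, NAPTR replacement domain, SRV target) must be valid for the single certificate the server presents, and a multi-domain certificate is the one case where they may legitimately differ. It assumes the certificate's identities are available as a list of DNS names (e.g. subjectAltName entries), that hostname matching follows the usual TLS convention of an exact match or a single leftmost-label wildcard, and that the `_sips._tcp` service labels are stripped from the NAPTR replacement field before comparison.

```python
# Added example; assumptions: cert identities are given as a list of DNS names,
# matching is exact or one-label wildcard, and leading "_service" labels are
# stripped from the NAPTR replacement field before it is compared.

def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.COM.' == 'example.com'."""
    return name.rstrip(".").lower()

def _strip_service_labels(name: str) -> str:
    """'_sips._tcp.example.com' -> 'example.com' (the domain part of the replacement)."""
    labels = _normalize(name).split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels)

def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name covers host: exact, or '*.label' wildcard."""
    cert_name, host = _normalize(cert_name), _normalize(host)
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        # A wildcard covers exactly one label: '*.example.com' matches
        # 'sip.example.com' but neither 'example.com' nor 'a.b.example.com'.
        suffix = cert_name[1:]  # '.example.com'
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False

def domain_valid_for_cert(domain: str, cert_names) -> bool:
    return any(name_matches(n, domain) for n in cert_names)

def validate_sips_chain(naptr_query_domain, naptr_replacement, srv_target, cert_names):
    """Return (ok, offending_domains) for the three domains of one SIPS lookup.

    Any domain not covered by the presented certificate is reported, which is
    what lets a client reject DNS answers that were steered to another domain.
    """
    domains = (naptr_query_domain, _strip_service_labels(naptr_replacement), srv_target)
    bad = [d for d in domains if not domain_valid_for_cert(d, cert_names)]
    return (not bad, bad)

# Constructed sample certificates: one single-site cert and one multi-domain cert.
CERT_EXAMPLE = ["example.com", "*.example.com"]
CERT_MULTI = ["example.com", "*.example.com", "example.net", "*.example.net"]

if __name__ == "__main__":
    print(validate_sips_chain("example.com", "_sips._tcp.example.com",
                              "sip.example.com", CERT_EXAMPLE))
    print(validate_sips_chain("example.com", "_sips._tcp.example.com",
                              "sip.attacker.example", CERT_EXAMPLE))
```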