| < draft-ietf-sip-certs-04.txt | draft-ietf-sip-certs-05.txt > | |||
|---|---|---|---|---|
| Network Working Group C. Jennings | Network Working Group C. Jennings | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Intended status: Standards Track J. Peterson | Intended status: Standards Track J. Peterson | |||
| Expires: January 9, 2008 NeuStar, Inc. | Expires: August 1, 2008 NeuStar, Inc. | |||
| J. Fischl, Ed. | J. Fischl, Ed. | |||
| CounterPath Solutions, Inc. | CounterPath Solutions, Inc. | |||
| July 8, 2007 | January 31, 2008 | |||
| Certificate Management Service for The Session Initiation Protocol (SIP) | Certificate Management Service for The Session Initiation Protocol (SIP) | |||
| draft-ietf-sip-certs-04 | draft-ietf-sip-certs-05 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on January 9, 2008. | This Internet-Draft will expire on January 9, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2008). | |||
| Abstract | Abstract | |||
| This draft defines a Credential Service that allows Session | This draft defines a Credential Service that allows Session | |||
| Initiation Protocol (SIP) User Agents (UAs) to use a SIP package to | Initiation Protocol (SIP) User Agents (UAs) to use a SIP event | |||
| discover the certificates of other users. This mechanism allows user | package to discover the certificates of other users. This mechanism | |||
| agents that want to contact a given Address-of-Record (AOR) to | allows user agents that want to contact a given Address-of-Record | |||
| retrieve that AOR's certificate by subscribing to the Credential | (AOR) to retrieve that AOR's certificate by subscribing to the | |||
| Service, which returns an authenticated response containing that | Credential Service, which returns an authenticated response | |||
| certificate. The Credential Service also allows users to store and | containing that certificate. The Credential Service also allows | |||
| retrieve their own certificates and private keys. | users to store and retrieve their own certificates and private keys. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 8 | 4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 8 | |||
| 5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 9 | 5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 9 | |||
| 6. Event Package Formal Definition for "certificate" . . . . . . 10 | 6. Event Package Formal Definition for "certificate" . . . . . . 10 | |||
| 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10 | 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10 | |||
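Review bot: the expiry sentence in this block is now inconsistent with the header. The new header reads "Expires: August 1, 2008" and the copyright year moved to 2008, but "This Internet-Draft will expire on January 9, 2008." is unchanged on both sides, so -05 expires (by its own boilerplate) the day it was published. The abstract change ("SIP package" to "SIP event package") is correct and matches the terminology used in Section 6.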
| skipping to change at page 12, line 33 ¶ | skipping to change at page 12, line 33 ¶ | |||
| subscription to this event type is permitted per resource. | subscription to this event type is permitted per resource. | |||
| 6.11. Rate of Notifications | 6.11. Rate of Notifications | |||
| Notifiers SHOULD NOT generate NOTIFY requests more frequently than | Notifiers SHOULD NOT generate NOTIFY requests more frequently than | |||
| once per minute. | once per minute. | |||
| 6.12. State Agents and Lists | 6.12. State Agents and Lists | |||
| The certificate server described in this section which serves | The certificate server described in this section which serves | |||
| certificates is a state agent and implementions of the certificate | certificates is a state agent and implementations of the | |||
| server MUST be implemented as a state agent. | certificate server MUST be implemented as a state agent. | |||
| Implementers MUST NOT use the event list extension [RFC4662] with | Implementers MUST NOT use the event list extension [RFC4662] with | |||
| this event type. It is not possible to make such an approach work, | this event type. It is not possible to make such an approach work, | |||
| because the Authentication service would have to simultaneously | because the Authentication service would have to simultaneously | |||
| assert several different identities. | assert several different identities. | |||
| 6.13. Behavior of a Proxy Server | 6.13. Behavior of a Proxy Server | |||
| There are no additional requirements on a SIP Proxy, other than to | There are no additional requirements on a SIP Proxy, other than to | |||
| transparently forward the SUBSCRIBE and NOTIFY requests as required | transparently forward the SUBSCRIBE and NOTIFY requests as required | |||
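Review bot: the typo fix in 6.12 leaves a sentence that states the same requirement twice, "is a state agent and implementations of the certificate server MUST be implemented as a state agent." One normative clause is enough, e.g. "The certificate server described in this section is a state agent, and implementations MUST behave as one." The same wording appears in 7.14, so the two sections should be tightened together.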
| skipping to change at page 14, line 43 ¶ | skipping to change at page 14, line 43 ¶ | |||
| When a credential service receives a SUBSCRIBE for a credential, the | When a credential service receives a SUBSCRIBE for a credential, the | |||
| credential service has to authenticate and authorize the UA and | credential service has to authenticate and authorize the UA and | |||
| validate that adequate transport security is being used. Only a UA | validate that adequate transport security is being used. Only a UA | |||
| that can authenticate as being able to register as the AOR is | that can authenticate as being able to register as the AOR is | |||
| authorized to receive the credentials for that AOR. The credential | authorized to receive the credentials for that AOR. The credential | |||
| Service MUST digest challenge the UA to authenticate the UA and then | Service MUST digest challenge the UA to authenticate the UA and then | |||
| decide if it is authorized to receive the credentials. If | decide if it is authorized to receive the credentials. If | |||
| authentication is successful, the Notifier MAY limit the duration of | authentication is successful, the Notifier MAY limit the duration of | |||
| the subscription to an administrator-defined period of time. The | the subscription to an administrator-defined period of time. The | |||
| duration of the subscription MUST not be larger than the length of | duration of the subscription MUST NOT be larger than the length of | |||
| time for which the certificate is still valid. The Expires header | time for which the certificate is still valid. The Expires header | |||
| field SHOULD be set so that it is not longer than the notAfter date | field SHOULD be set so that it is not longer than the notAfter date | |||
| in the certificate. | in the certificate. | |||
| 7.8. Notifier Generation of NOTIFY Requests | 7.8. Notifier Generation of NOTIFY Requests | |||
| Once the UA has authenticated with the credential service and the | Once the UA has authenticated with the credential service and the | |||
| subscription is accepted, the credential service MUST immediately | subscription is accepted, the credential service MUST immediately | |||
| send a Notify request. The Notifier SHOULD include the current etag | send a Notify request. The Notifier SHOULD include the current etag | |||
| value in the "etag" Event package parameter in the NOTIFY request. | value in the "etag" Event package parameter in the NOTIFY request. | |||
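Review bot: the "MUST not" to "MUST NOT" fix exposes a normative-strength mismatch in the two sentences that follow each other: "The duration of the subscription MUST NOT be larger than the length of time for which the certificate is still valid" and "The Expires header field SHOULD be set so that it is not longer than the notAfter date in the certificate." Both describe the same bound, so the second should be a MUST (or the first a SHOULD) and the text should say which one governs when the administrator-defined period is shorter. Separately, "validate that adequate transport security is being used" does not say what is adequate for delivering a private key; if the requirement is stated elsewhere in the draft, a section reference here would help implementers.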
| skipping to change at page 16, line 44 ¶ | skipping to change at page 16, line 44 ¶ | |||
| This event package does not permit forked requests. | This event package does not permit forked requests. | |||
| 7.13. Rate of Notifications | 7.13. Rate of Notifications | |||
| Notifiers SHOULD NOT generate NOTIFY requests more frequently than | Notifiers SHOULD NOT generate NOTIFY requests more frequently than | |||
| once per minute. | once per minute. | |||
| 7.14. State Agents and Lists | 7.14. State Agents and Lists | |||
| The credential server described in this section which serves | The credential server described in this section which serves | |||
| credentials is a state agent and implementions of the credential | credentials is a state agent and implementations of the credential | |||
| server MUST be implemented as a state agent. | server MUST be implemented as a state agent. | |||
| Implementers MUST NOT use the event list extension [RFC4662] with | Implementers MUST NOT use the event list extension [RFC4662] with | |||
| this event type. | this event type. | |||
| 7.15. Behavior of a Proxy Server | 7.15. Behavior of a Proxy Server | |||
| The behavior is identical to behavior described for certificate | The behavior is identical to behavior described for certificate | |||
| subscriptions described in Section 6.13. | subscriptions described in Section 6.13. | |||
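Review bot: 7.14 carries the same "MUST NOT use the event list extension [RFC4662]" as 6.12 but, unlike 6.12, gives no rationale. 7.15 already cross-references 6.13 for proxy behaviour; 7.14 should either cross-reference 6.12 the same way or state its own reason, which for credentials follows from the authorization rule earlier in Section 7 ("Only a UA that can authenticate as being able to register as the AOR is authorized to receive the credentials for that AOR"), since a list subscription would return credentials for several AORs under one authentication.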
| skipping to change at page 30, line 7 ¶ | skipping to change at page 30, line 7 ¶ | |||
| 505 Burrard Street | 505 Burrard Street | |||
| Vancouver, BC V7X 1M3 | Vancouver, BC V7X 1M3 | |||
| Canada | Canada | |||
| Phone: +1 604 320-3344 | Phone: +1 604 320-3344 | |||
| Email: jason@counterpath.com | Email: jason@counterpath.com | |||
| URI: http://www.counterpath.com | URI: http://www.counterpath.com | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2008). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | |||
| THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | |||
| OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | |||
End of changes. 9 change blocks. 16 lines changed or deleted, 16 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/