| < draft-ietf-sip-certs-08.txt | draft-ietf-sip-certs-09.txt > | |||
|---|---|---|---|---|
| Network Working Group C. Jennings | Network Working Group C. Jennings | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Intended status: Standards Track J. Fischl, Ed. | Intended status: Standards Track J. Fischl, Ed. | |||
| Expires: January 14, 2010 Skype | Expires: March 12, 2010 Skype | |||
| July 13, 2009 | September 8, 2009 | |||
| Certificate Management Service for The Session Initiation Protocol (SIP) | Certificate Management Service for The Session Initiation Protocol (SIP) | |||
| draft-ietf-sip-certs-08 | draft-ietf-sip-certs-09 | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. This document may contain material | |||
| from IETF Documents or IETF Contributions published or made publicly | ||||
| available before November 10, 2008. The person(s) controlling the | ||||
| copyright in some of this material may not have granted the IETF | ||||
| Trust the right to allow modifications of such material outside the | ||||
| IETF Standards Process. Without obtaining an adequate license from | ||||
| the person(s) controlling the copyright in such materials, this | ||||
| document may not be modified outside the IETF Standards Process, and | ||||
| derivative works of it may not be created outside the IETF Standards | ||||
| Process, except to format it for publication as an RFC or to | ||||
| translate it into languages other than English. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on January 14, 2010. | This Internet-Draft will expire on March 12, 2010. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents in effect on the date of | |||
| publication of this document (http://trustee.ietf.org/license-info). | publication of this document (http://trustee.ietf.org/license-info). | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 3, line 7 ¶ | |||
| Initiation Protocol (SIP) User Agents (UAs) to use a SIP event | Initiation Protocol (SIP) User Agents (UAs) to use a SIP event | |||
| package to discover the certificates of other users. This mechanism | package to discover the certificates of other users. This mechanism | |||
| allows user agents that want to contact a given Address-of-Record | allows user agents that want to contact a given Address-of-Record | |||
| (AOR) to retrieve that AOR's certificate by subscribing to the | (AOR) to retrieve that AOR's certificate by subscribing to the | |||
| Credential Service, which returns an authenticated response | Credential Service, which returns an authenticated response | |||
| containing that certificate. The Credential Service also allows | containing that certificate. The Credential Service also allows | |||
| users to store and retrieve their own certificates and private keys. | users to store and retrieve their own certificates and private keys. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 8 | 4. UA Behavior with Certificates . . . . . . . . . . . . . . . . 9 | |||
| 5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 9 | 5. UA Behavior with Credentials . . . . . . . . . . . . . . . . . 10 | |||
| 6. Event Package Formal Definition for "certificate" . . . . . . 10 | 6. Event Package Formal Definition for "certificate" . . . . . . 11 | |||
| 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10 | 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6.2. Event Package Parameters . . . . . . . . . . . . . . . . . 10 | 6.2. Event Package Parameters . . . . . . . . . . . . . . . . . 11 | |||
| 6.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 10 | 6.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6.4. Subscription Duration . . . . . . . . . . . . . . . . . . 10 | 6.4. Subscription Duration . . . . . . . . . . . . . . . . . . 11 | |||
| 6.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 10 | 6.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 11 | 6.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 12 | |||
| 6.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 11 | 6.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 12 | |||
| 6.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 11 | 6.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 12 | |||
| 6.9. Subscriber Processing of NOTIFY Requests . . . . . . . . . 12 | 6.9. Subscriber Processing of NOTIFY Requests . . . . . . . . . 13 | |||
| 6.10. Handling of Forked Requests . . . . . . . . . . . . . . . 12 | 6.10. Handling of Forked Requests . . . . . . . . . . . . . . . 13 | |||
| 6.11. Rate of Notifications . . . . . . . . . . . . . . . . . . 12 | 6.11. Rate of Notifications . . . . . . . . . . . . . . . . . . 13 | |||
| 6.12. State Agents and Lists . . . . . . . . . . . . . . . . . . 12 | 6.12. State Agents and Lists . . . . . . . . . . . . . . . . . . 13 | |||
| 6.13. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 12 | 6.13. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 13 | |||
| 7. Event Package Formal Definition for "credential" . . . . . . . 13 | 7. Event Package Formal Definition for "credential" . . . . . . . 14 | |||
| 7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 13 | 7.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.2. Event Package Parameters . . . . . . . . . . . . . . . . . 13 | 7.2. Event Package Parameters . . . . . . . . . . . . . . . . . 14 | |||
| 7.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 13 | 7.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.4. Subscription Duration . . . . . . . . . . . . . . . . . . 13 | 7.4. Subscription Duration . . . . . . . . . . . . . . . . . . 14 | |||
| 7.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 13 | 7.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 14 | 7.6. Subscriber Generation of SUBSCRIBE Requests . . . . . . . 15 | |||
| 7.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 14 | 7.7. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 15 | |||
| 7.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 15 | 7.8. Notifier Generation of NOTIFY Requests . . . . . . . . . . 16 | |||
| 7.9. Generation of PUBLISH Requests . . . . . . . . . . . . . . 15 | 7.9. Generation of PUBLISH Requests . . . . . . . . . . . . . . 16 | |||
| 7.10. Notifier Processing of PUBLISH Requests . . . . . . . . . 16 | 7.10. Notifier Processing of PUBLISH Requests . . . . . . . . . 17 | |||
| 7.11. Subscriber Processing of NOTIFY Requests . . . . . . . . . 16 | 7.11. Subscriber Processing of NOTIFY Requests . . . . . . . . . 17 | |||
| 7.12. Handling of Forked Requests . . . . . . . . . . . . . . . 16 | 7.12. Handling of Forked Requests . . . . . . . . . . . . . . . 17 | |||
| 7.13. Rate of Notifications . . . . . . . . . . . . . . . . . . 16 | 7.13. Rate of Notifications . . . . . . . . . . . . . . . . . . 17 | |||
| 7.14. State Agents and Lists . . . . . . . . . . . . . . . . . . 17 | 7.14. State Agents and Lists . . . . . . . . . . . . . . . . . . 18 | |||
| 7.15. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 17 | 7.15. Behavior of a Proxy Server . . . . . . . . . . . . . . . . 18 | |||
| 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 8.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 17 | 8.1. Encrypted Page Mode IM Message . . . . . . . . . . . . . . 18 | |||
| 8.2. Setting and Retrieving UA Credentials . . . . . . . . . . 18 | 8.2. Setting and Retrieving UA Credentials . . . . . . . . . . 19 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | ||||
| 9.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 22 | ||||
| 9.2. Certificate Replacement . . . . . . . . . . . . . . . . . 23 | ||||
| 9.3. Trusting the Identity of a Certificate . . . . . . . . . . 23 | ||||
| 9.4. SACRED Framework . . . . . . . . . . . . . . . . . . . . . 24 | ||||
| 9.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 24 | ||||
| 9.6. User Certificate Generation . . . . . . . . . . . . . . . 24 | ||||
| 9.7. Compromised Authentication Service . . . . . . . . . . . . 25 | ||||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 9.1. Certificate Revocation . . . . . . . . . . . . . . . . . . 21 | 10.1. Certificate Event Package . . . . . . . . . . . . . . . . 26 | |||
| 9.2. Certificate Replacement . . . . . . . . . . . . . . . . . 22 | 10.2. Credential Event Package . . . . . . . . . . . . . . . . . 26 | |||
| 9.3. Trusting the Identity of a Certificate . . . . . . . . . . 22 | 10.3. PKCS#8 . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 9.4. SACRED Framework . . . . . . . . . . . . . . . . . . . . . 23 | 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 9.5. Crypto Profiles . . . . . . . . . . . . . . . . . . . . . 23 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 9.6. User Certificate Generation . . . . . . . . . . . . . . . 23 | 12.1. Normative References . . . . . . . . . . . . . . . . . . . 28 | |||
| 9.7. Compromised Authentication Service . . . . . . . . . . . . 24 | 12.2. Informational References . . . . . . . . . . . . . . . . . 29 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 10.1. Certificate Event Package . . . . . . . . . . . . . . . . 25 | ||||
| 10.2. Credential Event Package . . . . . . . . . . . . . . . . . 25 | ||||
| 10.3. PKCS#8 . . . . . . . . . . . . . . . . . . . . . . . . . . 26 | ||||
| 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 | ||||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | ||||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . . 27 | ||||
| 12.2. Informational References . . . . . . . . . . . . . . . . . 28 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | ||||
| 1. Introduction | 1. Introduction | |||
| [RFC3261], as ammended by [RFC3853], provides a mechanism for end-to- | [RFC3261], as ammended by [RFC3853], provides a mechanism for end-to- | |||
| end encryption and integrity using S/MIME [RFC3851]. Several | end encryption and integrity using S/MIME [RFC3851]. Several | |||
| security properties of [RFC3261] depend on S/MIME, and yet it has not | security properties of [RFC3261] depend on S/MIME, and yet it has not | |||
| been widely deployed. One reason is the complexity of providing a | been widely deployed. One reason is the complexity of providing a | |||
| reasonable certificate distribution infrastructure. This | reasonable certificate distribution infrastructure. This | |||
| specification proposes a way to address discovery, retrieval, and | specification proposes a way to address discovery, retrieval, and | |||
| management of certificates for SIP deployments. Combined with the | management of certificates for SIP deployments. Combined with the | |||
| skipping to change at page 14, line 8 ¶ | skipping to change at page 15, line 8 ¶ | |||
| contains both an application/pkix-cert body with the certificate and | contains both an application/pkix-cert body with the certificate and | |||
| an application/pkcs8 body that has the associated private key | an application/pkcs8 body that has the associated private key | |||
| information for the certificate. The Content-Disposition MUST be set | information for the certificate. The Content-Disposition MUST be set | |||
| to "signal" as defined in [RFC3204]. | to "signal" as defined in [RFC3204]. | |||
| A future extension MAY define other NOTIFY bodies. If no "Accept" | A future extension MAY define other NOTIFY bodies. If no "Accept" | |||
| header field is present in the SUBSCRIBE, the body type defined in | header field is present in the SUBSCRIBE, the body type defined in | |||
| this document MUST be assumed. | this document MUST be assumed. | |||
| The application/pkix-cert body is a DER encoded X.509v3 certificate | The application/pkix-cert body is a DER encoded X.509v3 certificate | |||
| [RFC2585]. The application/pkcs8 body contains a DER-encoded PKCS#8 | [RFC2585]. The application/pkcs8 body contains a DER-encoded | |||
| [PKCS.8.1993] object that contains the private key. The PKCS#8 | [RFC5208] object that contains the private key. The PKCS#8 objects | |||
| objects MUST be of type PrivateKeyInfo. The integrity and | MUST be of type PrivateKeyInfo. The integrity and confidentiality of | |||
| confidentiality of the PKCS#8 objects is provided by the TLS | the PKCS#8 objects is provided by the TLS transport. The transport | |||
| transport. The transport encoding of all the MIME bodies is binary. | encoding of all the MIME bodies is binary. | |||
| 7.6. Subscriber Generation of SUBSCRIBE Requests | 7.6. Subscriber Generation of SUBSCRIBE Requests | |||
| A Subscriber User Agent will subscribe to its credential information | A Subscriber User Agent will subscribe to its credential information | |||
| for a period of hours or days and will automatically attempt to re- | for a period of hours or days and will automatically attempt to re- | |||
| subscribe before the subscription has completely expired. | subscribe before the subscription has completely expired. | |||
| The Subscriber SHOULD subscribe to its credentials whenever a new | The Subscriber SHOULD subscribe to its credentials whenever a new | |||
| user becomes associated with the device (a new login). The | user becomes associated with the device (a new login). The | |||
| subscriber SHOULD also renew its subscription immediately after a | subscriber SHOULD also renew its subscription immediately after a | |||
| skipping to change at page 27, line 9 ¶ | skipping to change at page 28, line 9 ¶ | |||
| help and discussion. Many others provided useful comments, including | help and discussion. Many others provided useful comments, including | |||
| Kumiko Ono, Peter Gutmann, Russ Housley, Yaron Pdut, Aki Niemi, | Kumiko Ono, Peter Gutmann, Russ Housley, Yaron Pdut, Aki Niemi, | |||
| Magnus Nystrom, Paul Hoffman, Adina Simu, Dan Wing, Mike Hammer and | Magnus Nystrom, Paul Hoffman, Adina Simu, Dan Wing, Mike Hammer and | |||
| Lyndsay Campbell. Rohan Mahy, John Elwell, and Jonathan Rosenberg | Lyndsay Campbell. Rohan Mahy, John Elwell, and Jonathan Rosenberg | |||
| provided detailed review and text. | provided detailed review and text. | |||
| 12. References | 12. References | |||
| 12.1. Normative References | 12.1. Normative References | |||
| [PKCS.8.1993] | ||||
| RSA Laboratories, "Private-Key Information Syntax | ||||
| Standard, Version 1.2", PKCS 8, November 1993. | ||||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
| November 1996. | November 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key | [RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key | |||
| Infrastructure Operational Protocols: FTP and HTTP", | Infrastructure Operational Protocols: FTP and HTTP", | |||
| RFC 2585, May 1999. | RFC 2585, May 1999. | |||
| skipping to change at page 27, line 46 ¶ | skipping to change at page 28, line 42 ¶ | |||
| [RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific | [RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific | |||
| Event Notification", RFC 3265, June 2002. | Event Notification", RFC 3265, June 2002. | |||
| [RFC3903] Niemi, A., "Session Initiation Protocol (SIP) Extension | [RFC3903] Niemi, A., "Session Initiation Protocol (SIP) Extension | |||
| for Event State Publication", RFC 3903, October 2004. | for Event State Publication", RFC 3903, October 2004. | |||
| [RFC4474] Peterson, J. and C. Jennings, "Enhancements for | [RFC4474] Peterson, J. and C. Jennings, "Enhancements for | |||
| Authenticated Identity Management in the Session | Authenticated Identity Management in the Session | |||
| Initiation Protocol (SIP)", RFC 4474, August 2006. | Initiation Protocol (SIP)", RFC 4474, August 2006. | |||
| [RFC5208] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8: | ||||
| Private-Key Information Syntax Specification Version 1.2", | ||||
| RFC 5208, May 2008. | ||||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| 12.2. Informational References | 12.2. Informational References | |||
| skipping to change at page 28, line 41 ¶ | skipping to change at page 29, line 41 ¶ | |||
| Phone: +1 408 421-9990 | Phone: +1 408 421-9990 | |||
| Email: fluffy@cisco.com | Email: fluffy@cisco.com | |||
| Jason Fischl (editor) | Jason Fischl (editor) | |||
| Skype | Skype | |||
| 2145 Hamilton Ave. | 2145 Hamilton Ave. | |||
| San Jose, CA 95125 | San Jose, CA 95125 | |||
| USA | USA | |||
| Phone: +1-408-786-5919 | Phone: +1-415-202-5192 | |||
| Email: jason.fischl@skype.net | Email: jason.fischl@skypelabs.com | |||
| End of changes. 10 change blocks. | ||||
| 69 lines changed or deleted | 79 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
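Review bot: In the Section 7.5 hunk (page 15), the new text reads "a DER-encoded [RFC5208] object that contains the private key", so the citation tag now stands in for the noun, and "PKCS#8" is first used in the following sentence without having been introduced. Suggest keeping the name and changing only the citation: "a DER-encoded PKCS#8 [RFC5208] object that contains the private key". The same paragraph requires type PrivateKeyInfo and relies on the TLS transport alone for the integrity and confidentiality of the objects. A sentence saying explicitly that the body carries no protection of its own would help implementers who store or forward it.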
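Review bot: In the Section 12.1 hunk (page 28), [RFC5208] replaces [PKCS.8.1993] under Normative References, while the header of this draft says "Intended status: Standards Track". Please confirm the publication category of RFC 5208. If it is not a standards-track document, this normative citation is a downward reference and should be called out as one when the draft goes to Last Call.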