On Wed, 2010-11-10 at 08:38 +0100, Olle E. Johansson wrote: > 6 nov 2010 kl. 15.30 skrev Hans Witvliet: > > > Hi all, > > > > As stated in the subject, slightly off-topic, as it is not directly a > > Asterisk issue, but more SIP in general > > > > Because security in general, and specifically identification becomes > > more and more a subject for more concern, and Asterisk is capable of > > doing sip/TLS, i was wondering what more could be done to improve > > security. > > > > Specially softphones, might it be possible to employ etokens or > > smartcards for holding the certificates needed by TLS? > > > > Done before? > > In the SIP protocol there is support for TLS client certificates, much like > in HTTP. > > Asterisk doesn't support it. You need to put a SIP proxy like Kamailio in > front of Asterisk to get this kind of strong authentication. > > /O Am i that mistaken?
I got the impression** that sip-registration of a phone could be done in the same way as client-authentication on apache: On the server-side you got the certificate holding your public key which is signed by a trusted third party (the CA), while you hold your private key on a smartcard or token. If you start your browser you are prompted for your pin-code. I was just hoping that there would be a softphone that could work the same way, two-factor authentication. Hans ** http://www.remiphilippe.fr/2010/05/30/sips-on-asterisk-sip-security-with-tls/ http://www.sipring.ru/overview/func-asterisk/100-asterisk-tls-transport.html -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users