Hi! Looking at the DANE SRV draft with my SIP eyes I realize that there's a lot of work to be done to get this to work with SIP.
SIP has no StartTLS; we use NAPTR records to select transport. The NAPTR points to an SRV name that resolves into a set of host names. The SIP domain certificates RFC - http://tools.ietf.org/html/rfc5922 - specifies matching a given SIP URI with a certificate. The matching is done on the service domain, either with an ALT name URI, like sip:ietf.org, or a DNS name, like ietf.org - but not the host name.

I personally agree with the policy in the DANE SRV draft that we should match on the SRV hostname used to get A/AAAA records when using DNSsec. For this to work, the path from the SIP URI over NAPTR to SRV and hostnames needs to be fully signed and verified in the DNS. This is going to require an update to 5922.

The final question is how to handle this without SNI. The certificates for both DANE verification and RFC 5922 plus "old-style" verification with the SIP domain in the CN seem like a complicated mess to manage.

Food for thought on a sunny Sunday.

The SRV draft is not clear on how to use Subject AltNames of various types, and doesn't mention NAPTR. I am not personally aware of other protocols using this setup, so maybe this requires a very SIP-specific draft, following in the wake of the SMTP work.

/O
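To make the resolution path the message describes concrete, here is an added example (not from the poster, and not code from any IETF draft) that walks NAPTR -> SRV -> TLSA over a constructed, in-memory set of DNS answers, each carrying a flag for whether a validating resolver reported it as DNSSEC-secure. It assumes the SRV draft's TLSA naming convention of `_port._tcp.<SRV target>` and its rule that the SRV target host is the reference identity only when the NAPTR and SRV hops were both validated, falling back to the service domain (the RFC 5922 behaviour) otherwise. The zone contents, hostnames and TLSA data are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Answer:
    """One DNS answer as seen from a validating stub resolver."""
    rrtype: str
    rdata: Tuple[tuple, ...]
    secure: bool  # True if the resolver reported the data as DNSSEC-validated (AD bit)


Zone = Dict[Tuple[str, str], Answer]


def make_zone(srv_secure: bool = True) -> Zone:
    """Constructed sample answers for example.com (not real DNS data).

    The TLSA certificate-association data is a placeholder, not a real hash.
    """
    return {
        ("example.com.", "NAPTR"): Answer("NAPTR", (
            # (order, preference, flags, service, regexp, replacement)
            (10, 50, "S", "SIPS+D2T", "", "_sips._tcp.example.com."),
            (20, 50, "S", "SIP+D2T", "", "_sip._tcp.example.com."),
        ), secure=True),
        ("_sips._tcp.example.com.", "SRV"): Answer("SRV", (
            # (priority, weight, port, target)
            (0, 1, 5061, "sip1.example.com."),
        ), secure=srv_secure),
        ("_5061._tcp.sip1.example.com.", "TLSA"): Answer("TLSA", (
            # (usage, selector, matching type, association data)
            (3, 1, 1, "PLACEHOLDER-SHA256"),
        ), secure=True),
    }


def _lookup(zone: Zone, owner: str, rrtype: str) -> Optional[Answer]:
    return zone.get((owner.lower(), rrtype))


def resolve_sips_dane(service_domain: str, zone: Zone) -> dict:
    """Walk NAPTR -> SRV -> TLSA for a SIP service domain.

    Returns the TLSA owner name the client would query, whether the NAPTR and
    SRV hops were both DNSSEC-validated, and which name the client should use
    as the reference identity when checking the server certificate.
    """
    naptr = _lookup(zone, service_domain, "NAPTR")
    if naptr is None:
        raise LookupError(f"no NAPTR records for {service_domain}")

    # Pick the most preferred NAPTR that selects SIP over TLS (SIPS+D2T).
    tls_naptrs = sorted(
        (r for r in naptr.rdata if r[3].upper() == "SIPS+D2T"),
        key=lambda r: (r[0], r[1]),
    )
    if not tls_naptrs:
        raise LookupError(f"no TLS-capable NAPTR record for {service_domain}")
    srv_name = tls_naptrs[0][5]

    srv = _lookup(zone, srv_name, "SRV")
    if srv is None:
        raise LookupError(f"no SRV records at {srv_name}")
    # Lowest priority wins; weight only matters among equal priorities.
    _priority, _weight, port, target = sorted(srv.rdata, key=lambda r: (r[0], -r[1]))[0]

    # Both the NAPTR and the SRV answer must be validated before the SRV
    # target can be trusted as the name to authenticate. A/AAAA lookups do
    # not influence the TLSA owner name, so they are not consulted here.
    chain_secure = naptr.secure and srv.secure

    tlsa_owner = f"_{port}._tcp.{target}"
    tlsa = _lookup(zone, tlsa_owner, "TLSA")
    dane_usable = chain_secure and tlsa is not None and tlsa.secure

    # Assumed rule from the SRV draft: with a validated chain, match the
    # certificate against the SRV target host; otherwise fall back to the
    # service domain, as RFC 5922 does.
    reference_identity = target if chain_secure else service_domain

    return {
        "srv_name": srv_name,
        "target": target,
        "port": port,
        "tlsa_owner": tlsa_owner,
        "chain_secure": chain_secure,
        "dane_usable": dane_usable,
        "reference_identity": reference_identity.rstrip("."),
    }


if __name__ == "__main__":
    for secure in (True, False):
        print(resolve_sips_dane("example.com.", make_zone(srv_secure=secure)))
```

Running it with `srv_secure=False` shows the failure mode the message worries about: an unsigned hop anywhere between the SIP URI and the SRV target means the client cannot safely take the host name from DNS, so DANE is off and certificate matching reverts to the service domain.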
