Paul Hoffman wrote:
>  From what I have heard, all of them will, and all of them that don't 
> ask "CN or SAN" give them in SAN. I could be wrong, of course. I'll 
> ask on the PKIX list, and will report back.

Paul: OK, good.  That would be invaluable data.

> Given that there is now lots of interop experience with SIP-over-TLS, 
> has anyone checked the certs floating around for whether there are 
> any using domain names in CN? If not, you shouldn't have to drag 
> around that baggage.

I believe -- and someone on the WG will correct me if I am wrong --
that most of our interop experience with SIP/TLS comes from the
SIPits (SIP Interoperability Events).  At the SIPits, the certs
are generated and handed off to individual implementations.  These
certs have the identity in the SAN.   So this is not that much of
an issue when we have control of how certs are created.

Here is the breakdown of TLS support in the last few SIPits:

SIPit Number       Support for TLS (Total implementations)
-----------------------------------------------------------
     16                43.8%      (57)
     18                41.0%      (73)
     19                45.0% [1]  (90)
                       36.0% [2]
     20                46.0% [1]  (90)
                       24.0% [2]
     21                49.0% [1]  (70)
                        6.0% [2]
[1] Server auth only
[2] Server or mutual auth

I do not have a good feel for the deployment of SIP/TLS out in
the wild.  If anyone in the WG is using an X.509 cert for TLS,
it would be great to have some data as to where the identities
are encoded, and how many there are, etc.

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: [EMAIL PROTECTED],bell-labs.com,acm.org}
WWW:   http://www.alcatel-lucent.com/bell-labs
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
