Re: Domain certificates in SIP (complete)

[the last copy escaped early  ]

On Sat, 2007-06-23 at 16:46 -0400, Scott Lawrence wrote:
> draft-gurbani-sip-domain-certs-05 has been submitted to
> the IETF archives.  We've tried to incorporate some of the advice we got
> around the Prague meeting.
> 
> This version focuses fairly narrowly on:
> 
> - How to use and interpret the SIP identities in a X.509 certificate.
> - How to indicate that this particular certificate is for SIP
>   usage.
> 
> What goes in the subjectAltName, and a new EKU value, with the detailed
> steps to interpret and validate them are provided from the viewpoint of
> user agents, proxies, and registrars.
> 
> Until the -05 version appears in the archives, you can get it from:
> 
> http://svn.resiprocate.org/rep/ietf-drafts/gurbani/domain-certs/draft-gurbani-sip-domain-certs-05.txt
> http://svn.resiprocate.org/rep/ietf-drafts/gurbani/domain-certs/draft-gurbani-sip-domain-certs-05.html
> 
> Comments, questions and other feedback is much appreciated.

The authors would particularly appreciate some expert PKIX review on
whether or not the usage of the suggested Extended Key Usage reasonable
and (at least potentially) effective?  

This is described in sections 5 and 8.1:

Re: Domain certificates in SIP

On Sat, 2007-06-23 at 16:46 -0400, Scott Lawrence wrote:
> draft-gurbani-sip-domain-certs-05 has been submitted to
> the IETF archives.  We've tried to incorporate some of the advice we got
> around the Prague meeting.
> 
> This version focuses fairly narrowly on:
> 
> - How to use and interpret the SIP identities in a X.509 certificate.
> - How to indicate that this particular certificate is for SIP
>   usage.
> 
> What goes in the subjectAltName, and a new EKU value, with the detailed
> steps to interpret and validate them are provided from the viewpoint of
> user agents, proxies, and registrars.
> 
> Until the -05 version appears in the archives, you can get it from:
> 
> http://svn.resiprocate.org/rep/ietf-drafts/gurbani/domain-certs/draft-gurbani-sip-domain-certs-05.txt
> http://svn.resiprocate.org/rep/ietf-drafts/gurbani/domain-certs/draft-gurbani-sip-domain-certs-05.html
> 
> Comments, questions and other feedback is much appreciated.

There are two areas in this draft that we would particularly getting
appreciate some expert PKIX review:

      * Is the usage of the suggested Extended Key Usage reasonable and
        (at least potentially) effective?  This is described in 
--

-- 
Scott Lawrence  tel:+1-781-938-5306;ext=162 or sip:slawrence <at> pingtel.com

RE: Call for agenda items for the CHicago PKIX meeting

RE: Certificate authentication in SIP

Thanks Vijay, and thanks Scott for the clarification.

The SIP cert auth requirements document currently lists a few use cases:

 - the certificate identifies a device
 - the certificate identifies a user

There could also be the case where the device certificate is mapped to a
user for subscription purposes, and there are probably others.

As Sumanth states, depending on the agreed upon requirements, the
solution could leave these types of specifics as out of scope and just
handle the transport and messaging between UA and registrar, or we could
go so far as to have certificate profiles and requirements and then work
those requirements with the appropriate groups.

Thanks.

Steve. 

-----Original Message-----
From: Scott Lawrence [mailto:slawrence <at> pingtel.com] 
Sent: Friday, June 29, 2007 12:32 PM
To: IETF SIP List; ietf-pkix <at> imc.org
Subject: Re: [Sip] Certificate authentication in SIP

On Fri, 2007-06-29 at 09:37 -0500, Vijay K. Gurbani wrote:
> Sumanth Channabasappa wrote:
> > And if we find that certificates need some work to support this 
> > initiative (e.g., SIP identifiers as subjects), perhaps we can 
> > present some of those requirements to other WGs. If we find an 
> > existing solutions that can be used, good (and we can document them 
> > as such :) ).
> 
> Scott Lawrence and I have spent some time on this issue, i.e., SIP 
> identifiers as subjects in X.509 certificates.  The latest version of 
> the draft that includes pkix WG comments from Prague and the comments 
> of the sip WG ADs and others was posted last week to the archives, and

> is available at
> http://tools.ietf.org/html/draft-gurbani-sip-domain-certs-05

One qualification - the draft above is limited to certificates as whose
subject is a SIP domain - not an individual.  The goal is to clarify how
such certificates are constructed and constrained, and how they should
be used to authenticate that a server is authoritative for a domain.

> Comments on this version would be extremely helpful.

--
Scott Lawrence  tel:+1-781-938-5306;ext=162 or sip:slawrence <at> pingtel.com
  sipXecs project coordinator - SIPfoundry
http://www.sipfoundry.org/sipXecs
  Chief Technology Officer    - Pingtel Corp. http://www.pingtel.com/

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors <at> cs.columbia.edu for questions on current sip
Use sipping <at> ietf.org for new developments on the application of sip

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors <at> cs.columbia.edu for questions on current sip
Use sipping <at> ietf.org for new developments on the application of sip

I: I-D ACTION:draft-santoni-timestampeddata-00.txt

FYI

-----Messaggio originale-----
Da: Internet-Drafts <at> ietf.org [mailto:Internet-Drafts <at> ietf.org] 
Inviato: giovedì 5 luglio 2007 22.15
A: i-d-announce <at> ietf.org
Oggetto: I-D ACTION:draft-santoni-timestampeddata-00.txt 

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title		: Syntax for binding documents with time stamps
	Author(s)	: A. Santoni
	Filename	: draft-santoni-timestampeddata-00.txt
	Pages		: 8
	Date		: 2007-7-5
	
This document describes a syntax which can be used to bind a generic 
document (or any set of data, not necessarily protected by means of 
cryptographic techniques) to one or more time-stamp tokens obtained 
for that document, where "time-stamp token" has the meaning defined 
in [TSP]. 

Whereas digital time stamping has become the standard technique for 
proving the existence of a document before a certain point in time, 
there is not a generally accepted syntax for keeping together one 
document and the associated time-stamps in a single "bundle". Such a 
syntax would facilitate keeping track of which time-stamps belong to 
what documents and would therefore improve the efficiency of 
timestamp-aware applications. 

This document proposes a simple syntax based on [CMS], by defining a 
new contentType. 

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-santoni-timestampeddata-00.txt

To remove yourself from the I-D Announcement list, send a message to 
i-d-announce-request <at> ietf.org with the word unsubscribe in the body of 
the message. 
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce 
to change your subscription settings.

Internet-Drafts are also available by anonymous FTP. Login with the 
username "anonymous" and a password of your e-mail address. After 
logging in, type "cd internet-drafts" and then 
"get draft-santoni-timestampeddata-00.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv <at> ietf.org.
In the body type:
	"FILE /internet-drafts/draft-santoni-timestampeddata-00.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

_______________________________________________
I-D-Announce mailing list
I-D-Announce <at> ietf.org
https://www1.ietf.org/mailman/listinfo/i-d-announce

draft-ietf-pkix-scvp-32.txt

All,

I just submitted draft 32 of SCVP for posting.  This draft contains some 
editorial changes to address comments raised as a result of IESG review, 
but there are no changes to the protocol, either syntactic or semantic.  
A diff file comparing drafts 31 and 32 is available at 
http://csrc.nist.gov/pki/documents/PKIX/wdiff_draft-ietf-pkix-scvp-31_to_32.html.

I should note that this draft does not address every issue raised during 
the IESG review.  In particular, there are still outstanding comments 
from Lisa Dusseault relating to the use of HTTP, which is mainly 
specified in Appendix B of SCVP.  Lisa's comments may be found at 
https://datatracker.ietf.org/idtracker/draft-ietf-pkix-scvp/comment/65322.  
If there is someone who has a sufficient knowledge of HTTP to address 
the issues that Lisa raises and who is willing to work with us to 
resolve these issues, that would be appreciated.

Dave

Re: draft-ietf-pkix-scvp-32.txt

Re: draft-ietf-pkix-scvp-32.txt

Re: draft-ietf-pkix-scvp-32.txt

Re: draft-ietf-pkix-scvp-32.txt

Dave Engberg <dengberg <at> narrowmountain.com> writes:

>SCVP is a protocol that can make complex PKIs work. 
 ^^^^^^^^^^^^^^^^^^^^^^^

You misspelled "nothing".

Peter.