[SIP Beyond VoIP] TLS certificate of sip2sip.info is "wrong"

James Cloos cloos at jhcloos.com
Fri Jan 24 00:59:15 CET 2014

>>>>> "AG" == Adrian Georgescu <ag at ag-projects.com> writes:

AG> I believe the cert is bound to the A record where the client attempts
AG> to connect after NAPTR and SRV record lookups. A domain is served by
AG> different A records for different services and the client should use
AG> the A record name for validation rather than the original domain.

That would have been the reasonable choice, but unfortunately the sip
rfcs went the other way.

SMTP gets this right; SIP does not.

The ideas that every domain should have its own unique proxies or that
proxies need to have every domain they may SRV in their certs are unworkable.

To be fair, reasonable trust requires that the full chain of dns lookups
be signed when the tls cert is for the proxy rather than for the uri.

But the fix is to sign the dns, not to demand every possible uri in a
proxy's cert.

James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
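
The two validation choices debated in this message, as an added example that is not part of the original post or of any SIP implementation: a client checks the certificate either against the domain in the SIP URI or against the SRV target, and accepts the SRV target only when the whole DNS lookup chain was DNSSEC-validated. The host names, the policy names `uri-domain` and `srv-target`, and the fallback to the URI domain on an unsigned chain are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Lookup:
    """Outcome of resolving a SIP URI (constructed sample data, no live DNS)."""
    uri_domain: str        # host part of the SIP URI the user dialled
    srv_target: str        # proxy host name returned by the NAPTR/SRV lookups
    dnssec_chain_ok: bool  # True only if every lookup step was DNSSEC-validated

def name_matches(cert_name: str, host: str) -> bool:
    """Exact, case-insensitive DNS name comparison (no wildcard handling here)."""
    return cert_name.lower().rstrip(".") == host.lower().rstrip(".")

def reference_identity(lk: Lookup, policy: str) -> str:
    """Pick the name the certificate must contain.

    'uri-domain': always the domain from the SIP URI.
    'srv-target': the proxy name, but only if DNS could not have been
                  forged on the way; otherwise fall back to the URI domain
                  (assumed fallback, chosen for this example).
    """
    if policy == "uri-domain":
        return lk.uri_domain
    if policy == "srv-target":
        return lk.srv_target if lk.dnssec_chain_ok else lk.uri_domain
    raise ValueError("unknown policy: " + policy)

def cert_acceptable(lk: Lookup, cert_dns_names: List[str], policy: str) -> bool:
    """True if any DNS name in the certificate equals the reference identity."""
    ref = reference_identity(lk, policy)
    return any(name_matches(n, ref) for n in cert_dns_names)

# Constructed scenario: a hosted domain whose SRV record points at a shared
# proxy, and a proxy certificate that names only the proxy itself.
PROXY_CERT = ["proxy.provider.example"]
SIGNED = Lookup("customer.example", "proxy.provider.example", True)
UNSIGNED = Lookup("customer.example", "proxy.provider.example", False)

if __name__ == "__main__":
    for label, lk in (("signed DNS", SIGNED), ("unsigned DNS", UNSIGNED)):
        for policy in ("uri-domain", "srv-target"):
            print(label, policy, cert_acceptable(lk, PROXY_CERT, policy))
```
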
