SIP WG                                                        V. Gurbani
Internet-Draft                                                A. Jeffrey
Expires:  December 28, 2006               Lucent Technologies, Inc./Bell
                                                            Laboratories
                                                           June 26, 2006


      Domain Certificates in the Session Initiation Protocol (SIP)
                   draft-gurbani-sip-domain-certs-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 28, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document attempts to clarify the use of domain certificates in
   the Session Initiation Protocol (SIP).  Currently, there is much
   ambiguity surrounding domain -- or site -- certificates.







Gurbani & Jeffrey       Expires December 28, 2006               [Page 1]

Internet-Draft                Domain Certs                     June 2006


Table of Contents

   1.   Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.   Problem Statement  . . . . . . . . . . . . . . . . . . . . .   3
   4.   A Possible Solution to Conveying the Peer Identity . . . . .   4
   5.   Registrars and Redirect Servers  . . . . . . . . . . . . . .   5
   6.   Proxy Servers, Identities and SIP Headers  . . . . . . . . .   6
   7.   Server Farms and Certificate Content . . . . . . . . . . . .   8
     7.1  Choosing a Server in the Proxy Farm  . . . . . . . . . . .   9
     7.2  Authenticating a Server From the Proxy Farm  . . . . . . .   9
   8.   Virtual SIP Servers and Certificate Content  . . . . . . . .  10
   9.   Wildcards in dNSName Type  . . . . . . . . . . . . . . . . .  11
   10.  Security Considerations  . . . . . . . . . . . . . . . . . .  11
   11.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .  13
   12.  References . . . . . . . . . . . . . . . . . . . . . . . . .  13
     12.1   Normative References . . . . . . . . . . . . . . . . . .  13
     12.2   Informative References . . . . . . . . . . . . . . . . .  13
        Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  14
   A.   Retargetting in SIP  . . . . . . . . . . . . . . . . . . . .  14
   B.   Retargetting and Identity  . . . . . . . . . . . . . . . . .  16
        Intellectual Property and Copyright Statements . . . . . . .  18





























Gurbani & Jeffrey       Expires December 28, 2006               [Page 2]

Internet-Draft                Domain Certs                     June 2006


1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

2.  Introduction

   Transport Layer Security (TLS) [3] has started to appear in an
   increasing number of Session Initiation Protocol (SIP) [2]
   implementations.  TLS depends on the Internet X.509 Public Key
   Infrastructure [4] for its proper use and function.

   Despite the appearance of TLS in SIP implementations, an enduring
   question has remained regarding the contents of the certificates for
   domain verification.  We hope that the discussion in this document
   provides some guidelines in this area.  Moreover, TLS by itself only
   provides security guarantees for the transport layer.  In this
   document, we also discuss the requirements of SIPS message processing
   to ensure that these security guarantees are also provided at the
   application layer.

   The discussion in this document is pertinent to a certificate used
   for a TLS connection.  It may not apply in its entirety to a
   certificate used in S/MIME, for instance.

3.  Problem Statement

   Put succinctly, the problem can be summarized as how should hosts be
   identified in a certificate that purports to authoritatively
   represent a domain from which a request is being sent from, or a
   domain to which a request is being sent to?  Not surprisingly, the
   answer has varied depending on the exact assumptions under
   consideration.

   In SIP, proxy servers, redirect servers, and registrars must posses
   domain certificates by which their identity is conveyed in an
   authoritative fashion to a client.  Conversely, a proxy server in
   particular, accepting inter-domain requests from other proxy servers
   may ask of equivalent domain certificate from its peer.  As such, a
   domain certificate must provide two pieces of identification.  First,
   it must provide an assurance the peer presenting the certificate is
   an authority for the domain, and second, since TLS in SIP is defined
   on a hop-by-hop basis, the certificate must also convey the identity
   of the host that presents the certificate.  It is conceivable that
   the latter identification be made optional; however, an explicit
   binding in this fashion is preferable to implicitly assuming that a
   certificate presented that does not contain the canonical name of the



Gurbani & Jeffrey       Expires December 28, 2006               [Page 3]

Internet-Draft                Domain Certs                     June 2006


   host does indeed belong to the said host.  TLS connections are made
   between individual hosts, thus conveying the identity of the host
   directly in the certificate in the form of a canonical host name
   provides a strong guarantee that the host is indeed who it purports
   to be.

4.  A Possible Solution to Conveying the Peer Identity

   A TLS client connecting to a TLS server, and a TLS server who has
   received a certificate from a TLS client need to ensure that the
   identity of the peer is contained in the certificate.  Traditionally,
   the identity of the peer in the form of a domain name was carried in
   the Common Name field of the Subject field.  However, RFC 3280 [4]
   has mandated that such identities now be carried in the
   subjectAltName extension.

   Accordingly, the recommendations of the SIP working group have been
   to populate the X.509v3 subjectAltName extension.  However, this is
   underspecified in RFC 3261, which mentions subjectAltName in
   conjunction with S/MIME only and not TLS.  For S/MIME certificates,
   the subjectAltName provides additional identities of the certificate
   holder, some in the form of a SIP URI.  RFC 3261 does not provide any
   guidelines on the use of subjectAltName for TLS certificates.  As a
   result, some implementations populate only the Common Name field of
   the Subject field with a domain name, and others populate only the
   subjectAltName extension, while still others populate both.  This
   leads to problems when attempting to interpret the certificate
   contents in a uniform manner.

   As a possible answer to the problem of conveying identity described
   above, it seems appropriate that TLS certificates contain two
   identities in the subjectAltName X.509v3 extension.  The first
   identity would be a Uniform Resource Identifier (URI), more
   specifically, a SIP URI.  This URI corresponds to the name of the
   domain over which that certificate is asserting its authority (e.g.,
   "URI:sip:example.com").  The second identity would correspond to a
   domain name system label, more specifically, the canonical name of
   the host (e.g., "DNS:proxy-1.example.com") to who the certificate
   belongs.

      Note that RFC 3261 states that "Proxy servers, redirect servers
      and registrars SHOULD possess a site certificate whose subject
      corresponds to their canonical hostname."  (Section 26.3.1)

   The notion that a domain certificate contains, at the very least, the
   two identities mentioned above is well worth consideration and
   further discussion.  It solves the problem identified in Section 5.1
   of [8], as well as satisfy the RFC 3261 concept on what should be



Gurbani & Jeffrey       Expires December 28, 2006               [Page 4]

Internet-Draft                Domain Certs                     June 2006


   contained in a site (or domain) certificate (Section 26.3.1 of RFC
   3261, quoted above).

   As an example, consider that the autonomous domain example.com is
   applying for a certificate from an authority.  As part of the
   certificate request, it will ask the following two identities be
   bound to the generated certificate:  "URI:sip:example.com", and "DNS:
   proxy-1.example.com".  The former (domain) URI asserts the ownership
   of the domain to the holder of the certificate, and the latter (host)
   URI identifies the particular host on hop-by-hop TLS connections.

   Aspects of this document have been discussed on the SIP working group
   mailing list and some consensus appears to be coalescing around how
   to identify a downstream server when the said server presents a
   certificate upon contact.  More specifically, when a client asks for
   a certificate from the server, and receives one, the certificate must
   assert an identity corresponding to the name that the client
   performed a RFC3263-type resolution on.  A certificate asserting an
   identity of "sip:example.com" provides a sufficient anchor for
   identifying the said server if the client was attempting to connect
   to a Request-URI (R-URI) (or the URI in the topmost Route header, if
   one existed) that contained a domainname of "example.com".  In this
   direction (i.e., the server presenting a certificate for
   verification), it is not absolutely required to search for a
   canonical hostname as an identity in the certificate (i.e., if
   RFC3263 leads to the choice of "proxy-1.example.com", then it is not
   necessary to specifically look for a dNSName SAN extension matching
   this canonical name).  In fact, certain deployments specifically
   forbid this (SIP Identity [9] mentions an example of RFC3263
   resolution on "sip:jon@example.com" leading to a service located at
   "sip1.example.org").

   For the remainder of this document, the term "domain URI" will be
   used to describe the identity contained in the subjectAltName URI of
   the form "URI:sip:example.com", and the term "host URI" will be used
   to describe the identity (canonical hostname) contained in the
   subjectAltName domain name system label of the form "DNS:proxy-
   1.example.com".

5.  Registrars and Redirect Servers

   The identities in the certificate are leveraged by clients to
   authenticate the registrars and redirect servers they are connecting
   to.  When a client forms a TLS connection to a registrar, it will be
   presented with a certificate corresponding to the registrar.  To
   assure the client that it is indeed conversing with the correct
   registrar, the domain URI in the certificate should matches the R-URI
   the client was trying to reach (in a REGISTER request, the R-URI



Gurbani & Jeffrey       Expires December 28, 2006               [Page 5]

Internet-Draft                Domain Certs                     June 2006


   typically names the location service for which the registration is
   meant, for example, "REGISTER sip:example.com").

      Note that this only works as intended if the client and the
      registrar are in the same domain.  If the client is in a visited
      network, it may have to go through a chain of TLS intermediaries
      in order to reach its home registrar, and thus it may not be able
      to directly access the certificate of the home registrar or to
      open a TLS connection to it.

   In SIP, redirect servers are used in lieu of proxy servers to offload
   the processing of a request to the client.  As such, the steps that a
   client would normally use to ascertain the identity of a proxy server
   are just as applicable when identifying a redirect server.  These are
   outlined in the next section.

   Needless to say, registrars and redirect servers should authenticate
   the clients as well.  This can be done by asking for a X509
   certificate of the client if the client possesses one, or by other
   means such as HTTP Digest authentication.

6.  Proxy Servers, Identities and SIP Headers

   For the following discussion, assume the standard SIP trapezoid shown
   in Figure 1:



            P1 ------------------  P2
      (proxy.example.com)     (proxy.biloxi.com)
             V                        V
             /                         \
            /                           \
           /                             \
          /                               \
     User Agent                        User Agent
    (sip:alice@example.com)        (sip:bob@biloxi.com)

   Figure 1: Traditional SIP Trapezoid



   P1 establishes a TLS connection to P2 on behalf of the sender of the
   request, Alice.  P1 is presented with P2's certificate.  P1 must
   ensure that the certificate is not expired and is rooted in a trusted
   hierarchy.  Next, P1 compares the domain URI in the certificate
   against the domainname in the next hop URI -- which could be the
   R-URI or the topmost Route header -- and looks for a match.  If they



Gurbani & Jeffrey       Expires December 28, 2006               [Page 6]

Internet-Draft                Domain Certs                     June 2006


   match, P1 can be certain that P2 adequately represents the biloxi.com
   domain.  Note that under some circumstances, the next hop URI may not
   contain contents that will be amenable to an RFC3263-type of
   resolution; it may contain a fully-qualified domain name instead of
   an identifier that would normally be used as input to the RFC3263
   process.  In such cases, having the host URI in the certificate is a
   help since P1 can match the host URI in the certificate to the next
   hop URI to gain confidence in the veracity of the connection.

   P2 may ask of a certificate from P1.  Since P1 is a proxy, it has a
   certificate, which it presents to P2.  P2 now proceeds to do mutual
   authentication of P1.  It should ensure that the certificate is not
   expired and is rooted in a trusted hierarchy.  Additionally, because
   of the transitive trust nature of TLS connections in SIP, the only
   attribute that P2 can absolutely depend on verifying of P1 is that it
   (i.e., P1) represents a host in the example.com domain.  To this
   extent, matching the topmost Via sent-by with one of the URIs in the
   SAN of the presented certificate will give P2 the confidence
   regarding adequate representation of the example.com domain by P1.

      Note that RFC3261 Section 26.3.2.2 essentially allows P2 to match
      the domainname in the P1's certificate with the domainname of the
      From header field in the INVITE request for mutual verification.
      This, however, may not always work due to retargetting since in
      this case the From header will not correspond to the
      administrative domain from which the request has been proxied (see
      Appendix A).  Furthermore, the From header may contain an
      alternative URI such as the tel URI instead of SIP or SIPS URI.
      Thus, other techniques such as examining the Via trail may
      additionally be used.

      Since the issuance of RFC3261, the SIP WG has also expanded
      considerable resources in SIP Identity [9].  SIP Identity makes it
      possible for a sending domain to authoritatively assert the
      originator of a SIP message.  This mechanism is much more robust
      that ensuring that the domainname in the From header matches the
      one stored in the certificate.  The minor irritant in SIP Identity
      and per-hop transitive nature of TLS connections means that if P2
      gets a request from P1 over a TLS connection, and this request has
      an Identity header (and Identity-Info header), P2 cannot assume
      that P1 inserted those headers.  Some other element upstream of P1
      could have inserted them (these headers are not removed by
      intermediaries; see Appendix B).  Thus, it appears that the Via
      sent-by is the only appropriate SIP header that can be used by P2
      to provide it adequate confidence regarding representation of the
      example.com domain by P1.





Gurbani & Jeffrey       Expires December 28, 2006               [Page 7]

Internet-Draft                Domain Certs                     June 2006


7.  Server Farms and Certificate Content

   In many deployments, a bank of SIP servers are logically treated as
   one SIP entity.  Such clusters of SIP servers, or server farms, are
   routinely used for load balancing and reliability.  Server farms have
   an interesting intersection with the identities stored in
   certificates.  Generally speaking, it seems appropriate to have at
   least two identities stored in the certificate.  One would correspond
   to a top level URI and the other one would be specific to that host.
   The following discussion outlines this in more detail.

   Figure 2 contains a proxy farm consisting of two SIP servers.  This
   farm is identified by an advertised address of "example.com", i.e.,
   any request that emanates from this farm has a sent-by value of
   "example.com".  Conversely, any requests destined to this farm is
   done by performing a RFC 3263 [5] resolution of the domain name
   "example.com".


     +-----------+   +-----------+           +---------+
     |           |   |           |           |         |
     |  host-a1  |   | host-a2   |           | Proxy B |
     | 192.0.2.1 |   | 192.0.2.2 |           |         |
     +-----------+   +-----------+           +---------+
   |________________________________|      |_____________|
              example.com                     biloxi.com

   Figure 2: A Server Farm.


   Here is a partial DNS zone file corresponding to the above farm.


   $ORIGIN example.com.
   ;      order pref. flags  service  regexp replacement
     NAPTR 100   50    "s"  "SIPS+D2T"  ""   _sips._tcp.example.com.

   ;;                            pri. weight port target
   _sips._tcp.example.com. IN SRV 0     1    5061 host-a1.example.com.
                           IN SRV 0     1    5061 host-a2.example.com.

   host-a1   A   192.0.2.1
   host-a2   A   192.0.2.2


   Now, assume that each server in the farm has a unique certificate
   that contains two identities of type dNSName in subjectAltName
   extension.  The first one is "DNS:example.com" and the second



Gurbani & Jeffrey       Expires December 28, 2006               [Page 8]

Internet-Draft                Domain Certs                     June 2006


   identity corresponds to the actual host name.  The two identities
   work in concert to provide the appropriate identification and
   authentication to hosts outside the server farm.

7.1  Choosing a Server in the Proxy Farm

   When a SIP server outside the server farm wants to choose a server
   from the farm, it will follow the normal RFC 3263 [5] resolution
   process to find an appropriate server.  In Figure 2, consider that
   Proxy B wants to choose one of the two servers in the farm.  Let's
   assume that it executes the RFC 3263 server resolution process and
   arrives at a choice of host-a1.example.com.  It now makes a TLS
   connection to host-a1.example.com and is presented with a certificate
   from host-a1.

   Proxy B must ensure that the canonical host name that it used to
   establish the connection -- host-a1.example.com -- appears as one of
   the identities in the subjectAltName extension.  If this is not the
   case, then the connection must be closed and the authentication of
   the server from the proxy farm would be considered to have failed.

   It goes without saying that host-a1.example.com must mutually
   authenticate Proxy B. If Proxy B itself is a cluster of proxies, then
   the steps in the next section can be applied to the authentication of
   Proxy B.

7.2  Authenticating a Server From the Proxy Farm

   When any of the servers in the farm establish a TLS connection to
   Proxy B in a different administrative domain (biloxi.com), they
   should be prepared to present a certificate if asked by Proxy B. For
   the sake of this discussion, assume that proxy B asks for a
   certificate when it accepts a TLS connection.

   Proxy B now has the certificate of one of the host from the server
   farm.  Proxy B also has a SIP request that contains the following
   topmost Via header ("received" parameter has been added by Proxy B):

   Via: SIP/2.0/TLS example.com;branch=z9hG4bK7cx8177;
     received=192.0.2.2

   To authenticate the host in the server farm that sent the request,
   Proxy B follows the following logic:

   1.  Verifies that the certificate presented is not expired and that
       it is rooted in a trusted certificate chain.





Gurbani & Jeffrey       Expires December 28, 2006               [Page 9]

Internet-Draft                Domain Certs                     June 2006


   2.  Void.
   3.  Resolve the "sent-by" by performing a DNS SRV lookup for service
       "_sips" and transport "_tcp".  If this fails, go to Step 5.
       Otherwise, this will result in one or more relevant A/AAAA
       records.  Ensure that one of these records resolves to the IP
       address in the "received" parameter.
   4.  If the "sent-by" had a non-default port number, then this port
       number must match the port number corresponding to the A record
       that matched in the above step.  Got to step 7, authentication is
       successful.
          It is open to discussion whether the port number should be
          used in the matching rule.
   5.  If DNS SRV lookup failed, then chances are that the contents of
       the "sent-by" contain a canonical host name.  Thus, this name
       must match the host URI stored in the certificate.  If there is
       no match, the connection should be closed and processing proceeds
       to step 7; authentication has failed.
   6.  If the host name in "sent-by" matches the host URI stored in the
       certificate, then ensure that it resolves to the IP address in
       the "received" parameter.  If so, authentication is successful,
       otherwise it has failed.
          Note:  This is open to discussion since it allocates a lower
          probability of a compromised DNS when compared to a
          compromised certificate.
   7.  Process is complete.

   Open issue:  Will all of this work if the proxy farm is behind a NAT?
   In that case, P1 will add a "received" parameter that corresponds to
   the IP address of the middlebox and not that of the appropriate
   server from the proxy farm.

   Open issue:  Will all of this work if the proxy farm is behind a TLS
   accelerator?  This is similar to the problem of NATs, but the
   certificate is issued to the accelerator, not to the proxy.

8.  Virtual SIP Servers and Certificate Content

   The closest guidance in SIP today regarding certificates and virtual
   SIP servers occurs in SIP Identity ([9], Section 13.4).  The quoted
   section states that, "... certificates have varying ways of
   describing their subjects, and may indeed have multiple subjects,
   especially in the 'virtual hosting' cases where multiple domains are
   managed by a single application."

   This appears to imply that one certificate will have multiple SANs
   (or Subject) fields, each such field corresponding to a discrete
   virtual server that represents a single domain?  Since only one
   certificate is needed for multiple domains, the keying material



Gurbani & Jeffrey       Expires December 28, 2006              [Page 10]

Internet-Draft                Domain Certs                     June 2006


   management is simpler, but what happens if one of the domains no
   longer wants to continue the business relationship with the hosting
   service?  Is the entire certificate to be revoked?

   Is it conceivable that each domain have a distinct certificate that
   is provided to the hosting service?  Certainly, this means that the
   domain must share the domain's private key with the hosting service.
   TLS extensions [7] like the extended client hello allow TLS clients
   to provide to the TLS server the name of the server they are
   contacting.  Thus, the server can present the correct certificate to
   establish the TLS connection.

   TODO:  Need some more discussion on the mailing list around this
   issue.  What is the recommended procedure here?

9.  Wildcards in dNSName Type

   RFC 2818 (HTTP over TLS) [6] allows the dNSName component to contain
   a wildcard; e.g., "DNS:*.example.com".  RFC 3280 [4], while not
   disallowing this explicitly, leaves the interpretation of wildcards
   to the individual specification.

   RFC 3261 does not provide any guidelines on the presence of wildcards
   in certificates.  The consensus from the working group discussion
   leans in the favor of not using them in SIP.

10.  Security Considerations

   The goals of TLS include the following security guarantees at the
   transport layer:

   Confidentiality: packets tunneled through TLS can only be read by the
      sender and receiver.
   Integrity: packets tunneled through TLS can only be modified by the
      sender and receiver.
   Authenticity: each principal is authenticated to the other as
      posessing a private key for which a certificate has been issued.
      Moreover, this certificate has not been revoked, and is backed by
      a certificate chain leading to a mutually trusted trust anchor.

   By itself, these security guarantees do not immediately lift to
   guarantees at the application layer.  RFC 3261 states that:

      The proxy server at biloxi.com SHOULD inspect the certificate of
      the proxy server at atlanta.com in turn and compare the domain
      asserted by the certificate with the "domainname" portion of the
      From header field in the INVITE request.




Gurbani & Jeffrey       Expires December 28, 2006              [Page 11]

Internet-Draft                Domain Certs                     June 2006


   This requires each authoritative proxy for atlanta.com to be issued
   with a certificate containing "atlanta.com" as its subject.  This has
   two problems:

   1.  It does not correspond to common TLS usage, which is to use a
       certificate identifying the host.  If proxy.biloxi.com is allowed
       to require that the subject of the certificate contains a DNS
       entry corresponding to the IP address of proxy1.atlanta.com, then
       this in turn requires every authoritative proxy for atlanta.com
       to be registered with the DNS entry atlanta.com.  Hence it is
       impossible for a domain to use different SIP proxies as incoming
       and outgoing proxies.
   2.  It makes forensics in the case of compromise more complex.  If a
       malicious principal is discovered making use of a certificate for
       a private key issued to proxy1.atlanta.com, there is little to
       identify which of atlanta.com's SIP proxies has been compromised.
       If the certificate contains proxy1.atlanta.com's name as well as
       atlanta.com's name, then the forensics are simpler.

   Fortunately, both of these problems are addressed by having two
   identities in domain certificate as outlined in Section 3.

   We expect that appropriate processing requirements of domain
   certificates will provide the following security guarantees at the
   application level:

   Confidentiality: SIPS messages from alice@atlanta.com to
      bob@biloxi.com can only be read by alice@atlanta.com,
      bob@biloxi.com, and SIP proxies issued with domain certificates
      for atlanta.com or biloxi.com.
   Integrity: SIPS messages from alice@atlanta.com to bob@biloxi.com can
      only be modified by alice@atlanta.com, bob@biloxi.com, and SIP
      proxies issued with domain certificates for atlanta.com or
      biloxi.com.
   Authenticity: alice@atlanta.com and proxy.atlanta.com are mutually
      authenticated, and moreover proxy.atlanta.com is authenticated to
      alice@atlanta.com as an authoritative proxy for domain
      atlanta.com.  Similar mutual authentication guarantees are given
      between proxy.atlanta.com and proxy.biloxi.com and between
      proxy.biloxi.com and bob@biloxi.com.  As a result,
      alice@atlanta.com is transitively mutually authenticated to
      bob@biloxi.com (assuming trust in the authoritative proxies for
      atlanta.com and biloxi.com).

   Moreover, if a suitable media key exchange mechanism (such as DH-HMAC
   with null encryption [DH-HMAC]) is used to protect the media between
   alice@atlanta.com and bob@biloxi.com, then these guarantees are also
   provided for the media streams.



Gurbani & Jeffrey       Expires December 28, 2006              [Page 12]

Internet-Draft                Domain Certs                     June 2006


11.  Acknowledgments

   The discussion on proxy farms in Section 7 is inspired by earlier
   versions of Rohan Mahy's connect-reuse draft.  Scott Lawrence
   suggested the idea of a certificate containing two identities.
   Jeroen van Bemmel provided comments to draft versions of this
   document.

12.  References

12.1  Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", RFC 2119, March 1997.

   [2]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [3]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
        RFC 2246, January 1999.

   [4]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
        Public Key Infrastructure Certificate and Certificate Revocation
        List (CRL) Profile", RFC 3280.

12.2  Informative References

   [5]  Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol
        (SIP): Location SIP Servers", RFC 3263, June 2002.

   [6]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [7]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
        T. Wright, "Transport Layer Security (TLS) Extensions",
        RFC 4366, April 2006.

   [8]  Gurbani, V. and A. Jeffrey, "The Use of Transport Layer Security
        (TLS) in the Session Initiation Protocol (SIP)",
        draft-gurbani-sip-tls-use-00.txt (work in progress),
        February 2006.

   [9]  Peterson, J. and C. Jennings, "Enhancements for Authenticated
        Identity Management in the Session Initiation Protocol (SIP)",
        draft-ietf-sip-identity-06.txt (work in progress), October 2005.






Gurbani & Jeffrey       Expires December 28, 2006              [Page 13]

Internet-Draft                Domain Certs                     June 2006


Authors' Addresses

   Vijay K. Gurbani
   Lucent Technologies, Inc./Bell Laboratories
   2701 Lucent Lane
   Room 9F-546
   Lisle, IL  60532
   USA

   Phone:  +1 630 224-0216
   Email:  vkg at aCm dot OrG


   Alan S.A. Jeffrey
   Lucent Technologies, Inc./Bell Laboratories
   2701 Lucent Lane
   Room 9F-534
   Lisle, IL  60532
   USA

   Email:  ajeffrey at bell hyphen labs dot com

Appendix A.  Retargetting in SIP

   Re-targetting breaks down several security assumptions in SIP.  For
   instance, consider the following call flow:

























Gurbani & Jeffrey       Expires December 28, 2006              [Page 14]

Internet-Draft                Domain Certs                     June 2006


              P1               P2             P3
          (example.com)   (atlanta.com)   (biloxi.com)
               |               |              |
               +--F1---------->|              |
               |               +--F2--------->|
              ...

   Figure 3: Retargetting in SIP

   F1:
   INVITE sips:bob@atlanta.com SIP/2.0
   Via: SIP/2.0/TLS proxy.example.com;branch=...
   Via: SIP/2.0/TLS alice-pc.example.com;branch=...
   From: Alice <sips:alice@example.com>;tag=891jhh
   To: Bob <sips:bob@atlanta.com>
   ...

   F2:
   INVITE sips:bob@biloxi.com SIP/2.0
   Via: SIP/2.0/TLS proxy.atlanta.com;branch=...
   Via: SIP/2.0/TLS proxy.example.com;branch=...
   Via: SIP/2.0/TLS alice-pc.example.com;branch=...
   From: Alice <sips:alice@example.com>;tag=891jhh
   To: Bob <sips:bob@atlanta.com>
   ...



   Alice sends a request to Bob through her outbound proxy (F1).  The
   request ends up at Bob's inbound proxy, P2.  Bob is currently not in
   the atlanta.com domain and has his forwarding rules set such that all
   requests are forwarded to an alternate domain, biloxi.com.  P2 now
   retargets the request to Bob's forwarding address in the biloxi.com
   domain (F2).

   When the biloxi.com proxy gets the incoming request, the "domainname"
   component in the From SIP header will not match the domain URI stored
   in the certificate (which will "URI:sip:atlanta.com").  If the
   biloxi.com proxy has a strict policy to reject requests that do not
   match the administrative domain from which they have been proxied,
   the session setup will fail.










Gurbani & Jeffrey       Expires December 28, 2006              [Page 15]

Internet-Draft                Domain Certs                     June 2006


Appendix B.  Retargetting and Identity


              P1               P2             P3
          (example.com)   (atlanta.com)   (biloxi.com)
               |               |              |
               +--F1---------->|              |
               |               +--F2--------->|
              ...

   Figure 4: Retargetting with Identity

   F1:
   INVITE sips:bob@atlanta.com SIP/2.0
   Via: SIP/2.0/TLS proxy.example.com;branch=...
   Via: SIP/2.0/TLS alice-pc.example.com;branch=...
   From: Alice <sips:alice@example.com>;tag=891jhh
   To: Bob <sips:bob@atlanta.com>
   Identity: "kj0P4..."
   Identity-Info: <https://proxy.example.com/example.cer>;alg=rsa-sha1
   ...

   F2:
   INVITE sips:bob@biloxi.com SIP/2.0
   Via: SIP/2.0/TLS proxy.atlanta.com;branch=...
   Via: SIP/2.0/TLS proxy.example.com;branch=...
   Via: SIP/2.0/TLS alice-pc.example.com;branch=...
   From: Alice <sips:alice@example.com>;tag=891jhh
   To: Bob <sips:bob@atlanta.com>
   Identity: "kj0P4..."
   Identity-Info: <https://proxy.example.com/example.cer>;alg=rsa-sha1
   ...



   Alice sends a request to Bob through her outbound proxy (F1).  The
   request ends up at Bob's inbound proxy, P2.  Bob is currently not in
   the atlanta.com domain and has his forwarding rules set such that all
   requests are forwarded to an alternate domain, biloxi.com.  P2 now
   retargets the request to Bob's forwarding address in the biloxi.com
   domain (F2).

   When P3 gets the request from P2, the only attribute that P3 can
   absolutely depend on to mutually authenticate P2 is the topmost Via
   sent-by.  This gives P3 some guarantee that P2 represents a host in
   the atlanta.com domain.  P3 cannot depend on the domainname in the
   From header; that contains a completely different domain than
   atlanta.com.  Neither can it depend on the Identity headers inserted



Gurbani & Jeffrey       Expires December 28, 2006              [Page 16]

Internet-Draft                Domain Certs                     June 2006


   by the originating proxy.  These correspond, of course, to the
   originating proxy and not to the proxy in the atlanta.com domain.

















































Gurbani & Jeffrey       Expires December 28, 2006              [Page 17]

Internet-Draft                Domain Certs                     June 2006


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Gurbani & Jeffrey       Expires December 28, 2006              [Page 18]