Skip to main content

Example Call Flows Using Session Initiation Protocol (SIP) Security Mechanisms
draft-ietf-sipcore-sec-flows-09

Revision differences

Document history

Date Rev. By Action
2012-08-22
09 (System) post-migration administrative database adjustment to the No Objection position for Sean Turner
2011-02-14
09 (System) IANA Action state changed to No IC from In Progress
2011-02-14
09 (System) IANA Action state changed to In Progress
2011-02-14
09 Cindy Morgan State changed to RFC Ed Queue from Approved-announcement sent.
2011-02-14
09 Amy Vezza IESG state changed to Approved-announcement sent
2011-02-14
09 Amy Vezza IESG has approved the document
2011-02-14
09 Amy Vezza Closed "Approve" ballot
2011-02-14
09 Amy Vezza State changed to Approved-announcement to be sent from IESG Evaluation::AD Followup.
2011-02-14
09 Amy Vezza Approval announcement text regenerated
2011-02-14
09 Amy Vezza Ballot writeup text changed
2011-02-10
09 Sean Turner [Ballot Position Update] Position for Sean Turner has been changed to No Objection from Discuss
2011-02-09
09 (System) New version available: draft-ietf-sipcore-sec-flows-09.txt
2011-01-21
09 (System) Removed from agenda for telechat - 2011-01-20
2011-01-20
09 Cindy Morgan State changed to IESG Evaluation::AD Followup from IESG Evaluation.
2011-01-20
09 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded
2011-01-20
09 Sean Turner
[Ballot comment]
Appendix A: Add an informative reference to PKCS#8 [RFC5958].

ASN.1 dumps: The "hority" wraps around the line oddly.

Section 5: Is …
[Ballot comment]
Appendix A: Add an informative reference to PKCS#8 [RFC5958].

ASN.1 dumps: The "hority" wraps around the line oddly.

Section 5: Is it worth noting that the SHA2 algs also say don't include the parameters according to [RFC5754].
2011-01-20
09 Sean Turner
[Ballot discuss]
#1) The AKIs seems to include all three possibilities.  RFC 5280 says:

  The identification MAY be based on either the
  key …
[Ballot discuss]
#1) The AKIs seems to include all three possibilities.  RFC 5280 says:

  The identification MAY be based on either the
  key identifier (the subject key identifier in the issuer's
  certificate) or the issuer name and serial number.

It also goes on to recommend using the keyIdentifier choice.  I'd remove the other two (authorityCertIssuer and authorityCertSerialNumber) they're just making the certificates bigger than they need to be.

#2) User certificate subject names: look a lot like email addresses.  RFC 5280 requires that new implementations put the email address in the SAN extension with the rfc822Name choice.  Shouldn't the last component of the user's common name be Cullen Jennings, Kumiko, etc and then put the email addresss in SAN:rfc822Name?
2011-01-20
09 Sean Turner [Ballot Position Update] New position, Discuss, has been recorded
2011-01-19
09 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded
2011-01-19
09 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded
2011-01-19
09 Alexey Melnikov
[Ballot comment]
6.  Additional Test Scenarios

      *  assure that the most specific CommonName in the Subject field
        matches …
[Ballot comment]
6.  Additional Test Scenarios

      *  assure that the most specific CommonName in the Subject field
        matches if there are no dNSName entries in the subjectAltName
        at all (which is not the same as there being no matching
        dNSName entries).  This match can be either exact, or against
        an entry that uses the wildcard matching character '*'

Anywhere in the domain pattern or only in the leftmost position?


Nits: The usual (many acronyms are not spelled out on first use, etc.)
2011-01-18
09 Peter Saint-Andre
[Ballot comment]
This is a fine document. My only nits are:

1. Some of the acronyms are not expanded on first use.

2. There are …
[Ballot comment]
This is a fine document. My only nits are:

1. Some of the acronyms are not expanded on first use.

2. There are some trifling typos (e.g., "particulary").

3. Some of the terms are used inconsistently or casually (e.g., "subjAltName" when "subjectAltName" is meant; it might be even better to re-use the terminology from draft-saintandre-tls-server-id-check).

4. No rules are provided regarding the process of matching IP addresses (e.g., matching of IPv4 addresses vs. IPv6 addresses); however, because use of IP addresses is deemed inadvisable, the lack of rules probably does not have implications for interoperability.
2011-01-18
09 Peter Saint-Andre [Ballot Position Update] New position, No Objection, has been recorded
2011-01-18
09 Dan Romascanu
[Ballot comment]
The 'Observed Interoperability Issues' section includes a number of example of implementation problems detected during the SIPit events. I can guess that this …
[Ballot comment]
The 'Observed Interoperability Issues' section includes a number of example of implementation problems detected during the SIPit events. I can guess that this information canges in time, as interoperability problems due to implementation bugs or lack of clarity in documents are in the majority of the cases being fixed in the coming releases of the implementations. For this purpose it would be useful I think to mention what is the time reference (may be the indication of the SIPit event) when the problems were detected.
2011-01-18
09 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded
2011-01-14
09 Alexey Melnikov [Ballot Position Update] Position for Alexey Melnikov has been changed to Yes from Discuss
2011-01-14
08 (System) New version available: draft-ietf-sipcore-sec-flows-08.txt
2011-01-14
09 Alexey Melnikov
[Ballot discuss]
I generally support publication of this document. I have one minor issue I would like to see addressed before I can recommend approval …
[Ballot discuss]
I generally support publication of this document. I have one minor issue I would like to see addressed before I can recommend approval of this document:

----------------------------------------------
From Apps Area review by Kurt Zeilenga:

I see some inconsistencies in how Distinguished Names (DNs) are presented in the RFC.

For instance (from 2.1):
  Issuer: C=US, ST=California, L=San Jose, O=sipit,
          OU=Sipit Test Certificate Authority

vs. (also from 2.1)
  DirName:/C=US/ST=California/L=San Jose/O=sipit/
          OU=Sipit Test Certificate Authority

The former kind of looks like the LDAP DN format but, if that's what was intended, the RDNs appear in the incorrect order.  Note that in the LDAP DN format, the most specific element appears first (the reverse of how they appear in the BER/DER encoding of a DN).  Also, there should be no spaces after the RDN separators (the commas).

The latter appears to be DCE format.

I would think it appropriate to use a single format for all DNs and, if one chooses to use the LDAP DN format, that values ought to be constructed per RFC 4514.  I note that Appendix A of RFC 4514 discusses presentation issues of Distinguished Names.
----------------------------------------------

My concern with examples in the document is that a naive reader can decide that the "Issuer" field values are LDAP DNs (which per RFC 4514 are in most-specific-first RDN order), which could result in certificates with inverse ordered RDNs. This might cause interoperability issues with verification of such certificates.

Because the document is using output of OpenSSL tools, in order to address this issue I would like to suggest addition of a sentence somewhere early in the document saying that values of the "Issuer:" field displayed in the document is NOT in the LDAP DN format, but an application-specific least-specific-first RDN order format.
2011-01-14
09 Alexey Melnikov
[Ballot discuss]
I am sorry that my preliminary DISCUSS caused some agitation to the authors and WG chairs.
This version was updated to clarify the …
[Ballot discuss]
I am sorry that my preliminary DISCUSS caused some agitation to the authors and WG chairs.
This version was updated to clarify the issue:

----------------------------------------------
From Apps Area review by Kurt Zeilenga:

I see some inconsistencies in how Distinguished Names (DNs) are presented in the RFC.

For instance (from 2.1):
  Issuer: C=US, ST=California, L=San Jose, O=sipit,
          OU=Sipit Test Certificate Authority

vs. (also from 2.1)
  DirName:/C=US/ST=California/L=San Jose/O=sipit/
          OU=Sipit Test Certificate Authority

The former kind of looks like the LDAP DN format but, if that's what was intended, the RDNs appear in the incorrect order.  Note that in the LDAP DN format, the most specific element appears first (the reverse of how they appear in the BER/DER encoding of a DN).  Also, there should be no spaces after the RDN separators (the commas).

The latter appears to be DCE format.

I would think it appropriate to use a single format for all DNs and, if one chooses to use the LDAP DN format, that values ought to be constructed per RFC 4514.  I note that Appendix A of RFC 4514 discusses presentation issues of Distinguished Names.
----------------------------------------------

My concern with examples in the document is that a naive reader can decide that the "Issuer" field values are LDAP DNs (which per RFC 4514 are in most-specific-first RDN order), which could result in certificates with inverse ordered RDNs. This might cause interoperability issues with verification of such certificates.

Because the document is using output of OpenSSL tools, in order to address this issue I would like to suggest addition of a sentence somewhere early in the document saying that values of the "Issuer:" field displayed in the document is NOT in the LDAP DN format, but an application-specific least-specific-first RDN order format.
2011-01-14
09 Alexey Melnikov
[Ballot discuss]
I am sorry that my preliminary DISCUSS caused some agitation to the authors and WG chairs.
This version was updated to clarify the …
[Ballot discuss]
I am sorry that my preliminary DISCUSS caused some agitation to the authors and WG chairs.
This version was updated to clarify the issue:

----------------------------------------------
From Apps Area review by Kurt Zeilenga:

I see some inconsistencies in how Distinguished Names (DNs) are presented in the RFC.

For instance (from 2.1):
  Issuer: C=US, ST=California, L=San Jose, O=sipit,
          OU=Sipit Test Certificate Authority

vs. (also from 2.1)
  DirName:/C=US/ST=California/L=San Jose/O=sipit/
          OU=Sipit Test Certificate Authority

The former kind of looks like the LDAP DN format but, if that's what was intended, the RDNs appear in the incorrect order.  Note that in the LDAP DN format, the most specific element appears first (the reverse of how they appear in the BER/DER encoding of a DN).  Also, there should be no spaces after the RDN separators (the commas).

The latter appears to be DCE format.

I would think it appropriate to use a single format for all DNs and, if one chooses to use the LDAP DN format, that values ought to be constructed per RFC 4514.  I note that Appendix A of RFC 4514 discusses presentation issues of Distinguished Names.
----------------------------------------------

My concern with examples in the document is that a naive reader can decide that the "Issuer" field values are LDAP DNs (as required according to X.509), which will result in generation of invalid certificates. This might cause interoperability issues with verification of such certificates.

Because the document is using output of OpenSSL tools, in order to address this issue I would like to suggest addition of a sentence somewhere early in the document saying that values of the "Issuer:" field displayed in the document is NOT in the LDAP DN format typically used by X.509 certificates.
2011-01-04
09 Alexey Melnikov [Ballot comment]
Nits: The usual (many acronyms are not spelled out on first use, etc.)
2011-01-04
09 Alexey Melnikov
[Ballot discuss]
From Apps Area review by Kurt Zeilenga:

I see some inconsistencies in how Distinguished Names (DNs) are presented in the RFC.

For instance …
[Ballot discuss]
From Apps Area review by Kurt Zeilenga:

I see some inconsistencies in how Distinguished Names (DNs) are presented in the RFC.

For instance (from 2.1):
  Issuer: C=US, ST=California, L=San Jose, O=sipit,
          OU=Sipit Test Certificate Authority

vs. (also from 2.1)
  DirName:/C=US/ST=California/L=San Jose/O=sipit/
          OU=Sipit Test Certificate Authority

The former kind of looks like the LDAP DN format but, if that's what was intended, the RDNs appear in the incorrect order.  Note that in the LDAP DN format, the most specific element appears first (the reverse of how they appear in the BER/DER encoding of a DN).  Also, there should be no spaces after the RDN separators (the commas).

The latter appears to be DCE format.

I would think it appropriate to use a single format for all DNs and, if one chooses to use the LDAP DN format, that values ought to be constructed per RFC 4514.  I note that Appendix A of RFC 4514 discusses presentation issues of Distinguished Names.
2011-01-04
09 Alexey Melnikov [Ballot Position Update] New position, Discuss, has been recorded
2010-12-15
09 Robert Sparks [Ballot Position Update] New position, Recuse, has been recorded
2010-12-15
09 Gonzalo Camarillo Placed on agenda for telechat - 2011-01-20
2010-12-15
09 Gonzalo Camarillo State changed to IESG Evaluation from Waiting for AD Go-Ahead.
2010-12-15
09 Gonzalo Camarillo [Ballot Position Update] New position, Yes, has been recorded for Gonzalo Camarillo
2010-12-15
09 Gonzalo Camarillo Ballot has been issued
2010-12-15
09 Gonzalo Camarillo Created "Approve" ballot
2010-12-15
09 Gonzalo Camarillo Ballot writeup text changed
2010-12-13
07 (System) New version available: draft-ietf-sipcore-sec-flows-07.txt
2010-12-03
09 (System) State changed to Waiting for AD Go-Ahead from In Last Call.
2010-11-22
09 Sam Weiler Request for Last Call review by SECDIR is assigned to Dave Cridland
2010-11-22
09 Sam Weiler Request for Last Call review by SECDIR is assigned to Dave Cridland
2010-11-19
09 Amy Vezza Last call sent
2010-11-19
09 Amy Vezza
State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: …
State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (Example call flows using Session Initiation Protocol (SIP) security mechanisms) to Informational RFC


The IESG has received a request from the Session Initiation Protocol Core
WG (sipcore) to consider the following document:
- 'Example call flows using Session Initiation Protocol (SIP) security
  mechanisms'
  as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2010-12-03. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-sipcore-sec-flows/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-sipcore-sec-flows/
2010-11-19
09 Gonzalo Camarillo Last Call was requested
2010-11-19
09 Gonzalo Camarillo State changed to Last Call Requested from Publication Requested::AD Followup.
2010-11-19
09 Gonzalo Camarillo Last Call text changed
2010-11-19
09 (System) Ballot writeup text was added
2010-11-19
09 (System) Last call text was added
2010-11-19
09 (System) Ballot approval text was added
2010-11-18
09 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-11-18
06 (System) New version available: draft-ietf-sipcore-sec-flows-06.txt
2010-11-17
09 Gonzalo Camarillo State changed to Publication Requested::Revised ID Needed from Publication Requested.
2010-11-09
05 (System) New version available: draft-ietf-sipcore-sec-flows-05.txt
2010-11-08
09 Cindy Morgan
(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he …
(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Adam Roach is the document shepherd. He has reviewed the current
version of the document and believes that it is ready for publication.

Note that the majority of the document is machine-generated and
machine-readable. The shepherd has not performed a detailed validation
of these portions of the draft, as doing so would be an effort
tantamount to creating the document in the first place. Note also
that the shepherd has only a passing familiarity with specific
details of TLS and S/MIME certificates, and is relying on the
authors and reviewers to have caught any errors in their construction.
(The shepherd is, however, personally familiar with the certificate
expertise of three of the document authors, and beleives that they
have the skills necessary to get this right).


(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

By its nature as a security examples document, this work has a
fairly limited number of people qualified to comment on it.
Reviewers require a moderately detailed understanding of SIP,
TLS, and S/MIME. As a result, the majority of substantive feedback
(at least, during the document's tenure in SIPCORE) has been
from dedicated reviewers.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

The shepherd believes that the combination of authors and existing
reviewers have the proper expertise for this document.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

The shepherd has no concerns regarding the document. No IPR disclosures
have been filed on this document.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

Due to the specialized nature of security, the document has been
created and reviewed by a relatively small number of working group
participants.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

No.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See the Internet-Drafts Checklist
and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

The document passes a NITs review. The NITs tool turns up quite a few
false positives. All remaining NITs reported by the tool have been
pursued and determined to be bogus.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

The draft is informational. All normative references are RFCs.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC5226]. If the
document describes an Expert Review process has Shepherd
conferred with the Responsible Area Director so that the IESG
can appoint the needed Expert during the IESG Evaluation?

The document correctly states that no IANA actions are necessary.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

The document contains two shell scripts for generation of SSL
certificates. They both execute and produce certificates on the
shepherd's laptop. So, they are valid in at least certain
circumstances.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary
This document shows example call flows demonstrating the
use of Transport Layer Security (TLS), and Secure/Multipurpose
Internet Mail Extensions (S/MIME) in Session Initiation
Protocol (SIP). It also provides information that helps
implementers build interoperable SIP software.


Working Group Summary
This work traces its roots back to 2003, when it was first
introduced into the SIP working group. For much of its
lifetime, it existed quietly alongside the document
"Certificate Management Service for The Session Initiation
Protocol," which is currently in the RFC Editors' queue.
After moving into SIPCORE, repeated requests by the chairs
for review yielded a small number of in-depth reviews.


Document Quality
According to one of the document authors, he has received
"many emails from implementors that use this draft." Using
this as our data point, the document's utility as a sanity
check for the security aspects of SIP implementations would
seem to be very high. Ole Johansson brought back practical
feedback from SIPit interoperabilty testing events regarding
some of the practical aspects of what needs to appear in
TLS certificates.
2010-11-08
09 Cindy Morgan Draft Added by Cindy Morgan in state Publication Requested
2010-11-08
09 Cindy Morgan [Note]: 'Adam Roach (adam@nostrum.com) is the document shepherd.' added by Cindy Morgan
2010-11-08
04 (System) New version available: draft-ietf-sipcore-sec-flows-04.txt
2010-06-14
03 (System) New version available: draft-ietf-sipcore-sec-flows-03.txt
2010-01-22
02 (System) New version available: draft-ietf-sipcore-sec-flows-02.txt
2009-11-23
01 (System) New version available: draft-ietf-sipcore-sec-flows-01.txt
2009-11-09
09 (System) Document has expired
2009-05-04
00 (System) New version available: draft-ietf-sipcore-sec-flows-00.txt