1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
|
Internet Engineering Task Force (IETF) C. Jennings
Request for Comments: 6072 Cisco Systems
Category: Standards Track J. Fischl, Ed.
ISSN: 2070-1721 Skype
February 2011
Certificate Management Service for the Session Initiation Protocol (SIP)
Abstract
This document defines a credential service that allows Session
Initiation Protocol (SIP) User Agents (UAs) to use a SIP event
package to discover the certificates of other users. This mechanism
allows User Agents that want to contact a given Address-of-Record
(AOR) to retrieve that AOR's certificate by subscribing to the
credential service, which returns an authenticated response
containing that certificate. The credential service also allows
users to store and retrieve their own certificates and private keys.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6072.
Jennings & Fischl Standards Track [Page 1]
^L
RFC 6072 SIP Certificates February 2011
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction ....................................................3
2. Definitions .....................................................4
3. Overview ........................................................4
4. UA Behavior with Certificates ...................................7
5. UA Behavior with Credentials ....................................8
6. Event Package Formal Definition for "certificate" ...............9
6.1. Event Package Name .........................................9
6.2. SUBSCRIBE Bodies ...........................................9
6.3. Subscription Duration .....................................10
6.4. NOTIFY Bodies .............................................10
6.5. Subscriber Generation of SUBSCRIBE Requests ...............10
6.6. Notifier Processing of SUBSCRIBE Requests .................11
6.7. Notifier Generation of NOTIFY Requests ....................11
6.8. Subscriber Processing of NOTIFY Requests ..................11
6.9. Handling of Forked Requests ...............................11
6.10. Rate of Notifications ....................................12
6.11. State Agents and Lists ...................................12
6.12. Behavior of a Proxy Server ...............................12
Jennings & Fischl Standards Track [Page 2]
^L
RFC 6072 SIP Certificates February 2011
7. Event Package Formal Definition for "credential" ...............12
7.1. Event Package Name ........................................12
7.2. SUBSCRIBE Bodies ..........................................12
7.3. Subscription Duration .....................................12
7.4. NOTIFY Bodies .............................................13
7.5. Subscriber Generation of SUBSCRIBE Requests ...............13
7.6. Notifier Processing of SUBSCRIBE Requests .................14
7.7. Notifier Generation of NOTIFY Requests ....................14
7.8. Generation of PUBLISH Requests ............................15
7.9. Notifier Processing of PUBLISH Requests ...................15
7.10. Subscriber Processing of NOTIFY Requests .................16
7.11. Handling of Forked Requests ..............................16
7.12. Rate of Notifications ....................................16
7.13. State Agents and Lists ...................................16
7.14. Behavior of a Proxy Server ...............................16
8. Identity Signatures ............................................16
9. Examples .......................................................17
9.1. Encrypted Page Mode Instant Message .......................17
9.2. Setting and Retrieving UA Credentials .....................18
10. Security Considerations .......................................19
10.1. Certificate Revocation ...................................21
10.2. Certificate Replacement ..................................22
10.3. Trusting the Identity of a Certificate ...................22
10.3.1. Extra Assurance ...................................23
10.4. SACRED Framework .........................................24
10.5. Crypto Profiles ..........................................24
10.6. User Certificate Generation ..............................25
10.7. Private Key Storage ......................................25
10.8. Compromised Authentication Service .......................26
11. IANA Considerations ...........................................26
11.1. Certificate Event Package ................................27
11.2. Credential Event Package .................................27
11.3. Identity Algorithm .......................................27
12. Acknowledgments ...............................................27
13. References ....................................................28
13.1. Normative References .....................................28
13.2. Informative References ...................................29
1. Introduction
[RFC3261], as amended by [RFC3853], provides a mechanism for end-to-
end encryption and integrity using Secure/Multipurpose Internet Mail
Extensions (S/MIME) [RFC5751]. Several security properties of
[RFC3261] depend on S/MIME, and yet it has not been widely deployed.
One reason is the complexity of providing a reasonable certificate
distribution infrastructure. This specification proposes a way to
address discovery, retrieval, and management of certificates for SIP
deployments. Combined with the SIP Identity [RFC4474] specification,
Jennings & Fischl Standards Track [Page 3]
^L
RFC 6072 SIP Certificates February 2011
this specification allows users to have certificates that are not
signed by any well known certification authority while still strongly
binding the user's identity to the certificate.
In addition, this specification provides a mechanism that allows SIP
User Agents such as IP phones to enroll and get their credentials
without any more configuration information than they commonly have
today. The end user expends no extra effort.
2. Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Certificate: A Public Key Infrastructure using X.509 (PKIX)-
[RFC5280] style certificate containing a public key and a list of
identities in the SubjectAltName that are bound to this key. The
certificates discussed in this document are generally self-signed
and use the mechanisms in the SIP Identity [RFC4474] specification
to vouch for their validity. Certificates that are signed by a
certification authority can also be used with all the mechanisms
in this document; however, they need not be validated by the
receiver (although the receiver can validate them for extra
assurance; see Section 10.3.1).
Credential: For this document, "credential" means the combination of
a certificate and the associated private key.
Password Phrase: A password used to encrypt and decrypt a PKCS #8
(Public Key Cryptographic System #8) private key.
3. Overview
The general approach is to provide a new SIP service referred to as a
"credential service" that allows SIP User Agents (UAs) to subscribe
to other users' certificates using a new SIP event package [RFC3265].
The certificate is delivered to the subscribing UA in a corresponding
SIP NOTIFY request. An authentication service as described in the
SIP Identity [RFC4474] specification can be used to vouch for the
identity of the sender of the certificate by using the sender's proxy
domain certificate to sign the NOTIFY request. The authentication
service is vouching that the sender is allowed to populate the SIP
From header field value. The sender of the message is vouching that
this is an appropriate certificate for the user identified in the SIP
From header field value. The credential service can manage public
certificates as well as the user's private keys. Users can update
their credentials, as stored on the credential service, using a SIP
Jennings & Fischl Standards Track [Page 4]
^L
RFC 6072 SIP Certificates February 2011
PUBLISH [RFC3903] request. The UA authenticates to the credential
service using a shared secret when a UA is updating a credential.
Typically the shared secret will be the same one that is used by the
UA to authenticate a REGISTER request with the Registrar for the
domain (usually with SIP Digest Authentication).
The following figure shows Bob publishing his credentials from one of
his User Agents (e.g., his laptop software client), retrieving his
credentials from another of his User Agents (e.g., his mobile phone),
and then Alice retrieving Bob's certificate and sending a message to
Bob. SIP 200-class responses are omitted from the diagram to make
the figure easier to understand.
example.com domain
------------------
Alice Proxy Auth Cred Bob1 Bob2
| | | | TLS Handshake | |
| [ Bob generates ] |<--------------------->|
| [ credentials and ] | PUBLISH (credential) |
| [ publishes them ] |<----------------------|
| | | | Digest Challenge |
| | | |---------------------->|
| | | | PUBLISH + Digest |
| | | |<----------------------|
| | | | |
| | | | time passes... |
| | | | |
| | | | TLS Handshake |
| [ Bob later gets ] |<---------------->|
| [ back his own ] | SUBSCRIBE |
| [ credentials ] | (credential) |
| [ at another ] |<-----------------|
| [ User Agent ] | SUBSCRIBE+Digest |
| | | |<-----------------|
| | | | NOTIFY |
| | | |----------------->|
| | | | Bob decrypts key |
| | | | |
| | | | |
| SUBSCRIBE (certificate) | Alice fetches |
|---------->|----->|----->| Bob's cert |
| | |NOTIFY| |
| NOTIFY+Identity |<-----| |
|<----------+------| | Alice uses cert |
| | | | to encrypt |
| MESSAGE | | | message to Bob |
|---------->|------+------+----------------->|
Jennings & Fischl Standards Track [Page 5]
^L
RFC 6072 SIP Certificates February 2011
Bob's UA (Bob2) does a Transport Layer Security (TLS) [RFC5246]
handshake with the credential server to authenticate that the UA is
connected to the correct credential server. Then Bob's UA publishes
his newly created or updated credentials. The credential server
challenges the UA using a Digest Authentication scheme to
authenticate that the UA knows Bob's shared secret. Once the UA is
authenticated, the credential server stores Bob's credentials.
Another of Bob's User Agents (Bob1) wants to fetch its current
credentials. It does a TLS [RFC5246] handshake with the credential
server to authenticate that the UA is connected to the correct
credential server. Then Bob's UA subscribes for the credentials.
The credential server challenges the UA to authenticate that the UA
knows Bob's shared secret. Once the UA is authenticated, the
credential server sends a NOTIFY that contains Bob's credentials.
The private key portion of the credential may have been encrypted
with a secret that only Bob's UA (and not the credential server)
knows. In this case, once Bob's UA decrypts the private key, it will
be ready to go. Typically Bob's UA would do this when it first
registers on the network.
Some time later Alice decides that she wishes to discover Bob's
certificate so that she can send him an encrypted message or so that
she can verify the signature on a message from Bob. Alice's UA sends
a SUBSCRIBE message to Bob's AOR. The proxy in Bob's domain routes
this to the credential server via an "authentication service" as
defined in [RFC4474]. The credential server returns a NOTIFY that
contains Bob's public certificate in the body. This is routed
through an authentication service that signs that this message really
can validly claim to be from the AOR "sip:bob@example.com". Alice's
UA receives the certificate and can use it to encrypt a message to
Bob.
It is critical to understand that the only way that Alice can trust
that the certificate really is the one for Bob and that the NOTIFY
has not been spoofed is for Alice to check that the Identity
[RFC4474] header field value is correct.
The mechanism described in this document works for both self-signed
certificates and certificates signed by well known certification
authorities. In order to deploy certificates signed by well known
certification authorities, certification authorities would have to
support adding SIP URIs to the SubjectAltName of the certificates
they generate. This is something that has been rarely implemented by
commercial certification authorities. However, most UAs would only
use self-signed certificates and would use an authentication service
as described in [RFC4474] to provide a strong binding of an AOR to
the certificates.
Jennings & Fischl Standards Track [Page 6]
^L
RFC 6072 SIP Certificates February 2011
The mechanisms described in this document allow for three different
styles of deployment:
1. Deployments where the credential server only stores certificates
and does not store any private key information. If the
deployment had users with multiple devices, some other scheme
(perhaps even manual provisioning) would be used to get the right
private keys onto all the devices that a user employs.
2. Deployments where the credential server stores certificates and
also stores an encrypted version of the private keys. The
credential server would not know or need the password phrase for
decrypting the private key. The credential server would help
move the private keys between devices, but the user would need to
enter a password phrase on each device to allow that device to
decrypt (and encrypt) the private key information.
3. Deployments where the credential server generates and stores the
certificates and private keys. Deployments such as these may not
use password phrases. Consequently, the private keys are not
encrypted inside the PKCS #8 objects. This style of deployment
would often have the credential server, instead of the devices,
create the credentials.
4. UA Behavior with Certificates
When a User Agent wishes to discover some other user's certificate,
it subscribes to the "certificate" SIP event package as described in
Section 6 to get the certificate. While the subscription is active,
if the certificate is updated, the Subscriber will receive the
updated certificate in a notification.
The Subscriber needs to decide how long it is willing to trust that
the certificate it receives is still valid. If the certificate is
revoked before it expires, the Notifier will send a notification with
an empty body to indicate that the certificate is no longer valid.
If the certificate is renewed before it expires, the Notifier will
send a notification with a body containing the new certificate. Note
that the Subscriber might not receive the notification if an attacker
blocks this traffic. The amount of time that the Subscriber caches a
certificate SHOULD be configurable. A default of one day is
RECOMMENDED.
Note that the actual duration of the subscription is unrelated to the
caching time or validity time of the corresponding certificate.
Allowing subscriptions to persist after a certificate is no longer
valid ensures that Subscribers receive the replacement certificate in
a timely fashion. The Notifier could return an immediate
Jennings & Fischl Standards Track [Page 7]
^L
RFC 6072 SIP Certificates February 2011
notification with the certificate in response to a subscribe request
and then immediately terminate subscription, setting the reason
parameter to "probation". The Subscriber will have to periodically
poll the Notifier to verify the validity of the certificate.
If the UA uses a cached certificate in a request and receives a 437
(Unsupported Certificate) response, it SHOULD remove the certificate
it used from the cache and attempt to fetch the certificate again.
If the certificate is changed, then the UA SHOULD retry the original
request with the new certificate. This situation usually indicates
that the certificate was recently updated, and that the Subscriber
has not received a corresponding notification. If the certificate
fetched is the same as the one that was previously in the cache, then
the UA SHOULD NOT try the request again. This situation can happen
when the request is retargeted to a different user than the original
request. The 437 response is defined in [RFC4474].
Note: A UA that has a presence list MAY want to subscribe to the
certificates of all the presentities in the list when the UA
subscribes to their presence, so that when the user wishes to
contact a presentity, the UA will already have the appropriate
certificate. Future specifications might consider the possibility
of retrieving the certificates along with the presence documents.
The details of how a UA deals with receiving encrypted messages is
outside the scope of this specification. It is worth noting that if
Charlie's User Agent Server (UAS) receives a request that is
encrypted to Bob, it would be valid and legal for that UA to send a
302 redirecting the call to Bob.
5. UA Behavior with Credentials
UAs discover their own credentials by subscribing to their AOR with
an event type of "credential" as described in Section 7. After a UA
registers, it SHOULD retrieve its credentials by subscribing to them
as described in Section 6.5.
When a UA discovers its credential, the private key information might
be encrypted with a password phrase. The UA SHOULD request that the
user enter the password phrase on the device, and the UA MAY cache
this password phrase for future use.
Jennings & Fischl Standards Track [Page 8]
^L
RFC 6072 SIP Certificates February 2011
There are several different cases in which a UA should generate a new
credential:
o If the UA receives a NOTIFY with no body for the credential
package.
o If the certificate has expired.
o If the certificate's notAfter date is within the next 600 seconds,
the UA SHOULD attempt to create replacement credentials. The UA
does this by waiting a random amount of time between 0 and
300 seconds. If no new credentials have been received in that
time, the UA creates new credentials to replace the expiring ones
and sends them in a PUBLISH request following the rules for
modifying event state as described in Section 4.4 of [RFC3903].
o If the user of the device has indicated via the user interface
that they wish to revoke the current certificate and issue a new
one.
Credentials are created by constructing a new key pair that will
require appropriate randomness as described in [RFC4086] and then
creating a certificate as described in Section 10.6. The UA MAY
encrypt the private key with a password phrase supplied by the user
as specified in Section 10.5. Next, the UA updates the user's
credential by sending a PUBLISH [RFC3903] request with the
credentials or just the certificate as described in Section 7.8.
If a UA wishes to revoke the existing certificate without publishing
a new one, it MUST send a PUBLISH with an empty body to the
credential server.
6. Event Package Formal Definition for "certificate"
6.1. Event Package Name
This document defines a SIP event package as defined in [RFC3265].
The event-package token name for this package is:
certificate
6.2. SUBSCRIBE Bodies
This package does not define any SUBSCRIBE bodies.
Jennings & Fischl Standards Track [Page 9]
^L
RFC 6072 SIP Certificates February 2011
6.3. Subscription Duration
Subscriptions to this event package can range from no time to weeks.
Subscriptions in days are more typical and are RECOMMENDED. The
default subscription duration for this event package is one day.
The credential service is encouraged to keep the subscriptions active
for AORs that are communicating frequently, but the credential
service MAY terminate the subscription at any point in time.
6.4. NOTIFY Bodies
The body of a NOTIFY request for this package MUST either be empty or
contain an application/pkix-cert body (as defined in [RFC2585]) that
contains the certificate, unless an Accept header field has
negotiated some other type. The Content-Disposition MUST be set to
"signal" as defined in [RFC3204].
A future extension MAY define other NOTIFY bodies. If no "Accept"
header field is present in the SUBSCRIBE, the body type defined in
this document MUST be assumed.
Implementations that generate large notifications are reminded to
follow the message size restrictions for unreliable transports
articulated in Section 18.1.1 of [RFC3261].
6.5. Subscriber Generation of SUBSCRIBE Requests
A UA discovers a certificate by sending a SUBSCRIBE request with an
event type of "certificate" to the AOR for which a certificate is
desired. In general, the UA stays subscribed to the certificate for
as long as it plans to use and cache the certificate, so that the UA
can be notified about changes or revocations to the certificate.
Subscriber User Agents will typically subscribe to certificate
information for a period of hours or days, and automatically attempt
to re-subscribe just before the subscription is completely expired.
When a user de-registers from a device (logoff, power down of a
mobile device, etc.), Subscribers SHOULD unsubscribe by sending a
SUBSCRIBE request with an Expires header field of zero.
Jennings & Fischl Standards Track [Page 10]
^L
RFC 6072 SIP Certificates February 2011
6.6. Notifier Processing of SUBSCRIBE Requests
When a SIP credential server receives a SUBSCRIBE request with the
certificate event-type, it is not necessary to authenticate the
subscription request. The Notifier MAY limit the duration of the
subscription to an administrator-defined period of time. The
duration of the subscription does not correspond in any way to the
period for which the certificate will be valid.
When the credential server receives a SUBSCRIBE request for a
certificate, it first checks to see if it has credentials for the
requested URI. If it does not have a certificate, it returns a
NOTIFY request with an empty message body.
6.7. Notifier Generation of NOTIFY Requests
Immediately after a subscription is accepted, the Notifier MUST send
a NOTIFY with the current certificate, or an empty body if no
certificate is available for the target user. In either case it
forms a NOTIFY with the From header field value set to the value of
the To header field in the SUBSCRIBE request. This server sending
the NOTIFY needs either to implement an authentication service (as
described in SIP Identity [RFC4474]) or else the server needs to be
set up such that the NOTIFY request will be sent through an
authentication service. Sending the NOTIFY request through the
authentication service requires the SUBSCRIBE request to have been
routed through the authentication service, since the NOTIFY is sent
within the dialog formed by the subscription.
6.8. Subscriber Processing of NOTIFY Requests
The resulting NOTIFY will contain an application/pkix-cert body that
contains the requested certificate. The UA MUST follow the
procedures in Section 10.3 to decide if the received certificate can
be used. The UA needs to cache this certificate for future use. The
maximum length of time for which it should be cached is discussed in
Section 10.1. The certificate MUST be removed from the cache if the
certificate has been revoked (if a NOTIFY with an empty body is
received), or if it is updated by a subsequent NOTIFY. The UA MUST
check that the NOTIFY is correctly signed by an authentication
service as described in [RFC4474]. If the identity asserted by the
authentication service does not match the AOR that the UA subscribed
to, the certificate in the NOTIFY is discarded and MUST NOT be used.
6.9. Handling of Forked Requests
This event package does not permit forked requests. At most one
subscription to this event type is permitted per resource.
Jennings & Fischl Standards Track [Page 11]
^L
RFC 6072 SIP Certificates February 2011
6.10. Rate of Notifications
Notifiers SHOULD NOT generate NOTIFY requests more frequently than
once per minute.
6.11. State Agents and Lists
The credential server described in this section that serves
certificates is a state agent as defined in [RFC3265], and
implementations of the credential server MUST be implemented as a
state agent.
Implementers MUST NOT use the event list extension [RFC4662] with
this event type. It is not possible to make such an approach work,
because the authentication service would have to simultaneously
assert several different identities.
6.12. Behavior of a Proxy Server
There are no additional requirements on a SIP proxy, other than to
transparently forward the SUBSCRIBE and NOTIFY requests as required
in SIP. This specification describes the proxy, authentication
service, and credential service as three separate services, but it is
certainly possible to build a single SIP network element that
performs all of these services at the same time.
7. Event Package Formal Definition for "credential"
7.1. Event Package Name
This document defines a SIP event package as defined in [RFC3265].
The event-package token name for this package is:
credential
7.2. SUBSCRIBE Bodies
This package does not define any SUBSCRIBE bodies.
7.3. Subscription Duration
Subscriptions to this event package can range from hours to one week.
Subscriptions in days are more typical and are RECOMMENDED. The
default subscription duration for this event package is one day.
The credential service SHOULD keep subscriptions active for UAs that
are currently registered.
Jennings & Fischl Standards Track [Page 12]
^L
RFC 6072 SIP Certificates February 2011
7.4. NOTIFY Bodies
An implementation compliant to this specification MUST support the
multipart/mixed type (see [RFC2046]). This allows a notification to
contain multiple resource documents including at a minimum the
application/pkix-cert body with the certificate and an application/
pkcs8 body that has the associated private key information for the
certificate. The application/pkcs8 media type is defined in
[RFC5958].
The absence of an Accept header in the SUBSCRIBE indicates support
for multipart/mixed and the content types application/pkix-cert and
application/pkcs8. If an Accept header is present, these types MUST
be included, in addition to any other types supported by the client.
The application/pkix-cert body is a Distinguished Encoding Rules
(DER)-encoded X.509v3 certificate [RFC2585]. The application/pkcs8
body contains a DER-encoded [RFC5958] object that contains the
private key. The PKCS #8 objects MUST be of type PrivateKeyInfo.
The integrity and confidentiality of the PKCS #8 objects are provided
by the TLS transport. The transport encoding of all the MIME bodies
is binary.
7.5. Subscriber Generation of SUBSCRIBE Requests
A Subscriber User Agent will subscribe to its credential information
for a period of hours or days and will automatically attempt to
re-subscribe before the subscription has completely expired.
The Subscriber SHOULD subscribe to its credentials whenever a new
user becomes associated with the device (a new login). The
Subscriber SHOULD also renew its subscription immediately after a
reboot, or when the Subscriber's network connectivity has just been
re-established.
The UA needs to authenticate with the credential service for these
operations. The UA MUST use TLS to directly connect to the server
acting as the credential service or to a server that is authoritative
for the domain of the credential service. The UA MUST NOT connect
through an intermediate proxy to the credential service. The UA may
be configured with a specific name for the credential service;
otherwise, normal SIP routing is used. As described in RFC 3261, the
TLS connection needs to present a certificate that matches the
Jennings & Fischl Standards Track [Page 13]
^L
RFC 6072 SIP Certificates February 2011
expected name of the server to which the connection was formed, so
that the UA knows it is talking to the correct server. Failing to do
this may result in the UA publishing its private key information to
an attacker. The credential service will authenticate the UA using
the usual SIP Digest mechanism, so the UA can expect to receive a SIP
challenge to the SUBSCRIBE or PUBLISH requests.
7.6. Notifier Processing of SUBSCRIBE Requests
When a credential service receives a SUBSCRIBE for a credential, the
credential service has to authenticate and authorize the UA, and
validate that adequate transport security is being used. Only a UA
that can authenticate as being able to register as the AOR is
authorized to receive the credentials for that AOR. The credential
service MUST challenge the UA to authenticate the UA and then decide
if it is authorized to receive the credentials. If authentication is
successful, the Notifier MAY limit the duration of the subscription
to an administrator-defined period of time. The duration of the
subscription MUST NOT be larger than the length of time for which the
certificate is still valid. The Expires header field SHOULD be set
so that it is not longer than the notAfter date in the certificate.
7.7. Notifier Generation of NOTIFY Requests
Once the UA has authenticated with the credential service and the
subscription is accepted, the credential service MUST immediately
send a Notify request. The authentication service is applied to this
NOTIFY request in the same way as the certificate subscriptions. If
the credential is revoked, the credential service MUST terminate any
current subscriptions and force the UA to re-authenticate by sending
a NOTIFY with its Subscription-State header field set to "terminated"
and a reason parameter set to "deactivated". (This causes a
Subscriber to retry the subscription immediately.) This is so that
if a secret for retrieving the credentials gets compromised, the
rogue UA will not continue to receive credentials after the
compromised secret has been changed.
Any time the credentials for this URI change, the credential service
MUST send a new NOTIFY to any active subscriptions with the new
credentials.
The notification MUST be sent over TLS so that it is integrity
protected, and the TLS needs to be directly connected between the UA
and the credential service with no intermediaries.
Jennings & Fischl Standards Track [Page 14]
^L
RFC 6072 SIP Certificates February 2011
7.8. Generation of PUBLISH Requests
A User Agent SHOULD be configurable to control whether it publishes
the credential for a user or just the user's certificate.
When publishing just a certificate, the body contains an application/
pkix-cert. When publishing a credential, the body contains a
multipart/mixed containing both an application/pkix-cert and an
application/pkcs8 body.
When the UA sends the PUBLISH [RFC3903] request, it needs to do the
following:
o The UA MUST use TLS to directly connect to the server acting as
the credential service or to a server that is authoritative for
the domain of the credential service. The UA MUST NOT connect
through an intermediate proxy to the credential service.
o The Expires header field value in the PUBLISH request SHOULD be
set to match the time for which the certificate is valid.
o If the certificate includes Basic Constraints, it SHOULD set the
cA boolean to false.
7.9. Notifier Processing of PUBLISH Requests
When the credential service receives a PUBLISH request to update
credentials, it MUST authenticate and authorize this request in the
same way as for subscriptions for credentials. If the authorization
succeeds, then the credential service MUST perform the following
checks on the certificate:
o The notBefore validity time MUST NOT be in the future.
o The notAfter validity time MUST be in the future.
o If a cA BasicConstraints boolean is set in the certificate, it is
set to FALSE.
If all of these succeed, the credential service updates the
credential for this URI, processes all the active certificates and
credential subscriptions to this URI, and generates a NOTIFY request
with the new credential or certificate. Note the SubjectAltName
SHOULD NOT be checked, as that would restrict which certificates
could be used and offers no additional security guarantees.
Jennings & Fischl Standards Track [Page 15]
^L
RFC 6072 SIP Certificates February 2011
If the Subscriber submits a PUBLISH request with no body and
Expires=0, this revokes the current credentials. Watchers of these
credentials will receive an update with no body, indicating that they
MUST stop any previously stored credentials. Note that subscriptions
to the certificate package are NOT terminated; each Subscriber to the
certificate package receives a notification with an empty body.
7.10. Subscriber Processing of NOTIFY Requests
When the UA receives a valid NOTIFY request, it should replace its
existing credentials with the new received ones. If the UA cannot
decrypt the PKCS #8 object, it MUST send a 437 (Unsupported
Certificate) response. Later, if the user provides a new password
phrase for the private key, the UA can subscribe to the credentials
again and attempt to decrypt with the new password phrase.
7.11. Handling of Forked Requests
This event package does not permit forked requests.
7.12. Rate of Notifications
Notifiers SHOULD NOT generate NOTIFY requests more frequently than
once per minute.
7.13. State Agents and Lists
The credential server described in this section which serves
credentials is a state agent, and implementations of the credential
server MUST be implemented as a state agent.
Implementers MUST NOT use the event list extension [RFC4662] with
this event type.
7.14. Behavior of a Proxy Server
The behavior is identical to behavior described for certificate
subscriptions in Section 6.12.
8. Identity Signatures
The [RFC4474] authentication service defined a signature algorithm
based on SHA-1 called rsa-sha1. This specification adds a signature
algorithm that is roughly the same but based on SHA-256 and called
rsa-sha256.
Jennings & Fischl Standards Track [Page 16]
^L
RFC 6072 SIP Certificates February 2011
When using the rsa-sha256 algorithm, the signature MUST be computed
in exactly the same way as described in Section 9 of [RFC4474] with
the exception that instead of using sha1WithRSAEncryption, the
computation is done using sha256WithRSAEncryption as described in
[RFC5754].
Implementations of this specification MUST implement both rsa-sha1
and rsa-sha256. The IANA registration for rsa-sha256 is defined in
Section 11.3.
9. Examples
In all of these examples, large parts of the messages are omitted to
highlight what is relevant to this document. The lines in the
examples that are prefixed by $ represent encrypted blocks of data.
9.1. Encrypted Page Mode Instant Message
In this example, Alice sends Bob an encrypted page mode instant
message. Alice does not already have Bob's public key from previous
communications, so she fetches Bob's public key from Bob's credential
service:
SUBSCRIBE sip:bob@biloxi.example.com SIP/2.0
...
Event: certificate
The credential service responds with the certificate in a NOTIFY.
NOTIFY alice@atlanta.example.com SIP/2.0
Subscription-State: active; expires=7200
....
From: <sip:bob@biloxi.example.com>;tag=1234
Identity: ".... stuff removed ...."
Identity-Info: <https://atlanta.example.com/cert>;alg=rsa-sha256
....
Event: certificate
Content-Type: application/pkix-cert
Content-Disposition: signal
< certificate data >
Jennings & Fischl Standards Track [Page 17]
^L
RFC 6072 SIP Certificates February 2011
Next, Alice sends a SIP MESSAGE to Bob and can encrypt the body using
Bob's public key as shown below.
MESSAGE sip:bob@biloxi.example.com SIP/2.0
...
Content-Type: application/pkcs7-mime
Content-Disposition: render
$ Content-Type: text/plain
$
$ < encrypted version of "Hello" >
9.2. Setting and Retrieving UA Credentials
When Alice's UA wishes to publish Alice's certificate and private key
to the credential service, it sends a PUBLISH request like the one
below. This must be sent over a TLS connection directly to the
domain of the credential service. The credential service presents a
certificate where the SubjectAltName contains an entry that matches
the domain name in the request line of the PUBLISH request and
challenges the request to authenticate her.
PUBLISH sips:alice@atlanta.example.com SIP/2.0
...
Event: credential
Content-Type: multipart/mixed;boundary=boundary
Content-Disposition: signal
--boundary
Content-ID: 123
Content-Type: application/pkix-cert
< Public certificate for Alice >
--boundary
Content-ID: 456
Content-Type: application/pkcs8
< Private Key for Alice >
--boundary
If one of Alice's UAs subscribes to the credential event, the
credential service will challenge the request to authenticate her,
and the NOTIFY will include a body similar to the one in the PUBLISH
example above.
Jennings & Fischl Standards Track [Page 18]
^L
RFC 6072 SIP Certificates February 2011
10. Security Considerations
The high-level message flow from a security point of view is
summarized in the following figure. The 200 responses are removed
from the figure, as they do not have much to do with the overall
security.
In this figure, authC refers to authentication and authZ refers to
authorization.
Alice Server Bob UA
| | TLS Handshake | 1) Client authC/Z server
| |<---------------->|
| | PUBLISH | 2) Client sends request
| |<-----------------| (write credential)
| | Digest Challenge | 3) Server challenges client
| |----------------->|
| | PUBLISH + Digest | 4) Server authC/Z client
| |<-----------------|
| | time... |
| | |
| | TLS Handshake | 5) Client authC/Z server
| |<---------------->|
| | SUBSCRIBE | 6) Client sends request
| |<-----------------| (read credential)
| | Digest Challenge | 7) Server challenges client
| |----------------->|
| | SUBSCRIBE+Digest | 8) Server authC/Z client
| |<-----------------|
| | NOTIFY | 9) Server returns credential
| |----------------->|
| |
| SUBSCRIBE | 10) Client requests certificate
|---------->|
| |
|NOTIFY+AUTH| 11) Server returns user's certificate and signs that
|<----------| it is valid using certificate for the domain
| |
When the UA, labeled Bob, first created a credential for Bob, it
would store this on the credential server. The UA authenticated the
server using the certificates from the TLS handshake. The server
authenticated the UA using a digest-style challenge with a shared
secret.
The UA, labeled Bob, wishes to request its credentials from the
server. First, it forms a TLS connection to the server, which
provides integrity and privacy protection and also authenticates the
Jennings & Fischl Standards Track [Page 19]
^L
RFC 6072 SIP Certificates February 2011
server to Bob's UA. Next, the UA requests its credentials using a
SUBSCRIBE request. The server challenges the SUBSCRIBE Request to
authenticate Bob's UA. The server and Bob's UA have a shared secret
that is used for this. If the authentication is successful, the
server sends the credentials to Bob's UA. The private key in the
credentials may have been encrypted using a shared secret that the
server does not know.
A similar process would be used for Bob's UA to publish new
credentials to the server. Bob's UA would send a PUBLISH request
containing the new credentials. When this happened, all the other
UAs that were subscribed to Bob's credentials would receive a NOTIFY
with the new credentials.
Alice wishes to find Bob's certificate and sends a SUBSCRIBE to the
server. The server sends the response in a NOTIFY. This does not
need to be sent over a privacy or integrity protected channel, as the
authentication service described in [RFC4474] provides integrity
protection of this information and signs it with the certificate for
the domain.
This whole scheme is highly dependent on trusting the operators of
the credential service and trusting that the credential service will
not be compromised. The security of all the users will be
compromised if the credential service is compromised.
Note: There has been significant discussion of the topic of
avoiding deployments in which the credential servers store the
private keys, even in some encrypted form that the credential
server does not know how to decrypt. Various schemes were
considered to avoid this, but they all result in either moving the
problem to some other server, which does not seem to make the
problem any better, or having a different credential for each
device. For some deployments where each user has only one device,
this is fine, but for deployments with multiple devices, it would
require that when Alice went to contact Bob, Alice would have to
provide messages encrypted for all of Bob's devices. The SIPPING
Working Group did consider this architecture and decided it was
not appropriate due both to the information it revealed about the
devices and users, and to the amount of signaling required to make
it work.
Jennings & Fischl Standards Track [Page 20]
^L
RFC 6072 SIP Certificates February 2011
This specification requires that TLS be used for the SIP
communications to place and retrieve a UA's private key. This
provides security in two ways:
1. Confidentiality is provided for the Digest Authentication
exchange, thus protecting it from dictionary attacks.
2. Confidentiality is provided for the private key, thus protecting
it from being exposed to passive attackers.
In order to prevent man-in-the-middle attacks, TLS clients MUST check
that the SubjectAltName of the certificate for the server they
connected to exactly matches the server they were trying to connect
to. The TLS client must be directly connected to the correct server;
otherwise, any intermediaries in the TLS path can compromise the
certificate and instead provide a certificate for which the attacker
knows the private key. This may lead the UA that relies on this
compromised certificate to lose confidential information. Failing to
use TLS or selecting a poor cipher suite (such as NULL encryption)
may result in credentials, including private keys, being sent
unencrypted over the network and will render the whole system
useless.
The correct checking of chained certificates as specified in TLS
[RFC5246] is critical for the client to authenticate the server. If
the client does not authenticate that it is talking to the correct
credential service, a man-in-the-middle attack is possible.
10.1. Certificate Revocation
If a particular credential needs to be revoked, the new credential is
simply published to the credential service. Every device with a copy
of the old credential or certificate in its cache will have a
subscription and will rapidly (order of seconds) be notified and
replace its cache. Clients that are not subscribed will subscribe
when they next need to use the certificate and will get the new
certificate.
It is possible that an attacker could mount a denial-of-service (DoS)
attack such that the UA that had cached a certificate did not receive
the NOTIFY with its revocation. To protect against this attack, the
UA needs to limit how long it caches certificates. After this time,
the UA would invalidate the cached information, even though no NOTIFY
had ever been received due to the attacker blocking it.
The duration of this cached information is in some ways similar to a
device deciding how often to check a Certificate Revocation List
(CRL). For many applications, a default time of one day is
Jennings & Fischl Standards Track [Page 21]
^L
RFC 6072 SIP Certificates February 2011
suggested, but for some applications it may be desirable to set the
time to zero so that no certificates are cached at all and the
credential is checked for validity every time the certificate is
used.
The UA MUST NOT cache the certificates for a period longer than that
of the subscription duration. This is to avoid the UA using invalid
cached credentials when the Notifier of the new credentials has been
prevented from updating the UA.
10.2. Certificate Replacement
The UAs in the system replace the certificates close to the time that
the certificates would expire. If a UA has used the same key pair to
encrypt a very large volume of traffic, the UA MAY choose to replace
the credential with a new one before the normal expiration.
10.3. Trusting the Identity of a Certificate
When a UA wishes to discover the certificate for
sip:alice@example.com, the UA subscribes to the certificate for
alice@example.com and receives a certificate in the body of a SIP
NOTIFY request. The term "original URI" is used to describe the URI
that was in the To header field value of the SUBSCRIBE request. So,
in this case, the original URI would be sip:alice@example.com.
If the certificate is signed by a trusted certification authority,
and one of the names in the SubjectAltName matches the original URI,
then this certificate MAY be used, but only for exactly the original
URI and not for other identities found in the SubjectAltName.
Otherwise, there are several steps the UA MUST perform before using
this certificate.
o The From header field in the NOTIFY request MUST match the
original URI that was subscribed to.
o The UA MUST check the Identity header field as described in the
Identity [RFC4474] specification to validate that bodies have not
been tampered with and that an authentication service has
validated this From header field.
o The UA MUST check the validity time of the certificate and stop
using the certificate if it is invalid. (Implementations are
reminded to verify both the notBefore and notAfter validity
times.)
Jennings & Fischl Standards Track [Page 22]
^L
RFC 6072 SIP Certificates February 2011
o The certificate MAY have several names in the SubjectAltName, but
the UA MUST only use this certificate when it needs the
certificate for the identity asserted by the authentication
service in the NOTIFY. This means that the certificate should
only be indexed in the certificate cache by the AOR that the
authentication service asserted and not by the value of all the
identities found in the SubjectAltName list.
These steps result in a chain of bindings that result in a trusted
binding between the original AOR that was subscribed to and a public
key. The original AOR is forced to match the From header field. The
authentication service validates that this request did come from the
identity claimed in the From header field value and that the bodies
in the request that carry the certificate have not been tampered
with. The certificate in the body contains the public key for the
identity. Only the UA that can authenticate as this AOR, or devices
with access to the private key of the domain, can tamper with this
body. This stops other users from being able to provide a false
public key. This chain of assertion from original URI, to From, to
body, to public key is critical to the security of the mechanism
described in this specification. If any of the steps above are not
followed, this chain of security will be broken and the system will
not work.
10.3.1. Extra Assurance
Although the certificates used with this document need not be
validatable to a trust anchor via PKIX [RFC5280] procedures,
certificates that can be validated may also be distributed via this
mechanism. Such certificates potentially offer an additional level
of security because they can be used with the secure (and partially
isolated) certification authority user verification and key issuance
toolset, rather than depending on the security of generic SIP
implementations.
When a relying party receives a certificate that is not self-signed,
it MAY attempt to validate the certificate using the rules in
Section 6 of [RFC5280]. If the certificate validates successfully
and the names correctly match the user's AOR (see Section 10.6), then
the implementation SHOULD provide some indication that the
certificate has been validated with an external authority. In
general, failure to validate a certificate via this mechanism SHOULD
NOT be used as a reason to reject the certificate. However, if the
certificate is revoked, then the implementation SHOULD reject it.
Jennings & Fischl Standards Track [Page 23]
^L
RFC 6072 SIP Certificates February 2011
10.4. SACRED Framework
This specification includes a mechanism that allows end users to
share the same credentials across different end-user devices. This
mechanism is based on the one presented in the Securely Available
Credentials (SACRED) Framework [RFC3760]. While this mechanism is
fully described in this document, the requirements and background are
more thoroughly discussed in [RFC3760].
Specifically, Sections 7.5, 7.6, and 7.9 follow the TLS with Client
Authentication (cTLS) architecture described in Section 4.2.2 of
[RFC3760]. The client authenticates the server using the server's
TLS certificate. The server authenticates the client using a SIP
Digest transaction inside the TLS session. The TLS sessions form a
strong session key that is used to protect the credentials being
exchanged.
10.5. Crypto Profiles
Credential services SHOULD implement the server name indication
extensions in [RFC4366]. As specified in [RFC5246], credential
services MUST support the TLS cipher suite
TLS_RSA_WITH_AES_128_CBC_SHA. In addition, they MUST support the TLS
cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 as specified in
[RFC5246]. If additional cipher suites are supported, then
implementations MUST NOT negotiate a cipher suite that employs NULL
encryption, integrity, or authentication algorithms.
Implementations of TLS typically support multiple versions of the
Transport Layer Security protocol as well as the older Secure Socket
Layer (SSL) protocol. Because of known security vulnerabilities,
clients and servers MUST NOT request, offer, or use SSL 2.0. See
Appendix E.2 of [RFC5246] for further details.
The PKCS #8 encryption in the clients MUST implement PBES2 with a key
derivation algorithm of PBKDF2 using HMAC. Clients MUST implement
this HMAC with both SHA-1 [RFC3370] and SHA-256 [RFC5754]. Clients
MUST implement an encryption algorithm of id-aes128-wrap-pad as
defined in [RFC5649]. Some pre-standard deployments of this
specification used DES-EDE2-CBC-Pad as defined in [RFC2898] so, for
some implementations, it may be desirable to also support that
algorithm. A different password SHOULD be used for the PKCS #8
encryption than is used for authentication of the client. It is
important to choose sufficiently strong passwords. Specific advice
on the password can be found in Section 6 of [RFC5959].
Jennings & Fischl Standards Track [Page 24]
^L
RFC 6072 SIP Certificates February 2011
10.6. User Certificate Generation
The certificates need to be consistent with [RFC5280]. The
sha1WithRSAEncryption and sha256WithRSAEncryption algorithms for the
signatureAlgorithm MUST be implemented. The Issuers SHOULD be the
same as the subject. Given the ease of issuing new certificates with
this system, the Validity field can be relatively short. A Validity
value of one year or less is RECOMMENDED. The SubjectAltName must
have a URI type that is set to the SIP URL corresponding to the user
AOR. It MAY be desirable to put some randomness into the length of
time for which the certificates are valid so that it does not become
necessary to renew all the certificates in the system at the same
time.
When creating a new key pair for a certificate, it is critical to
have appropriate randomness as described in [RFC4086]. This can be
challenging on some embedded devices, such as some IP phones, and
implementers should pay particular attention to this point.
It is worth noting that a UA can discover the current time by looking
at the Date header field value in the 200 response to a REGISTER
request.
10.7. Private Key Storage
The protection afforded private keys is a critical security factor.
On a small scale, failure of devices to protect the private keys will
permit an attacker to masquerade as the user or decrypt their
personal information. As noted in the SACRED Framework, when stored
on an end-user device, such as a diskette or hard drive, credentials
SHOULD NOT be in the clear. It is RECOMMENDED that private keys be
stored securely in the device, more specifically, encrypting them
using tamper-resistant hardware encryption and exposing them only
when required: for example, the private key is decrypted when
necessary to generate a digital signature, and re-encrypted
immediately to limit exposure in the RAM to a short period of time.
Some implementations may limit access to private keys by prompting
users for a PIN prior to allowing access to the private key.
Jennings & Fischl Standards Track [Page 25]
^L
RFC 6072 SIP Certificates February 2011
On the server side, the protection of unencrypted PKCS #8 objects is
equally important. Failure of a server to protect the private keys
would be catastrophic, as attackers with access to unencrypted
PKCS #8 objects could masquerade as any user whose private key was
not encrypted. Therefore, it is also recommended that the private
keys be stored securely in the server, more specifically, encrypting
them using tamper-resistant hardware encryption and exposing them
only when required.
FIPS 140-2 [FIPS-140-2] provides useful guidance on secure storage.
10.8. Compromised Authentication Service
One of the worst attacks against the Certificate Management Service
described in this document would be if the authentication service
were compromised. This attack is somewhat analogous to a
certification authority being compromised in traditional PKI systems.
The attacker could make a fake certificate for which it knows the
private key, use it to receive any traffic for a given use, and then
re-encrypt that traffic with the correct key and forward the
communication to the intended receiver. The attacker would thus
become a "man in the middle" in the communications.
There is not too much that can be done to protect against this type
of attack. A UA MAY subscribe to its own certificate under some
other identity to try to detect whether the credential server is
handing out the correct certificates. It will be difficult to do
this in a way that does not allow the credential server to recognize
the user's UA.
The UA MAY also save the fingerprints of the cached certificates and
warn users when the certificates change significantly before their
expiry date.
The UA MAY also allow the user to see the fingerprints of the cached
certificates so that they can be verified by some other out-of-band
means.
11. IANA Considerations
This specification defines two new event packages that IANA has added
to the "Session Initiation Protocol (SIP) Event Types Namespace"
registry.
Jennings & Fischl Standards Track [Page 26]
^L
RFC 6072 SIP Certificates February 2011
11.1. Certificate Event Package
To: ietf-sip-events@iana.org
Subject: Registration of new SIP event package
Package Name: certificate
Is this registration for a template-package: No
Published Specification(s): This document
New Event header parameters: This package defines no
new parameters
Person & email address to contact for further information:
Cullen Jennings <fluffy@cisco.com>
11.2. Credential Event Package
To: ietf-sip-events@iana.org
Subject: Registration of new SIP event package
Package Name: credential
Is this registration for a template-package: No
Published Specification(s): This document
Person & email address to contact for further information:
Cullen Jennings <fluffy@cisco.com>
11.3. Identity Algorithm
IANA added the following entry to the "Identity-Info Algorithm
Parameter Values" registry.
"alg" Parameter Name Reference
---------------------- ---------
rsa-sha256 [RFC6072]
12. Acknowledgments
Many thanks to Eric Rescorla, Russ Housley, Jim Schaad, Rohan Mahy,
and Sean Turner for significant help, discussion, and text. Many
others provided useful comments and text, including Kumiko Ono, Peter
Gutmann, Yaron Pdut, Aki Niemi, Magnus Nystrom, Paul Hoffman, Adina
Simu, Dan Wing, Mike Hammer, Pasi Eronen, Alexey Melnikov, Tim Polk,
John Elwell, Jonathan Rosenberg, and Lyndsay Campbell.
Jennings & Fischl Standards Track [Page 27]
^L
RFC 6072 SIP Certificates February 2011
13. References
13.1. Normative References
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet
Mail Extensions (MIME) Part Two: Media Types",
RFC 2046, November 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key
Infrastructure Operational Protocols: FTP and HTTP",
RFC 2585, May 1999.
[RFC3204] Zimmerer, E., Peterson, J., Vemuri, A., Ong, L., Audet,
F., Watson, M., and M. Zonoun, "MIME media types for
ISUP and QSIG Objects", RFC 3204, December 2001.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G.,
Johnston, A., Peterson, J., Sparks, R., Handley, M.,
and E. Schooler, "SIP: Session Initiation Protocol",
RFC 3261, June 2002.
[RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific
Event Notification", RFC 3265, June 2002.
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002.
[RFC3903] Niemi, A., "Session Initiation Protocol (SIP) Extension
for Event State Publication", RFC 3903, October 2004.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, August 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
Security (TLS) Protocol Version 1.2", RFC 5246,
August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 5280, May 2008.
Jennings & Fischl Standards Track [Page 28]
^L
RFC 6072 SIP Certificates February 2011
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086,
June 2005.
[RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen,
J., and T. Wright, "Transport Layer Security (TLS)
Extensions", RFC 4366, April 2006.
[RFC5754] Turner, S., "Using SHA2 Algorithms with Cryptographic
Message Syntax", RFC 5754, January 2010.
[RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption
Standard (AES) Key Wrap with Padding Algorithm",
RFC 5649, September 2009.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,
August 2010.
[RFC5959] Turner, S., "Algorithms for Asymmetric Key Package
Content Type", RFC 5959, August 2010.
13.2. Informative References
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898, September 2000.
[RFC3760] Gustafson, D., Just, M., and M. Nystrom, "Securely
Available Credentials (SACRED) - Credential Server
Framework", RFC 3760, April 2004.
[RFC3853] Peterson, J., "S/MIME Advanced Encryption Standard
(AES) Requirement for the Session Initiation Protocol
(SIP)", RFC 3853, July 2004.
[RFC4662] Roach, A., Campbell, B., and J. Rosenberg, "A Session
Initiation Protocol (SIP) Event Notification Extension
for Resource Lists", RFC 4662, August 2006.
[RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose
Internet Mail Extensions (S/MIME) Version 3.2 Message
Specification", RFC 5751, January 2010.
[FIPS-140-2] NIST, "Security Requirements for Cryptographic
Modules", May 2001, <http://csrc.nist.gov/publications/
fips/fips140-2/fips1402.pdf>.
Jennings & Fischl Standards Track [Page 29]
^L
RFC 6072 SIP Certificates February 2011
Authors' Addresses
Cullen Jennings
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134
USA
Phone: +1 408 421-9990
EMail: fluffy@cisco.com
Jason Fischl (editor)
Skype
3210 Porter Drive
Palo Alto, CA 94304
USA
Phone: +1-415-202-5192
EMail: jason.fischl@skype.net
Jennings & Fischl Standards Track [Page 30]
^L
|