Internet Engineering Task Force (IETF) V. Gurbani Request for Comments: 5922 Bell Laboratories, Alcatel-Lucent Updates: 3261 S. Lawrence Category: Standards Track ISSN: 2070-1721 A. Jeffrey Bell Laboratories, Alcatel-Lucent June 2010 Domain Certificates in the Session Initiation Protocol (SIP)
AbstractThis document describes how to construct and interpret certain information in a PKIX-compliant (Public Key Infrastructure using X.509) certificate for use in a Session Initiation Protocol (SIP) over Transport Layer Security (TLS) connection. More specifically, this document describes how to encode and extract the identity of a SIP domain in a certificate and how to use that identity for SIP domain authentication. As such, this document is relevant both to implementors of SIP and to issuers of certificates. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5922.
Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 1. Introduction ....................................................3 2. Terminology .....................................................3 2.1. Key Words ..................................................3 3. Problem Statement ...............................................3 4. SIP Domain to Host Resolution ...................................5 5. The Need for Mutual Interdomain Authentication ..................6 6. Certificate Usage by a SIP Service Provider .....................7 7. Behavior of SIP Entities ........................................8 7.1. Finding SIP Identities in a Certificate ....................8 7.2. Comparing SIP Identities ...................................9 7.3. Client Behavior ...........................................10 7.4. Server Behavior ...........................................11 7.5. Proxy Behavior ............................................12 7.6. Registrar Behavior ........................................12 7.7. Redirect Server Behavior ..................................12 7.8. Virtual SIP Servers and Certificate Content ...............12 8. Security Considerations ........................................13 8.1. Connection Authentication Using Digest ....................13 9. Acknowledgments ................................................14 10. References ....................................................14 10.1. Normative References .....................................14 10.2. Informative References ...................................15 Appendix A. Editorial Guidance (Non-Normative) ...................16 A.1. Additions .................................................16 A.2. Changes ...................................................16 A.2.1. Changes to Section 26.3.1 .............................16
RFC 5246  Transport Layer Security (TLS) is available in an increasing number of Session Initiation Protocol (SIP) RFC 3261  implementations. In order to use the authentication capabilities of TLS, certificates as defined by the Internet X.509 Public Key Infrastructure, see RFC 5280 , are required. Existing SIP specifications do not sufficiently specify how to use certificates for domain (as opposed to host) authentication. This document provides guidance to ensure interoperability and uniform conventions for the construction and interpretation of certificates used to identify their holders as being authoritative for the domain. The discussion in this document is pertinent to an X.509 PKIX- compliant certificate used for a TLS connection; this document does not define use of such certificates for any other purpose (such as Secure/Multipurpose Internet Mail Extensions (S/MIME)). RFC 2119 . Additional definition(s): SIP domain identity: An identity (e.g., "sip:example.com") contained in an X.509 certificate bound to a subject that identifies the subject as an authoritative SIP server for a domain. RFC 5280  X.509 Public Key Infrastructure to bind an identity or a set of identities, to the subject of an X.509 certificate. While RFC 3261 provides adequate guidance on the use of X.509 certificates for S/MIME, it is relatively silent on the use of such certificates for TLS. With respect to certificates for TLS, RFC 3261 (Section 26.3.1) says: Proxy servers, redirect servers, and registrars SHOULD possess a site certificate whose subject corresponds to their canonical hostname.
The security properties of TLS and S/MIME as used in SIP are different: X.509 certificates for S/MIME are generally used for end- to-end authentication and encryption; thus, they serve to bind the identity of a user to the certificate and RFC 3261 is sufficiently clear that in certificates used for S/MIME, the subjectAltName field will contain the appropriate identity. On the other hand, X.509 certificates used for TLS serve to bind the identities of the per-hop domain sending or receiving the SIP messages. However, the lack of guidelines in RFC 3261 on exactly where to put identities -- in the subjectAltName field or carried as a Common Name (CN) in the Subject field -- of an X.509 certificate created ambiguities. Following the accepted practice of the time, legacy X.509 certificates were allowed to store the identity in the CN field of the certificate instead of the currently specified subjectAltName extension. Lack of further guidelines on how to interpret the identities, which identity to choose if more than one identity is present in the certificate, the behavior when multiple identities with different schemes were present in the certificate, etc., lead to ambiguities when attempting to interpret the certificate in a uniform manner for TLS use. This document shows how the certificates are to be used for mutual authentication when both the client and server possess appropriate certificates, and normative behavior for matching the DNS query string with an identity stored in the X.509 certificate. Furthermore, a certificate can contain multiple identities for the subject in the subjectAltName extension (the "subject" of a certificate identifies the entity associated with the public key stored in the public key field). As such, this document specifies appropriate matching rules to encompass various subject identity representation options. And finally, this document also provides guidelines to service providers for assigning certificates to SIP servers. The rest of this document is organized as follows: the next section provides an overview of the most primitive case of a client using DNS to access a SIP server and the resulting authentication steps. Section 5 looks at the reason why mutual inter-domain authentication is desired in SIP, and the lack of normative text and behavior in RFC 3261 for doing so. Section 6 outlines normative guidelines for a service provider assigning certificates to SIP servers. Section 7 provides normative behavior on the SIP entities (user agent clients, user agent servers, registrars, redirect servers, and proxies) that need perform authentication based on X.509 certificates. Section 8 includes the security considerations.
RFC 3263  procedures on a URI, called the "Application Unique String (AUS)" (c.f. Section 8 of RFC 3263 ). These procedures take as input a SIP AUS (the SIP URI), extract the domain portion of that URI for use as a lookup key, and query the Domain Name Service (DNS) to obtain an ordered set of one or more IP addresses with a port number and transport corresponding to each IP address in the set (the "Expected Output"). If the transport indicates the use of TLS, then a TLS connection is opened to the server on a specific IP address and port. The server presents an X.509 certificate to the client for verification as part of the initial TLS handshake. The client extracts identifiers from the Subject and any subjectAltName extension in the certificate (see Section 7.1) and compares these values to the domain part extracted from the original SIP URI (the AUS). If any identifier match is found, the server is considered to be authenticated and subsequent signaling can now proceed over the TLS connection. Matching rules for X.509 certificates and the normative behavior for clients is specified in Section 7.3. As an example, consider a request that is to be routed to the SIP address "sips:firstname.lastname@example.org". This address requires a secure connection to the SIP domain "example.com" (the 'sips' scheme mandates a secure connection). Through a series of DNS manipulations, the domain name is mapped to a set of host addresses and transports. The entity attempting to create the connection selects an address appropriate for use with TLS from this set. When the connection is established to that server, the server presents a certificate asserting the identity "sip:example.com". Since the domain part of the SIP AUS matches the subject of the certificate, the server is authenticated (see Section 7.2 for the normative rules that govern this comparison). Session Initiation Protocol Secure (SIPS) borrows this pattern of server certificate matching from HTTPS. However, RFC 2818  prefers that the identity be conveyed as a subjectAltName extension of type dNSName rather than the common practice of conveying the identity in the CN field of the Subject field. Similarly, this document recommends that the SIP domain identity be conveyed as a subjectAltName extension of type uniformResourceIdentifier (c.f. Sections 6 and 7.1). A domain name in an X.509 certificates is properly interpreted only as a sequence of octets to be compared to the URI used to reach the host. No inference can be made based on the DNS name
hierarchy. For example, a valid certificate for "example.com" does not imply that the owner of that certificate has any relationship at all to "subname.example.com". Figure 1. Proxy-A.example.com Proxy-B.example.net +-------+ +-------+ | Proxy |--------------------| Proxy | +----+--+ +---+---+ | | | | | | | +---+ 0---0 | | /-\ |___| +---+ / / +----+ email@example.com firstname.lastname@example.org Figure 1: SIP Trapezoid A user, email@example.com, invites firstname.lastname@example.org for a multimedia communication session. Alice's outbound proxy, Proxy-A.example.com, uses normal RFC 3263  resolution rules to find a proxy -- Proxy- B.example.net -- in the example.net domain that uses TLS. Proxy-A actively establishes an interdomain TLS connection with Proxy-B and each presents a certificate to authenticate that connection. RFC 3261 , Section 22.214.171.124, "Interdomain Requests" states that when a TLS connection is created between two proxies: Each side of the connection SHOULD verify and inspect the certificate of the other, noting the domain name that appears in the certificate for comparison with the header fields of SIP messages. However, RFC 3261 is silent on whether to use the subjectAltName or CN of the certificate to obtain the domain name, and which takes precedence when there are multiple names identifying the holder of the certificate.
The authentication problem for Proxy-A is straightforward: in the certificate Proxy-A receives from Proxy-B, Proxy-A looks for an identity that is a SIP URI ("sip:example.net") or a DNS name ("example.net") that asserts Proxy-B's authority over the example.net domain. Normative behavior for a TLS client like Proxy-A is specified in Section 7.3. The problem for Proxy-B is slightly more complex since it accepts the TLS request passively. Thus, Proxy-B does not possess an equivalent AUS that it can use as an anchor in matching identities from Proxy-A's certificate. RFC 3261 , Section 126.96.36.199, only tells Proxy-B to "compare the domain asserted by the certificate with the 'domainname' portion of the From header field in the INVITE request". The difficulty with that instruction is that the domainname in the From header field is not always that of the domain from which the request is received. The normative behavior for a TLS server like Proxy-B that passively accepts a TLS connection and requires authentication of the sending peer domain is provided in Section 7.4.
distributes to its users SIP URIs whose domain portion corresponds to an identity for which the service provider has been issued a certificate. Section 7.1 describes how to extract a set of SIP identities from the certificate obtained from a TLS peer, and Section 7.2 specifies how to compare SIP identities. The remaining subsections provide context for how and when these rules are to be applied by entities in different SIP roles. RFC 5280 . As specified by RFC 5280 , Section 188.8.131.52, implementations MUST check for restrictions on certificate usage declared by any extendedKeyUsage extensions in the certificate. The SIP Extended Key Usage (EKU) document  defines an extendedKeyUsage for SIP. Given an X.509 certificate that the above checks have found to be acceptable, the following describes how to determine what SIP domain identity or identities the certificate contains. A single certificate can serve more than one purpose -- that is, the certificate might contain identities not acceptable as SIP, domain identities and/or might contain one or more identities that are acceptable for use as SIP domain identities. 1. Examine each value in the subjectAltName field. The subjectAltName field and the constraints on its values are defined in Section 184.108.40.206 of RFC 5280 . The subjectAltName field can be absent or can contain one or more values. Each value in the subjectAltName has a type; the only types acceptable for encoding a SIP domain identity SHALL be: URI If the scheme of the URI is not "sip", then the implementation MUST NOT accept the value as a SIP domain identity.
If the scheme of the URI value is "sip", and the URI value that contains a userpart (there is an '@'), the implementation MUST NOT accept the value as a SIP domain identity (a value with a userpart identifies an individual user, not a domain). If the scheme of the URI value is "sip", and there is no userinfo component in the URI (there is no '@'), then the implementation MUST accept the hostpart as a SIP domain identity. Note: URI scheme tokens are always case insensitive. DNS An implementation MUST accept a domain name system identifier as a SIP domain identity if and only if no other identity is found that matches the "sip" URI type described above. 2. If and only if the subjectAltName does not appear in the certificate, the implementation MAY examine the CN field of the certificate. If a valid DNS name is found there, the implementation MAY accept this value as a SIP domain identity. Accepting a DNS name in the CN value is allowed for backward compatibility, but when constructing new certificates, consider the advantages of using the subjectAltName extension field (see Section 6). The above procedure yields a set containing zero or more identities from the certificate. A client uses these identities to authenticate a server (see Section 7.3) and a server uses them to authenticate a client (see Section 7.4). RFC 4343 . Implementations MUST handle Internationalized Domain Names (IDNs) in accordance with Section 7.2 of RFC 5280 .
Implementations MUST match the values in their entirety: Implementations MUST NOT match suffixes. For example, "foo.example.com" does not match "example.com". Implementations MUST NOT match any form of wildcard, such as a leading "." or "*." with any other DNS label or sequence of labels. For example, "*.example.com" matches only "*.example.com" but not "foo.example.com". Similarly, ".example.com" matches only ".example.com", and does not match "foo.example.com". RFC 2818  (HTTP over TLS) allows the dNSName component to contain a wildcard; e.g., "DNS:*.example.com". RFC 5280 , while not disallowing this explicitly, leaves the interpretation of wildcards to the individual specification. RFC 3261  does not provide any guidelines on the presence of wildcards in certificates. Through the rule above, this document prohibits such wildcards in certificates for SIP domains. Section 4 for an overview). The SIP server, when establishing a TLS connection, presents its certificate to the client for authentication. The client MUST determine the SIP domain identities in the server certificate using the procedure in Section 7.1. Then, the client MUST compare the original domain portion of the SIP AUS used as input to the RFC 3263  server location procedures to the SIP domain identities obtained from the certificate. o If there were no identities found in the server certificate, the server is not authenticated. o If the domain extracted from the AUS matches any SIP domain identity obtained from the certificate when compared as described in Section 7.2, the server is authenticated for the domain. If the server is not authenticated, the client MUST close the connection immediately.
Section 8.1). If the local server policy requires client authentication for some local purpose, then one element of such a local policy might be to allow the connection only if the client is authenticated. For example, if the server is an inbound proxy that has peering relationships with the outbound proxies of other specific domains, the server might allow only connections authenticated as coming from those domains. When authenticating the client, the server MUST obtain the set of SIP domain identities from the client certificate as described in Section 7.1. Because the server accepted the TLS connection passively, unlike a client, the server does not possess an AUS for comparison. Nonetheless, server policies can use the set of SIP domain identities gathered from the certificate in Section 7.1 to make authorization decisions. For example, a very open policy could be to accept an X.509 certificate and validate the certificate using the procedures in RFC 5280 . If the certificate is valid, the identity set is logged. Alternatively, the server could have a list of all SIP domains the server is allowed to accept connections from; when a client presents its certificate, for each identity in the client certificate, the server searches for the identity in the list of acceptable domains to decide whether or not to accept the connection. Other policies that make finer distinctions are possible.
The decision of whether or not the authenticated connection to the client is appropriate for use to route new requests to the client domain is independent of whether or not the connection is authenticated; the connect-reuse  document discusses this aspect in more detail. Section 7.4 when authenticating a connection from a client. A proxy MUST use the procedures defined for a User Agent Client (UAC) in Section 7.3 when requesting an authenticated connection to a UAS. If a proxy adds a Record-Route when forwarding a request with the expectation that the route is to use secure connections, the proxy MUST insert into the Record-Route header a URI that corresponds to an identity for which the proxy has a certificate; if the proxy does not insert such a URI, then creation of a secure connection using the value from the Record-Route as the AUS will be impossible. Section 7.4. When the SIP registrar accepts a TLS connection from the client, the SIP registrar presents its certificate. Depending on the registrar policies, the SIP registrar can challenge the client with HTTP Digest. Section 7.4. RFC 4474 . Clients seeking to authenticate a server on such a virtual host can still follow the directions in Section 7.3 to find the identity matching the SIP AUS used to query DNS. Alternatively, if the TLS client hello "server_name" extension as defined in RFC 4366  is supported, the client SHOULD use that extension to request a certificate corresponding to the specific domain (from the SIP AUS) with which the client is seeking to establish a connection.
more messages on a particular transport connection as a way to authenticate the connection itself -- by implication, authenticating other (unauthenticated) messages on that connection. Some even choose to similarly authenticate a UDP source address and port based on the digest authentication of another message received from that address and port. This use of digest goes beyond the assurances that the Digest Authentication mechanism was designed to provide. A SIP implementation SHOULD NOT use the Digest Authentication of one message on a TCP connection or from a UDP peer to infer any authentication of any other messages on that connection or from that peer. Authentication of the domain at the other end of a connection SHOULD be accomplished using TLS and the certificate validation rules described by this specification instead.  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.  Eastlake, D., "Domain Name System (DNS) Case Insensitivity Clarification", RFC 4343, January 2006.  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, "Transport Layer Security (TLS) Extensions", RFC 4366, April 2006.  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
 Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.  Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002.  Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, August 2006.  Mahy, R., Gurbani, V., and B. Tate, "Connection Reuse in the Session Initiation Protocol", RFC 5923, June 2010.  Drage, K., "A Process for Handling Essential Corrections to the Session Initiation Protocol (SIP)", Work in Progress, July 2008.  Lawrence, S. and V. Gurbani, "Using Extended Key Usage (EKU) for Session Initiation Protocol (SIP) X.509 Certificates", RFC 5924, June 2010.
RFC 3261 in accordance with the SIP Working Group procedures described in  or its successor. This appendix provides guidance to the editor of the next comprehensive update to RFC 3261  on how to incorporate the changes provided by this document. 4 through 7 inclusive can be incorporated as subsections within a section that describes SIP domain authentication. The contents of Section 8.1 can be incorporated into the Security Considerations section of the new document. All normative references from this document can be carried forward to its successor. RFC 3261  that need to be modified in the successor document to align them with the content of this document. In each of the following, the token <domain-authentication> is a reference to the section added as described in Appendix A.1.