2011 March

A friend of mine, Jakob Schlyter, has not only been busy working on DNSSEC around the globe; he has also been co-writing a new draft in the IETF DANE working group. He blogs on kirei.se:

The working group’s first draft describes how to use DNSSEC to associate certificates with domain names for TLS. In this context, a certificate association is a secure binding between a DNS name, TLS/DTLS transport protocol (i.e., TCP, UDP or SCTP) and port number, and an end entity’s certificate or a certification authority’s certificate.

This proposal builds a distributed PKI on top of DNS. If you want to call me in the voip-forum.com domain, you will be able to fetch my certificate chain from DNS and set up a secure and trusted session. The current web PKI model delivers encryption, but few bother to check the identity of the other end, whether the certificate chain is trusted, or even whether a certificate has been revoked.
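As an added example (not from the draft or the kirei.se post), here is the check a SIP client would perform once it has the TLSA RRset: the owner name is built from port, transport and host, and the record’s association data is compared against the end-entity certificate or a CA certificate in the chain. It assumes the TLSA field layout as later standardized in RFC 6698, which postdates the 2011 draft, and uses constructed byte strings in place of real DER certificates.

```python
import hashlib
from dataclasses import dataclass

# Certificate usage values (RFC 6698, section 2.1.1).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # which chain certificate must match; 0/1 also need PKIX validation
    selector: int       # 0 = full certificate; 1 = SubjectPublicKeyInfo (not handled here)
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def tlsa_owner_name(host, port, transport):
    """Owner name of the TLSA RRset the client queries: _<port>._<transport>.<host>."""
    return f"_{port}._{transport.lower()}.{host.rstrip('.')}."


def association_data(cert_der, selector, matching_type):
    """Certificate association data a TLSA record carries for cert_der."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser")
    if matching_type == 0:
        return cert_der
    if matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def chain_matches(records, chain_der):
    """chain_der[0] is the end-entity certificate, the rest are CA certificates.
    Precondition not checked here: the RRset was DNSSEC-validated; an unsigned or
    bogus answer must be treated as if no TLSA records exist."""
    end_entity, cas = chain_der[0], chain_der[1:]
    for rec in records:
        candidates = [end_entity] if rec.usage in (PKIX_EE, DANE_EE) else cas
        for cert in candidates:
            try:
                if association_data(cert, rec.selector, rec.matching_type) == rec.data:
                    return True
            except (NotImplementedError, ValueError):
                continue  # unusable record: skip it, never count it as a match
    return False


# Constructed stand-ins for DER certificates (not real certificates).
CA_CERT = b"constructed-CA-certificate"
SIP_CERT = b"constructed-end-entity-cert"
RECORD = TLSARecord(DANE_EE, 0, 1, hashlib.sha256(SIP_CERT).digest())
```

For usages 0 and 1 the normal PKIX path validation still has to succeed in addition to the match; this block only implements the TLSA comparison itself.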

In SIP, we can do better and really kick off DANE. I will work on this and write more as I make progress in trying to understand the details.

For many years I have believed that DNSSEC is a platform that will change the trust model on the net. Now the spotlight is on ICANN, IANA and the TLD registries. Will they earn our trust? Will they be better than the current set of web CAs that someone else approved for all of us? If not, we will have to start building a distributed, trustworthy root soon. The technology is getting there, so the focus needs to move to the people and organizations that will be the new platform. These are interesting times. Let’s start discussing SIPdane and get a few implementations running soon!

During the last couple of months, I’ve been trying to understand how to migrate SIP to a world with dual stacks or IPv6-only stacks. To build momentum, I’ve started to create a repository of information on Edvina’s SIPv6 site. I’ve also started a new Twitter feed and a Facebook page. Please follow the project there.

Dan York of Voxeo encouraged this work even further by writing an article on the Voxeo blog called “Will You Join In Olle’s Crusade for VoIP and IPv6?” Great support – thanks, Dan!

I have been doing a lot of reading and trying to start discussions on various mailing lists, and I have gotten a lot of good feedback that I’m trying to digest. Here’s the summary from the latest page on the Edvina web:

I’m confused! My personal feeling is that there are many bits and pieces, many in expired drafts, that are needed to create a working solution. In addition, we need to create a happy-signalling solution that focuses on dual-stack call setup, using DNS to find the next hop, and possibly on Record-Route issues. For developers, this is all very confusing and time-consuming to understand and try to implement. It’s time to come up with clear guidelines.

Help me untangle this mess!