[asterisk-users] OT: certificate for softphone

Olle E. Johansson oej at edvina.net
Sun Nov 14 01:34:05 CST 2010


On 10 Nov 2010, at 21:48, Hans Witvliet wrote:

> On Wed, 2010-11-10 at 08:38 +0100, Olle E. Johansson wrote:
>> On 6 Nov 2010, at 15:30, Hans Witvliet wrote:
>> 
>>> Hi all,
>>> 
>>> As stated in the subject, slightly off-topic, as it is not directly an
>>> Asterisk issue, but more SIP in general.
>>> 
>>> Because security in general, and specifically identification becomes
>>> more and more a subject for more concern, and Asterisk is capable of
>>> doing sip/TLS, I was wondering what more could be done to improve
>>> security.
>>> 
>>> Especially softphones, might it be possible to employ etokens or
>>> smartcards for holding the certificates needed by TLS?
>>> 
>>> Done before?
>> 
>> In the SIP protocol there is support for TLS client certificates, much like in HTTP. 
>> 
>> Asterisk doesn't support it. You need to put a SIP proxy like Kamailio in front of Asterisk to get this kind of strong authentication.
>> 
>> /O
> Am I that mistaken?
> 
> I got the impression** that sip-registration of a phone could be done in
> the same way as client-authentication on apache:
> On the server-side you got the certificate holding your public key which
> is signed by a trusted third party (the CA), while you hold your private
> key on a smartcard or token. If you start your browser you are prompted
> for your pin-code.
> 
> I was just hoping that there would be a softphone that could work the
> same way, two-factor authentication.
> 
I haven't seen any soft clients implementing this. Bria/Eyebeam may have it, but they've removed all TLS options from the GUI.

As I said, the SIP protocol supports it. Kamailio supports it on the server side. Now we need clients that support it.

Now we're talking about authentication. For identity assurance, there's another set of standards called SIP Identity where you use TLS to sign your identity.
The TLS is just between the phone and the first server. Identity is supposed to be something that follows the call to the callee.

/O
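
The setup described in this thread, a Kamailio proxy demanding TLS client certificates in front of Asterisk, could look like the fragment below; it is an added example, not configuration posted by anyone in the thread. The addresses (documentation ranges), file paths and the policy that the certificate CN must equal the SIP From user are assumptions made for illustration.

```cfg
# kamailio.cfg fragment (added example; addresses, paths and policy are assumptions)
enable_tls=yes
listen=tls:192.0.2.1:5061            # constructed documentation address

loadmodule "tls.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "pv.so"

# Proxy's own key pair, presented to the phone during the handshake
modparam("tls", "private_key", "/etc/kamailio/proxy-key.pem")
modparam("tls", "certificate", "/etc/kamailio/proxy-cert.pem")

# CA that issued the softphone certificates (hypothetical file)
modparam("tls", "ca_list", "/etc/kamailio/client-ca.pem")

# Weak setting: with require_certificate at 0 a client that sends no
# certificate still completes the handshake, so TLS only encrypts.
# Hardened setting: verify the chain and refuse clients without a certificate.
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

request_route {
    # Reject anything that did not arrive over TLS
    if (proto != TLS) {
        sl_send_reply("403", "TLS required");
        exit;
    }

    # Defense in depth: the handshake should already have enforced this
    if ($tls_peer_verified != 1) {
        sl_send_reply("403", "Client certificate not verified");
        exit;
    }

    # Bind the certificate to the SIP identity in use (assumed policy:
    # the certificate CN carries the SIP user name)
    if ($tls_peer_subject_cn != $fU) {
        sl_send_reply("403", "Certificate does not match From user");
        exit;
    }

    # Hand the authenticated request to Asterisk (constructed address)
    $du = "sip:192.0.2.10:5060";
    t_relay();
}
```

Asterisk should then accept SIP only from the proxy's address, otherwise clients can bypass the certificate check by contacting it directly.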