[Free-RTC] QR codes, mobile SIP provisioning, TLS certs

Daniel Pocock daniel at pocock.pro
Fri Jul 8 10:02:23 CEST 2016



On 08/07/16 09:12, Olle E. Johansson wrote:
> 
>> On 07 Jul 2016, at 19:37, Daniel Pocock <daniel at pocock.pro> wrote:
>>
>> Every vendor of deskphones has their own provisioning system, they are
>> all quite different.  Some are quite effective, e.g. the way Polycom
>> puts certificates in every phone to avoid the risk of exposing
>> credentials during provisioning or subsequent updates.
> Polycom’s system was broken because there was no secure way
> to validate their root ca. It was only available from a non-TLS site
> and wasn’t referred to in any printed documentation, not on promotional
> USB sticks or anything…
> 
> Good idea, poor implementation. If they made it available on a web
> site with HTTPS it would have been much easier to trust the CA.
> 

For something like this, everybody who operates the provisioning system
would be able to create their own CA.  It may also work with public CAs
(e.g. those who issue email certificates).  Maybe we should include the
root certificate or the CN and hash of the root certificate in the
QR-code and then the provisioning client can verify it against the
certificate that is eventually issued?
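
The check proposed above, sketched as an added example that is not part of the original post or of any Free-RTC code: the operator puts the root CA's CN and SHA-256 hash in the QR text, and the client refuses any root that does not match. The `sipprov:` prefix, the field names and the function names are hypothetical, the CN is assumed to come from the caller's X.509 parser, and the sample bytes are a constructed stand-in for a DER certificate.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

PREFIX = "sipprov:?"  # hypothetical QR payload scheme, not a registered one

# Constructed stand-in for the DER bytes of an operator's root certificate.
SAMPLE_ROOT_DER = b"constructed placeholder for a DER-encoded root CA certificate"


class PinError(Exception):
    """The QR payload is malformed or does not carry a usable pin."""


def build_qr_payload(url, ca_cn, ca_der):
    """Operator side: text to encode in the QR code (CN plus SHA-256 of the root)."""
    fingerprint = hashlib.sha256(ca_der).hexdigest()
    return PREFIX + urlencode({"url": url, "ca_cn": ca_cn, "ca_sha256": fingerprint})


def parse_qr_payload(payload):
    """Client side: extract the pin, failing closed on anything unexpected."""
    if not payload.startswith(PREFIX):
        raise PinError("not a provisioning QR payload")
    try:
        fields = parse_qs(payload[len(PREFIX):], strict_parsing=True)
    except ValueError as exc:
        raise PinError("malformed QR payload") from exc
    pin = {}
    for key in ("url", "ca_cn", "ca_sha256"):
        values = fields.get(key, [])
        if len(values) != 1:  # missing or duplicated field
            raise PinError(f"field {key!r} must appear exactly once")
        pin[key] = values[0]
    # Accept "AA:BB:..." or plain hex, but only a full SHA-256 digest.
    digest = pin["ca_sha256"].replace(":", "").lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise PinError("ca_sha256 is not a SHA-256 fingerprint")
    pin["ca_sha256"] = digest
    return pin


def verify_root(pin, cert_der, cert_cn):
    """True only if the offered root matches both the pinned hash and the pinned CN.

    cert_cn is assumed to come from the caller's X.509 parser.
    """
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, pin["ca_sha256"]) and cert_cn == pin["ca_cn"]
```

Because the hash arrives through the QR code, the root certificate itself can be fetched over any channel and is still rejected if it was swapped in transit.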


