[Free-RTC] QR codes, mobile SIP provisioning, TLS certs

Daniel Pocock daniel at pocock.pro
Fri Jul 8 10:15:18 CEST 2016



On 08/07/16 10:03, Olle E. Johansson wrote:
> 
>> On 08 Jul 2016, at 10:02, Daniel Pocock <daniel at pocock.pro> wrote:
>>
>>
>>
>> On 08/07/16 09:12, Olle E. Johansson wrote:
>>>
>>>> On 07 Jul 2016, at 19:37, Daniel Pocock <daniel at pocock.pro> wrote:
>>>>
>>>> Every vendor of deskphones has their own provisioning system, they are
>>>> all quite different.  Some are quite effective, e.g. the way Polycom
>>>> puts certificates in every phone to avoid the risk of exposing
>>>> credentials during provisioning or subsequent updates.
>>> Polycom’s system was broken because there was no secure way
>>> to validate their root CA. It was only available from a non-TLS site
>>> and wasn’t referred to in any printed documentation, not on promotional
>>> USB sticks or anything…
>>>
>>> Good idea, poor implementation. If they made it available on a web
>>> site with HTTPS it would have been much easier to trust the CA.
>>>
>>
>> For something like this, everybody who operates the provisioning system
>> would be able to create their own CA.  It may also work with public CAs
>> (e.g. those who issue email certificates).  Maybe we should include the
>> root certificate or the CN and hash of the root certificate in the
>> QR-code and then the provisioning client can verify it against the
>> certificate that is eventually issued?
> 
> I think I suggested that in a follow-up email :-)
> 

There you mentioned the fingerprint of the server cert, I was referring
to the root that will sign the client cert.  It may be the same root
signing the server cert too.
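
The check proposed in this thread, the root CA's hash carried in the QR code and compared with the root delivered alongside the issued client certificate, as an added example that is not part of the original message. The QR payload layout, the parameter names `ca_cn` and `ca_sha256` and the URL are hypothetical, and the certificate bytes are constructed stand-ins rather than real X.509.

```python
import hashlib
import hmac
import ssl
from urllib.parse import parse_qs, urlsplit

def parse_qr(payload):
    """Parse the hypothetical QR payload into provisioning URL + root CA pin."""
    parts = urlsplit(payload)
    if parts.scheme != "https":
        raise ValueError("provisioning URL must be https")
    query = parse_qs(parts.query)
    if "ca_cn" not in query or "ca_sha256" not in query:
        raise ValueError("QR code carries no root CA pin")
    # Accept 'AA:BB:..' or plain hex; normalise to 64 lowercase hex digits.
    fp = query["ca_sha256"][0].replace(":", "").lower()
    if len(fp) != 64 or set(fp) - set("0123456789abcdef"):
        raise ValueError("ca_sha256 is not a SHA-256 fingerprint")
    return {"url": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "ca_cn": query["ca_cn"][0],  # label only; not compared here
            "ca_sha256": fp}

def root_matches_pin(root_pem, pin):
    """True only if the delivered root is byte-for-byte the pinned one.

    The fingerprint is SHA-256 over the DER encoding. Verifying that the
    client certificate chains to this root is left to the TLS library.
    """
    der = ssl.PEM_cert_to_DER_cert(root_pem)
    return hmac.compare_digest(hashlib.sha256(der).hexdigest(),
                               pin["ca_sha256"])

# Constructed sample data: opaque bytes standing in for DER certificates.
ROOT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed operator root CA (DER)")
ROGUE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed substituted root (DER)")
_hex = hashlib.sha256(b"constructed operator root CA (DER)").hexdigest().upper()
QR = ("https://prov.example.org/enroll?ca_cn=Example+Provisioning+Root"
      "&ca_sha256=" + ":".join(_hex[i:i + 2] for i in range(0, 64, 2)))

if __name__ == "__main__":
    pin = parse_qr(QR)
    print("pinned root:", pin["ca_cn"], pin["ca_sha256"])
    print("operator root accepted:", root_matches_pin(ROOT_PEM, pin))
    print("substituted root accepted:", root_matches_pin(ROGUE_PEM, pin))
```

Comparing the `ca_cn` value with the certificate's subject needs an X.509 parser and is not shown; the hash comparison is what binds the QR code to one specific root.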

