Simon Perreault wrote:
On 2013-09-23 15:09, Jan Willamowius wrote:
GnuGk currently checks the certificate's signature (either against your own CA or the public CAs you configure) and can also check if the IP the call comes from matches the certificate.
The weak point here is, and has always been, the necessary PKI infrastructure. Way too complex to set up and maintain.
A way to untie this knot could be to use DANE, a protocol for verifying TLS certificates using self-published DNSSEC records. No need for a CA. There is this proposal for SIP, but one could easily imagine an H.323 equivalent:
I'd be happy to support DANE in GnuGk, but the current lack of PKI infrastructure should not serve as an excuse not to implement TLS at all.
There are a lot of H.323 installations with a rather closed user group that can happily live with their own private CA, except you can't get any endpoints doing TLS at all...
Regards, Jan
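For the DANE approach Simon raises, here is an added example (not from the thread and not GnuGk code) of the TLSA check a gatekeeper could run against a self-published DANE-EE record; the certificate bytes are a constructed stand-in, and the record is assumed to have been fetched through a DNSSEC-validating resolver.

```python
import hashlib
import hmac

# Constructed sample standing in for a DER-encoded end-entity certificate.
# Not a real certificate; any byte string exercises the hash comparison.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-der-certificate-bytes"


def tlsa_record_for(cert_der: bytes, usage: int = 3, selector: int = 0,
                    matching: int = 1) -> str:
    """Build the TLSA rdata an operator would publish for cert_der.

    usage 3    = DANE-EE: the record itself pins the end-entity cert, no CA.
    selector 0 = full certificate (1 = SubjectPublicKeyInfo; extracting SPKI
                 needs an ASN.1 parser, so only 0 is supported here).
    matching   = 0 raw data in hex, 1 SHA-256, 2 SHA-512.
    """
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported")
    if matching == 0:
        assoc = cert_der.hex()
    elif matching == 1:
        assoc = hashlib.sha256(cert_der).hexdigest()
    elif matching == 2:
        assoc = hashlib.sha512(cert_der).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching} {assoc}"


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Check a presented certificate against one TLSA rdata string.

    Assumes rdata came from a DNSSEC-validating resolver: an unsigned TLSA
    answer proves nothing and must be treated as no record at all.
    """
    try:
        usage, selector, matching, assoc = rdata.split()
        usage, selector, matching = int(usage), int(selector), int(matching)
        # Usages 0-2 need PKIX chain building; selector 1 needs ASN.1.
        # Both are out of scope, so only DANE-EE / full-cert records match.
        if usage != 3 or selector != 0:
            return False
        expected = tlsa_record_for(cert_der, usage, selector, matching).split()[3]
    except ValueError:
        return False
    # Constant-time compare so a malformed record can't leak hash prefixes.
    return hmac.compare_digest(expected.encode(), assoc.lower().encode())


if __name__ == "__main__":
    record = tlsa_record_for(SAMPLE_CERT_DER)
    print("publish:", record)
    print("matches:", tlsa_matches(SAMPLE_CERT_DER, record))
```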