[h323implementers] [Openh323gk-users] [Openh323gk-developer] Thoughts on H.323 encryption or Why your AES encryption might be worth nothing

Jan Willamowius jan at willamowius.de
Mon Sep 23 09:38:37 EDT 2013

Simon Perreault wrote:
> Le 2013-09-23 15:09, Jan Willamowius a écrit :
> > GnuGk currently checks the certificate's signature (either against your
> > own CA or the public CAs you configure) and can also check if the IP
> > the call comes from matches the certificate.
> The weak point here is, and has always been, the necessary PKI
> infrastructure. Way too complex to set up and maintain.
> A way to untie this knot could be to use DANE, a protocol for verifying
> TLS certificates using self-published DNSSEC records. No need for a CA.
> There is this proposal for SIP, but one could easily imagine an H.323
> equivalent:
> https://tools.ietf.org/html/draft-johansson-dane-sip-00

I'd be happy to support DANE in GnuGk, but the current lack of PKI
infrastructure should not serve as an excuse not to implement TLS at

There are a lot of H.323 installations with a rather closed user group
that can happily live with their own private CA, except you can't get
any endpoints doing TLS at all...


Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail  : jan at willamowius.de
Website: http://www.gnugk.org
Support: http://www.willamowius.com/gnugk-support.html

Relaxed Communications GmbH
Frahmredder 91
22393 Hamburg
Geschäftsführer: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
USt-IdNr: DE286003584
