[h323implementers] [Openh323gk-users] [Openh323gk-developer] Thoughts on H.323 encryption or Why your AES encryption might be worth nothing
jan at willamowius.de
Mon Sep 23 09:38:37 EDT 2013
Simon Perreault wrote:
> Le 2013-09-23 15:09, Jan Willamowius a écrit :
> > GnuGk currently checks the certificates signature (either against your
> > own CA or the public CAs you configure) and can also check if the IP
> > the call comes from matches the certificate.
> The weak point here is, and has always been, the necessary PKI
> infrastructure. Way too complex to set up and maintain.
> A way to untie this knot could be to use DANE, a protocol for verifying
> TLS certificates using self-published DNSSEC records. No need for a CA.
> There is this proposal for SIP, but one could easily imagine an H.323
I'd be happy to support DANE in GnuGk, but the current lack of PKI
infrastructure should not serve as an excuse not to implement TLS at
There are a lot of H.323 installations with a rather closed user group
that can happily live with their own private CA, except you can't get
any endpoints doing TLS at all...
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail : jan at willamowius.de
Relaxed Communications GmbH
Geschäftsführer: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
More information about the h323implementers