qoslab at gmail.com
Wed May 24 21:33:13 BST 2006
There is certainly a huge number of potential use cases of H235, but
CAT/Radius authentication is the easiest way from what I've seen yet. I
haven't seen many CPEs/softphones supporting more advanced modes of H235
authentication, and the same for AGK/SBC. But I would be interested in having
your feedback on this and sources/references of such devices/deployment.
And regarding the PKI, let me quote Zimmermann's draft on ZRTP, because I
have the same opinion; moreover, I originally am from the security field before
moving to VoIP/telecom. Note that this is my opinion for a carrier grade
deployment... I truly believe that a PKI for a small scale could remain
"A decade of industry experience has shown that deploying centrally
managed PKIs can be a painful and often futile experience. PKIs are
just too messy, and require too much activation energy to get them
started. Setting up a PKI requires somebody to run it, which is not
practical for an equipment provider. A service provider like a
carrier might venture down this path, but even then you have to deal
with cross-carrier authentication, certificate revocation lists, and
other complexities. It is much simpler to avoid PKIs altogether,
especially when developing secure commercial products."
On 5/22/06, Simon Horne <s.horne at packetizer.com> wrote:
> H.235 has a lot more than just CAT and Radius support; it can be used to
> embed user/pass, digital certificates, encrypted shared secret material into
> almost any H.323 message, which means that potentially any message (or all)
> can be authenticated or used for key exchange or both. It is quite legal to
> put a user/pass (H.235.1) and a PKI & Diffie-Hellman (H.235.2) in the same
> H.235 field of a single H.323 message to do 2 different functions:
> per-call admission control at the border element (with radius support) and
> end-to-end certificate based authentication and encryption.
> At 12:50 AM 22/05/2006, Qos Lab wrote:
> From what I've seen, Cisco-like implementation of H235 (search for H235
> CAT cisco access token) is very nice; moreover, you can have H235
> authentication through a Radius authentication server thanks to this
> On 5/10/06, *Simon Horne* <s.horne at packetizer.com> wrote:
> They are for the most part final drafts (and almost identical to the
> standards document) and free. They are kept up to date by a colleague who is
> closely associated with the ITU; all 'official' standards have to be
> purchased from the ITU.
> Also, a concise list of SIP-related RFCs is also available
> At 04:21 PM 10/05/2006, Michael Prochaska wrote:
> >But are these the official standards or only drafts for the year 2006?
> >I thought I had to pay for them...
> >Simon Horne wrote:
> >>The ITU last year changed the numbering system for the H.235 series from
> >>Annex D,E etc to H235.x notation.
> >>Basically the following were renamed
> >>H.235AnnexD -> H.235.1
> >>H.235AnnexE -> H.235.2
> >>A complete list of draft standards is available free from
> >>At 06:44 AM 10/05/2006, you wrote:
> >>>It would be great if there is anybody out there who can give me a short
> >>>overview of H.235.
> >>>Every time I read annex D, annex E, and so on. But on the ITU-T homepage
> >>>there are no annexes but substandards (H.235.1, ....).
> >>>I thought that the annexes became substandards, but I've read a
> >>>scientific paper from the year 2005 which speaks of annexes.... I'm
> >>>really confused
> >>>Thanks very much in advance,
> >>>Voipsec mailing list
> >>>Voipsec at voipsa.org