Archived
TD0106: Removing SDES/SRTP from FIA_X509_EXT.2
Publication Date
2016.09.22
Protection Profiles
PP_VOIP_V1.3
Other References
PP_VOIP_V1.3, FIA_X509_EXT.2.1
Issue Description
The FIA_X509_EXT.2 requirement mandates support for X.509 authentication for SDES-SRTP and TLS. SDES-SRTP is used to protect voice calls that are peer-to-peer (between client applications). There are no provisions for X.509 authentication within SDES-SRTP.
Resolution
Remove SDES/SRTP from the requirement:
FIA_X509_EXT.2.1 The [selection, choose at least one of: VoIP client application, client device platform] shall use X.509v3 certificates as defined by RFC 5280 to support authentication for SDES/SRTP, TLS, and [selection: code signing for software updates, code signing for software integrity verification, no additional uses].
Changed to:
FIA_X509_EXT.2.1 The [selection, choose at least one of: VoIP client application, client device platform] shall use X.509v3 certificates as defined by RFC 5280 to support authentication for TLS and [selection: code signing for software updates, code signing for software integrity verification, no additional uses].
Justification
X.509 authentication is used in the TLS connection that protects the SIP signaling messages, which pass the symmetric keys that are then used for the SDES-SRTP session.