matches the IMPI associated with the TLS Session ID. If the IMPIs match, then the P-CSCF shall forward this REGISTER message together with a TLS integrity protection indicator indicating the logical value "authentication complete".

- If the IMPI is not present in the REGISTER message the P-CSCF shall not include any TLS integrity protection indicator.

When the S-CSCF receives a REGISTER message with a TLS integrity protection indicator indicating the logical value "authentication complete" it may authenticate the user by means of SIP Digest, according to the local security policy of the S-CSCF.

When the S-CSCF receives a REGISTER message with no TLS integrity protection indicator the S-CSCF shall challenge the user by sending a SIP 401 Auth_Challenge.

If the UE considers the TLS session no longer active at the P-CSCF, e.g., after receiving no response to several protected messages, then the UE should send an unprotected REGISTER message. In this case, the S-CSCF shall determine the applicable authentication scheme according to Annex P.

O.5 TLS Certificate Profile and Validation

O.5.1 TLS Certificate

X.509 digital certificates shall be used for authentication in TLS. All X.509 certificates shall be signed by a trusted party. The certificates shall be profiled as specified in clause 6.1 in TS 33.310 [24] with the following additions:

- for TLS entity certificates:
  - CRL distribution point in the certificates shall not be mandatory.
  - The common name CN shall be the FQDN (Fully Qualified Domain Name) of the server. Only a single FQDN is allowed in the CN field.
  - The subjectAltName shall contain the FQDN (Fully Qualified Domain Name) of the server.
- for TLS CA certificates:
  - TLS CA certificates shall have no restriction in the issuer name.

3GPP TS 33.203 V12.67.0 (2014-0609) Release 12
O.5.2 Certificate validation

TLS certificates shall be verified as part of a certificate chain that chains up to a trusted Root certificate. The chain may contain intermediate Certification Authority (CA) certificates.

Usually the first certificate in the chain is not explicitly included in the certificate chain that is sent by the P-CSCF to the UE. In the cases where the first certificate is explicitly included, it shall already be known to the verifying party ahead of time and shall not contain any changes to the certificate, with the possible exception of the certificate serial number, validity period and the value of the signature. If changes other than the certificate serial number, validity period and the value of the signature exist in the root certificate that was sent by the P-CSCF to the UE in comparison to the known root certificate, the UE shall conclude that the certificate verification has failed.

UEs shall build the certificate chain and validate the TLS certificate according to the "Certification Path Validation" procedures described in RFC 5280 [52].

In general, X.509 certificates support a liberal set of rules for determining if the issuer name of a certificate matches the subject name of another. The rules are such that two name fields may be declared to match even though a binary comparison of the two name fields does not indicate a match. RFC 5280 [52]
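Added example (not part of TS 33.203 or of any 3GPP code): one way a UE could apply the O.5.2 rule for an explicitly included root certificate, comparing it with the known root and ignoring only the serial number, validity period and signature value. It uses a minimal DER reader so that it runs without third-party libraries; all function names and the constructed sample certificate are assumptions.

```python
# Added example for the O.5.2 root comparison; every name here is hypothetical.
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def comparable_fields(cert_der):
    """All fields except serialNumber, validity and signatureValue."""
    tag, body, end = read_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tbs, sig_alg, _sig_value = children(body)  # Certificate has three parts
    fields = children(tbs[1])
    off = 1 if fields[0][0] == 0xA0 else 0     # optional [0] version field
    kept = [f for i, f in enumerate(fields) if i not in (off, off + 3)]
    return kept, sig_alg

def root_matches_known(received_der, known_der):
    """True if the roots differ at most in serial, validity and signature value."""
    try:
        return comparable_fields(received_der) == comparable_fields(known_der)
    except (ValueError, IndexError):
        return False                           # malformed input: verification fails

def tlv(tag, content):                         # short-form encoder for the sample only
    return bytes([tag, len(content)]) + content

def make_cert(serial, not_after, subject, sig):
    """Constructed, certificate-shaped DER for the demo (not a valid certificate)."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)
              + tlv(0x30, b"") + name(b"Example Root") + tlv(0x30, tlv(0x17, not_after))
              + name(subject) + tlv(0x30, tlv(0x03, b"\x00pubkey")))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, sig))
```

The comparison is a byte-for-byte match of the remaining DER fields, so any change to issuer, subject, public key, extensions or signature algorithm makes the check fail.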