In message <Pine.GSO.4.58.0502152015130.16931@clifden.donelan.com>, Sean Donelan writes:
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
Unfortunately, TFTP is the only protocol that many phone vendors implement -- and VoIP operators aren't happy about it. Some vendors have started implementing HTTP(S), but it's far from common at this point.
Wouldn't there be a fee to utilize https?
Only if you like giving $995 to Verisign for fancy SSL certificates.
Most https phones can use locally issued X.509 certificates for the download. Some use manufacturer-issued root certificates if you want to get fancy and use code signing, etc.
Not the same problem as Microsoft Internet Explorer trusting every root certificate in its cache. IP phones usually have a very short certificate trust list in the phone.
Precisely. You not only don't need a Verisign cert for this, you don't want one. The phone should trust the authorized operator, which bears no relationship to an identity that Verisign (or whomever) attests to.

The really interesting question, to me, is how to let users provision their phones to talk to the operator of their choice. The simplest solution is probably something like a SIM; it would contain the customer subscription data and the operator's CA certificate. Switching providers would be as simple as switching SIMs. (Of course, that assumes that this time we can avoid SIM-locking nonsense....)

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
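The trust model discussed in this thread, a phone whose trust list holds only its operator's locally issued CA, shown as an added example that is not part of the original messages. The operator names, the host name prov.example.invalid and the helper functions are hypothetical, and it assumes the OpenSSL 1.1.0 or later command-line tool.

```shell
#!/bin/sh
# Added illustration: two locally issued operator CAs, and a "phone" whose
# trust list contains exactly one of them. All names here are constructed.
WORK=$(mktemp -d)

# make_ca NAME: self-signed CA standing in for one operator's own root.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1 provisioning CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_server CA_NAME OUT: provisioning-server certificate signed by that CA.
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=prov.example.invalid" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# phone_trusts CA_NAME SERVER: succeeds only if SERVER chains to the single
# CA in the phone's trust list. -no-CApath keeps the system-wide directory
# of public roots out of the decision.
phone_trusts() {
    openssl verify -no-CApath -CAfile "$WORK/$1-ca.pem" \
        "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca operator-a
make_ca operator-b
issue_server operator-a server-a
issue_server operator-b server-b

# A phone provisioned for operator A accepts only operator A's server.
for s in server-a server-b; do
    if phone_trusts operator-a "$s"; then
        echo "$s: accepted"
    else
        echo "$s: rejected"
    fi
done
```

Swapping the file passed to `-CAfile` is the equivalent of swapping the SIM in the proposal above: the same phone then accepts operator B's server and rejects operator A's.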