26.3.2.1 Registration

When a UA comes online and registers with its local administrative domain, it SHOULD establish a TLS connection with its registrar (Section 10 describes how the UA reaches its registrar). The registrar SHOULD offer a certificate to the UA, and the site identified by the certificate MUST correspond with the domain in which the UA intends to register; for example, if the UA intends to register the address-of-record 'alice@atlanta.com', the site certificate must identify a host within the atlanta.com domain (such as sip.atlanta.com). When it receives the TLS Certificate message, the UA SHOULD verify the certificate and inspect the site identified by the certificate. If the certificate is invalid, revoked, or if it does not identify the appropriate party, the UA MUST NOT send the REGISTER message and otherwise proceed with the registration.

When a valid certificate has been provided by the registrar, the UA knows that the registrar is not an attacker who might redirect the UA, steal passwords, or attempt any similar attacks.
The UA then creates a REGISTER request that SHOULD be addressed to a Request-URI corresponding to the site certificate received from the registrar. When the UA sends the REGISTER request over the existing TLS connection, the registrar SHOULD challenge the request with a 401 (Proxy Authentication Required) response. The "realm" parameter within the Proxy-Authenticate header field of the response SHOULD correspond to the domain previously given by the site certificate. When the UAC receives the challenge, it SHOULD either prompt the user for credentials or take an appropriate credential from a keyring corresponding to the "realm" parameter in the challenge. The username of this credential SHOULD correspond with the "userinfo" portion of the URI in the To header field of the REGISTER request. Once the Digest credentials have been inserted into an appropriate Proxy-Authorization header field, the REGISTER should be resubmitted to the registrar.
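The registration flow above, from the certificate check through the challenge to the resubmitted REGISTER, as an added example that is not part of the RFC text. All sample values are constructed: the keyring contents, the nonce, the Via/Call-ID/Contact values, and the choice of the certificate's host as the Request-URI are assumptions made for the example. The challenge parser accepts the Proxy-Authenticate form used in the text as well as the WWW-Authenticate form a 401 otherwise carries (RFC 3261 Section 22), and the last function shows the check the registrar performs on the resubmitted request.

```python
import hashlib
import re

# Constructed sample data for this example (not from the RFC text).
AOR = "alice@atlanta.com"
CERT_HOST = "sip.atlanta.com"  # host named in the registrar's TLS certificate (assumed)
KEYRING = {"atlanta.com": ("alice", "correct horse battery")}  # realm -> (username, password)
CHALLENGE = (
    "SIP/2.0 401 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Digest realm="atlanta.com", nonce="5ccc069c403ebaf9f0171e9517f40e41"\r\n'
    "Content-Length: 0\r\n\r\n"
)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def cert_host_matches_domain(cert_host: str, domain: str) -> bool:
    """The certificate must identify a host within the address-of-record's domain:
    equal to it or a subdomain of it (sip.atlanta.com is inside atlanta.com;
    atlanta.com.evil.example is not)."""
    h, d = cert_host.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def parse_challenge(response: str):
    """Return (challenge_header, params) for a Digest challenge, or (None, {})
    when the response carries no Digest challenge."""
    m = re.search(r"^(Proxy-Authenticate|WWW-Authenticate):\s*Digest\s+(.*?)\r?$",
                  response, re.M | re.I)
    if not m:
        return None, {}
    params = {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', m.group(2))}
    return m.group(1), params


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 Digest without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_register(aor: str, cert_host: str, challenge: str, keyring: dict) -> str:
    """Build the authenticated REGISTER the UA resubmits over the same TLS connection.

    Raises ValueError when the certificate does not identify the registration
    domain, when the challenge realm is not that domain, when the keyring has no
    credential for the realm, or when the credential's username is not the
    userinfo of the To URI."""
    user, domain = aor.split("@", 1)
    if not cert_host_matches_domain(cert_host, domain):
        raise ValueError(f"certificate host {cert_host!r} is not within {domain!r}; do not REGISTER")
    header, params = parse_challenge(challenge)
    realm = params.get("realm")
    if header is None or realm != domain:
        raise ValueError("challenge realm does not correspond to the certificate's domain")
    if realm not in keyring:
        raise ValueError(f"no credential in keyring for realm {realm!r}")
    username, password = keyring[realm]
    if username != user:
        raise ValueError("keyring username does not match the To URI userinfo")
    request_uri = f"sip:{cert_host}"  # assumption: Request-URI derived from the certificate host
    resp = digest_response(username, realm, password, "REGISTER", request_uri, params["nonce"])
    auth_header = "Proxy-Authorization" if header.lower() == "proxy-authenticate" else "Authorization"
    return (
        f"REGISTER {request_uri} SIP/2.0\r\n"
        "Via: SIP/2.0/TLS ua.example.invalid;branch=z9hG4bK-example\r\n"
        "Max-Forwards: 70\r\n"
        f"To: <sip:{aor}>\r\n"
        f"From: <sip:{aor}>;tag=example-tag\r\n"
        "Call-ID: example-call-id@ua.example.invalid\r\n"
        "CSeq: 2 REGISTER\r\n"
        f"Contact: <sip:{user}@ua.example.invalid;transport=tls>\r\n"
        f'{auth_header}: Digest username="{username}", realm="{realm}", '
        f'nonce="{params["nonce"]}", uri="{request_uri}", response="{resp}"\r\n'
        "Content-Length: 0\r\n\r\n"
    )


def registrar_verify(request: str, expected_nonce: str, keyring: dict) -> bool:
    """What the registrar checks on the resubmitted REGISTER: the nonce it issued,
    the realm and username it knows, the uri matching the Request-URI, and a
    digest recomputed from its own copy of the password."""
    method, uri, _ = request.split("\r\n", 1)[0].split(" ", 2)
    m = re.search(r"^(?:Proxy-)?Authorization:\s*Digest\s+(.*?)\r?$", request, re.M | re.I)
    if not m:
        return False
    p = {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', m.group(1))}
    if p.get("nonce") != expected_nonce or p.get("realm") not in keyring or p.get("uri") != uri:
        return False
    username, password = keyring[p["realm"]]
    if p.get("username") != username:
        return False
    return p.get("response") == digest_response(username, p["realm"], password, method, uri, p["nonce"])


if __name__ == "__main__":
    req = build_register(AOR, CERT_HOST, CHALLENGE, KEYRING)
    print(req)
    print("registrar accepts:", registrar_verify(req, parse_challenge(CHALLENGE)[1]["nonce"], KEYRING))
```

Because the digest binds the registrar's nonce into the response, a copy of the Proxy-Authorization value is useless against a fresh challenge; the TLS connection is what keeps the credential exchange itself from being observed in the first place.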
Since the registrar requires the user agent to authenticate itself, it would be difficult for an attacker to forge REGISTER requests for the user's address-of-record. Also note that since the REGISTER is sent over a confidential TLS connection, attackers will not be able to intercept the REGISTER to record credentials for any possible replay attack.
Once the registration has been accepted by the registrar, the UA SHOULD leave this TLS connection open provided that the registrar also acts as the proxy server to which requests are sent for users in this administrative domain. The existing TLS connection will be reused to deliver incoming requests to the UA that has just completed registration.
Because the UA has already authenticated the server on the other side of the TLS connection, all requests that come over this connection are known to have passed through the proxy server - attackers cannot create spoofed requests that appear to have been sent through that proxy server.
This article describes in detail how a user agent, when registering in its local administrative domain, interacts securely with the registrar over a TLS connection, covering certificate verification, the authentication challenge, and the measures that prevent replay attacks.