Re: [Linphone-developers] setting up secure calling with linphone


From: Hans-Christoph Steiner
Subject: Re: [Linphone-developers] setting up secure calling with linphone
Date: Mon, 01 Dec 2014 17:02:55 +0100

I think it makes sense to use an https/http URI with a standard path.  That'll
be the most widely understood by apps.  In Android, it is easy to implement a
path pattern URI matcher.  I'd make it:

  https://ostel.co/linphone-config.xml
  https://linphone.org/linphone-config.xml
  http://foo.bar/linphone-config.xml

As in:

Then the Android pattern matcher looks like this:
<intent-filter>
  <action android:name="android.intent.action.VIEW" />

  <category android:name="android.intent.category.DEFAULT" />
  <category android:name="android.intent.category.BROWSABLE" />

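  <!-- pathPattern is matched against the whole path, which begins with "/";
       "." is a wildcard there, so a literal dot is written "\\." -->
  <data android:host="*" />
  <data android:scheme="http" />
  <data android:scheme="https" />
  <data android:pathPattern="/linphone-config\\.xml" />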
</intent-filter>


As for your URI, I don't think this is the meaning you intended:
linphone-config://http%3A//example.com/a.xml

It gives you a "hierarchical" URI with these parts:
  scheme: linphone-config
  authority: http%3A
  path: /example.com/a.xml

I think you mean:
  linphone-config:http%3A//example.com/a.xml

which gives you an "opaque" URI with these parts:
  scheme: linphone-config
  opaque-part: http%3A//example.com/a.xml

.hc

BIENKOWSKI Guillaume:
> Re-back Hans,
> 
> After tests, it appears that, at least on iOS, the Mail client won't parse
> the linphone config URL scheme as a valid URL: none of these addresses are
> displayed correctly in an email:
> 
> linphone-config://http%3A//example.com/a.xml # escaped ":" in URL
> 
> linphone-config://http%3A\/\/example.com/a.xml # escaped ":" and "/" in URL
> 
> linphoneconfig://http%3A\/\/example.com/a.xml # escaped ":" and "/" and
> removed the "-" in the scheme
> 
> So for the provisioning, I think it is simply better either:
> - to provide a trampoline URL (say, http://example.com/myprovisioning )
> which issues a 302 REDIRECT to the actual linphone-config:// URL
> - or to wrap the provisioning URL within an HTML email, in which <a
> href="linphone-config://blabla">Provision My Linphone</a> is present
> 
> What do you think?
> 
> 
> *Guillaume BIENKOWSKI*
> 
> *http://www.belledonne-communications.com/
> <http://www.belledonne-communications.com/>*
> 
> *sip:address@hidden <address@hidden>*
> 
> On Mon, Dec 1, 2014 at 11:34 AM, BIENKOWSKI Guillaume <
> address@hidden> wrote:
> 
>> Hello back Hans,
>>
>> I checked the code in iOS to implement the url encoding as you suggested,
>> and figured out that I was wrong in the first place, like you said.
>>
>> linphone-config-https://example.com/provisioning.xml
>> or
>> linphone-config-http://example.com/provisioning.xml
>>
>> We include the "http[s]://" into the URL spec for iOS.
>>
>> On Android, the scheme is still linphone-config://, and after discussions
>> here, we will adopt it with escaping across mobile platforms for
>> consistency.
>>
>> I'll implement the changes on iOS, so you should expect the next release
>> to be provisionable with a URL like this:
>>
>> linphone-config://http%3A//example.com/conf.xml
>>
>> We will implement the decoding of the URL in Android as well, so next
>> release should also be compatible.
>>
>> Thanks for your feedback!
>>
>> *Guillaume BIENKOWSKI*
>>
>> *http://www.belledonne-communications.com/
>> <http://www.belledonne-communications.com/>*
>>
>> *sip:address@hidden <address@hidden>*
>>
>> On Fri, Nov 28, 2014 at 10:24 AM, Hans-Christoph Steiner <
>> address@hidden> wrote:
>>
>>>
>>> Android definitely supports registering URL schemes, it is a common thing
>>> for an app to do. I'm happy to implement this once we get a couple details
>>> ironed out.  First, the URI format should follow the RFCs about how to
>>> format URIs (https://tools.ietf.org/html/rfc3986).  Otherwise, most apps
>>> like browsers, etc. will not correctly parse it.  Apps will need to write
>>> custom code for handling this URI, which kind of defeats the purpose of
>>> using a URI.  For example, my email client only parsed this part as a
>>> clickable URI:
>>>   https://example.org/provisioning.xml
>>>
>>> Here are the standard parts of a "hierarchical" URI (i.e. a URI that has
>>> "://" in it):
>>>   scheme://authority/path?querystring&key=value#feature
>>>
>>> The linphone config URI is incorrect because it has two schemes, which is
>>> not allowed:
>>>   linphone-config-https://https://example.org/provisioning.xml
>>> i.e.
>>>   scheme://scheme://authority/path
>>>
>>> If you want to embed a complete https URI in this config URI, then the
>>> embedded URI will need to be encoded, so it could be something like:
>>>   linphone-config:https%3A//example.org/provisioning.xml
>>>
>>> Using only ":" instead of "://" makes it an "opaque" URI, that just
>>> provides a clickable blob of data.  But since the scheme already includes
>>> the protocol to use ("https"), that can be used as the scheme:
>>>   linphone-config-https://example.org/provisioning.xml
>>>
>>> One thing that the Android URI pattern matcher can do is match URIs based
>>> on combinations of scheme, authority, and path. That means no special
>>> scheme is needed. So something like this as a regex:
>>>
>>>   https://.*/sip-provisioning.xml
>>>
>>>
>>> Great that you got things into transifex, we get a lot of volunteer
>>> contributions from it.  I'll point the OTF translators towards your
>>> Transifex.
>>>
>>> .hc
>>>
>>> BIENKOWSKI Guillaume:
>>>> Hello Hans-Christopher,
>>>>
>>>> We recently set up a transifex account for all translations!
>>>> https://www.transifex.com/organization/belledonne-communications
>>>> You will be able to enhance the Russian version if your translators have
>>>> the time to do it.
>>>>
>>>> For the remote provisioning, it is actually possible through the wizard.
>>>> It is the last option in the list that you are presented at first boot,
>>>> and the provisioning file is a simple XML derived from the format of the
>>>> LinphoneRC file.
>>>>
>>>> A very simple example which should work for you:
>>>>
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <config xmlns="http://www.linphone.org/xsds/lpconfig.xsd"
>>>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>         xsi:schemaLocation="http://www.linphone.org/xsds/lpconfig.xsd lpconfig.xsd">
>>>>   <section name="proxy_default_values">
>>>>     <entry name="reg_proxy">sip.linphone.org;transport=tls</entry>
>>>>     <entry name="reg_route">sip.linphone.org;transport=tls;lr</entry>
>>>>     <entry name="reg_identity">sip:address@hidden</entry>
>>>>     <entry name="reg_expires">3600</entry>
>>>>     <entry name="reg_sendregister">1</entry>
>>>>   </section>
>>>>   <section name="sip">
>>>>     <entry name="media_encryption">zrtp</entry>
>>>>   </section>
>>>> </config>
>>>>
>>>> Just host an XML (or dynamically generate it) somewhere and send the URL
>>>> to your user.
>>>> There's even an automatic provisioning URI on iOS (I'm not sure for
>>>> Android): clicking a link that starts with: linphone-config-https:// will
>>>> automatically launch linphone and provision the URL passed as argument.
>>>>
>>>> For instance, you could send the user this link:
>>>>
>>>> linphone-config-https://https://example.org/provisioning.xml
>>>>
>>>> And if the user clicks on it from an email for instance, it will launch
>>>> Linphone and grab the provisioning to set up linphone.
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>>
>>>> *Guillaume BIENKOWSKI*
>>>>
>>>> *http://www.belledonne-communications.com/
>>>> <http://www.belledonne-communications.com/>*
>>>>
>>>> *sip:address@hidden <address@hidden>*
>>>>
>>>> On Thu, Nov 27, 2014 at 11:45 AM, Hans-Christoph Steiner <
>>>> address@hidden> wrote:
>>>>
>>>>>
>>>>> I just wanted to relay some of my experience using Linphone as a secure
>>>>> calling platform.  I just set up a bunch of people in Central and
>>>>> Eastern Europe with https://ostel.co using Linphone on Android and iOS.
>>>>> Overall, it went quite smoothly.  There were just the three settings
>>>>> that needed to be changed (TLS, Outbound Proxy, and ZRTP).  I think the
>>>>> biggest barrier to people was the language.  For example, many Eastern
>>>>> Europeans would do better with Russian than English, but English is
>>>>> second choice on Android if an app doesn't have the current language.
>>>>>
>>>>> I've done a lot with Transifex, so I'm happy to help set that up. When
>>>>> you use the 'transifex-client' app called 'tx', then it is really easy
>>>>> to sync the files between git and Transifex. Also, the Open Tech Fund
>>>>> (https://www.opentechfund.org/) has a pool of translators that we work
>>>>> with, and I'd be happy to add linphone as an app that they translate.
>>>>>
>>>>> Based on this experience, I asked https://ostel.co to recommend Linphone
>>>>> for Android and iOS.  I've been using Linphone for a while now on
>>>>> Android and it seems to work well.
>>>>>
>>>>> In a related note, I saw that it is possible to provision Jitsi using a
>>>>> URL.  That would be awesome to have for Linphone as well.  For ostel,
>>>>> all that would be needed is to set username, domain, TLS, Outbound
>>>>> Proxy, and ZRTP.  Maybe it makes sense to also set the password via the
>>>>> URL.  Then the user would install Linphone on their device, sign up on
>>>>> https://www.linphone.org or https://ostel.co, then scan the QR Code, and
>>>>> make a call!
>>>>>
>>>>> If we managed to get linphone.org's SIP service setup matching OSTN
>>>>> standards (solid TLS, good ZRTP support, privacy policy that describes
>>>>> logging, etc), and federating with OSTN, then we could have the easy
>>>>> one-stop service to tell people to use.  We can say "use linphone to
>>>>> make secure calls".
>>>>>
>>>>> .hc
>>>>>
>>>>> --
>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Linphone-developers mailing list
>>>>> address@hidden
>>>>> https://lists.nongnu.org/mailman/listinfo/linphone-developers
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>>
>>>
>>
>>
> 
> 
> 
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81


