linphone-developers
Re: [Linphone-developers] setting up secure calling with linphone


From: Hans-Christoph Steiner
Subject: Re: [Linphone-developers] setting up secure calling with linphone
Date: Mon, 01 Dec 2014 22:53:27 +0100

I just had a thought, perhaps it makes sense to also use file associations
here, since that is mostly what works on desktops.  And they can also work on
Android too (donno about iOS).  So that would make the URLs:

   https://ostel.co/ostel.co.linphone-config
   https://linphone.org/linphone.org.linphone-config
   http://foo.bar/foo.bar.linphone-config

That looks like this on Android:

<intent-filter>
  <action android:name="android.intent.action.VIEW" />

  <category android:name="android.intent.category.DEFAULT" />
  <category android:name="android.intent.category.BROWSABLE" />

  <data android:host="*" />
  <data android:scheme="content" />
  <data android:scheme="file" />
  <data android:scheme="http" />
  <data android:scheme="https" />
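  <!-- In pathPattern, ".*" matches any run of characters (a bare "*" only
       repeats the character before it); the backslash is doubled because
       the XML string is unescaped once before it is read as a pattern. -->
  <data android:pathPattern=".*\\.linphone-config" />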
</intent-filter>

Then on desktop, linphone would claim .linphone-config, so opening
*.linphone-config would open linphone, which would parse that file.

.hc

Hans-Christoph Steiner:
> 
> I think it makes sense to use an https/http URI with a standard path.  That'll
> be the most widely understood by apps.  In Android, it is easy to implement a
> path pattern URI matcher.  I'd make it:
> 
>   https://ostel.co/linphone-config.xml
>   https://linphone.org/linphone-config.xml
>   http://foo.bar/linphone-config.xml
> 
> As in:
> 
> Then the Android pattern matcher looks like this:
> <intent-filter>
>   <action android:name="android.intent.action.VIEW" />
> 
>   <category android:name="android.intent.category.DEFAULT" />
>   <category android:name="android.intent.category.BROWSABLE" />
> 
>   <data android:host="*" />
>   <data android:scheme="http" />
>   <data android:scheme="https" />
>   <data android:pathPattern="/linphone-config\\.xml" />
> </intent-filter>
> 
> 
> As for your URI, I don't think this is the meaning you intended:
> linphone-config://http%3A//example.com/a.xml
> 
> It gives you a "hierarchical" URI with these parts:
>   scheme: linphone-config
>   authority: http%3A
>   path: /example.com/a.xml
> 
> I think you mean:
>   linphone-config:http%3A//example.com/a.xml
> 
> which gives you an "opaque" URI with these parts:
>   scheme: linphone-config
>   opaque-part: http%3A//example.com/a.xml
> 
> .hc
> 
> BIENKOWSKI Guillaume:
>> Re-back Hans,
>>
>> After tests, it appears that, at least on iOS, the Mail client won't parse
>> the linphone config URL scheme as a valid URL: none of these addresses are
>> displayed correctly in an email:
>>
>> linphone-config://http%3A//example.com/a.xml # escaped ":" in URL
>>
>> linphone-config://http%3A\/\/example.com/a.xml # escaped ":" and "/" in URL
>>
>> linphoneconfig://http%3A\/\/example.com/a.xml # escaped ":" and "/" and
>> removed the "-" in the scheme
>>
>> So for the provisioning, I think it is simply better either:
>> - to provide a trampoline URL (say, http://example.com/myprovisioning )
>> which issues a 302 REDIRECT to the actual linphone-config:// URL
>> - or to wrap the provisioning URL within an HTML email, in which <a
>> href="linphone-config://blabla">Provision My Linphone</a> is present
>>
>> What do you think?
>>
>>
>> *Guillaume BIENKOWSKI*
>>
>> *http://www.belledonne-communications.com/
>> <http://www.belledonne-communications.com/>*
>>
>> *sip:address@hidden <address@hidden>*
>>
>> On Mon, Dec 1, 2014 at 11:34 AM, BIENKOWSKI Guillaume <
>> address@hidden> wrote:
>>
>>> Hello back Hans,
>>>
>>> I checked the code in iOS to implement the url encoding as you suggested,
>>> and figured out that I was wrong in the first place, like you said.
>>>
>>> linphone-config-https://example.com/provisioning.xml
>>> or
>>> linphone-config-http://example.com/provisioning.xml
>>>
>>> We include the "http[s]://" into the URL spec for iOS.
>>>
>>> On android, the scheme is still linphone-config://, and after discussions
>>> here, we will adopt it with escaping across mobile platforms for
>>> consistency.
>>>
>>> I'll implement the changes on iOS, so you should expect the next release
>>> to be provisionable with an url like this:
>>>
>>> linphone-config://http%3A//example.com/conf.xml
>>>
>>> We will implement the decoding of the URL in Android as well, so next
>>> release should also be compatible.
>>>
>>> Thanks for your feedback!
>>>
>>> *Guillaume BIENKOWSKI*
>>>
>>> *http://www.belledonne-communications.com/
>>> <http://www.belledonne-communications.com/>*
>>>
>>> *sip:address@hidden <address@hidden>*
>>>
>>> On Fri, Nov 28, 2014 at 10:24 AM, Hans-Christoph Steiner <
>>> address@hidden> wrote:
>>>
>>>>
>>>> Android definitely supports registering URL schemes, it is a common thing for
>>>> an app to do. I'm happy to implement this once we get a couple details ironed
>>>> out.  First, the URI format should follow the RFCs about how to format URIs
>>>> (https://tools.ietf.org/html/rfc3986).  Otherwise, most apps like browsers,
>>>> etc. will not correctly parse it.  Apps will need to write custom code for
>>>> handling this URI, which kind of defeats the purpose of using a URI.  For
>>>> example, my email client only parsed this part as a clickable URI:
>>>>   https://example.org/provisioning.xml
>>>>
>>>> Here are the standard parts of a "hierarchical" URI (i.e. a URI that has "://"
>>>> in it):
>>>>   scheme://authority/path?querystring&key=value#feature
>>>>
>>>> The linphone config URI is incorrect because it has two schemes, which is not
>>>> allowed:
>>>>   linphone-config-https://https://example.org/provisioning.xml
>>>> i.e.
>>>>   scheme://scheme://authority/path
>>>>
>>>> If you want to embed a complete https URI in this config URI, then the
>>>> embedded URI will need to be encoded, so it could be something like:
>>>>   linphone-config:https%3A//example.org/provisioning.xml
>>>>
>>>> Using only ":" instead of "://" makes it an "opaque" URI, that just provides a
>>>> clickable blob of data.  But since the scheme already includes the protocol to
>>>> use ("https"), that can be used as the scheme:
>>>>   linphone-config-https://example.org/provisioning.xml
>>>>
>>>> One thing that the Android URI pattern matcher can do is match URIs based on
>>>> combinations of scheme, authority, and path. That means no special scheme is
>>>> needed. So something like this as a regex:
>>>>
>>>>   https://.*/sip-provisioning.xml
>>>>
>>>>
>>>> Great that you got things into transifex, we get a lot of volunteer
>>>> contributions from it.  I'll point the OTF translators towards your
>>>> Transifex.
>>>>
>>>> .hc
>>>>
>>>> BIENKOWSKI Guillaume:
>>>>> Hello Hans-Christopher,
>>>>>
>>>>> We recently set up a transifex account for all translations!
>>>>> https://www.transifex.com/organization/belledonne-communications
>>>>> You will be able to enhance the Russian version if your translators have
>>>>> the time to do it.
>>>>>
>>>>> For the remote provisioning, it is actually possible through the wizard. It
>>>>> is the last option in the list that you are presented at first boot, and
>>>>> the provisioning file is a simple XML derived from the format of the
>>>>> LinphoneRC file.
>>>>>
>>>>> A very simple example which should work for you:
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <config xmlns="http://www.linphone.org/xsds/lpconfig.xsd"
>>>>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>>         xsi:schemaLocation="http://www.linphone.org/xsds/lpconfig.xsd lpconfig.xsd">
>>>>>   <section name="proxy_default_values">
>>>>>     <entry name="reg_proxy">sip.linphone.org;transport=tls</entry>
>>>>>     <entry name="reg_route">sip.linphone.org;transport=tls;lr</entry>
>>>>>     <entry name="reg_identity">sip:address@hidden</entry>
>>>>>     <entry name="reg_expires">3600</entry>
>>>>>     <entry name="reg_sendregister">1</entry>
>>>>>   </section>
>>>>>   <section name="sip">
>>>>>     <entry name="media_encryption">zrtp</entry>
>>>>>   </section>
>>>>> </config>
>>>>>
>>>>> Just host an XML (or dynamically generate it) somewhere and send the URL to
>>>>> your user.
>>>>> There's even an automatic provisioning URI on iOS (I'm not sure for
>>>>> Android): clicking a link that starts with: linphone-config-https:// will
>>>>> automatically launch linphone and provision the URL passed as argument.
>>>>>
>>>>> For instance, you could send the user this link:
>>>>>
>>>>> linphone-config-https://https://example.org/provisioning.xml
>>>>>
>>>>> And if the user clicks on it from an email for instance, it will launch
>>>>> Linphone and grab the provisioning to set up linphone.
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>>
>>>>> *Guillaume BIENKOWSKI*
>>>>>
>>>>> *http://www.belledonne-communications.com/
>>>>> <http://www.belledonne-communications.com/>*
>>>>>
>>>>> *sip:address@hidden <address@hidden>*
>>>>>
>>>>> On Thu, Nov 27, 2014 at 11:45 AM, Hans-Christoph Steiner <
>>>>> address@hidden> wrote:
>>>>>
>>>>>>
>>>>>> I just wanted to relay some of my experience using Linphone as a secure
>>>>>> calling platform.  I just set up a bunch of people in Central and Eastern
>>>>>> Europe with https://ostel.co using Linphone on Android and iOS.  Overall, it
>>>>>> went quite smoothly.  There were just the three settings that needed to be
>>>>>> changed (TLS, Outbound Proxy, and ZRTP).  I think the biggest barrier to
>>>>>> people was the language.  For example, many Eastern Europeans would do better
>>>>>> with Russian than English, but English is second choice on Android if an app
>>>>>> doesn't have the current language.
>>>>>>
>>>>>> I've done a lot with Transifex, so I'm happy to help set that up. When you use
>>>>>> the 'transifex-client' app called 'tx', then it is really easy to sync the
>>>>>> files between git and Transifex. Also, the Open Tech Fund
>>>>>> (https://www.opentechfund.org/) has a pool of translators that we work with,
>>>>>> and I'd be happy to add linphone as an app that they translate.
>>>>>>
>>>>>> Based on this experience, I asked https://ostel.co to recommend Linphone for
>>>>>> Android and iOS.  I've been using Linphone for a while now on Android and it
>>>>>> seems to work well.
>>>>>>
>>>>>> In a related note, I saw that it is possible to provision Jitsi using a URL.
>>>>>> That would be awesome to have for Linphone as well.  For ostel, all that would
>>>>>> be needed is to set username, domain, TLS, Outbound Proxy, and ZRTP.  Maybe it
>>>>>> makes sense to also set the password via the URL.  Then the user would install
>>>>>> Linphone on their device, sign up on https://www.linphone.org or
>>>>>> https://ostel.co, then scan the QR Code, and make a call!
>>>>>>
>>>>>> If we managed to get linphone.org's SIP service setup matching OSTN standards
>>>>>> (solid TLS, good ZRTP support, privacy policy that describes logging, etc),
>>>>>> and federating with OSTN, then we could have the easy one-stop service to tell
>>>>>> people to use.  We can say "use linphone to make secure calls".
>>>>>>
>>>>>> .hc
>>>>>>
>>>>>> --
>>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Linphone-developers mailing list
>>>>>> address@hidden
>>>>>> https://lists.nongnu.org/mailman/listinfo/linphone-developers
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
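
Added example, not part of the thread and not Linphone code: Python showing how a handler for the opaque "linphone-config:" form discussed above can tell it apart from the hierarchical "://" form and validate the embedded URL before anything is fetched. The function name and the https-only, no-userinfo policy are assumptions.

```python
from urllib.parse import unquote, urlsplit

SCHEME = "linphone-config"  # scheme name used in the thread


def extract_provisioning_url(uri: str) -> str:
    """Return the https URL embedded in an opaque linphone-config: URI.

    Hypothetical helper; raises ValueError for every other input.
    """
    outer = urlsplit(uri)
    if outer.scheme != SCHEME:
        raise ValueError("not a linphone-config URI")
    # With "://" the URI is hierarchical, and the encoded scheme of the
    # embedded URL lands in the authority (e.g. "http%3A"), so reject it.
    if outer.netloc:
        raise ValueError(f"hierarchical form, authority is {outer.netloc!r}")
    # Opaque form: everything after the first ":" is the encoded URL.
    # Decode exactly once so doubly encoded input is rejected, not reread.
    inner = urlsplit(unquote(uri.split(":", 1)[1]))
    # Assumed policy: the link can come from any web page or e-mail, so the
    # provisioning file is only ever fetched over https from a named host.
    if inner.scheme != "https":
        raise ValueError(f"embedded scheme {inner.scheme!r} is not https")
    if not inner.hostname or inner.username or inner.password:
        raise ValueError("embedded URL needs a host and no userinfo")
    return inner.geturl()


if __name__ == "__main__":
    # Constructed inputs based on the URI shapes quoted in the thread.
    for candidate in (
        "linphone-config:https%3A//example.org/provisioning.xml",
        "linphone-config://http%3A//example.com/a.xml",
        "linphone-config:http%3A//example.com/a.xml",
    ):
        try:
            print("accept", extract_provisioning_url(candidate))
        except ValueError as err:
            print("reject", candidate, "->", err)
```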


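
Added example, not part of the thread and not Linphone code: a Python check that a provisioning file in the XML format quoted above actually carries the settings the thread names for secure calling (TLS transport on the proxy and route, ZRTP media encryption). The function names, the sample host sip.example.org and the exact pass/fail policy are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"lp": "http://www.linphone.org/xsds/lpconfig.xsd"}  # namespace from the thread

# Constructed sample in the quoted format; sip.example.org is a placeholder.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.linphone.org/xsds/lpconfig.xsd">
  <section name="proxy_default_values">
    <entry name="reg_proxy">sip.example.org;transport=tls</entry>
    <entry name="reg_route">sip.example.org;transport=tls;lr</entry>
  </section>
  <section name="sip">
    <entry name="media_encryption">zrtp</entry>
  </section>
</config>"""


def load_entries(xml_text: str) -> dict:
    """Map (section name, entry name) to the entry's text."""
    # Bytes input lets the parser honour the encoding declaration. The stdlib
    # parser is not hardened against hostile XML; use it on files you control.
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = {}
    for section in root.findall("lp:section", NS):
        for entry in section.findall("lp:entry", NS):
            key = (section.get("name"), entry.get("name"))
            entries[key] = (entry.text or "").strip()
    return entries


def audit(xml_text: str) -> list:
    """Return findings; an empty list means TLS and ZRTP are both set."""
    entries = load_entries(xml_text)
    findings = []
    for name in ("reg_proxy", "reg_route"):
        value = entries.get(("proxy_default_values", name), "")
        # SIP URI parameters follow the host, separated by ";".
        params = [p.strip().lower() for p in value.split(";")[1:]]
        if "transport=tls" not in params:
            findings.append(f"{name}: no transport=tls in {value!r}")
    encryption = entries.get(("sip", "media_encryption"), "")
    if encryption.lower() != "zrtp":
        findings.append(f"media_encryption is {encryption!r}, expected 'zrtp'")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "ok")
```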
