RFC3261: SIP: 26.2.2 SIPS URI Scheme

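This article introduces the SIPS URI scheme, which follows the SIP URI syntax but emphasizes secure connections. SIPS requires TLS for encryption and recommends TLS_RSA_WITH_AES_128_CBC_SHA. The scheme also covers the use of SIPS in addresses-of-record, contact addresses and Route headers, as well as its differences from the traditional SIP URI scheme, such as transport independence and the handling of insecure transports.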


26.2.2 SIPS URI Scheme

   The SIPS URI scheme adheres to the syntax of the SIP URI (described in 19), although the scheme string is "sips" rather than "sip".  The semantics of SIPS are very different from the SIP URI, however.  SIPS allows resources to specify that they should be reached securely.


   A SIPS URI can be used as an address-of-record for a particular user - the URI by which the user is canonically known (on their business cards, in the From header field of their requests, in the To header field of REGISTER requests).  When used as the Request-URI of a request, the SIPS scheme signifies that each hop over which the request is forwarded, until the request reaches the SIP entity responsible for the domain portion of the Request-URI, must be secured with TLS; once it reaches the domain in question it is handled in accordance with local security and routing policy, quite possibly using TLS for any last hop to a UAS.  When used by the originator of a request (as would be the case if they employed a SIPS URI as the address-of-record of the target), SIPS dictates that the entire request path to the target domain be so secured.


   The SIPS scheme is applicable to many of the other ways in which SIP URIs are used in SIP today in addition to the Request-URI, including in addresses-of-record, contact addresses (the contents of Contact headers, including those of REGISTER methods), and Route headers.  In each instance, the SIPS URI scheme allows these existing fields to designate secure resources.  The manner in which a SIPS URI is dereferenced in any of these contexts has its own security properties which are detailed in [4].


   The use of SIPS in particular entails that mutual TLS authentication SHOULD be employed, as SHOULD the ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA.  Certificates received in the authentication process SHOULD be validated with root certificates held by the client; failure to validate a certificate SHOULD result in the failure of the request.


      Note that in the SIPS URI scheme, transport is independent of TLS, and thus "sips:alice@atlanta.com;transport=tcp" and "sips:alice@atlanta.com;transport=sctp" are both valid (although note that UDP is not a valid transport for SIPS).  The use of "transport=tls" has consequently been deprecated, partly because it was specific to a single hop of the request.  This is a change since RFC 2543.


   Users that distribute a SIPS URI as an address-of-record may elect to operate devices that refuse requests over insecure transports.
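
The transport rules and the refusal policy described above can be checked mechanically. The following is an added example, not part of RFC 3261 or of the original post; the function names `parse_uri`, `check_sips_uri` and `accept_request` are hypothetical, and the caller is assumed to know whether the hop a request arrived on was protected by TLS.

```python
# Added example: SIPS URI transport checks from RFC 3261 section 26.2.2.
# All function names here are hypothetical helpers, not a real library API.


def parse_uri(uri):
    """Split a SIP/SIPS URI into (scheme, userinfo, hostport, params)."""
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in ("sip", "sips"):
        raise ValueError("not a SIP or SIPS URI: %r" % uri)
    # userinfo may itself contain ';' or '?', so split it off first
    user, _, hostrest = rest.rpartition("@")
    hostrest = hostrest.split("?", 1)[0]      # drop any headers part
    hostport, *raw_params = hostrest.split(";")
    params = {}
    for p in raw_params:
        name, _, value = p.partition("=")
        params[name.lower()] = value.lower()
    return scheme, user, hostport, params


def check_sips_uri(uri):
    """Return 'ok', 'deprecated' or 'invalid' for the transport parameter."""
    scheme, _, _, params = parse_uri(uri)
    transport = params.get("transport")
    if transport == "tls":
        return "deprecated"   # hop-specific, deprecated (a change since RFC 2543)
    if scheme == "sips" and transport == "udp":
        return "invalid"      # UDP is not a valid transport for SIPS
    return "ok"               # e.g. tcp or sctp: transport is independent of TLS


def accept_request(request_uri, hop_secured_with_tls):
    """Device policy: refuse a request for a SIPS URI received over an insecure transport."""
    scheme, _, _, _ = parse_uri(request_uri)
    return not (scheme == "sips" and not hop_secured_with_tls)


if __name__ == "__main__":
    # Constructed sample URIs, based on the ones quoted in the section.
    for u in ("sips:alice@atlanta.com;transport=tcp",
              "sips:alice@atlanta.com;transport=sctp",
              "sips:alice@atlanta.com;transport=udp",
              "sips:alice@atlanta.com;transport=tls"):
        print(u, "->", check_sips_uri(u))
    print(accept_request("sips:alice@atlanta.com", hop_secured_with_tls=False))
```
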

