Just a quick note to say that I was supplied a specially modified version of a Yealink T28P a few weeks ago which has HTTPS certificates loaded into it.
There are two certificate chains, one is used by the provisioning server to verify the identity of the phone. The other is used by the phone to verify the identity of the server. There is a list of a few popular certificate signing authorities you can buy a certificate from for the server identity.
This two way identification is what is required for a truely secure provisioning system. It protects against attackers attempting to obtain SIP configuration from our servers and protects against DNS spoofing/poisoning attacks against your phones.
We sometimes get asked for HTTPS provisioning and of course it is pretty simple to implement. But without these certificates it is fairly useless. It does nothing to guarantee the identity of the server or the client.
At the moment this is a Beta test, we will be rolling out this provisioning option as soon as we can, in the next few weeks. It requires Yealink to start supplying phones with certificates pre-loaded at the factory and requires a certain (currently test-only) firmware version.
If any of this is of interest, please let us know.