> From: Hadriel Kaplan <[EMAIL PROTECTED]>
>
> > From: Dean Willis [mailto:[EMAIL PROTECTED]]
> >
> > If an identity server were to fully RFC 4474 "sign" a message from a PSTN, it's even possible that the identity server operator could be held legally liable for inaccuracy in the asserted identity. In other words, if a caller-ID spoofer made a call through the example.com gateway, and the example.com identity server attaches an Identity header on to the resulting INVITE that asserts the spoofed telephone number identity, then someone injured (defrauded) by the caller could claim negligence on the part of the example.com identity server and sue for damages.
>
> I'm pretty sure that's not possible. It's possible to sue the good guys, in the local country - but it's quite hard if not impossible for me to sue some enterprise in Thailand, for example. I don't know if verisign/thawte/etc. would give them a cert, but since we're not mandating specific "SIP 4474" certs and they can use the domain cert they legitimately got for web, I don't see how my UA is to know any better about theirs than softarmor.com's cert. (without whitelists)
>
> But more importantly, if you're thinking these things would truly have *legal* ramification, then my guess is no "good-guys" would touch signing with 4474 with a ten foot pole, ever. Do DKIM email signatures have such legal implications?

I think we're losing sight of the context...

*If* people who receive calls actually care about authenticating the identity of callers via SIP mechanisms (rather than by recognizing voices, or originating the call themselves, etc.), then they're going to start depending on RFC 4474, etc. And once they start depending on that, bad guys will start trying to exploit that dependency, especially by exploiting identity services that do not enforce identification effectively. Indeed, we can expect bad guys to set up identity services specifically for this purpose.

At that point, people will discover the hard way that some identity services are unreliable, so they will start whitelisting identity services and/or CAs that reliably enforce reliability on identity services. The sort of reputation that has wide public trust will come to be seen as a valuable asset, and identity services with that sort of reputation (of which there won't be many) will charge significant money for their services.

Within that context, a PSTN gateway will not routinely apply identification based on caller ID from an identity service which is widely trusted - they can't determine the identity well enough, and nobody is going to pay for it.
Now please excuse me, I have to go wire $10,000 to a government officer in Nigeria who needs it to finance the payment of a legacy to a distant cousin of mine. (I can trust him, his From identity was certified by the Nigerian government!)

Dale

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
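The receiving-side policy the thread converges on (verify the RFC 4474 Identity header, require the signer to be authoritative for the From domain, and only rely on identity services on a local whitelist) is sketched below as an added example. It is not code from the thread, from the IETF, or from any RFC 4474 implementation. It assumes a constructed INVITE, constructed domain names (example.com, gw.attacker.example), a constructed allow-list, and an HMAC with a per-domain secret as a stand-in for the domain certificate and rsa-sha1 signature that RFC 4474 actually uses; the digest-string layout (From|To|Call-ID|CSeq|Date|Contact|body) follows the RFC.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed allow-list: the identity services this verifying UA has chosen to
# rely on (the whitelisting the thread predicts). Any other signer is treated
# as though the request were unsigned.
TRUSTED_IDENTITY_DOMAINS = {"example.com"}

# Constructed stand-in for each domain's certificate. RFC 4474 signs the
# digest-string with the domain's RSA key (alg=rsa-sha1) and the verifier fetches
# the certificate named in Identity-Info; HMAC with a per-domain secret is used
# here only so the example runs without a CA or certificate store.
DOMAIN_KEYS = {
    "example.com": b"example.com-signing-secret",
    "gw.attacker.example": b"attacker-gateway-secret",
}


def parse_sip(raw: str):
    """Split a SIP request into ({lower-cased header name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def addr_spec(value: str) -> str:
    """Bare URI from a name-addr ('"Alice" <sip:a@x>;tag=1') or an addr-spec."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()


def uri_host(uri: str) -> str:
    """Host part of sip:user@host:port;params."""
    rest = uri.split(":", 1)[1] if ":" in uri else uri
    return rest.split("@", 1)[-1].split(";")[0].split(":")[0].lower()


def digest_string(headers, body: str) -> str:
    """RFC 4474 digest-string: From|To|Call-ID|CSeq|Date|Contact|body."""
    return "|".join([
        addr_spec(headers["from"]),
        addr_spec(headers["to"]),
        headers["call-id"],
        headers["cseq"],
        headers["date"],
        addr_spec(headers.get("contact", "")),
        body,
    ])


def _mac(domain: str, headers, body: str) -> bytes:
    """Stand-in signature over the digest-string (HMAC instead of rsa-sha1)."""
    return hmac.new(DOMAIN_KEYS[domain],
                    digest_string(headers, body).encode(), hashlib.sha256).digest()


def sign(raw: str, signer_domain: str) -> str:
    """Act as signer_domain's identity service: add Identity and Identity-Info."""
    headers, body = parse_sip(raw)
    identity = base64.b64encode(_mac(signer_domain, headers, body)).decode()
    head, sep, body = raw.partition("\r\n\r\n")
    head += (f'\r\nIdentity: "{identity}"'
             f"\r\nIdentity-Info: <https://{signer_domain}/cert.cer>")
    return head + sep + body


def verify(raw: str):
    """Return (accepted, reason) for the asserted From identity of a request."""
    headers, body = parse_sip(raw)
    if "identity" not in headers or "identity-info" not in headers:
        return False, "no Identity header: From is unverified"
    from_host = uri_host(addr_spec(headers["from"]))
    m = re.search(r"<([^>]+)>", headers["identity-info"])
    signer = urlparse(m.group(1)).hostname.lower() if m else ""
    # RFC 4474: the signer must be authoritative for the From domain, so a
    # gateway cannot vouch for numbers in a domain it does not own.
    if signer != from_host:
        return False, f"signer {signer} is not authoritative for {from_host}"
    # Local policy (the whitelist): only rely on identity services we trust.
    if signer not in TRUSTED_IDENTITY_DOMAINS:
        return False, f"identity service {signer} is not on the allow-list"
    presented = base64.b64decode(headers["identity"].strip('"'))
    if not hmac.compare_digest(_mac(signer, headers, body), presented):
        return False, "Identity signature does not cover these headers"
    return True, f"From vouched for by {signer}"


# Constructed INVITE in the style of the RFC 3261 examples (not a real capture).
INVITE = (
    "INVITE sip:bob@callee.example.net SIP/2.0\r\n"
    'From: "Alice" <sip:+15551234567@example.com>;tag=1928301774\r\n'
    "To: Bob <sip:bob@callee.example.net>\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
    "Contact: <sip:alice@pc33.example.com>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(verify(sign(INVITE, "example.com")))            # accepted
    print(verify(INVITE))                                 # unsigned
    print(verify(sign(INVITE, "gw.attacker.example")))    # wrong signer for From
```

The three rejections the verifier produces map onto the thread's concerns: an unsigned request gives no assurance at all; a gateway that signs a From it is not authoritative for is refused before any signature arithmetic; and a signer that is authoritative for its own throwaway domain still fails because it is not on the receiver's allow-list, which is the whitelisting Dale expects to emerge. A signature that no longer matches the headers (the From edited in transit) is caught last.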
