On Jul 2, 2008, at 1:18 PM, Paul Kyzivat wrote:
If we had a way to indicate that the identity is untrusted in the
display to the user, that might be acceptable.
BUT, we have a world full of devices that don't have an established
way to indicate that. So when the call ends up going to one of them,
there remains the choice of displaying the (untrusted) number with
no disclaimers, or not displaying it.
The PSTN world has the same issue. Their choice has typically been
to display it. That may have been justified once, when the phone
network was relatively closed and those with the ability to forge
their identity were few. Its no longer true, for a variety of
reasons. And we are making it increasingly less true.
Perhaps we just have to accept the fact that entirely untrusted
callerids will be displayed with no indication that they are
suspect. But that then devalues doing anything secure, since the
users won't be able to tell the difference.
DY> Perhaps this is where we need the device manufacturers to step in
and provide some UI indication that the identity *is* trusted. If we
think about the world of the web, people have gotten used to seeing
that there is a "lock" icon or a changed address bar when they go to a
"secure" website with the correct certificate. We can argue about how
many people actually check that icon or browser bar before doing their
online ordering or banking, but nonetheless it is there.
DY> I don't know that there's any way you can go back and retrofit old
devices to say something is *insecure* or *untrusted*, but it would
seem that for *new* devices as they are built in the future and
support the kinds of identity authentication discussed here it would
be possible to have a UI indication of a *trusted* identity. If one
of the market leaders were to do this with their IP phones or
softphones - and were to market this new capability, it might cause
others in the market to follow.
DY>Of course, the user experience would be better if this was a common
icon or symbol across vendors phones/user agents... and it gets
increasingly complicated as we aren't only connecting "phones" but
also other user agents, applications, servers, etc. Still, it would
seem that the logic would be rather simple "If the identity is
trusted, display this symbol". (A challenge, of course, is that many
IP devices have limited display space, and there is the issue of
perhaps also wanting a symbol to indicate that a call is *encrypted*.
A call could be encrypted, have a trusted identity or be *both*
encrypted and have a trusted identity.)
DY> It's not immediately clear to me that this is something that the
IETF can tackle (vendor UIs), but it might be something that another
industry organization like the SIP Forum could take on.
My 2 cents,
Dan
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation [EMAIL PROTECTED]
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
