Great responses on this thread... replying to the last one:
On Jul 9, 2008, at 10:17 AM, Spencer Dawkins wrote:
So I'd expect a single indicator ("it's all secure") to see more
uptake than two indicators ("the signaling is/is not secure", "the
media is/is not secure").
DY> I agree that I don't think "normal users" out there care about (or
even know about) the differences between secure signaling and secure
media. If we were to ask them what makes a call "secure" they would
probably almost always think of the media. I think there is zero
value in distinguishing between secure signaling and media. It should
just be "secure" or "not secure" where "secure" equals both signaling
and media security.
DY> However, I wonder if there's a need for a separate indicator for
authenticated *identity*. If I'm in a meeting and a call comes in and
the "Caller ID" displayed on the screen is for my wife, I might want
to interrupt what I'm doing and answer the phone. If I have some
unethical salesperson on the other end who was masquerading as my
wife's caller ID, I'm going to be very upset.
DY> Likewise, when I call my bank and wind up in some call center, I
would like assurance that I *am* talking to my bank and not some other
call center that I was re-directed to.
DY> In those cases, I want to be sure of the *identity* and I'm
potentially less concerned about the "security" of the call (although
with a bank I hopefully am). Does this need to be a separate
indicator? Or could this fall into the same as the "secure"
indicator? I'm not sure. Given the woeful lack of implementation of
media encryption, I guess I could see more success of an identity
indicator being implemented than of a "secure" indicator.
On Jul 9, 2008, at 10:38 AM, David R Oran wrote:
I tend to agree, not just for simplicity, but to capture what people
really care about, which is in nearly all cases only three things,
and they are pretty tightly related:
- If I say something sensitive, is only the person/people I want to
hear it going to hear it.
- Is anybody overhearing what they are saying to me?
- Is either of us hearing anything neither of us said, or failing to
hear it due to manipulation of the communication channel.
DY> And "- Is the company/organization/person I am speaking with who I
think they are?" Obviously we can "authenticate" the voices of people
we know with our ears, but for large companies, call centers, etc. we
don't really have any way to do so.
Going onto this tangent however...
My personal preference is for something different from the lock icon
one sees in web browsers. Rather I like having a "go secure" button
on the phone that lights up green if the above conditions are met
and flashes or turns red if they are not. This allows either for the
light to come on in the few cases where everything works out at call
establishment time, or allows an attempt to secure the call via re-
invite, transfer, or whatever, during the call.
DY> And such a light would look far better in a spy movie! :-)
DY> Seriously, though, this does point out the challenge with "visual
indicators" and perhaps why they can never really be standardized. On
the "hard" IP phone on my desk, having a light like this suggestion
would be far better than having an icon on the small little display
screen that is there. (Yeah, I should get an IP phone with a larger/
nicer display.) But if I'm using a SIP softphone, what does that
light mean? There, you need an icon or something like that.
On Jul 9, 2008, at 9:17 AM, Paul Kyzivat wrote:
So, I'm leaning towards separating identity security from media
security, but I think I am willing to roll all media security
together.
DY> As I noted above, I agree.
For identity security, I'm thinking of possibly three cases:
- secure (e2e or via transitive trust with some rules TBD)
- secure to the PSTN (secure as above, to a PSTN gw)
- insecure (all the rest)
I would render this as some sort of annotation on the callerid
display.
(Colors, icon, etc.)
DY> Agreed.
For media security, I suppose the same three cases apply. This
would need to be rendered independently of the callerid display.
It might be in the media stream itself. (Ring tone?) If in
display, maybe it would be a lock, rendered in different colors -
but separate from the callerid.
DY> Interesting. I hadn't thought of the PSTN as a special case with
media encryption but of course it is. We can do end-to-end media
encryption from a SIP endpoint to the SIP-to-PSTN gateway but after
that it's unencrypted.
I think this is important because callerid is important to people,
and because there is probably a lot better chance of getting
secure callerid than secure media. Treating the PSTN as a special
case is clearly a hack. But again, it's probably an important hack
because people think they know what they are getting with the PSTN
(even if they are wrong), and trust it more than our newfangled
stuff. Also, for quite some time most calls are likely to have one
PSTN endpoint.
DY> Agreed.
Treating PSTN identity as totally insecure will distress people.
DY> (laughing) Wonderful statement! And very true. It continually
amazes me the degree to which people believe PSTN identity is solid
and reliable. But on one level, why not? The vast majority of people
out there have probably never received a PSTN call with a spoofed
Caller ID.
DY> That trust in the integrity of the PSTN identity will probably
remain until such time as the spammers start abusing it and people are
getting calls they think are from people they know.... and then over
time they realize that they can't trust Caller ID just like they can't
trust sender email addresses.
Regards,
Dan
P.S. Sadly, if you think about it, the components for abuse are very
readily available... an attacker could have a piece of malware on a PC
that grabs a user's Outlook address book (or similar address list) and
sends that to the attacker. The attacker could then call everyone in
that address book and use some VoIP server/system that lets the
attacker set the Caller ID to that of the original user. The
recipients think they are getting a call from someone they know and
answer... only to get some telemarketing pitch. The economic model is
probably not there yet for doing this, but you could see how it could
be done very easily on a *technical* level.
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation [EMAIL PROTECTED]
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip