[VOIPSEC] A different view on the nature of Phil Zimmermann's new work... (Was Re: Phil Zimmerman to release VoIP Encryption Software(c.March))

mailinglist mailinglist at pbxnsip.com
Fri Feb 3 17:59:46 GMT 2006


My concern is that a new standard would send us "back to school" - for
years. Privacy of VoIP calls might not be sexy, but it is a must in
enterprise communications. I think everybody agrees that we don't have too
much time to get this problem fixed.

There was a discussion about end to end security and it seemed like
everybody agreed that S/MIME is not really the answer (too slow, picking up
fast is impossible). I would be interested in how ZRTP handles the fast
pickup (answer-after=0). 

Phil is not a beginner - neither technically nor on how to get stuff through
the politics of standard boards. That makes me think I should take a serious
look at that.

Another cent! Christian

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of dan_york at Mitel.com
> Sent: Friday, February 03, 2006 6:21 PM
> To: voipsec at voipsa.org
> Subject: [VOIPSEC] A different view on the nature of Phil 
> Zimmermann's new work... (Was Re: Phil Zimmerman to release 
> VoIP Encryption Software(c.March))
> 
> Christian & others,
> 
> It's been interesting to read this discussion and I'm pleased 
> to see the note about Phil Zimmermann's work entering the RFP 
> process.  I thought, though, that I'd just comment on what I 
> took away from his talk. It seemed to me that he is not 
> necessarily looking for this to be adopted by 
> companies/vendors/etc. but rather that he's focused on 
> *individual* security.  I go back to his quote that I pulled 
> out on the podcast blog:
> 
>    I would like to do for VoIP what I did for e-mail... I'd like to 
>    make it possible for you to whisper in someone's ear - even if 
>    their ear is thousands of miles away. 
> 
> The point I took away is that if I have zFone installed as a 
> shim on my system and you have it on your system, we can 
> establish a secure encrypted VoIP call using our softphones 
> *regardless* of what systems we may be using.  No PKI 
> involved.  No central authority.  Probably with no knowledge 
> of the usage by the phone systems involved.
> 
> Very much like PGP and e-mail.  I can just PGP-encrypt a 
> message to you and send it off using my e-mail client and my 
> e-mail system here.  It will traverse the world of SMTP and 
> whatever other protocols and servers are there and will get 
> to you where you, and you alone[1], will be able to decrypt it. 
> 
> The fact that we used PGP to encrypt that e-mail was most 
> likely completely unknown to the vendors and system 
> administrators of the e-mail systems to which we are 
> connected.  The only time it might be noticed would be when a 
> sysadmin was scanning reports about mail system usage and 
> might, perhaps, find some notation of messages that were 
> unable to be examined.
> 
> We chose to use PGP as private individuals.  We somehow 
> originally verified our PGP key fingerprints (perhaps, 
> ironically, by reading a key fingerprint over the phone).  
> But it was our choice and something done outside of the 
> control of any of the systems we use or employers or others.
> 
> This was what I understood of the nature of zFone.  Putting 
> the control of the encryption down into the hands of the 
> *individual* users so that they could have encrypted 
> conversations regardless of what type of VoIP system they 
> were connected to.
> 
> If I have that view correctly, then it wouldn't matter 
> whether any of the IP-PBX vendors or ITSPs or other providers 
> supported zFone or not[2].  As long as there was a way for 
> the SRTP stream from my softphone to get to yours (without 
> modification) - and as long as both of our softphones had the 
> zFone shim - we could have a secure conversation.
> 
> That is what I understood his proposal to be. Obviously until 
> we see the specifications that Alan Johnston mentioned are in 
> the works, all of this (how he would do it, who would support 
> it, what softphones it would work with, how successful it 
> would be, etc., etc.) is all mere speculation.
> 
> My 2 cents,
> Dan
> 
> 
> [1] Subject to your belief, of course, in the security of PGP 
> and whether or not various gov't entities can decrypt PGP, 
> but that's a topic for a different e-mail thread and not one 
> for this mailing list.
> 
> [2] In fact, I can think of issues like CALEA and "lawful intercept"
> and such that might prevent a carrier from even being able to 
> support this, even if they wanted to.  There would be no 
> central repository of keys and such and therefore no way to 
> decrypt the call. (like PGP, again)
> 
> --
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp.     http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication