[VOIPSEC] A different view on the nature of Phil Zimmermann's new work... (Was Re: Phil Zimmerman to release VoIP Encryption Software(c.March))
mailinglist at pbxnsip.com
Fri Feb 3 17:59:46 GMT 2006
My concern is that a new standard would send us "back to school" - for
years. Privacy of VoIP calls might not be sexy, but it is a must in
enterprise communications. I think everybody agrees that we don't have too
much time to get this problem fixed.
There was a discussion about end to end security and it seemed like
everybody agreed that S/MIME is not really the answer (too slow, picking up
fast is impossible). I would be interested in how ZRTP handles the fast
Phil is not a beginner - neither technically nor on how to get stuff through
the politics of standard boards. That makes me think I should take a serious
look at that.
Another cent! Christian
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of dan_york at Mitel.com
> Sent: Friday, February 03, 2006 6:21 PM
> To: voipsec at voipsa.org
> Subject: [VOIPSEC] A different view on the nature of Phil
> Zimmermann's new work... (Was Re: Phil Zimmerman to release
> VoIP Encryption Software(c.March))
> Christian & others,
> It's been interesting to read this discussion and I'm pleased
> to see the note about Phil Zimmermann's work entering the RFP
> process. I thought, though, that I'd just comment on what I
> took away from his talk. It seemed to me that he is not
> necessarily looking for this to be adopted by
> companies/vendors/etc. but rather that he's focused on
> *individual* security. I go back to his quote that I pulled
> out on the podcast blog:
> I would like to do for VoIP what I did for e-mail... I'd like to
> make it possible for you to whisper in someone's ear - even if
> their ear is thousands of miles away.
> The point I took away is that if I have zFone installed as a
> shim on my system and you have it on your system, we can
> establish a secure encrypted VoIP call using our softphones
> *regardless* of what systems we may be using. No PKI
> involved. No central authority. Probably with no knowledge
> of the usage by the phone systems involved.
> Very much like PGP and e-mail. I can just PGP-encrypt a
> message to you and send it off using my e-mail client and my
> e-mail system here. It will traverse the world of SMTP and
> whatever other protocols and servers are there and will get
> to you where you, and you alone, will be able to decrypt it.
> The fact that we used PGP to encrypt that e-mail was most
> likely completely unknown to the vendors and system
> administrators of the e-mail systems to which we are
> connected. The only time it might be noticed would be when a
> sysadmin was scanning reports about mail system usage and
> might, perhaps, find some notation of messages that were
> unable to be examined.
> We chose to use PGP as private individuals. We somehow
> originally verified our PGP key fingerprints (perhaps,
> ironically, by reading a key fingerprint over the phone).
> But it was our choice and something done outside of the
> control of any of the systems we use or employers or others.
> This was what I understood of the nature of zFone. Putting
> the control of the encryption down into the hands of the
> *individual* users so that they could have encrypted
> conversations regardless of what type of VoIP system they
> were connected to.
> If I have that view correctly, then it wouldn't matter
> whether any of the IP-PBX vendors or ITSPs or other providers
> supported zFone or not. As long as there was a way for
> the SRTP stream from my softphone to get to yours (without
> modification) - and as long as both of our softphones had the
> zFone shim - we could have a secure conversation.
> That is what I understood his proposal to be. Obviously until
> we see the specifications that Alan Johnston mentioned are in
> the works, all of this (how he would do it, who would support
> it, what softphones it would work with, how successful it
> would be, etc., etc.) is all mere speculation.
> My 2 cents,
>  Subject to your belief, of course, in the security of PGP
> and whether or not various gov't entities can decrypt PGP,
> but that's a topic for a different e-mail thread and not one
> for this mailing list.
>  In fact, I can think of issues like CALEA and "lawful intercept"
> and such that might prevent a carrier from even being able to
> support this, even if they wanted to. There would be no
> central repository of keys and such and therefore no way to
> decrypt the call. (like PGP, again)
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp. http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
> Voipsec mailing list
> Voipsec at voipsa.org
More information about the Voipsec