[VOIPSEC] A different view on the nature of Phil Zimmermann's new work...

[Lucas Fisher]

Can you achieve the same as the goal below (privacy controlled by the 
end users) with something like MIKEY?  It passes a token in SDP. As long 
someone in the middle doesn't try to filter SDP or rewrite the messages, 
we should still be able to agree on a key?  I would think we could 
establish a mechanism with MIKEY that also allows us to establish a 
shared key on first contact and then always use something derived from 
that key for future sessions. I don't know MIKEY that well, however.

Lucas

dan_york at Mitel.com wrote:
> The point I took away is that if I have zFone installed as a shim on my 
> system and you have it on your system, we can establish a secure 
> encrypted VoIP call using our softphones *regardless* of what systems
> we may be using.  No PKI involved.  No central authority.  Probably with
> no knowledge of the usage by the phone systems involved.
>
> Very much like PGP and e-mail.  I can just PGP-encrypt a message to you
> and send it off using my e-mail client and my e-mail system here.  It
> will traverse the world of SMTP and whatever other protocols and servers
> are there and will get to you where you, and you alone[1], will be able 
> to decrypt it. 
>
> The fact that we used PGP to encrypt that e-mail was most likely 
> completely
> unknown to the vendors and system administrators of the e-mail systems 
> to which we are connected.  The only time it might be noticed would be 
> when a sysadmin was scanning reports about mail system usage and might, 
> perhaps, find some notation of messages that were unable to be examined.
>
> We chose to use PGP as private individuals.  We somehow originally 
> verified our PGP key fingerprints (perhaps, ironically, by reading a key
> fingerprint over the phone).  But it was our choice and something done 
> outside of the control of any of the systems we use or employers or 
> others.
>