[VOIPSEC] Identity Management and VoIP and More

Pankaj Shroff shroffg at gmail.com
Mon Jul 24 21:09:37 CDT 2006


Limiting identity and authentication to devices only is not practical
for softphones and IM/Voice applications. In these applications person
(user) authentication becomes a requirement, as with any other
application that accesses network stored data. One argument you can
make is that leaving your desktop PC locked is a bad idea anyway - so
if you lock the PC (OS level security) then you are safe from someone
using your softphone/IM client. The flaw in that argument though is
that as an application provider you are now pushing the security
responsibilities on the OS provider. Where does the buck stop? The OS
doesn't push these responsibilities on the PC manufacturer and neither
do PC manufacturers pass this responsibility to the consumer. In the
mobile phone world, this is an acceptable "punt" because mobile phones
are a personal "ornament" not desktop metal. Also, this kind of
argument does not address softphone and IM mobility, such as the
ability to log in from any computer not just your own, to send
messages/make phone calls. I think we are looking at two very
different viewpoints here - one of the PC world which is not so
personal and one of the device/handset world which is a lot more
personal than it has ever been. In the larger picture however, it is
my belief that user authentication is going to become imperative.

Pankaj



On 6/30/06, Lee Dilkie <lee_dilkie at mitel.com> wrote:
> I think that we would do ourselves a favour if we limited identity and
> authentication discussions to device identity and not try and include
> people identity. At the device level the only strong identity that we
> can validate is, well, at the device level. In our case that is a dialed
> number (DN) or a sip URL perhaps.
>
> That means that if I'm setting up a call with 1234, I need to ensure
> that any security associations I negotiate with 1234 aren't tampered
> with, that ongoing communications are secured and that call teardown is
> also authenticated.  At the device level, that is the only information
> we have to authenticate. If it turns out that Bob stole Fred's phone and
> is using it, I think the responsibility for authenticating that lies
> outside our scope.
>
> I'm not saying that person authentication isn't a bad idea, and certain
> product markets (mobile phones) and some companies will implement
> solutions. But we should adopt the "onion skin" approach to securing our
> layer. Otherwise I fear we will get paralyzed by spiraling "what if"
> scenarios.
>
> Personally, if I had to unlock my desk phone, I'd just heave it out the
> window. :)
>
> -lee dilkie


-- 
Pankaj Shroff
shroffG at Gmail.com