[VOIPSEC] Identity Management and VoIP and More

Simon Horne s.horne at packetizer.com
Tue Jul 25 07:46:10 CDT 2006


Pankaj

The approach we have taken (since we have actually got this stuff to work) 
is not to try to determine the "true" identity but to 
develop a trust relationship (or a common security association) between the 
parties in a call/IM session. I think for the most part you just need to 
know the remote party can be verified and is trustworthy and not just a cold 
calling bot. Your softphone might be used by someone else, but at least you 
know that it's that person's phone.

Simon

At 10:09 AM 25/07/2006, Pankaj Shroff wrote:
>Limiting identity and authentication to devices only is not practical
>for softphones and IM/Voice applications. In these applications person
>(user) authentication becomes a requirement, as with any other
>application that accesses network stored data. One argument you can
>make is that leaving your desktop PC locked is a bad idea anyway - so
>if you lock the PC (OS level security) then you are safe from someone
>using your softphone/IM client. The flaw in that argument though is
>that as an application provider you are now pushing the security
>responsibilities on the OS provider. Where does the buck stop? The OS
>doesn't push these responsibilities on the PC manufacturer and neither
>do PC manufacturers pass this responsibility to the consumer. In the
>mobile phone world, this is an acceptable "punt" because mobile phones
>are a personal "ornament" not desktop metal. Also, this kind of
>argument does not address softphone and IM mobility, such as the
>ability to log in from any computer not just your own, to send
>messages/make phone calls. I think we are looking at two very
>different viewpoints here - one of the PC world which is not so
>personal and one of the device/handset world which is a lot more
>personal than it has ever been. In the larger picture however, it is
>my belief that user authentication is going to become imperative.
>
>Pankaj
>
>
>
>On 6/30/06, Lee Dilkie <lee_dilkie at mitel.com> wrote:
> >
> > I think that we would do ourselves a favour if we limited identity and
> > authentication discussions to device identity and not try and include
> > people identity. At the device level the only strong identity that we
> > can validate is, well, at the device level. In our case that is a dialed
> > number (DN) or a sip URL perhaps.
> >
> > That means that if I'm setting up a call with 1234, I need to ensure
> > that any security associations I negotiate with 1234 aren't tampered
> > with, that ongoing communications are secured and that call teardown is
> > also authenticated.  At the device level, that is the only information
> > we have to authenticate. If it turns out that Bob stole Fred's phone and
> > is using it, I think the responsibility for authenticating that lies
> > outside our scope.
> >
> > I'm not saying that person authentication isn't a bad idea, and certain
> > product markets (mobile phones) and some companies will implement
> > solutions. But we should adopt the "onion skin" approach to securing our
> > layer. Otherwise I fear we will get paralyzed by spiraling "what if"
> > scenarios.
> >
> > Personally, if I had to unlock my desk phone, I'd just heave it out the
> > window. :)
> >
> > -lee dilkie
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
>
>--
>Pankaj Shroff
>shroffG at Gmail.com