[VOIPSEC] Truths on "Truth in Caller ID Act"

Geoff Devine gdevine at cedarpointcom.com
Fri Oct 6 13:05:48 BST 2006


John Osmon <josmon at rigozsaurus.com> wrote:

> On Thu, Oct 05, 2006 at 11:08:05AM -0400, Geoff Devine wrote:
> > I see this as a trust federation.  [...]

> I like this trust federation idea.  But I also want to be able
> to use a non-trusted channel of communication, and use other
> means to establish trust (either in-band, or out-of-band).

From a 2500 set (analog telephone with DTMF tone dialing), you can
already implement this with a recorded announcement and entry of an
identifying digit string.  That's your lowest common denominator method
for establishing identity if you're calling from a pay phone or some
other unauthenticated location.  It's clunky but it works for people who
absolutely don't want to be disturbed by unknown callers.

> In reality, those other means will also be used by security
> conscious types even when they use the trusted channels. 
> They will understand that the truth federation can be spoofed
> in some fashion (although it may be more difficult to do than
> the ANI/CLI spoofing that started this conversation).

It's not so much that it can or cannot be spoofed.... It's that the
people hacking the network will be penalized.  Paris Hilton pays a stiff
fine and gets a [well-deserved] public spanking.  The company that
provided the service pays a stiff fine and gets yanked off the PSTN.  If
you enact public policy to make it illegal and actively enforce it,
it won't be much of a problem even though you can always breach security
no matter what active measures are taken to prevent it.

> More than anything, I'd like to ensure that the federation of
> trust (whatever its form) is *NOT* mandated by government.
> Let providers decide whether or not to implement it.  I'll
> choose a provider that works with the standards I care to use. 

Telephone service is a regulated monopoly.  If you want people in rural
and poor areas to pay hundreds of dollars per month for their service
and have no access to cellular service at all, go ahead and deregulate
it.  I think the scheme we have, though flawed, is fairly good public
policy.  Go look at the financial statement of any rural mom & pop telco
or one of the specialty cellular operators like Rural Cellular
Corporation.  They wouldn't exist without the subsidies they get from
the universal service fund.

Geoff


