[VOIPSEC] (Missed)Trust in Caller ID Act
John Osmon
josmon at rigozsaurus.com
Sun Oct 15 06:45:24 BST 2006
On Sat, Oct 14, 2006 at 11:01:16AM -0400, Geoff Devine wrote:
[...]
> In this thread, we're watching the VoIP community howl in anguish about
> CallerID problems they created and are expected to fix. Most of the
> legacy telephony requirements are there for very good public policy
> reasons. In my opinion, it's a very poor engineering job to build
> something without first learning the full requirements.

Requirements change with time, and new protocols arise. Even the
PSTN has had some major overhauls over its 80+ years. Moving
from in-band to out-of-band signalling wasn't due to poor engineering,
it was due to the fact that requirements changed while the system
was in use. Systems are dynamic -- change is natural.

Why doesn't the current CallerID system have a contingency to deal
with situations where the CallerID info might be suspect? It
seems like an obvious requirement in hindsight. If it had been a
design requirement, we wouldn't have to worry about the poor
engineering that we're in the middle of now... (Those darn design
folks -- why couldn't they devine the problems we're facing?)

The security problem is that people need to be able to identify
callers. Current CallerID info is less than 100% accurate -- and VOIP
services depress the percentage further. We'll never get to 100%
accuracy, so we should concentrate on:

- improving the accuracy of CallerID info ("truth in CallerID" attempts
  to do this -- but is unlikely to be significant, for many reasons
  visited already on this mailing list)
- finding ways for end-users to identify each other in spite of
  poor accuracy of CallerID

The latter solutions are likely to work for calls on the PSTN, a VOIP
system, or when both are in use together. I think I'll put my money
on the solutions that can be extrapolated to multiple situations.