[VOIPSEC] Thoughts about OpenID as a means for SIP identification?

dan_york at Mitel.com dan_york at Mitel.com
Fri Feb 16 09:38:11 CST 2007


VOIPSEC members,

Something for folks to ponder on a Friday... do you see a role for OpenID 
in the SIP identification process?  Aswath Rao suggested exactly that a 
couple of weeks ago:

  http://www.mocaedu.com/mt/archives/000285.html

and he and I have had a little bit of an ongoing dialogue in email and 
podcast form (Jonathan and I discussed this on Blue Box #48 - 
http://www.blueboxpodcast.com/2007/01/blue_box_48_the.html - and the 
yet-to-be-released Blue Box #51) and I'm still pondering it myself.  With 
all the press that OpenID has been getting with the announcement in Bill 
Gates' keynote at RSA that Microsoft would be supporting OpenID, I'm 
curious to know what others think.   (And today's announcement from AOL 
that they just enabled all 63 million AOL and AIM accounts to also work as 
an OpenID: http://www.disruptivetelephony.com/2007/02/aol_openid_63_m.html 
)

Is there a role for OpenID in VoIP?  And specifically in SIP?

If you have no clue what OpenID is, the idea is basically that you could 
have one ID (or a couple, if you choose) that you could use to log in to any 
website instead of logging in separately.  A number of blogging platforms 
and sites have now enabled this, and there are an increasing number of sites 
where you can log in with your OpenID.  It's a decentralized system where 
there is no central authority... rather you obtain an OpenID from an 
identity provider, which could be any of a large number of providers. 

Here's a great screencast that explains the concept:

  http://simonwillison.net/2006/openid-screencast/

The main OpenID website at http://www.openid.net/ also has a great amount 
of information.  As a background into these identity issues in general, 
Dick Hardt over at SXIP Identity gave a good talk at ETech 2006 called 
"Who is the Dick on your site?" that goes into identity issues in general 
(and does get into SXIP-specific stuff toward the end):

  http://identity20.com/media/ETECH_2006/

So Aswath's question is - could OpenID be used in the SIP message 
initiation process as a potential way to authenticate (or not) the sender. 
Aswath writes (and "OP" stands for "OpenID Provider"):

> The initiator of a session can include the validation response it
> received from OP to the SIP INVITE message as a MIME encoded parameter.
> The recipient then can use the content of the parameter to authenticate
> it with OP. If the initiator did not include this parameter, but the
> recipient prefers to authenticate the initiator, the SIP protocol could
> be extended so that the recipient can request the authentication
> information by sending an INFO message.

What do folks think?  As I'm still exploring OpenID myself, I'm not 
entirely sure how it would precisely work... most OpenID implementations 
to date seem to require you to grant another party access to your ID 
before that party can see it - but that request is initiated by the site to 
which you are connecting, which seems to me would introduce another step 
into the SIP call process that I can't see working.  But perhaps that is 
an implementation issue in today's designs... and perhaps I don't yet 
understand the intricate details of the OpenID process.

I'm also personally hung up a bit on the lack of a trust model.  OpenID 
folks are VERY clear that OpenID is about *identity*, and NOT about 
*authentication*.  It's a lightweight framework that allows a user to 
assert their identity.  I assert that I am http://www.claimid.com/danyork 
or http://dyork.livejournal.com/ or whomever else I choose to be 
(depending upon which identity provider I use).  It allows me to be 
*identified* to the site as that ID.

Authentication is a higher layer and up to the site, really.  And that's 
where the trust model - or lack thereof - comes in. 
But trust models aside, could OpenID be used as a way to assert your 
identity within a SIP call setup?

As I form my own thoughts around it, I'd just be curious what others may 
think.  If you're curious about more links and info on OpenID, I've posted 
some of my thoughts here:

  http://www.disruptivetelephony.com/2007/02/doing_a_deep_di.html

and you can see other links in my del.icio.us trail as well as the public 
trail of everything being tagged "openid":

  http://del.icio.us/dyork/openid
  http://del.icio.us/popular/openid
  http://del.icio.us/tag/openid

Looking forward to reading what folks think,
Dan

-- 
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel       http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for secure communication
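Aswath's proposal, worked through end to end as an added example (editor's code, not part of the original post and not code from any OpenID or SIP implementation). It uses the OpenID 1.1 assertion fields and signature (HMAC-SHA1 over the key-value form of the signed fields) and the "dumb mode" flow in which the recipient, holding no association with the OP, hands the assertion back to the OP for a check_authentication verdict. Everything else is an assumption made for illustration: the OP's HTTP endpoints are replaced by direct calls on a constructed `OpenIDProvider` object; the assertion travels in the INVITE body under a hypothetical `application/x-www-form-urlencoded` part (a real INVITE would also carry SDP and so use a multipart body); `openid.return_to` is reused to name the callee's SIP URI so an assertion issued for one callee cannot be presented to another; and the OP refuses to vouch for the same `openid.response_nonce` twice, so a captured INVITE cannot simply be replayed. The identities and URIs are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode


def _sign(fields, key):
    """OpenID 1.1 signature: HMAC-SHA1 over the key-value form of the signed fields."""
    names = fields.get("openid.signed", "").split(",")
    kv = "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in names)
    return base64.b64encode(hmac.new(key, kv.encode(), hashlib.sha1).digest()).decode()


class OpenIDProvider:
    """Constructed stand-in for an OP (assumption: no network; HTTP calls become
    method calls). It holds the MAC keys and remembers which assertions it has
    already vouched for, so each one can be verified only once."""

    def __init__(self):
        self.keys = {}            # assoc_handle -> MAC key; only the OP holds it (dumb mode)
        self.seen_nonces = set()  # nonces already confirmed via check_authentication

    def issue_assertion(self, identity, return_to):
        """What the OP hands the user after login: a signed positive (id_res) response."""
        handle = "assoc-" + secrets.token_hex(4)
        self.keys[handle] = secrets.token_bytes(20)
        fields = {
            "openid.mode": "id_res",
            "openid.identity": identity,
            "openid.return_to": return_to,   # assumption: the SIP URI this assertion is for
            "openid.assoc_handle": handle,
            "openid.response_nonce": f"{int(time.time())}-{secrets.token_hex(4)}",
            "openid.signed": "mode,identity,return_to,assoc_handle,response_nonce",
        }
        fields["openid.sig"] = _sign(fields, self.keys[handle])
        return fields

    def check_authentication(self, fields):
        """The check_authentication round trip: the OP recomputes the signature with
        its own key copy and declines to vouch for a nonce it has seen before."""
        key = self.keys.get(fields.get("openid.assoc_handle"))
        nonce = fields.get("openid.response_nonce")
        if key is None or nonce in self.seen_nonces:
            return False
        expected = _sign(fields, key).encode()
        if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
            return False
        self.seen_nonces.add(nonce)
        return True


def build_invite(caller, callee, call_id, assertion):
    """Caller side: carry the OP's response in the INVITE body, as the proposal suggests.
    Single-part body for brevity; the media type is a hypothetical choice."""
    body = urlencode(assertion)
    return (
        f"INVITE {callee} SIP/2.0\r\n"
        f"From: <{caller}>;tag=a1b2\r\n"
        f"To: <{callee}>\r\n"
        f"Call-ID: {call_id}\r\n"
        f"CSeq: 1 INVITE\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n{body}"
    )


def verify_invite(invite, op, my_uri):
    """Callee side. Returns the asserted identity URL when the OP vouches for the
    assertion and it was issued for this callee, else None. Whether that URL is
    worth anything (the trust question) is a separate policy decision."""
    head, _, body = invite.partition("\r\n\r\n")
    headers = dict(line.split(": ", 1) for line in head.split("\r\n")[1:])
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return None   # no assertion offered; an INFO-based request would start here
    fields = dict(parse_qsl(body))
    if fields.get("openid.mode") != "id_res" or fields.get("openid.return_to") != my_uri:
        return None   # not a positive assertion, or one issued for a different callee
    if not op.check_authentication(fields):
        return None   # bad signature, unknown association handle, or replayed assertion
    return fields["openid.identity"]


def demo():
    """Happy path followed by a replay of the very same INVITE (constructed data)."""
    op = OpenIDProvider()
    callee = "sip:bob@example.net"
    assertion = op.issue_assertion("http://alice.example.org/", callee)
    invite = build_invite("sip:alice@example.org", callee, "c0ffee@example.org", assertion)
    first = verify_invite(invite, op, callee)   # the identity URL
    replay = verify_invite(invite, op, callee)  # None: OP already vouched for this nonce
    return first, replay
```

Two things the code makes concrete about the post's questions. First, the extra step the poster worries about is done by the caller before the INVITE is sent: the caller logs in at its OP, collects the signed response, and only then places the call, so nothing in the SIP exchange has to redirect anyone to a web page; the callee's only network step is the check_authentication call to the OP. Second, `verify_invite` deliberately stops at returning an identity URL: the OP has confirmed that whoever sent the INVITE could obtain an assertion for that URL, and nothing more. Mapping that URL to a SIP From address, or deciding which OPs are worth asking at all, is exactly the trust model the post says is missing.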

