John Todd wrote:

It is mostly as you describe it. However, it fits the desire for an opportunistic encryption system - if it's there, it will make itself known. If it's not, your client could possibly continue working without it in a less-secure fashion.

Actually, opportunistic encryption doesn't require any form of authentication, so basically if the Asterisk server can tell during handshaking whether SRTP (or the IAX equivalent) is possible, then do it. ZRTP wraps round the SRTP libs released by Cisco and allows an authentication layer to be placed on top... I'm not entirely sure if the X.509 model is more suitable for server-based authentication (the same as SMTP-TLS), or the ZRTP model, which uses vocal methods for authentication...

One thing is for sure, though: there is currently widespread use of TLS with SMTP and other protocols (such as Jabber) already, so administrators are familiar with, or can easily become familiar with, setting up and deploying such systems; there is a lot of documentation on http://wiki.cacert.org alone for setting up MTAs with TLS...

3) "Man in the Middle" mode, where Asterisk creates two separate ZRTP legs to different ZRTP clients. While this sounds like a security risk, it is actually a fairly desirable situation. Many calls need to be

Or codec/protocol translation needs to occur... (ULAW->G729 and SIP->IAX2 etc)...

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
Asterisk-Security mailing list