> -----Original Message----- > From: Dean Willis [mailto:[EMAIL PROTECTED] > > If an identity server were to fully RFC 4474 "sign" a message rom a > PSTN, it's even possible that the identity server operator could be > held legally liable for inaccuracy in the asserted identity. In other > words, if a caller-ID spoofer made a call through the example.com > gateway, and the example.com identity server attaches an Identity > header on to the resulting INVITE that asserts the spoofed telephone > number identity, then someone injured (defrauded) by the caller could > claim negligence on the part of the example.com identity server and > sue for damages.
I'm pretty sure that's not possible. It's possible to sue the good guys, in the local country - but it's quite hard if not impossible for me to sue some enterprise in Thailand, for example. I don't know if verisign/thawte/etc. would give them a cert, but since we're not mandating specific "SIP 4474" certs and they can use the domain cert they legitimately got for web, I don't see how my UA is to know any better about their's than softarmor.com's cert. (without whitelists) But more importantly, if you're thinking these things would truly have *legal* ramification, then my guess is no "good-guys" would touch signing with 4474 with a ten foot pole, ever. Do DKIM email signatures have such legal implications? -hadriel _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [EMAIL PROTECTED] for questions on current sip Use [EMAIL PROTECTED] for new developments on the application of sip
