On Apr 4, 2008, at 6:15 PM, Hadriel Kaplan wrote:

>
>> -----Original Message-----
>> From: Dean Willis [mailto:[EMAIL PROTECTED]
>>
>> If an identity server were to fully RFC 4474 "sign" a message from a
>> PSTN, it's even possible that the identity server operator could be
>> held legally liable for inaccuracy in the asserted identity. In other
>> words, if a caller-ID spoofer made a call through the example.com
>> gateway, and the example.com identity server attaches an Identity
>> header on to the resulting INVITE that asserts the spoofed telephone
>> number identity, then someone injured (defrauded) by the caller could
>> claim negligence on the part of the example.com identity server and
>> sue for damages.
>
> I'm pretty sure that's not possible. It's possible to sue the good
> guys, in the local country - but it's quite hard if not impossible
> for me to sue some enterprise in Thailand, for example. I don't
> know if verisign/thawte/etc. would give them a cert, but since we're
> not mandating specific "SIP 4474" certs and they can use the domain
> cert they legitimately got for web, I don't see how my UA is to know
> any better about theirs than softarmor.com's cert. (without
> whitelists)
Dude, go talk to your lawyer.

I'm NOT talking about a foreign identity service that is the source of caller-ID fraud. I'm talking about an allegedly trustworthy identity service that is culpably negligent because it has allowed itself to become a conduit of identity fraud.

If you're a US business, and you sign a request containing a telephone number, and it turns out you're wrong (not because you're doing it on purpose, but because you are incompetent) and I get taken in by a scammer as a result of your mistake, I can sue you for all the damages I receive. I might even win, and at the very least, I'm going to cost you a big chunk of money.

But if you signed the request with a stipulation that you passed the request on, but that the identity came from the PSTN and is not something you have verified (and these things are true), then you are NOT liable, because there is no general expectation that PSTN caller ID is absolutely correct.

You might also escape liability by very careful application of your published operations policy, but it's possible to run into the "implicit warranty" problem in some states. Remember, this isn't criminal law, it's civil damages litigation, which has a much lower threshold of proof.

> But more importantly, if you're thinking these things would truly
> have *legal* ramification, then my guess is no "good-guys" would
> touch signing with 4474 with a ten foot pole, ever. Do DKIM email
> signatures have such legal implications?

Certificate issuance certainly has such legal ramifications. That's why there is a mass of policy documents around each of the CAs, and why you can't really trust a cert in the absence of understanding a CA's policies, and even then you can trust it only to the extent of the insurance and assets of the CA.
And it's why you're more likely to believe a Verisign or other tier-1 CA's signing than you are to believe one from the Elbonian Secret Police -- because Verisign and the other Tier-1s have done the homework to both make themselves credible and manage their liability.

Even with this, I'm only describing the tip of the vast iceberg of legal complexity and liability that exists. Given this, and in the absence of a mechanism for making a disclaimer, you WOULD have to be a fool to slap an identity header on something that you didn't authenticate.

And yes, DKIM signatures can potentially have significant legal implications. The case law is generally undecided, but I expect it to be a lucrative area of practice for my attorneys.

--
Dean

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
