On Apr 8, 2008, at 5:14 PM, [EMAIL PROTECTED] wrote:

>
> I think we're losing sight of the context... *If* people who receive
> calls actually care about authenticating the identity of callers via
> SIP mechanisms (rather than by recognizing voices, or originating the
> call themselves, etc.), then they're going to start depending on RFC
> 4474, etc. And once they start depending on that, bad guys will start
> trying to exploit that dependency, especially by exploiting identity
> services that do not enforce identification effectively. Indeed, we
> can expect bad guys to set up identity services specifically for this
> purpose. At that point, people will discover the hard way that some
> identity services are unreliable, so they will start whitelisting
> identity services and/or CAs that reliably enforce reliability on
> identity services.
I'm with you so far. Consequence: No "reliable" identity service will
assert an identity with a phone number in it. But we NEED them to do so,
otherwise we can't detect MITM attacks that affect both signaling and
media. Catch-22.

>
> The sort of reputation that has wide public trust will come to be seen
> as a valuable asset, and identity services with that sort of
> reputation (of which there won't be many) will charge significant money
> for their services.
>

To whom? The user of the identity being authenticated, or the consumer
of the authentication? Note that "quality" certs today aren't cheap. I
don't have one.

> Within that context, a PSTN gateway will not routinely apply
> identification based on caller ID from an identity service which is
> widely trusted - they can't determine the identity well enough, and
> nobody is going to pay for it.

So are you saying that the gateway's calls won't get Identity headers,
or that they will, but they'll be signed using a bogus or less-trusted
cert than would be used for calls originating from IP terminals that
support strong authentication?

>
> Now please excuse me, I have to go wire $10,000 to a government
> officer in Nigeria who needs it to finance the payment of a legacy to
> a distant cousin of mine. (I can trust him, his From identity was
> certified by the Nigerian government!)

Can you please ask him about Barrister James and the million he was
supposed to wire me for my new startup? We're launching a SIP
Authentication Service, "allur419srus.com". It will be widely trusted.
But James hasn't called back since I advanced his legal fees.

-- Dean

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
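The exchange above turns on one mechanical property of RFC 4474: the Identity signature covers not only the From AoR but also the message body (the SDP), which is why an Identity header from a trusted signer can expose a MITM that rewrites both signaling and media. The example below, added here and not part of the list thread or any IETF implementation, builds the RFC 4474 digest-string (From AoR, To AoR, Call-ID, CSeq, Date, Contact addr-spec and body, joined with "|") from a constructed INVITE and shows that rewriting the SDP connection address breaks verification while changing the From display name does not. Two assumptions are labelled in the code: the INVITE and SDP are constructed samples, and HMAC-SHA1 with a shared key stands in for the RSA-SHA1 signature and Identity-Info certificate that the RFC actually specifies.

```python
"""RFC 4474-style Identity signing over a SIP INVITE (added illustrative example)."""
import base64
import hashlib
import hmac
import re

CRLF = "\r\n"

# Constructed SDP body (not captured traffic): the c= line is what a media MITM must rewrite.
SDP = CRLF.join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 pc33.atlanta.example.com",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49172 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
]) + CRLF


def build_invite(from_hdr, body):
    """Assemble a constructed INVITE with a correct Content-Length."""
    headers = [
        "INVITE sip:bob@biloxi.example.org SIP/2.0",
        "Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8",
        from_hdr,
        "To: Bob <sip:bob@biloxi.example.org>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        "Date: Thu, 21 Feb 2002 13:02:03 GMT",
        "Contact: <sip:alice@pc33.atlanta.example.com>",
        "Content-Type: application/sdp",
        "Content-Length: %d" % len(body.encode()),
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


INVITE = build_invite("From: Alice <sip:alice@atlanta.example.com>;tag=1928301774", SDP)


def parse(msg):
    """Split a SIP message into a lowercase header map (first occurrence wins) and its body."""
    head, _, body = msg.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers, body


def addr_spec(value):
    """Return the addr-spec of a From/To/Contact value, dropping display name and header params."""
    m = re.search(r"<([^>]+)>", value)
    if m:
        return m.group(1)
    return value.split(";", 1)[0].strip()


def digest_string(msg):
    """RFC 4474 digest-string: From AoR | To AoR | Call-ID | CSeq | Date | Contact | body."""
    h, body = parse(msg)
    return "|".join([
        addr_spec(h["from"]),
        addr_spec(h["to"]),
        h["call-id"],
        h["cseq"],
        h["date"],
        addr_spec(h["contact"]),
        body,
    ])


def sign(msg, key):
    """Assumption: HMAC-SHA1 stands in for the RSA-SHA1 signature the RFC specifies."""
    mac = hmac.new(key, digest_string(msg).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify(msg, key, identity):
    """Recompute the signature over the received message and compare with the Identity value."""
    return hmac.compare_digest(sign(msg, key), identity)


def mitm_redirect_media(msg, attacker_ip):
    """Model a signaling+media MITM that points the SDP connection address at its own host."""
    head, _, body = msg.partition(CRLF + CRLF)
    body = re.sub(r"c=IN IP4 \S+", "c=IN IP4 " + attacker_ip, body)
    head = re.sub(r"Content-Length: \d+", "Content-Length: %d" % len(body.encode()), head)
    return head + CRLF + CRLF + body


def demo():
    key = b"identity-service-key-standin"  # assumption: shared key in place of the signer's RSA key
    identity = sign(INVITE, key)
    tampered = mitm_redirect_media(INVITE, "198.51.100.7")
    # The display name is not part of the digest-string, so changing it alone is not detected.
    renamed = INVITE.replace("From: Alice <", "From: Mallory <")
    return {
        "original_ok": verify(INVITE, key, identity),
        "media_rewritten_ok": verify(tampered, key, identity),
        "display_name_changed_ok": verify(renamed, key, identity),
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the practical caveat: what the signer vouches for is the From addr-spec (for a gateway, that would be the E.164 number in the URI), not the human-readable name the phone displays, so a verifier that shows only the display name gets no benefit from the signature.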
