+1 The reality is that while most of us may be aware that CallerID in the PSTN is easy to forge (and if you aren't, send me your number and I'll call you :-), the VAST majority of regular phone users actually *trust* the CallerID. So if a call comes in with the CallerID of your bank and you wind up talking to a very nice "representative", most folks will accept that as real. (I don't, but I am a paranoid security guy.)
SIP without strong identity just makes it that much more trivial to spoof CallerID. It's a wonderful playground for identity thieves, phishers, fraudsters and pranksters.

Dan

--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation [EMAIL PROTECTED]
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com

Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com

-----Original Message-----
From: Paul Kyzivat <[EMAIL PROTECTED]>
Date: Wed, 09 Apr 2008 00:24:22
To:[EMAIL PROTECTED]
Cc:[email protected]
Subject: Re: [Sip] RFC 4474 and PSTN

Dale,

Suppose you are building a sip adapter for black phones. (Well, black phones with a callerid display.) What criteria should it use before displaying the callerid of the incoming call? It is restricted by hardware and convention regarding what it displays - generally just digits for the number.

The customer is going to be upset if he just replaced a pstn phone, and isn't getting callerid from the same callers he used to get it from. OTOH, the phone is likely to be worried about trusting From - it's just too easy to forge.

Paul

[EMAIL PROTECTED] wrote:
> From: Dean Willis <[EMAIL PROTECTED]>
>
> So are you saying that the gateway's calls won't get Identity headers,
> or that they will, but they'll be signed using a bogus or less-trusted
> cert than would be used for calls originating from IP terminals that
> support strong authentication?
>
> It seems to me that any identity mechanism of the sort we have been
> discussing will be used only in specialized cases where strong
> identity assurance is needed and can be provided, and that it is
> likely that gateways won't use it at all, nor will most organizations.
>
> Dale
> _______________________________________________
> Sip mailing list https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use [EMAIL PROTECTED] for questions on current sip
> Use [EMAIL PROTECTED] for new developments on the application of sip
