Adam,

On Jul 9, 2008, at 12:04 PM, Adam Roach wrote:

> Given that as a backdrop, I don't see how our defining Yet Another
> Security Mechanism is going to make one whit of difference. ITSPs
> aren't deploying the stuff we've already done, even the stuff that
> is completely ready for prime time and doesn't get in the way of any
> business needs. How will this effort be different?

I don't know that signing P-A-I is necessarily the answer, but in my
opinion there are perhaps two reasons why ITSPs might be inclined to
adopt some form of authenticated identity that we arrive at:

1. PERCEPTION VS. THE PSTN - There's a whole lot of ITSPs out there
who would like to get your "SIP trunk" business and ultimately would
like to build their own federated SIP networks to bypass the PSTN
entirely. So if you're going to do that, you have to be "at least as
good" as the PSTN. Right now, the majority of folks out there have a
belief in the integrity of PSTN identity / "Caller ID". We all on
this list may understand how easy that identity is to spoof... but the
majority of folks out there do not. So if I'm an ITSP building a SIP
infrastructure and I want people to come to my system, I would think
that ITSP would not want telemarketers masquerading as other numbers
on a large scale.... this could lead to customers saying "Hmmm... we
didn't have these problems with the old system." I would *think*, but
certainly could be wrong, that preventing this would be of interest.
(A savvy ITSP could even turn it into a marketing feature in that they
provide *better* identity security than the PSTN.)

2. GOVERNMENT COMPLIANCE - As an example, the US Congress continues to
work on Caller ID-related legislation, the latest being last year's
"Truth in Caller ID Act of 2007" which passed the US House and then
floundered in the Senate:
http://www.govtrack.us/congress/bill.xpd?bill=h110-251
http://www.govtrack.us/congress/bill.xpd?bill=s110-704
http://www.opencongress.org/bill/110-s704/show
This bill "amends the Communications Act of 1934 to make it unlawful
for any person in the United States, in connection with any
telecommunications service or Internet protocol (IP)-enabled voice
service, to cause any caller identification (ID) service to knowingly
transmit misleading or inaccurate caller ID information with the
intent to defraud, cause harm, or wrongfully obtain anything of
value..."

I'd imagine that sooner or later something like this will pass in the
US (especially if there is a public case of identity theft linked to
spoofed Caller ID) and somewhere in there it may fall to ITSPs to
prove that they were not the ones altering identity information.
Obviously the IETF is a global organization and so it can't
necessarily care what the US gov't does... but I'm sure other
governments will pass similar legislation (if they haven't already).
At some point I think the ITSPs will have to care a bit more about the
identity of who is on their network. If there is an open standards-
based solution, they'll look at that... if not, they'll look at
proprietary solutions.
Then again, I could be completely wrong about all this. The warranty
expired long ago on my crystal ball.
My 2 cents,
Dan
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation [EMAIL PROTECTED]
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip