Speaking of Standards

So if we get to the point where we can truly “trust” the identity of the person calling us on the other end of a SIP connection, what will that look like to the end user? How will I know – easily – that I can trust that the “Caller ID” displayed on my IP phone is in fact who it says it is? Is there a “visual identifier” of some type that I could have on my IP phone (or softphone) that would clue me in? Kind of like the “lock” icon in web browsers that indicates a call is encrypted?

Those were the questions I was looking to address in a new Internet-Draft I submitted yesterday:

draft-york-sip-visual-identifier-trusted-identity-00

One of the things we focus on here at Voxeo is to ensure that the user experience is as simple and easy as possible. That’s why we rolled out our Designer tool a few years back. That’s why we spent a good amount of time looking to make Prophecy Log Search as simple to use as possible – and why we continue to improve it.

So in the discussions that have been going on within the IETF circles around the incredible need to nail down the ability to have “trusted identity” within communication based on SIP (which I wrote previously, one of the questions I’ve kept asking myself is “how will this appear to a regular end-user?” Based on some comments in the SIP mailing list the other day, I decided to write up this draft.

Feedback is welcome. I’ve already received the comments that I didn’t address the whole issue of PSTN interconnectivity, i.e. if it’s coming from a PSTN gateway, how do you deal with the fact that the Caller ID could have been spoofed on the PSTN side. I’m sure other comments will come in as well.

As I say in the draft, it’s not entirely clear to me that the IETF is the right place to have this discussion since ultimately it is about the user interface in vendor products… but at least it’s a place to start.

Technorati Tags: ietf, standards, sip, dan york, sip identity, identity

---

If you found this post interesting or helpful, please consider either subscribing via RSS, becoming a fan on Facebook, or following us on Twitter.

---

Do you trust the “Caller ID” you see on your phone when someone calls? Do you realize that it can be easily changed? Do you realize that spoofing that Caller ID gets even easier when we start communicating more over SIP?

Right now, one of the greatest challenges being addressed by the Real-time Applications and Infrastructure (RAI) area of the IETF is the whole concept of being able to trust the identity of the user who is calling you. You see, being able to trust the identity of the person on the other end of a SIP connection is incredibly hard. John Elwell recently summarized the issues well in his draft: “End-to-End Identity Important in the Session Initiation Protocol“. Getting “identity” right is one of the largest issues on the agenda of the various groups in the RAI area of the IETF.

Why? Given that we don’t have any way to trust the identity of a caller on the PSTN, why does it matter for SIP? I mean, Caller ID on the PSTN can be easily spoofed… either through any number of web sites or simply through hooking up your own IP-PBX to the PSTN (it’s even possible to do through applications built on our platform). Yet the vast majority of people I’ve asked still trust “Caller ID” on their PSTN phone.

I’d argue that this probably is mostly due to history… for the longest time, you couldn’t easily change your Caller ID. It was set within the carrier networks that make up the PSTN. People have grown to trust it. I expect that will change as unethical telemarketers will no doubt start to make more changes to get around all the call blocking users are doing. If it looks like the call is from your friend, you’re probably going to take the call.

The thing is that SIP makes this incredibly easy. Like SMTP for email, SIP is entirely text based and so just as you can change your email client to say you are sending mail from “elvis@heaven.gov”, you can change many SIP clients to say you are calling from whatever name or phone number you want. If you can’t change the client, you can set up and run your own SIP server.

The danger that many of us see is that if this capability gets widely abused, there is the strong potential that we could wind up in a situation where your identity over SIP is dismissed and not trusted… just like email addresses are today. Given the huge volume of email spam, how many of us actually trust that the “From” address on an email message is really who it is? We have to go into the email message to really see if it is someone we know… which is something you can’t really easily do with real-time communication like voice. You have to actually accept the call and start talking.

I don’t think we as an industry want to see SIP identity go that way… so we need to make sure that we get SIP identity right. We need to get to a state where users can trust that the “Caller ID” they see displayed on their IP phone, softphone, or other device is actually who it says it is.

From a Voxeo perspective, we’re interested because we’d like to see more and more communication occur over SIP. Our Prophecy product is a SIP application and media server. Our hosted platform allows inbound and outbound SIP connections to and from applications. On the back end, we’re a huge consumer of SIP trunks. We want to be able to trust the identity information we see.

Because we also host 10s of thousands of voice applications (55,000+ right now), we also are very interested to ensure that any identity mechanisms allow your SIP identity to be extended to a service provider. If you have pushed your voice applications out into our hosted cloud, right now your apps can set our PSTN Caller ID to be a number that is identified as you. We want to see the same capability within SIP – and want the recipients to be able to trust that the identity of the caller is in fact you – even if we may be actually hosting the infrastructure.

Obviously while most communication today occurs still over the PSTN, some of these issues aren’t immediate. But as we all go about building the great big SIP interconnect that lets us bypass the traditional PSTN, these issues become increasingly important.

We have to get SIP identity right – or risk being dismissed.

If you’re interested in getting more involved, I’d encourage you to subscribe to the IETF’s SIP and SIPPING mailing lists (but obviously be aware that “identity” is not the only topic being discussed there – and beware, they can be high volume lists). Here are some pointers to pieces to read for background:

• End-to-End Identity Important in the Session Initiation Protocol

• RFC 4474 – SIP Identity
• RFC 4916 – SIP Connected Identity
• RFC 3325 – P-Asserted-Identity
• SIP Identity Using Media Path
• Why SIP URIs Change Across Domains
• Adding Asserter Identification to P-A-I of RFC 3325

There will be a great amount of discussion in the weeks and months ahead… feel free to join in!

Technorati Tags: ietf, standards, sip, identity, sip identity, caller id, telephony, telecommunications, internet, voip

---

If you found this post interesting or helpful, please consider either subscribing via RSS, becoming a fan on Facebook, or following us on Twitter.

---

Although I haven’t discussed it much here on this site, one of my passionate interests is in the whole space of “online identity” and what we need to do to have a better sense of “identity” online. There’s a number of levels to my interest but one very basic one is the ability to have a single “identity” that you can use while logging into different websites. Or perhaps not a single identity, but at least a small number of “identities” such as one online identity to login to “work” sites and another to login to “personal” sites. OpenID has emerged as a leading contender in this space and as I noted on our Behind the Blog blog , I have now enabled this site as an OpenID provider so that those of us who write here can use this site as an OpenID URL to login to sites. (And yes, I’m working on making the site a user of OpenID as well.)

In any event, while I will write more about OpenID in the future, over on his blog, Hannes Tschofenig writes about a new document “Technical Comparison: OpenID and SAML” that compares OpenID with the Security Assertion Markup Language (SAML). Here is the abstract:

“This document presents a technical comparison of the OpenID Authentication protocol and the Security Assertion Markup Language (SAML) Web Browser SSO Profile and the SAML framework itself. Topics addressed include design centers, terminology, specification set contents and scope, user identifier treatment, web single sign-on profiles, trust, security, identity provider discovery mechanisms, key agreement approaches, as well as message formats and protocol bindings. An executive summary targeting various audiences, and presented from the perspectives of end-users, implementors, tna deployers, is provided. We do not attempt to assign relative value between OpenID and SAML, e.g., which is ‘better’; rather, it attempts to present an objective technical comparison.”

It’s great to see this kind of technical research now coming out in the field. The more we have of this kind of work the closer we will be to having solid and secure forms of online identity. If you are interested in reading the paper, it can be found here.

Technorati Tags: identity, openid, authentication, security, research

---

If you found this post interesting or helpful, please consider either subscribing via RSS, becoming a fan on Facebook, or following us on Twitter.

---

Over on the “Voice of VOIPSA” weblog, I posted about an excellent overview of SIP security issues that Hannes Tschofenig presented yesterday at the 3Rd ETSI Security Workshop in France. If you aren’t familiar with the current state of SIP security, I’d highly recommend you take a read through Hannes’ slides.

Technorati Tags: identity, ietf, security, sip, standards, voip, voip security

---

If you found this post interesting or helpful, please consider either subscribing via RSS, becoming a fan on Facebook, or following us on Twitter.

---