[VOIPSEC] Actual Attacks
Brian Rosen
br at brianrosen.net
Fri Feb 25 13:15:51 CST 2005
I agree that Web of Trust works for friends. There are few VoIP models that
have that characteristic.
Dunno much about ACES.
I'm an admirer of the "federation" concept for PKIs.
I do think the following will work:
URIs for SIP are of the form "user at domain". User can be a phone number.
Put the cert for the domain in DNS
Put the SIP server for the domain in an SRV in DNS.
IFF the SIP server does strong authentication OF ITS OWN USERS, then you
have a reasonable system:
* A caller can reliably get to the right called party
* A called party can determine if the calling party is originating from the
SIP server of the domain specified.
* The signaling can be secured with TLS
If the SIP server does not do strong authentication, you at least know that
the call originated from the specified domain.
It's possible that global VoIP can be a forcing function for global PKI.
That would be very cool.
However, the current state of the implementations/SBC/Firewall stuff makes
securing the signaling, and the media, more problematic than the PKI
problem.
Brian
> -----Original Message-----
> From: Robert Moskowitz [mailto:rgm at icsalabs.com]
> Sent: Friday, February 25, 2005 1:56 PM
> To: Brian Rosen; 'Simon Horne'; voipsec at voipsa.org
> Subject: RE: [VOIPSEC] Actual Attacks
>
> At 09:36 AM 2/24/2005, Brian Rosen wrote:
>
> >"Web of Trust" is a failed concept. It works, but we have not been able to
> >successfully deploy in a large scale.
>
> But it CAN work for groups of friends.
>
> >Certificate authority chains work only within an enterprise. We have not
> >really made them work well outside of that.
>
> Check out ACES.
>
> Check out the Federal PKI and work being done to duplicate it in commercial
> settings (drug industry for one). Note I am the author of the Bridge CA
> model in the federal PKI.
>
> Thing is you REALLY need a reason to get PKIs to work together. Mail was
> never one. But VoIP could be.
>
>
> Robert Moskowitz
> Senior Technical Director
> ICSA Labs, a division of Cybertrust, Inc.
> W: 248-968-9809
> F: 248-968-2824
> E: rgm at icsalabs.com
>
> There's no limit to what can be accomplished
> if it doesn't matter who gets the credit
>
>
>
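Added example, not part of the original message or of any SIP implementation: a Python sketch of the scheme outlined in the reply above (domain certificate and SIP server SRV record both published in DNS), showing the caller-side lookup and the called-side check. The `DNS` table, the fingerprint encoding of the published certificate, the `server_authenticates_users` policy flag and all names and byte strings are assumptions constructed for illustration, and the sketch assumes the DNS answers themselves are authentic.

```python
import hashlib
import hmac

# Constructed stand-in for DNS answers; every name and byte string is made up.
# "cert" models the domain certificate published in DNS as a SHA-256 fingerprint.
CERT_EXAMPLE = b"constructed DER bytes: example.com domain cert"
CERT_OTHER = b"constructed DER bytes: some other cert"
DNS = {
    "example.com": {
        # (priority, weight, port, target) for _sips._tcp.example.com
        "srv": [(20, 0, 5061, "backup.example.com."),
                (10, 5, 5061, "sip.example.com.")],
        "cert": hashlib.sha256(CERT_EXAMPLE).hexdigest(),
    },
}

def sip_domain(uri):
    """Domain part of a sip:/sips: URI of the form user@domain."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips") or "@" not in rest:
        raise ValueError("not a user@domain SIP URI: %r" % uri)
    hostport = rest.rsplit("@", 1)[1].split(";", 1)[0].split("?", 1)[0]
    return hostport.split(":", 1)[0].lower().rstrip(".")

def cert_matches(domain, presented_der, dns=DNS):
    """True if the presented certificate is the one DNS publishes for domain."""
    zone = dns.get(domain)
    if zone is None:
        return False
    seen = hashlib.sha256(presented_der).hexdigest()
    return hmac.compare_digest(seen, zone["cert"])

def route_call(to_uri, dns=DNS):
    """Caller side: SRV targets for the called domain, lowest priority first.
    (RFC 2782 weighted selection within one priority is omitted here.)"""
    domain = sip_domain(to_uri)
    zone = dns.get(domain)
    if zone is None:
        raise LookupError("no SRV records for " + domain)
    ordered = sorted(zone["srv"], key=lambda r: (r[0], -r[1]))
    return [(target.rstrip("."), port) for _, _, port, target in ordered]

def verify_caller(from_uri, peer_cert_der, server_authenticates_users, dns=DNS):
    """Called side: what the certificate on the inbound TLS connection proves."""
    domain = sip_domain(from_uri)
    if not cert_matches(domain, peer_cert_der, dns):
        return "unverified"
    # The domain is proven; the user part is only as good as the originating
    # server's authentication of its own users (a local policy flag here).
    return "user-verified" if server_authenticates_users else "domain-verified"
```

The caller would run `cert_matches` against the certificate presented by each target returned from `route_call` before sending signaling over the TLS connection.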