[VOIPSEC] Secure Real-time Transport Protocol (SRTP)
Richard Clayton
richard at highwayman.com
Mon Mar 28 05:10:47 CST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In message <42456C96.1040203 at 3times25.net>, Geoffrey
<esoteric at 3times25.net> writes
>I'm completely ignorant about these issues, but I wonder whether the
>public voice services (VoIP carriers in particular) might not be required
>to provide some assurances. Just as the USPS does secure, to some
>extent, the packages and documents they transport. Although, they do
>usually end up in an unsecured mailbox.
The European Union Directive 2002/58/EC (the "Directive on privacy
and electronic communications") explicitly covers this issue:
Article 4
Security
1. The provider of a publicly available electronic communications
service must take appropriate technical and organisational measures
to safeguard security of its services, if necessary in conjunction
with the provider of the public communications network with respect
to network security. Having regard to the state of the art and the
cost of their implementation, these measures shall ensure a level of
security appropriate to the risk presented.
2. In case of a particular risk of a breach of the security of the
network, the provider of a publicly available electronic
communications service must inform the subscribers concerning such
risk and, where the risk lies outside the scope of the measures to
be taken by the service provider, of any possible remedies.
and you'll find this Directive (in theory! often now in practice)
transposed into national law in each of the EU member states. For
example in the UK it can be found in
Statutory Instrument 2003 No. 2426 "The Privacy and Electronic
Communications (EC Directive) Regulations 2003"
where the wording will look familiar -- a standard trick with EU
Directives is to "copy in" the wording so that there's no doubt in the
EU Commission's mind that the Directive has been complied with. This
gives some problems when the words used are not those traditionally
found in UK law ... but that's another story and straying way off-topic
for this list :)
This is the UK provision:
5. - (1) Subject to paragraph (2), a provider of a public electronic
communications service ("the service provider") shall take
appropriate technical and organisational measures to safeguard the
security of that service.
(2) If necessary, the measures required by paragraph (1) may be
taken by the service provider in conjunction with the provider of
the electronic communications network by means of which the
service is provided, and that network provider shall comply with
any reasonable requests made by the service provider for these
purposes.
(3) Where, notwithstanding the taking of measures as required by
paragraph (1), there remains a significant risk to the security of
the public electronic communications service, the service provider
shall inform the subscribers concerned of -
(a) the nature of that risk;
(b) any appropriate measures that the subscriber may take to
safeguard against that risk; and
(c) the likely costs to the subscriber involved in the taking of
such measures.
(4) For the purposes of paragraph (1), a measure shall only be
taken to be appropriate if, having regard to -
(a) the state of technological developments, and
(b) the cost of implementing it,
it is proportionate to the risks against which it would safeguard.
(5) Information provided for the purposes of paragraph (3) shall
be provided to the subscriber free of any charge other than the
cost to the subscriber of receiving or collecting the information.
There would be absolutely no doubt in my mind (albeit IANAL) that this
covered the underlying IP network AND any VoIP services run over that
network AND any "public electronic communication service" built over the
top of the VoIP service.
- --
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1
iQA/AwUBQkfmN5oAxkTY1oPiEQJV4gCfQeOatK7K/PjodqIcIiWozrEXAS4AoPdO
tsuvXNLfY7nqvtxX85VU2t6I
=Lx/H
-----END PGP SIGNATURE-----