[VOIPSEC] Identity Management and VoIP and More

Paine, Richard H richard.h.paine at boeing.com
Sat Apr 22 11:33:15 CDT 2006


Richard, I recently sent out a summary of the VOIP security and identity
management issues to this VOIPSEC list.  Perhaps you missed it.  It is
attached.

The issues in identity management in VOIP are in the requirement to
provide end-to-end security.  There is no way we are going to guarantee
VOIP security unless we address the requirement for end-to-end
communications security of VOIP calls.  The attached email and Secure
Mobile Architecture (SMA) approach address end-to-end security with
cryptographic identities in every packet.  The identities, in this
approach, are in the ESP field of the IPSEC header.  The technology is
based on the IRTF's Host Identity Protocol (HIP) standard.  It is being
worked in the IETF to become a standard as well.  This can be
implemented in an enterprise, an ISP, or a governmental agency.  It can
also be introduced into the existing Internet without affecting the
existing Internet infrastructure.  It can be applied to both people and
device identities.  I would be glad to share more with you if you are
interested.  

Richard H. Paine
Success is getting what you want, happiness is liking what you get!
Cell:  206-854-8199
IPPhone:  425-373-8964
Email:  richard.h.paine at boeing.com 





-----Original Message-----
From: ZhaoL [mailto:hi2005 at gmail.com] 
Sent: Thursday, April 20, 2006 6:40 AM
To: Leslie Asamoa-Krodua
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Identity Management and VoIP and More

I do agree to your points. Human identity and authentication is at a
higher level than equipment/OS identity and authentication. But they
both serve us well for different purposes. Current PSTN phones use
physical equipment (line) authentication, while our today's IM/VoIP
systems use password/personality recognition. At IMS time, both
equipment and person authentication would be used at the same time for
different services.

On 4/19/06, Leslie Asamoa-Krodua <leslie at asamoa.fi> wrote:
>
> Hello All,
>
> I recently completed a major study on VoIP security initiated to 
> understand the impact of this means within this enterprise. The bottom
> line is that VoIP although ACL'd still lacks the necessary control and
> tracking because it's so easy to impersonate in the virtual world.
>
> I then started wondering what eminent, real world, solutions may save 
> this great technology like it saved our society. I then started 
> dwelling on passports and driving licenses. In all forms of the 
> Internet, and maybe this is because of its simplicity or the intention
> of simplifying this technology (Internet) that such mechanisms of
> control have been avoided.
>
> RATHER, the Internet is rigged with passwords and user names; and then
> I thought, well if that is the case; and IF simplicity is what I am
> really gunning for, would I love to log into my car before I go to 
> work?
>
> Would I like to provide my user name and password before I purchase an
> item from a store?
>
> It's obvious isn't it? Well then why does this requirement fall on us
> within the Internet? Because I would rather, and I imagine it to be 
> so, shortly, not have to log into a PC to use an application. I would 
> expect that the PC was like a Kiosk and I could access whatever 
> application IN a PERSONALISED way.
>
> This drew me to thinking how the talk of MIKEY for VoIP sounds like a
> solution I would propose. But this problem is not limited to VoIP
> only, it's everywhere and security issues are hard to resolve because
> we do not know who started it! And so we cannot ask the WHY and HOW.
>
> Well I want to be able to. And so going from Smart cards to 
> Certificates embedded into 'wallets' or credit cards or house keys, I 
> would like to find a way to deal with this. And enable a kiosking mode
> where personalisation and identity are managed in a different way. And
> in parallel bring that implementation to the handset or soft client.
>
> If VoIP could do anything for 911, it should be able to tell the 
> emergency services who you are and not just where you are.
>
> Leslie Asamoa-Krodua
> Asamoa Oy
> http://dev.asamoa.fi
>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>



--
ZHAO, Liang (Richard)
Mobile: 86-13911532790
Office: 8610-58216804
Email: hi2005 at gmail.com
Blog: http://hi2005.wordpress.com