[VOIPSEC] An issue of trust?
Randell Jesup
rjesup at wgate.com
Tue Jun 20 08:35:49 CDT 2006
"Geoff Devine" <gdevine at cedarpointcom.com> writes:
>Personally, I have very little sympathy for people who re-invent things
>without understanding all the requirements. CALEA predated VoIP. The
>implementers denied that CALEA could possibly apply to them. The real
>world intruded on their nirvana.
>I don't see the difference. It's reasonable public policy to expect
>that all telephone calls be wiretapped if there is a court order for it.
After some time to reflect I have one additional point to make on this
(and then, which I'm sure will please quite a few here, I'll try to cut
down on CALEA-oriented messages). :-)
One of the big problems in trying to apply CALEA to non-PSTN IP
communication is that there's an underlying assumption that CALEA is based
on that doesn't hold in the internet world. That assumption is that
communication devices are defined by fixed numbers that are:
a) Tied to a location/person
b) The person requesting the number is authenticated in a number of manners
c) Take a long time to get installed (provisioned)
d) Are expensive to get installed
e) The number available to a person is (significantly) limited
f) Hard to change (related to c)
Most of these don't necessarily apply in the internet space. The biggest
lever to trying to apply them to the internet would probably be E.164
numbers - but those are pretty easy to get even today, they don't apply at
all to many current and future domains of IP communication, and even areas
that currently use them will probably slowly move away from them.
The strongest thing helping CALEA in IP communication is that currently you
have to know how to contact someone, whether that's an E.164 number, a sip:
address, email address, IM AIM name, etc. The Achilles heel for that is
that many of those service domains have no way to interject themselves into
the media streams, and many domains allow quick and easy creation of new
contacts/identities - it's quite hard to stop that from being so unless you
centralize all identity creation (à la E.164), and even there it's tough.
You can see these problems today in the PSTN world with throw-away/stolen
cellphones used by criminals. The same dynamic (but worse, because there's
little/no monetary cost) would apply in the online world if you try to
tighten the screws on identity creation - they'd create throw-away
identities and steal legitimate users' identities. Spam is another
example.
My point isn't that all lawful intercept per se is bad. My point is that
CALEA is a bad law to try to extend to IP communications from the PSTN.
Lawful intercept for the internet needs to be designed for the internet
(and debated openly, not resolved in court cases).
And obviously, all of this gets tied into security, which is why it's
relevant here.
--
Randell Jesup, Worldgate
rjesup at wgate.com
"The fetters imposed on liberty at home have ever been forged out of the weapons
provided for defence against real, pretended, or imaginary dangers from abroad."
- James Madison, 4th US president (1751-1836)