[VOIPSEC] Identity Management and VoIP and More
Lee Dilkie
lee_dilkie at mitel.com
Fri Jun 30 07:37:00 CDT 2006

Zmolek, Andrew (Andy) wrote:
> I've already got a mobile phone that I can't use to make calls unless I
> enter my GoodLink password (thankfully I can receive a call without
> entering it, but can't send DTMF or do much of anything else without
> that password). Given the amount of sensitive information on the phone
> and the public places it travels across, it's something I can deal with
> (though a biometric lock would be more convenient).
>
> But when I think about having to lock and unlock my desk phone, I'm
> having a hard time justifying that kind of distraction unless I work in
> a public space, and a lot of other questions immediately spring to mind,
> many related to mobility as well:
>
> - What kind of timeout is reasonable for my phone login?
> - Do I have to buy an expensive phone with a proximity reader that can
> sense my RFID badge?
> - Should I be able to receive a call when the phone is locked?
> - Should the phones in my conference rooms require a login, and when I
> login should they take on my extension?
> - If I had an RFID badge, should I allow any phone in my proximity to
> ring when someone is calling me?
> - How do I handle the lobby phone?
> - How do I meet E911 regulations if phones can be locked?
>
> And that doesn't even get into more practical issues of managing phones
> as authenticators and handling priority and precedence beyond the E911
> case. Suffice it to say that there are as many human issues here as
> engineering ones, but I'd love to hear what others on the list think
> would be both implementable and practical as we move to a more
> data-oriented authentication model for phones and other voice-oriented
> devices.
>

I think that we would do ourselves a favour if we limited identity and
authentication discussions to device identity and not try and include
people identity. At the device level the only strong identity that we
can validate is, well, at the device level. In our case that is a dialed
number (DN) or a SIP URL perhaps.

That means that if I'm setting up a call with 1234, I need to ensure
that any security associations I negotiate with 1234 aren't tampered
with, that ongoing communications are secured and that call teardown is
also authenticated. At the device level, that is the only information
we have to authenticate. If it turns out that Bob stole Fred's phone and
is using it, I think the responsibility for authenticating that lies
outside our scope.

I'm not saying that person authentication isn't a bad idea, and certain
product markets (mobile phones) and some companies will implement
solutions. But we should adopt the "onion skin" approach to securing our
layer. Otherwise I fear we will get paralyzed by spiraling "what if"
scenarios.

Personally, if I had to unlock my desk phone, I'd just heave it out the
window. :)

-lee dilkie