[VOIPSEC] CALEA Enforcement
Randell Jesup
rjesup at wgate.com
Tue May 9 22:22:55 CDT 2006
"Gupta, Sachin" <s-gupta2 at ti.com> writes:
>Ken Peterson [mailto:kapnet at mindspring.com] wrote:
>>Some points based on just a little bit of research.
>>Comments or clarifications to points are welcome.
>>
>>1. the service provider doesn't have to store anything until
>> the law shows up at the door with a court order
Correct (perhaps modulo the court order thing...)
>>2. the service provider has to have the capability to
>> store the media stream only if it passes through
>> their network
Is this still the case? It used to be, but I thought the latest FCC
orders from last Sept/Oct modified that - if you have PSTN in/out access,
you have to apply CALEA intercept to all on-net calls as well.
> Service provider can always force this thru SDP.
Correct - though redirecting on warrant is detectable if not done all the
time, and it can't be detectable.
>>3. the service provider has to have the capability to
>> store the signaling only if it passes through
>> their network
>Signaling has to pass thru Service Provider network. It is impossible for
>the Access device to figure out the location of all others they wish to
>talk to.
Unless you (somehow) know the IP/FQDN to talk to via SIP - but then it's
not really a Service-Provider-assisted call.
>>4. the service provider has to provide decryption/hashing/signing
>> keys *if* it has them. Key escrow *could* be required
>> for facilities-based VSPs in the future. I do not think
>> this is the case now...
Correct. And given the way the FCC is interpreting CALEA recently, lots of
things could be required in the future (the way on-net calls went from
exempt to covered).
>I think the benefit of using end-to-end media encryption with key escrow
>would be that the keys will only remain available at a single centralized
>place and access to these keys can be restricted.
Though (like the problems with credit-card customer databases) having a
large silo of data like that makes it a tempting target. Also, if these
keys are escrowed, this is assuming some form of global PKI infrastructure
- and we all know how successful people have been at deploying broad,
secure PKIs.
>>If encryption keys are exchanged in signaling(say by using SDES), then
>>they are available to all intermediate SIP nodes.
>>5. (opinion...) if the regs are too strict, providers will move
>> facilities off-shore out of the reach of local govt
>> authorities. example: skype (pre e-bay) would arguably
>> not be subject to US CALEA requirements because the only
>> servers they "own" are outside the US
>
>I do not think this would be a valid option.
For most people, true. For those who want to avoid surveillance, this would
be tempting. Witness all the offshore internet casinos...
--
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
"The fetters imposed on liberty at home have ever been forged out of the weapons
provided for defence against real, pretended, or imaginary dangers from abroad."
- James Madison, 4th US president (1751-1836)
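
Added example, not part of the original message: the quoted remark that SDES keys exchanged in signaling are available to all intermediate SIP nodes, shown by reading an RFC 4568 `a=crypto` attribute out of an SDP body the way any node handling the signaling can. The function name, the sample SDP and its key bytes are constructed for illustration; only the two AES-CM suites listed are handled.

```python
import base64
import re

# (master key bytes, master salt bytes) for two RFC 4568 crypto suites
SUITE_LENGTHS = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)")


def exposed_srtp_keys(sdp_text):
    """Return the SRTP master key/salt of every inline SDES key in an SDP body."""
    found, media = [], None
    for line in sdp_text.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media = line[2:].split()[0]          # e.g. "audio"
        m = CRYPTO_RE.match(line)
        if not m or m.group(2) not in SUITE_LENGTHS:
            continue
        klen, slen = SUITE_LENGTHS[m.group(2)]
        for key_param in m.group(3).split(";"):   # several keys may be offered
            method, _, info = key_param.partition(":")
            if method != "inline":
                continue
            b64 = info.split("|")[0]              # drop optional lifetime and MKI
            raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
            if len(raw) != klen + slen:
                continue                          # malformed key material
            found.append({
                "media": media,
                "tag": int(m.group(1)),
                "suite": m.group(2),
                "master_key": raw[:klen].hex(),
                "master_salt": raw[klen:].hex(),
            })
    return found


# Constructed sample: key||salt is simply bytes 0x00..0x1d, base64-encoded.
_B64 = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = (
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{_B64}|2^20|1:4\r\n"
)

if __name__ == "__main__":
    for key in exposed_srtp_keys(SAMPLE_SDP):
        print(key)
```

A deployment check built on this would flag any hop where such an SDP body travels over SIP without TLS, since the media key is readable there in the clear.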