Re: [cnit] CNIT Charter bashing..

Henning Schulzrinne <> Fri, 12 June 2015 22:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 82DC21A1A1C for <>; Fri, 12 Jun 2015 15:48:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C_kOgL8M6mw6 for <>; Fri, 12 Jun 2015 15:47:58 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 378301A1A3D for <>; Fri, 12 Jun 2015 15:47:58 -0700 (PDT)
Message-ID: <>
From: Henning Schulzrinne <>
To: "Dwight, Timothy M (Tim)" <>, "" <>
Thread-Topic: [cnit] CNIT Charter bashing..
Date: Fri, 12 Jun 2015 22:47:56 +0000
References: <> <> <> <> <9384_1434103912_557AB068_9384_7221_1_B5939C6860701C49AA39C5DA5189448B14C216E0@OPEXCLILM42.corporate.adroot.infra.ftgroup> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [cnit] CNIT Charter bashing..
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Calling Name Identity Trust discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Jun 2015 22:48:00 -0000

I suspect there could be cases where a caller objects to the disclosure to intermediate entities; they clearly should have the option of not including the name information, either on a call-by-call or global basis. I'm guessing that this is a rare case; for the entities most reliant on caller name information, namely entities that cannot count on being in the address book of the called party, they usually have semi-public telephone numbers, so that the mapping to the name is essentially public. As I noted, as long as roughly the same information is in-band as out-of-band today, every single carrier can already look up CNAM information if they are so inclined. Thus, I'm not quite following how this makes things worse. (The difference is that today, I can look up CNAM information for any phone number, even if the entity never called me. In-band delivery would obviate the need for CNAM databases, so it would seem to make things better, not worse.)

The latter point obviously only applies to countries with CNAM; as long as the opt-in/opt-out nature is preserved, this seems more like a disclosure issue ("your name is visible to your carrier and, if the carrier is too lazy to implement SIP over TLS, any national intelligence agency that happens to be watching that fiber").

From: Dwight, Timothy M (Tim) []
Sent: Friday, June 12, 2015 12:47 PM
To: Richard Shockey; Stephen Farrell; Henning Schulzrinne;;
Subject: RE: [cnit] CNIT Charter bashing..


I'm probably not following this right, so bear with me.  In the current paradigm the calling party's name isn't sent in the call request message, right?  But you're proposing that it should be (or optionally could be, whatever).  Doesn't that open up the possibility Mr. Farrell suggested, that some entity that's in the path of the call request message can "see" something he previously could not?

Note that "existing anonymous calling protections" apply to the presentation of information to the user, not necessarily to carriage of information across the network.  The FROM header may be anonymized when the calling user requests privacy, for example, but the P-Asserted-Identity header will not.  So if we were to use the display name in the P-A-ID to carry the calling party name asserted by the originating network, that name would (unless we encrypt it) be "visible" to any network element on the path of the INVITE.


-----Original Message-----
From: cnit [] On Behalf Of Richard Shockey
Sent: Friday, June 12, 2015 10:50 AM
To: Stephen Farrell; Henning Schulzrinne;;
Subject: Re: [cnit] CNIT Charter bashing..

Henning is right. No one is forcing anything. Existing anonymous calling protections still apply.

Again my point is that is a great many cases Interconnected SIP between NA carriers are covered by other security mechanisms.

Right now your Facetime session is totally in the clear. My concern is we end up going down the rat hole of trying to create perfect end to end security nothing will get done.

On 6/12/15, 10:17 AM, "Stephen Farrell" <> wrote:

>On 12/06/15 15:13, Henning Schulzrinne wrote:
>> In almost all cases of interest, the calling party *wants* to
>> disclose accurate information to the called party, so the privacy
>> issues don't seem to arise. They would only arise if there was forced
>> disclosure; I don't think anybody is proposing that.
>Privacy issues could also arise if a middlebox could now see sensitive
>information that it previously could not see. I think that is
>independent of whether disclosure is desired by either of the
>cnit mailing list

cnit mailing list