IETF Logo Mail Archive

Re: [rtcweb] Identity and PSTN gateways

"Olle E. Johansson" <oej@edvina.net> Tue, 03 April 2012 13:05 UTC

Return-Path: <oej@edvina.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8C911E8087 for <rtcweb@ietfa.amsl.com>; Tue, 3 Apr 2012 06:05:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YjqBkIyMXWq4 for <rtcweb@ietfa.amsl.com>; Tue, 3 Apr 2012 06:05:30 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se [IPv6:2a02:920:212e::205]) by ietfa.amsl.com (Postfix) with ESMTP id 63E3811E8088 for <rtcweb@ietf.org>; Tue, 3 Apr 2012 06:05:29 -0700 (PDT)
Received: from [192.168.40.89] (h87-96-134-129.dynamic.se.alltele.net [87.96.134.129]) by smtp7.webway.se (Postfix) with ESMTPA id 25192754A8AA; Tue, 3 Apr 2012 13:05:27 +0000 (UTC)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset="us-ascii"
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <4F7AF40D.3010706@alvestrand.no>
Date: Tue, 03 Apr 2012 15:05:26 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <A61DB206-1B56-44B5-AADE-E4A820D76B93@edvina.net>
References: <4F7AF40D.3010706@alvestrand.no>
To: Harald Alvestrand <harald@alvestrand.no>
X-Mailer: Apple Mail (2.1257)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Identity and PSTN gateways
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 13:05:31 -0000

3 apr 2012 kl. 14:58 skrev Harald Alvestrand:

> One thing that has come up repeatedly in the discussion is the claim that "you can't have a verified identity when you talk to someone via a telephone gateway" (and therefore <insert your favourite security mechanism here> is not needed / not an added benefit / other claim).
> 
> I think this is a fallacy.
> 
> Sure, as people have commented numerous times, telephone numbers are identities; they're being used as such every time someone prints them on a business card or a billboard.
> 
> When you're connecting via a gateway to the PSTN, the gateway operator gives you a guarantee that you're being connected to the right person; that's what gateways are for.
> 
> This makes for a fairly simple mapping to the "identity / identity provider" model we've been bandying about for the "full-blown" IdP / endpoint case:
> 
> The identity is the telephone number.
> The identity provider (one of many possible ones for the number) is the gateway operator.
> 
> Thus - if you call a telephone number via a gateway, you would perform a DTLS key exchange with the gateway, and an identity verification exchange with the gateway operator; you would then guarantee that the gateway operator vouches for this being a legitimate gateway function that you can reach for that number.
> 
> That's just about the best guarantee you can get when talking to the telephone system. But if we're using the IdP + DTLS-SRTP version, the exchange guarantees you that:
> a) nobody is listening in between you and the gateway (even if they snooped your signalling)
> b) the gateway operator vouches for the gateway being the right gateway to reach that number
> 
> Seems like a little bit better than what you get with SDES. Only a little.

Now we will have to separate "PSTN-emulating" gateways that accept calls to all phone numbers but play a prompt saying "You gotta be kidding me - calling a phone number?" from REAL gateways that have a connection to the PSTN world. 

Will guys connecting with SS7 have a certificate signed by the ITU as a "TRUE" PSTN provider and the voip guy in the basement next door just have a "Best effort fourth-tier PSTN service" certificate?

I think that any identity of any PSTN gateway just identifies the gateway as a server. Not as a service.

/O

v2.23.0 | Report a Bug | By Email