Dean

Why SIP Doesn't Need openID

Written by dean on Feb 19, 2007 - 04:32 PM

I've seen quite a number of posts recently about openID and in particular its proposed use within the SIP framework for VoIP.

openID is, in their words, "an open, decentralized, free framework for user-centric digital identity". It's a great idea in principle and has even been adopted recently by Microsoft.

Going back through the trail, it seems to start with this post from Aswath on his blog:-

http://www.mocaedu.com/mt/archives/000280.html

Picked up by Phone Boy:-

http://www.phoneboy.com/node/1177

... and then followed up by Dan York on his new blog (and on BlueBox Podcast #48):-

http://www.disruptivetelephony.com/2007 ... ep_di.html

I personally don't see it as useful within the VoIP world.

Why? It's a means of enabling identification in a secure way between two individuals. But we don't really need that in SIP. That's a server-side job.

I think we do have identification problems, but what we need to resolve those is authentication on a server to server level within a multi-lateral peered "supernet" environment. That's the SIP environment of the future - authentication will need to be achieved inter-domain.

Measures of authentication already exist between client and SIP server. You have a username and password combination that you use to login to the server. Security, if required, can be implemented through TLS (an existing implementation of security at this layer). TLS is an open standard and is available in pretty much all VoIP implementations now.

Of course, there are exceptions. Some phones will accept SIP messages sent to their IP address, without having come from the registered server/proxy. But if you set your phone to allow that, then frankly you deserve all the Chinese Takeaway orders and other wrong numbers you get ;)

The problem of identity authentication actually resides in the server to server realm in a peered environment. How does sip.fwd.com know for sure that a peered call request is really coming from sip.voipuser.org?

That's the identity problem.

Fortunately there is already a system in place that solves the identity problem. It's one that has been implemented by the leading server applications (SER, openSER, Asterisk and SIPfoundry). It was designed in 1999 by networking specialists Cisco, 3Com and TransNexus, and is an authorised standard under ETSI (the European Telecommunications Standards Institute).

Its name is OSP.

http://www.transnexus.com/OSP%20Toolkit ... 40101p.pdf

It's a technology that we've been experimenting with at VoIP User for a little while.

Dean
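The client/server authentication the post refers to (a username and password used to log in to the SIP server) is the digest challenge/response of RFC 3261. The following is an added illustration of that exchange, not code from the post or from VoIP User: a registrar issues a one-time nonce in a 401 challenge, the client answers with an Authorization header, and the registrar checks the response, consuming the nonce so the same header cannot be replayed. The realm, account and password are constructed sample values; TLS, which the post names for transport security, would wrap this exchange and is not shown.

```python
import hashlib
import hmac
import os
import re

# Constructed sample data: one hypothetical account on a hypothetical domain.
REALM = "sip.example.invalid"
USERS = {"alice": "correct horse battery"}   # username -> password, as the registrar holds it


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce):
    """RFC 3261 digest (RFC 2617 form without qop): MD5(HA1 : nonce : HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_params(header: str) -> dict:
    """Pull name=value pairs out of 'Digest name="value", ...' (quotes optional)."""
    _, _, params = header.partition("Digest ")
    return dict(re.findall(r'(\w+)="?([^",]*)"?', params))


def build_authorization(username, password, challenge, method, uri):
    """Client side: answer a WWW-Authenticate challenge with an Authorization header."""
    ch = parse_params(challenge)
    resp = digest_response(username, password, ch["realm"], method, uri, ch["nonce"])
    return (f'Authorization: Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')


class Registrar:
    """Server side: issues one-time nonces and checks the client's response."""

    def __init__(self, users, realm):
        self.users = users
        self.realm = realm
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def verify(self, method: str, authorization: str) -> bool:
        p = parse_params(authorization)
        nonce = p.get("nonce")
        if nonce not in self.outstanding:       # unknown or already used: rejects replays
            return False
        self.outstanding.discard(nonce)         # each nonce is good for exactly one attempt
        if p.get("realm") != self.realm or p.get("username") not in self.users:
            return False
        expected = digest_response(p["username"], self.users[p["username"]],
                                   self.realm, method, p.get("uri", ""), nonce)
        # constant-time comparison so the check leaks nothing about the expected value
        return hmac.compare_digest(expected, p.get("response", ""))


def demo():
    """Three REGISTER attempts: genuine, replayed header, wrong password."""
    reg = Registrar(USERS, REALM)
    uri = "sip:" + REALM
    auth = build_authorization("alice", USERS["alice"], reg.challenge(), "REGISTER", uri)
    genuine = reg.verify("REGISTER", auth)
    replayed = reg.verify("REGISTER", auth)          # same header again: nonce is spent
    bad = build_authorization("alice", "guess", reg.challenge(), "REGISTER", uri)
    wrong_password = reg.verify("REGISTER", bad)
    return genuine, replayed, wrong_password


if __name__ == "__main__":
    print(demo())
```

The one-time nonce set is the part worth noticing: without it, a captured Authorization header (which is why the post pairs digest with TLS) could be presented again to the registrar and would verify.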
Reply from martyndavies on Feb 19, 2007 - 07:10 PM
I've played around with OpenID myself, and I can see that in the future it might be a useful way to simplify logging onto many different web services, and also associating different identities together, for example so that Skype know that I am the same Martyn Davies as an account on Microsoft Live, Twitter etc. That may very well be useful in the future for Web 2.0 services to offer interesting mashup services, or for using a positive reputation (e.g. Ebay feedback or PayPal transaction history) as collateral in establishing a relationship with a new service.

I'm not sure I follow the OpenID argument in the SIP world. It's not clear to me whether we are talking about using OpenID for authenticating SIP devices with their proxy, or whether we are talking about secondary authentication where a SIP INVITE arrives, and at this point we quiz their OpenID service to see whether they are bona fide before we answer. In the former case, it's like treating a VoIP service as "just another Web 2.0 service", and I can see that argument. The second is less compelling for me. It seems somehow wasteful to be authenticating each incoming call when each user has already authenticated against a proxy and (presumably) there is some kind of trust relationship between the two SIP networks.
Reply from dean on Feb 21, 2007 - 01:39 PM
Quote:
It seems somehow wasteful to be authenticating each incoming call when each user has already authenticated against a proxy

I share that thought.

Quote:
...and (presumably) there is some kind of trust relationship between the two SIP networks.

Trust, yes - absolutely. That's part and parcel of a peering relationship.

But what about authentication (between the servers, as opposed to client/server)?

What happens when a bunch of SPIT traffic enters Server B's network, supposedly from Server A's network? Server B's admin is going to get onto Server A's admin and say "what the hell are you letting this stuff into my network for? You're in breach of our contractual peering relationship".

And let's say, for argument's sake, that the traffic never actually originated from Server A, but was spoofed.

Who's paying whose bill?
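The question in this reply (how does sip.fwd.com know a peered INVITE really came from sip.voipuser.org, rather than being spoofed into its network) is what a server-to-server token answers. The example below is added here to illustrate the principle only; it is not Dean's code, not VoIP User's, and not the OSP token format the thread recommends. It assumes a hypothetical scheme in which each peer holds a pre-shared HMAC key and the originating server binds its domain to one specific Call-ID and From header in a short-lived signed token carried in a made-up `X-Peering-Token` header. The terminating server admits the call as peer traffic only if the signature verifies for a known peer, the token matches the call it arrived with, it has not expired, and it has not been seen before; anything else is treated as untrusted, so a spoofed burst of SPIT cannot be charged to the peer it impersonates.

```python
import base64
import hashlib
import hmac
import json

# Constructed: the per-peer shared secrets the terminating server (say, sip.fwd.com)
# holds for each domain it peers with. Hypothetical values, hypothetical scheme.
PEER_KEYS = {"sip.voipuser.org": b"constructed-shared-secret-for-voipuser"}
TOKEN_HEADER = "X-Peering-Token"   # hypothetical header name used only in this example


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(src_domain, call_id, from_uri, key, now, ttl=30):
    """Originating server: bind its identity to this specific call and sign it."""
    payload = {"src": src_domain, "call_id": call_id, "from": from_uri, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{mac}"


class PeerGate:
    """Terminating server: admit a peered INVITE only if its token checks out."""

    def __init__(self, peer_keys):
        self.peer_keys = peer_keys
        self.seen = set()   # (src, call_id) already admitted: stops token replay

    def admit(self, invite: dict, now):
        """invite: the INVITE's headers as a dict. Returns (accepted, reason)."""
        token = invite.get(TOKEN_HEADER)
        if not token or "." not in token:
            return False, "no peering token: handle as untrusted, not as peer traffic"
        body, _, mac = token.partition(".")
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed token"
        if not isinstance(payload, dict):
            return False, "malformed token"
        key = self.peer_keys.get(payload.get("src"))
        if key is None:
            return False, "claimed source is not a known peer"
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, mac):
            return False, "signature does not verify: spoofed or tampered"
        if payload.get("exp", 0) < now:
            return False, "token expired"
        if payload.get("call_id") != invite.get("Call-ID") or payload.get("from") != invite.get("From"):
            return False, "token was issued for a different call"
        fingerprint = (payload["src"], payload["call_id"])
        if fingerprint in self.seen:
            return False, "token replayed"
        self.seen.add(fingerprint)
        return True, f"accepted as peer traffic from {payload['src']}"


def demo():
    """Six INVITEs arriving at the terminating server; returns (accepted, reason) for each."""
    now = 1_000_000                      # constructed clock value, seconds
    src, key = "sip.voipuser.org", PEER_KEYS["sip.voipuser.org"]
    alice = "sip:alice@sip.voipuser.org"
    gate = PeerGate(PEER_KEYS)

    genuine = {"Call-ID": "c1@" + src, "From": alice,
               TOKEN_HEADER: issue_token(src, "c1@" + src, alice, key, now)}
    spoofed = {"Call-ID": "c2@" + src, "From": alice}            # claims voipuser, no token
    forged = dict(spoofed, **{TOKEN_HEADER: issue_token(src, "c2@" + src, alice, b"wrong-key", now)})
    transplanted = {"Call-ID": "c4@" + src, "From": alice,
                    TOKEN_HEADER: genuine[TOKEN_HEADER]}         # real token, different call
    stale = {"Call-ID": "c3@" + src, "From": alice,
             TOKEN_HEADER: issue_token(src, "c3@" + src, alice, key, now)}

    return [gate.admit(genuine, now),
            gate.admit(genuine, now),          # same INVITE presented again
            gate.admit(spoofed, now),
            gate.admit(forged, now),
            gate.admit(transplanted, now),
            gate.admit(stale, now + 60)]       # presented after the 30 s lifetime


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The signature settles the "who's paying whose bill" question from the reply: only a holder of the peer's key can produce a token that names that peer, so unsigned or badly signed traffic is never attributed to the peer in the first place. Binding the token to Call-ID and From, and remembering what has been admitted, closes the remaining gap of lifting a genuine token off one call and attaching it to others.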
Reply from dean on Mar 23, 2007 - 01:02 PM
This one has taken an interesting twist with the addition into the mix of some ideas surrounding P2Psip.

Aswath states his view that openID is not required in P2Psip, but that openID can create a Peer to Peer SIP environment. It seems this is where Aswath was coming from in his original post, but didn't want to get into the detail until now for (potentially) commercial reasons (fair enough):-

Quote:
I can store the IP address and the port number on which my SIP client will listen for incoming calls in a web page and my partner can visit that page before initiating a session request.

But with OpenID one can achieve something more. The web site can now provide the mapped IP address and port number by taking into account the OpenID of the initiator, just like Relevance Engine from iotum will do.

I accept, having read Aswath's latest post, that openID can be made useful in a Peer to Peer SIP environment. Without servers, we lack authentication and, without authentication, we have a potential Identity Misrepresentation problem. This is exactly what openID was designed to solve. And I do believe it's a good design - that for me is not an issue. Aswath suggests that with a little additional information provided via a personal webpage, you effectively have a complete, secure, signalling protocol. And actually it doesn't even have to be SIP.

My original post above really was concerned only with the current standard SIP model: client/server. In that model, I stick by my original post as openID doesn't offer us anything that doesn't already exist in the current SIP framework (client/server authentication via TLS). Server/Server authentication can, and should, be managed using OSP tokens. And we will always have client/server relationships within SIP, at least as long as we have a PSTN or 21CN and a requirement to gateway multiple network topologies.

So, yes, openID could help create a peer to peer environment for a VoIP platform, whether SIP or something else.

Interesting concept.

Dean


All logos and trademarks in this site are property of their respective owner.
Comments and posts are property of the poster, all the rest (c) 2003-2008 VoIP User Limited.

VoIP User Limited is incorporated in England and Wales under Company Number 6694577.

No part of this site may be reproduced without our prior consent.