The incredible importance of establishing “trusted identity” within SIP

July 8th, 2008 by Dan York


Do you trust the “Caller ID” you see on your phone when someone calls? Do you realize that it can be easily changed? Do you realize that spoofing that Caller ID gets even easier when we start communicating more over SIP?

Right now, one of the greatest challenges being addressed by the Real-time Applications and Infrastructure (RAI) area of the IETF is the whole concept of being able to trust the identity of the user who is calling you. You see, being able to trust the identity of the person on the other end of a SIP connection is incredibly hard. John Elwell recently summarized the issues well in his draft: “End-to-End Identity Important in the Session Initiation Protocol”. Getting “identity” right is one of the largest issues on the agenda of the various groups in the RAI area of the IETF.

Why? Given that we don’t have any way to trust the identity of a caller on the PSTN, why does it matter for SIP? I mean, Caller ID on the PSTN can be easily spoofed… either through any number of web sites or simply through hooking up your own IP-PBX to the PSTN (it’s even possible to do through applications built on our platform). Yet the vast majority of people I’ve asked still trust “Caller ID” on their PSTN phone.

I’d argue that this probably is mostly due to history… for the longest time, you couldn’t easily change your Caller ID. It was set within the carrier networks that make up the PSTN. People have grown to trust it. I expect that will change as unethical telemarketers will no doubt start to make more changes to get around all the call blocking users are doing. If it looks like the call is from your friend, you’re probably going to take the call.

The thing is that SIP makes this incredibly easy. Like SMTP for email, SIP is entirely text based and so just as you can change your email client to say you are sending mail from “elvis@heaven.gov”, you can change many SIP clients to say you are calling from whatever name or phone number you want. If you can’t change the client, you can set up and run your own SIP server.
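
The following added example (not from the original post) parses a SIP request and reports what, if anything, backs the caller's claimed identity. The `Identity`/`Identity-Info` (RFC 4474) and `P-Asserted-Identity` (RFC 3325) headers are not named in the post; the function names, the trusted-peer set and the sample INVITE are constructed for illustration.

```python
import re

COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id", "m": "contact"}  # RFC 3261 compact forms

def parse_headers(raw):
    """Return {lowercase-header-name: [values]} for one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)       # unfold continuation lines
    headers = {}
    for line in head.split("\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return headers

def name_addr(value):
    """Split '"Elvis" <sip:elvis@heaven.gov>;tag=1' into (display, uri)."""
    m = re.match(r'\s*(?:"([^"]*)"|([^<"]*?))\s*<([^>]+)>', value)
    if m:
        return (m.group(1) or m.group(2) or "").strip(), m.group(3)
    return "", value.split(";", 1)[0].strip()   # bare addr-spec, no brackets

def caller_identity(raw, source_ip, trusted_peers):
    """Report what the caller claims and what, if anything, backs the claim."""
    h = parse_headers(raw)
    display, uri = name_addr(h["from"][0])
    if "identity" in h and "identity-info" in h:
        basis = "signed-claim"      # signature present; it must still be verified
    elif "p-asserted-identity" in h and source_ip in trusted_peers:
        basis = "network-asserted"  # only meaningful when sent by a trusted peer
    else:
        basis = "self-asserted"     # From is whatever the sender chose to type
    return {"display": display, "uri": uri, "basis": basis}

# Constructed sample: a minimal INVITE using the post's example address.
SAMPLE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
    'f: "Elvis" <sip:elvis@heaven.gov>;tag=1\r\n'
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: constructed-1@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "P-Asserted-Identity: <sip:elvis@heaven.gov>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(caller_identity(SAMPLE, "198.51.100.7", {"192.0.2.10"}))
```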

The danger that many of us see is that if this capability gets widely abused, there is the strong potential that we could wind up in a situation where your identity over SIP is dismissed and not trusted… just like email addresses are today. Given the huge volume of email spam, how many of us actually trust that the “From” address on an email message is really who it is? We have to go into the email message to really see if it is someone we know… which is something you can’t really easily do with real-time communication like voice. You have to actually accept the call and start talking.

I don’t think we as an industry want to see SIP identity go that way… so we need to make sure that we get SIP identity right. We need to get to a state where users can trust that the “Caller ID” they see displayed on their IP phone, softphone, or other device is actually who it says it is.

From a Voxeo perspective, we’re interested because we’d like to see more and more communication occur over SIP. Our Prophecy product is a SIP application and media server. Our hosted platform allows inbound and outbound SIP connections to and from applications. On the back end, we’re a huge consumer of SIP trunks. We want to be able to trust the identity information we see.

Because we also host tens of thousands of voice applications (55,000+ right now), we are also very interested in ensuring that any identity mechanisms allow your SIP identity to be extended to a service provider. If you have pushed your voice applications out into our hosted cloud, right now your apps can set our PSTN Caller ID to be a number that is identified as you. We want to see the same capability within SIP - and want the recipients to be able to trust that the identity of the caller is in fact you - even if we may be actually hosting the infrastructure.

Obviously, while most communication today still occurs over the PSTN, some of these issues aren’t immediate. But as we all go about building the great big SIP interconnect that lets us bypass the traditional PSTN, these issues become increasingly important.

We have to get SIP identity right - or risk being dismissed.

If you’re interested in getting more involved, I’d encourage you to subscribe to the IETF’s SIP and SIPPING mailing lists (but obviously be aware that “identity” is not the only topic being discussed there - and beware, they can be high volume lists). Here are some pointers to pieces to read for background:

There will be a great amount of discussion in the weeks and months ahead… feel free to join in!

