Voipsec Digest, Vol 14, Issue 5
- From: "Browne, Derek" <Derek.Browne (at) emergis.com>
- Date: Sat, 4 Feb 2006 13:00:05 -0500
Thanks...I already did :)
Dj
--------------------------
Derek Browne
derek.browne (at) emergis.com
905-707-4025
-----Original Message-----
From: Voipsec-bounces (at) voipsa.org
To: Voipsec (at) voipsa.org
Sent: Sat Feb 04 07:00:03 2006
Subject: Voipsec Digest, Vol 14, Issue 5
Today's Topics:
1. Re: A different view on the nature of Phil Zimmermann's new
work... (Was Re: Phil Zimmerman to release VoIP Encryption
Software(c.March)) (mailinglist)
2. Re: A different view on the nature of Phil Zimmermann's new
work... (Was Re: Phil Zimmerman to release VoIP Encryption
Software(c.March)) (dan_york (at) Mitel.com)
3. Re: A different view on the nature of Phil Zimmermann's new
work... (Lucas Fisher)
4. Re: A different view on the nature of Phil Zimmermann's new
work... (Ignjatic, Dragan)
5. VoIP outage news coverage blog -
http://voip-outage.blogspot.com (Shawn Merdinger)
----------------------------------------------------------------------
Message: 1
Date: Fri, 3 Feb 2006 18:59:46 +0100
From: "mailinglist" <mailinglist (at) pbxnsip.com>
Subject: Re: [VOIPSEC] A different view on the nature of Phil
Zimmermann's new work... (Was Re: Phil Zimmerman to release VoIP
Encryption Software(c.March))
To: <dan_york (at) Mitel.com>, <voipsec (at) voipsa.org>
Message-ID: <mailman.9.1139054403.6869.voipsec_voipsa.org (at) voipsa.org>
Content-Type: text/plain; charset="us-ascii"
My concern is that a new standard would send us "back to school" - for
years. Privacy of VoIP calls might not be sexy, but it is a must in
enterprise communications. I think everybody agrees that we don't have too
much time to get this problem fixed.
There was a discussion about end to end security and it seemed like
everybody agreed that S/MIME is not really the answer (too slow, picking up
fast is impossible). I would be interested in how ZRTP handles the fast
pickup (answer-after=0).
Phil is not a beginner - neither technically nor on how to get stuff through
the politics of standard boards. That makes me think I should take a serious
look at that.
Another cent! Christian
> -----Original Message-----
> From: Voipsec-bounces (at) voipsa.org
> [mailto:Voipsec-bounces (at) voipsa.org] On Behalf Of dan_york (at) Mitel.com
> Sent: Friday, February 03, 2006 6:21 PM
> To: voipsec (at) voipsa.org
> Subject: [VOIPSEC] A different view on the nature of Phil
> Zimmermann's new work... (Was Re: Phil Zimmerman to release
> VoIP Encryption Software(c.March))
>
> Christian & others,
>
> It's been interesting to read this discussion and I'm pleased
> to see the note about Phil Zimmermann's work entering the RFP
> process. I thought, though, that I'd just comment on what I
> took away from his talk. It seemed to me that he is not
> necessarily looking for this to be adopted by
> companies/vendors/etc. but rather that he's focused on
> *individual* security. I go back to his quote that I pulled
> out on the podcast blog:
>
> I would like to do for VoIP what I did for e-mail... I'd like to
> make it possible for you to whisper in someone's ear - even if
> their ear is thousands of miles away.
>
> The point I took away is that if I have zFone installed as a
> shim on my system and you have it on your system, we can
> establish a secure encrypted VoIP call using our softphones
> *regardless* of what systems we may be using. No PKI
> involved. No central authority. Probably with no knowledge
> of the usage by the phone systems involved.
>
> Very much like PGP and e-mail. I can just PGP-encrypt a
> message to you and send it off using my e-mail client and my
> e-mail system here. It will traverse the world of SMTP and
> whatever other protocols and servers are there and will get
> to you where you, and you alone[1], will be able to decrypt it.
>
> The fact that we used PGP to encrypt that e-mail was most
> likely completely unknown to the vendors and system
> administrators of the e-mail systems to which we are
> connected. The only time it might be noticed would be when a
> sysadmin was scanning reports about mail system usage and
> might, perhaps, find some notation of messages that were
> unable to be examined.
>
> We chose to use PGP as private individuals. We somehow
> originally verified our PGP key fingerprints (perhaps,
> ironically, by reading a key fingerprint over the phone).
> But it was our choice and something done outside of the
> control of any of the systems we use or employers or others.
>
> This was what I understood of the nature of zFone. Putting
> the control of the encryption down into the hands of the
> *individual* users so that they could have encrypted
> conversations regardless of what type of VoIP system they
> were connected to.
>
> If I have that view correctly, then it wouldn't matter
> whether any of the IP-PBX vendors or ITSPs or other providers
> supported zFone or not[2]. As long as there was a way for
> the SRTP stream from my softphone to get to yours (without
> modification) - and as long as both of our softphones had the
> zFone shim - we could have a secure conversation.
>
> That is what I understood his proposal to be. Obviously until
> we see the specifications that Alan Johnston mentioned are in
> the works, all of this (how he would do it, who would support
> it, what softphones it would work with, how successful it
> would be, etc., etc.) is all mere speculation.
>
> My 2 cents,
> Dan
>
>
> [1] Subject to your belief, of course, in the security of PGP
> and whether or not various gov't entities can decrypt PGP,
> but that's a topic for a different e-mail thread and not one
> for this mailing list.
>
> [2] In fact, I can think of issues like CALEA and "lawful intercept"
> and such that might prevent a carrier from even being able to
> support this, even if they wanted to. There would be no
> central repository of keys and such and therefore no way to
> decrypt the call. (like PGP, again)
>
> --
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp. http://www.mitel.com
> dan_york (at) mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
> _______________________________________________
> Voipsec mailing list
> Voipsec (at) voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
------------------------------
Message: 2
Date: Fri, 3 Feb 2006 14:29:54 -0500
From: dan_york (at) Mitel.com
Subject: Re: [VOIPSEC] A different view on the nature of Phil
Zimmermann's new work... (Was Re: Phil Zimmerman to release VoIP
Encryption Software(c.March))
To: voipsec (at) voipsa.org
Message-ID:
<OFDAF7C139.6DA9B6D8-ON8525710A.006A27DD-8525710A.006B19C8 (at) mitel.com>
Content-Type: text/plain; charset="us-ascii"
Christian,
> My concern is that a new standard would send us "back to school" - for
> years. Privacy of VoIP calls might not be sexy, but it is a must in
> enterprise communications. I think everybody agrees that we don't have too
> much time to get this problem fixed.
Yes... I think we can all agree to that. It's also not clear to me
whether this will be a solution for enterprise communications (versus
personal communications)... don't know... have to wait for the spec.
> There was a discussion about end to end security and it seemed like
> everybody agreed that S/MIME is not really the answer (too slow, picking up
> fast is impossible). I would be interested in how ZRTP handles the fast
> pickup (answer-after=0).
Yes, it will be interesting to see.
> Phil is not a beginner - neither technically nor on how to get stuff through
> the politics of standard boards. That makes me think I should take a serious
> look at that.
Yes, I personally think we should, if only because the thorny issues around
key exchange between enterprises continue to be a difficult problem to solve
and another suggestion is always helpful. Perhaps it's something we can use.
Perhaps not. Perhaps the approach can be combined with something else.
We all will now join the waiting game to see what "it" actually is.........
(somehow I have a feeling we'll have some good discussion here in a month
or so when the specification is actually released)
Regards,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york (at) mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
------------------------------
Message: 3
Date: Fri, 03 Feb 2006 17:22:19 -0500
From: Lucas Fisher <ljfisher (at) toadmail.com>
Subject: Re: [VOIPSEC] A different view on the nature of Phil
Zimmermann's new work...
To: dan_york (at) Mitel.com
Cc: voipsec (at) voipsa.org
Message-ID: <43E3D79B.6020704 (at) toadmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Can you achieve the same as the goal below (privacy controlled by the
end users) with something like MIKEY? It passes a token in SDP. As long as
someone in the middle doesn't try to filter SDP or rewrite the messages,
we should still be able to agree on a key? I would think we could
establish a mechanism with MIKEY that also allows us to establish a
shared key on first contact and then always use something derived from
that key for future sessions. I don't know MIKEY that well, however.
Lucas
dan_york (at) Mitel.com wrote:
> The point I took away is that if I have zFone installed as a shim on my
> system and you have it on your system, we can establish a secure
> encrypted VoIP call using our softphones *regardless* of what systems
> we may be using. No PKI involved. No central authority. Probably with
> no knowledge of the usage by the phone systems involved.
>
> Very much like PGP and e-mail. I can just PGP-encrypt a message to you
> and send it off using my e-mail client and my e-mail system here. It
> will traverse the world of SMTP and whatever other protocols and servers
> are there and will get to you where you, and you alone[1], will be able
> to decrypt it.
>
> The fact that we used PGP to encrypt that e-mail was most likely completely
> unknown to the vendors and system administrators of the e-mail systems
> to which we are connected. The only time it might be noticed would be
> when a sysadmin was scanning reports about mail system usage and might,
> perhaps, find some notation of messages that were unable to be examined.
>
> We chose to use PGP as private individuals. We somehow originally
> verified our PGP key fingerprints (perhaps, ironically, by reading a key
> fingerprint over the phone). But it was our choice and something done
> outside of the control of any of the systems we use or employers or
> others.
>
------------------------------
Message: 4
Date: Fri, 3 Feb 2006 14:32:53 -0800
From: "Ignjatic, Dragan" <Dragan.Ignjatic (at) polycom.com>
Subject: Re: [VOIPSEC] A different view on the nature of Phil
Zimmermann's new work...
To: "Lucas Fisher" <ljfisher (at) toadmail.com>, <dan_york (at) Mitel.com>
Cc: voipsec (at) voipsa.org
Message-ID:
<4280DB4085C0FC4BAA41AB503C1024D0DE6972 (at) vanmail01.vancouver.polycom.com>
Content-Type: text/plain; charset="iso-8859-1"
Lucas,
If you take a look at RFC 3830, the envelope key in public key modes can be reused as a shared secret for MIKEY pre-shared secret mode. I believe that is exactly what you were looking for.
Dragan
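The mechanism Lucas asks about and Dragan points to (a key from the first, public-key exchange cached and reused as the pre-shared secret for later calls), sketched as an added example that is not part of any post in this digest. The `Endpoint` class, the message fields and the HMAC-SHA-256 derivation are assumptions standing in for MIKEY's own message format and PRF from RFC 3830, and delivery of the envelope key during first contact is assumed to have already happened.

```python
import hashlib
import hmac
import os

def derive(secret: bytes, label: bytes, rand: bytes) -> bytes:
    # Stand-in KDF (HMAC-SHA-256); RFC 3830 specifies its own PRF.
    return hmac.new(secret, label + rand, hashlib.sha256).digest()

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

class Endpoint:
    def __init__(self, name: str):
        self.name = name
        self.cache = {}  # peer name -> envelope key kept from first contact

    def remember(self, peer: str, envelope_key: bytes) -> None:
        # Assumed: public-key mode delivered envelope_key; cache it as the PSK.
        self.cache[peer] = envelope_key

    def offer(self, peer: str, tgk: bytes) -> dict:
        # Later call, pre-shared-secret mode: fresh RAND per session.
        psk, rand = self.cache[peer], os.urandom(16)
        wrapped = xor(tgk, derive(psk, b"encr", rand))  # TGK of <= 32 bytes
        mac = hmac.new(derive(psk, b"auth", rand), rand + wrapped,
                       hashlib.sha256).digest()
        return {"from": self.name, "rand": rand, "tgk": wrapped, "mac": mac}

    def accept(self, msg: dict):
        psk = self.cache.get(msg["from"])
        if psk is None:
            return None  # no first contact on record for this sender
        rand, wrapped = msg["rand"], msg["tgk"]
        want = hmac.new(derive(psk, b"auth", rand), rand + wrapped,
                        hashlib.sha256).digest()
        if not hmac.compare_digest(want, msg["mac"]):
            return None  # altered in transit, or sender lacks the cached key
        return xor(wrapped, derive(psk, b"encr", rand))

def demo() -> dict:
    alice, bob, impostor = Endpoint("alice"), Endpoint("bob"), Endpoint("alice")
    shared = os.urandom(32)  # constructed envelope key from first contact
    alice.remember("bob", shared)
    bob.remember("alice", shared)
    impostor.remember("bob", os.urandom(32))  # claims "alice", wrong key
    tgk = os.urandom(32)
    good = alice.offer("bob", tgk)
    bad = dict(good, tgk=xor(good["tgk"], b"\x01") + good["tgk"][1:])
    return {"genuine": bob.accept(good) == tgk, "tampered": bob.accept(bad),
            "impostor": bob.accept(impostor.offer("bob", tgk))}
```

The continuity only holds if the first exchange was itself authentic; an intermediary present at first contact would end up holding the cached secret.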
------------------------------
Message: 5
Date: Fri, 3 Feb 2006 15:21:23 -0800
From: Shawn Merdinger <shawnmer (at) gmail.com>
Subject: [VOIPSEC] VoIP outage news coverage blog -
http://voip-outage.blogspot.com
To: Voipsec (at) voipsa.org
Message-ID:
<fb0927a80602031521k441a97wd80d3d55508ae338 (at) mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
To provide a public and informal place to keep track of such things, I
started a blog of VoIP outages reported in the news media.
If you know of or see public news coverage of a VoIP outage that is
not on the blog please drop me an email and/or post the link as a
comment (no need to register) to the "Blog Objective" (1st post)
entry.
http://voip-outage.blogspot.com/
Thanks!
--scm
------------------------------
End of Voipsec Digest, Vol 14, Issue 5
**************************************