« New Blue Box shows coming soon... | Main | Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more »

April 29, 2008


Your ID on legitimate traffic that resembles SPIT points out the ironic situation that vocal proponents of "Stupid Network" are in the process of introducing intelligence in the Middle. My position is that it should be handled only at the ends. If you take the recommendation of RFC 5039, we need three things - strong authentication, white list and an "external" introduction scheme. I recommend that we use OpenID for authentication and request those ID providers to mediate "letters" like iName providers do. For quick reference if you want to send an email to me when you know only my iName, then you send the note via a web page to my provider who will ensure that it is not from a bot and will forward it to me; I can send my reply via the provider as well. This way the dependence on the Middle is sufficiently minimized and there is no concern about the Middle being over eager and impacting legitimate scenarios that you identify. We have implemented such a scheme in EnThinnai.

The comments to this entry are closed.

The Obligatory Photo

Contact Information

Full Disclosure

  • Dan York, CISSP, is the Chair of the VOIP Security Alliance (VOIPSA) and Senior Content Strategist for the Internet Society.

    Jonathan Zar is affiliated with Pingalo and is the Secretary of VOIPSA and member of the Board of Directors.

    This is a personal project and neither the Internet Society, Pingalo nor VOIPSA have any formal connection to this podcast. In the interest of transparency we just thought you should know our affiliations.

Why "Blue Box"?

  • We chose the name "Blue Box" primarily as a nod to the era of phone phreaking in part to illustrate that threats to telephony are not new - they just continue to change and evolve. That and admittedly the name just sounded cool.

Promote Blue Box!

  • Add this graphic to your site!