[Asterisk-Users] VOIP Spam

Duane digium at aus-biz.com
Sat Apr 17 16:31:48 MST 2004


Nicholas Bachmann wrote:

> A web of trust is different from the chain of trust I'm talking about.  
> In a web of trust, a key is signed by lots of different people; ideally, 
> everybody can trust everybody.  In a chain of trust, each member only 
> knows and trusts the adjacent members.

CAcert doesn't operate a web of trust in the PGP sense; for someone to 
issue "trust" points to other people they must already have a certain 
amount of trust points themselves. Both PKI and PGP models will fail, 
not because of the technology but because of the people factor. The PKI 
model *can* be, to a larger extent, slightly more resilient; in general no 
CA would have reason to issue false certificates and *usually* you can 
be sure more are issued on a correct basis. In the PGP model, if you lived in 
say Africa and wanted to communicate with someone in South America with 
little or no prior relationship and you wanted to be sure the 
communication wouldn't be intercepted, you have 2 choices: fly to meet 
each other, or gain trust that you both are who you say you are from an 
impartial 3rd party that, if it did its job correctly, would be correct.

*BUT*, and it's a very big but, there are 2 or 3 flaws in the PKI model. 
Firstly there is a crap load of money usually involved, and where there is 
money there is usually corruption. At this stage of the game the PKI 
industry has had very little overall impact: something like 0.3% of web 
servers (not websites) are protected with a "valid" certificate issued 
by a "valid" CA, and the number of invalid, self-signed and non-"valid" 
signed certificates is closer to 1.3%. There are a lot of websites that 
should use some form of crypto to protect against passive listening. 
Another major flaw is that PKI based on issued certificates from any CA would 
be worthless in protecting a person in a country where the government 
represses free speech by arresting and killing its citizens. In the UK I 
believe the government has laws in place so they can demand your private 
key, and the US could coerce by legal means to force CAs to issue false 
certificates and then stick a gag order on them.

The PGP model would obviously be an advantage in this case, but most people 
don't have a clue about security practices and get so many pop-up 
warning messages they simply click OK to whatever comes up.

The other flaw is safekeeping of certificates: unless you have a 
hardware device, the more difficult you make it for someone to break 
digital security will only make them turn round and break physical 
security...

Passwords are inherently bad and there are numerous articles on people 
giving their work/email passwords away for a cheap pen...

> Sort of... CAcert.org is a Certificate Authority.  A CA just signs 
> public keys, while a key server stores a copy of them.  What I'm talking 
> about is more like http://pgp.mit.edu/.

Working on it; we actually have a finger daemon set up and running to reply 
with certificates if you send it an exact request that matches an entry 
in the database, whether hostname or email address...

I've penned an internet-draft on what we've done which can be read here:

http://www.cacert.org/index.php?id=26&prob=8

I keep meaning to post it to the IETF as an informational document...

> But we're not looking at certificates; we're looking at public/private 
> keypairs.  Phones can generate the keypairs, but how does the phone 
> prove to the key server that it is an authorized phone?  With just a 
> simple password?

The PIX sends a certificate signing request and holds onto the private 
key; the CA then replies with a signed certificate and the PIX stores 
that with the private key...

When grabbing a certificate it doesn't matter if it's authorised to or 
not, because it has the private key, so only it can decode data sent to 
it using the public certificate...

-- 
Best regards,
  Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
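The enrolment flow described above (the device generates its own key pair and a CSR, the CA returns a signed certificate, and the device keeps the private key so only it can read data encrypted to its certificate), as an added shell example built on the openssl CLI. This is not code from the post or from CAcert; the CA name, device name and temporary paths are made up for the demo.

```shell
#!/bin/sh
# Added example: CSR enrolment with the private key never leaving the device.
# Assumes the openssl command-line tool is installed. Every name is constructed.
set -e
WORK=$(mktemp -d)

# CA side: a throwaway self-signed root certificate for the demo.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Device side: generate the key pair and a CSR for the given name.
# Only device.csr is handed to the CA; device.key stays on the device.
make_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
}

# CA side: sign the request and hand back a certificate (no private key involved).
sign_csr() {
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/device.crt" 2>/dev/null
}

# Anyone holding the CA certificate can check the device cert chains to it.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null 2>&1
}

# The public key inside the certificate must match the key the device kept.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/device.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/device.key" -pubout)" ]
}

# Encrypt to the certificate; only the private-key holder can decrypt it.
roundtrip() {
  printf 'hello' > "$WORK/msg"
  openssl pkeyutl -encrypt -certin -inkey "$WORK/device.crt" \
    -in "$WORK/msg" -out "$WORK/enc"
  openssl pkeyutl -decrypt -inkey "$WORK/device.key" -in "$WORK/enc"
}

# Stand-alone run: enrol a made-up phone and check the result.
make_ca && make_csr "phone-01.example" && sign_csr
verify_cert && key_matches_cert && [ "$(roundtrip)" = "hello" ] \
  && echo "device certificate verified, matches its private key, decrypts OK"
```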


