[Asterisk-Users] VOIP Spam
Nicholas Bachmann
asterisk at not-real.org
Sat Apr 17 10:22:56 MST 2004
Duane wrote:
> Nicholas Bachmann wrote:
>
>> 1. It's a chain of trust: it's hard for Bob to verify Alice's
>> signature directly
>> -Not impossible to fix
>
> CAcert.org's whole purpose is cheap, easily obtainable security... It
> employs a web of trust in the website framework to build up and
> distribute face to face identification checks...
A web of trust is different from the chain of trust I'm talking about.
In a web of trust, a key is signed by lots of different people; ideally,
everybody can trust everybody. In a chain of trust, each member only
knows and trusts the adjacent members.
>
>> 2. A central registry must be created that's free and open for
>> providers to use but secure enough to verify members.
>
> Again CAcert.org fulfils this criteria...
Sort of... CAcert.org is a Certificate Authority. A CA just signs
public keys, while a key server stores a copy of them. What I'm talking
about is more like http://pgp.mit.edu/.
>> -Think about the global IP address distribution agencies
>> 3. Phones must get private keys securely.
>
> Last one is as much a technical issue as a people issue, although PIX
> firewalls implement (forget the acronym) where they send a request to
> a CA and the CA sends back a certificate. I keep meaning to implement
> it for CAcert but I lack a PIX for dev & testing...
But we're not looking at certificates; we're looking at public/private
keypairs. Phones can generate the keypairs, but how does the phone
prove to the key server that it is an authorized phone? With just a
simple password?
Nick
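To make the chain-of-trust versus web-of-trust distinction from the reply above concrete, here is an added example (not from this thread or from Asterisk) that models both acceptance policies over a constructed set of key signatures; the key names, the `registry` trust anchor and the two-signer threshold are assumptions, and each signature is assumed to have already been verified cryptographically.

```python
from collections import deque

# Constructed sample: (signer, subject) means "signer has signed subject's key".
# Assumption: the signatures themselves were already checked; only the trust
# policy that decides whether to accept a key is modelled here.
SIGNATURES = {
    ("registry", "providerA"),
    ("providerA", "alice"),
    ("registry", "providerB"),
    ("providerB", "bob"),
    ("carol", "alice"),
    ("dave", "alice"),
}


def chain_of_trust(signatures, anchor, target, max_depth=4):
    """Chain of trust: accept `target` only if signatures lead from the
    verifier's single trusted anchor to it, hop by hop (each member only
    vouches for its adjacent member).  Returns the chain, or None."""
    parents = {anchor: None}
    queue = deque([(anchor, 0)])
    while queue:
        key, depth = queue.popleft()
        if key == target:
            chain = []
            while key is not None:          # walk parents back to the anchor
                chain.append(key)
                key = parents[key]
            return chain[::-1]
        if depth >= max_depth:              # bound how long a chain we accept
            continue
        for signer, subject in signatures:
            if signer == key and subject not in parents:
                parents[subject] = key
                queue.append((subject, depth + 1))
    return None


def web_of_trust(signatures, trusted_signers, target, threshold=2):
    """Web of trust (PGP-style): accept `target` if at least `threshold`
    of the keys the verifier trusts directly have signed it."""
    signers = {signer for signer, subject in signatures if subject == target}
    return len(signers & set(trusted_signers)) >= threshold


if __name__ == "__main__":
    print(chain_of_trust(SIGNATURES, "registry", "alice"))   # via providerA
    print(chain_of_trust(SIGNATURES, "registry", "mallory")) # None: no chain
    print(web_of_trust(SIGNATURES, {"carol", "dave"}, "alice"))  # True
    print(web_of_trust(SIGNATURES, {"carol"}, "alice"))          # False
```

Note that Bob, holding only the registry anchor, accepts Alice through the chain without any direct relationship, whereas under the web-of-trust policy he needs enough signers he already trusts.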