Category: Identity

Video: VUC 528 Provides An Update On Matrix.org And Wire

Last Friday's VUC conference call / podcast / hangout provided some interesting updates about the ongoing work at Matrix.org to build services for scalable, distributed and federated collaboration systems as well as some discussion of Wire, the app I've written about here. Guests included Matthew Hodgson and Amandine Le Pape from Matrix.org, as well as the usual cast of characters and a couple of live demonstrations, too.

You can view the episode web page and listen to the show here:

I joined the show about mid-way through and naturally wound up talking about IPv6, the Internet of Things (IoT), ICANN, DNS and other topics.

FYI, some good info about Matrix.org can be found in their FAQ. Back in November 2014, there was also another VUC episode focused around Matrix.org.

It was an enjoyable show and I'd encourage you to give it a listen.


If you found this post interesting or useful, please consider either:


Can We Create A "Secure Caller ID" For VoIP? (Join Tomorrow’s STIR BOF To Learn More)

Can we create a "secure Caller ID" for IP-based communications, a.k.a. voice-over-IP (VoIP)? And specifically for VoIP based on the Session Initiation Protocol (SIP)? Can we create a way to securely identify the origin of a call that can be used to combat robocalling, phishing and telephony denial-of-service (TDOS) attacks?

That is the challenge to be undertaken by the "Secure Telephone Identity Revisited (STIR)" group meeting tomorrow morning, July 30, 2013, at 9:00 am in Berlin, Germany, as part of the 87th meeting of the Internet Engineering Task Force (IETF). The meeting tomorrow is a "Birds Of a Feather (BOF)", which in IETF language is a meeting to determine whether there is sufficient interest to create a formal "working group" to take on a new body of work within the IETF. The proposed "charter" for this new work begins:

Over the last decade, a growing set of problems have resulted from the lack of security mechanisms for attesting the origins of real-time communications. As with email, the claimed source identity of a SIP request is not verified, and this permits unauthorized use of source identities as part of deceptive and coercive activities, such as robocalling (bulk unsolicited commercial communications), vishing (voicemail hacking, and impersonating banks) and swatting (impersonating callers to emergency services to stimulate unwarranted large scale law enforcement deployments). This working group will define a deployable mechanism that verifies the authorization of the calling party to use a particular telephone number.

The agenda for tomorrow's STIR meeting begins with a presentation by Henning Schulzrinne, now CTO of the US Federal Communications Commission (FCC) but also a long-time IETF participant and one of the co-authors of the original RFC 3261 specification for SIP. Henning will be laying out the problem statement and there will be a discussion of the proposed scope of the IETF work. He'll be followed by presentations of potential solutions by Jon Peterson, Eric Rescorla and Hadriel Kaplan and then a discussion of the proposed charter and the work to be done. Given the intense debate that has occurred on the STIR mailing list over the past weeks, I expect tomorrow's session to be one where some points will receive a great amount of passionate debate and discussion. (If you are interested in listening in or participating remotely in tomorrow's STIR meeting, see the information later in this article.)

Revisiting Previous SIP Identity Work

As some background, the Internet Architecture Board (IAB) laid out some of the challenges to "secure origin identification" in IP-based communication last November and took a very high-level look at the overall issue. Next, in preparation for what became this STIR effort, Jon Peterson, Henning Schulzrinne and Hannes Tschofenig authored a draft problem statement and requirements document.

The "Revisited" part of the group name is a nod to the fact that this whole issue of asserting "identity" has been explored within the SIP community in the past. Way back in 2006, RFC 4474 defined what has been called "SIP Identity" and provided a method for cryptographically signing certain SIP headers to identify the origin of a call. Unfortunately, RFC 4474 turned out not to work well with the way SIP was actually deployed and so usage has been virtually non-existent. An effort to update that document, what is called "RFC4474bis", has also been proposed and some of those ideas may be incorporated into the new proposed work for the STIR group.

There have also been other efforts such as the "P-Asserted-Identity (P-A-I)" defined in RFC 3325. The challenge here, though, is that P-A-I is in theory supposed to be limited to usage within a trusted network, although in practice it may be seen by other networks. There have also been several efforts to define or document identifiers for billing purposes (including my own P-Charge-Info), although these efforts are trying to solve a slightly different problem.

The point here really is that the STIR effort is drawing upon a rich body of "SIP identity" work that dates all the way back to some early drafts in 2002. Much thought has been given to this issue and many of the people involved with STIR have also been involved with earlier efforts and understand well some of the challenges faced by that past work.

An Important Difference

One important difference between STIR and earlier "SIP identity" efforts is that initially the STIR effort is only focused on telephone numbers. The draft charter explicitly states this:

As its first work item, the working group will specify a SIP header-based authorization mechanism to verify the originator of a SIP session is authorized to use the claimed source telephone number, where the session is established with SIP end to end. This is called an in-band mechanism. The mechanism will use a canonical telephone number representation specified by the working group, including any mappings that might be needed between the SIP header fields and the canonical telephone number representation.

and later:

Expansion of the authorization mechanism to identities using the user@domain form deferred since the main focus of the working group is to develop a solution for telephone numbers.

Previous "identity" work was also undertaken to include a "SIP URI" or "SIP address" and while the ultimate STIR mechanism (or a variant thereof) might also work for SIP URIs, the focus in this initial work is all around securing the origin identification of telephone numbers.
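Two of the points above lend themselves to a small worked example: the RFC 3325 trust-boundary problem with P-Asserted-Identity (an edge element must not pass along an identity asserted by a peer outside its trust domain), and the charter's call for a canonical telephone number representation so that numbers carried in different SIP header fields can be compared. The Python below is an added example written for this post; it is not code from the STIR effort, the IETF, or any of the drafts mentioned. It assumes a plain digits-only E.164-style canonical form (the actual form is left to the working group), constructed trust-domain address ranges, and a constructed INVITE as input.

```python
"""Added example: trust-boundary handling for P-Asserted-Identity and a
canonical telephone-number form for comparing SIP identity headers.
Everything here is illustrative; the canonical form STIR would adopt is
left to the working group and is assumed here to be plain E.164 digits."""
import re
from ipaddress import ip_address, ip_network

# Constructed: address ranges of peers inside our trust domain (RFC 3325 sense).
TRUSTED_PEERS = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]

# Headers that carry an asserted/preferred identity. P-Asserted-Identity is
# only meaningful inside a trust domain; a copy arriving from an untrusted
# sender must not be forwarded as if our network had asserted it.
IDENTITY_HEADERS = ("p-asserted-identity", "p-preferred-identity")


def parse_headers(raw):
    """Split a SIP request into (request_line, [(name, value), ...]).
    Folded continuation lines (leading whitespace) are joined to the
    previous header; parsing stops at the blank line before any body."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def serialize(request_line, headers):
    return "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n"


def is_trusted(src_ip):
    addr = ip_address(src_ip)
    return any(addr in net for net in TRUSTED_PEERS)


def enforce_pai_trust_boundary(raw, src_ip):
    """Edge-proxy rule: if the request came from outside the trust domain,
    strip any P-Asserted-Identity / P-Preferred-Identity it carries so the
    sender's claim cannot be laundered into an assertion by our network.
    Returns (message_to_forward, list_of_removed_header_values)."""
    request_line, headers = parse_headers(raw)
    if is_trusted(src_ip):
        return raw, []
    kept, removed = [], []
    for name, value in headers:
        if name.lower() in IDENTITY_HEADERS:
            removed.append(value)
        else:
            kept.append((name, value))
    return serialize(request_line, kept), removed


# Finds the URI inside optional display-name / angle-bracket framing, e.g.
#   "Alice" <sip:+14155551212@example.com;user=phone>;tag=abc
_URI_RE = re.compile(r"<?\s*((?:sip|sips|tel):[^>;\s]+)")
_VISUAL_SEPARATORS = re.compile(r"[\s().\-]")


def canonical_number(header_value):
    """Reduce a From/To/P-Asserted-Identity value to an assumed canonical
    form: the digits of the tel: URI or of the sip: user part, with visual
    separators removed and a leading '+' dropped. Returns None when the
    user part is not a telephone number (e.g. sip:alice@example.com).
    Note: a local number with ;phone-context is NOT resolved to global form."""
    m = _URI_RE.search(header_value)
    if not m:
        return None
    scheme, _, rest = m.group(1).partition(":")
    user = rest.split("@", 1)[0] if scheme in ("sip", "sips") else rest
    user = user.split(";", 1)[0]            # drop ;user=phone, ;phone-context=...
    user = _VISUAL_SEPARATORS.sub("", user)  # drop -, ., (, ) and whitespace
    if user.startswith("+"):
        user = user[1:]
    return user if user.isdigit() else None


# Constructed INVITE arriving from an address outside TRUSTED_PEERS.
SAMPLE_INVITE = (
    "INVITE sip:+12125550100@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776\r\n"
    "From: \"Caller\" <sip:+14155551212@peer.example>;tag=1\r\n"
    "To: <sip:+12125550100@example.net>\r\n"
    "P-Asserted-Identity: <tel:+1-415-555-1212>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

if __name__ == "__main__":
    forwarded, dropped = enforce_pai_trust_boundary(SAMPLE_INVITE, "203.0.113.7")
    print("Removed from untrusted peer:", dropped)
    print(forwarded)
    print(canonical_number("<tel:+1-415-555-1212>"),
          canonical_number('"Caller" <sip:+14155551212@peer.example>;tag=1'))
```

In this example the two header values `<tel:+1-415-555-1212>` and `<sip:+14155551212@peer.example;user=phone>` canonicalize to the same string, which is the kind of comparison any in-band verification step would need before checking whether the caller is authorized to use that number; the trust-boundary function is the defensive counterpart for the legacy P-A-I mechanism the post describes.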

This initial focus makes a great amount of sense given that so much of the SIP traffic today is a result of telecom service providers moving their regular calls to telephone numbers off of the legacy PSTN networks and over to IP networks where they use SIP. Additionally, a great amount of the "problem" traffic seen in VoIP today can be created by attackers who use simple VoIP software to generate their calls to regular telephone numbers.

Remotely Participating In Tomorrow's STIR BOF

If you are interested in participating in the meeting (or at least listening in) on Tuesday, July 30, the meeting will go from 9:00 - 11:30 local time in Berlin, Germany. Berlin is in Central European Summer Time (CEST) which is UTC+2 (and 3:00 am US EDT / midnight US PDT for my friends back in the USA).

You can hear the audio stream at:

You can also join the Jabber chat room at:

The slides and other meeting materials can be found at (and note that materials may not be uploaded until shortly before the session and so you may need to refresh your browser):

Alternatively you can use the "MeetEcho" conferencing system that integrates the audio, the slides and the Jabber chat room at:

More information about participating remotely can be found on the IETF 87 Remote Participation page.

To get the most out of the meeting, you'll also want to read these three Internet Drafts that will be part of the solutions being discussed:

.... and be prepared for what should be a LIVELY discussion!

If you are unable to participate remotely, the session will be recorded and you will be able to listen to the archived audio stream, view the Jabber chat logs and also playback the MeetEcho recording.

Getting More Involved

Beyond listening to tomorrow's BOF session, the best way to get involved - either to actively participate or to at least monitor the effort - is to join the STIR mailing list at:

https://www.ietf.org/mailman/listinfo/stir

The list is open to anyone to join. There are no membership or corporate requirements or fees - anyone with an email address may participate.

WARNING! - As can be seen in the list archive, there is currently a large volume of discussion and it will probably continue for some time. If you do join the mailing list you may want to consider setting up rules to sort the STIR email into a folder - or just prepare for the volume to be added to your inbox.

The other way to be involved is to monitor and read the documents that are created for the STIR effort. Newer documents are being created with "stir" in the document name and so they can be easily found at:

http://datatracker.ietf.org/doc/search/?name=stir&activedrafts=on

Other documents that are useful to understand this effort are linked to earlier in this article and can also be found in the text of the proposed STIR charter. After tomorrow's STIR BOF session there will be more information about how the effort will proceed within the IETF. The meeting tomorrow should result, I expect, in the recommendation to go ahead with formally creating a working group and undertaking this work, but we'll see what outcome occurs.

Can a method of secure origin identification for SIP-based VoIP calls be created? Given that basically all telecom traffic is in the process of moving to be based on IP, the need for a secure origin identifier is very clearly here - and many of us do believe we can develop a system that will work in today's environment.

What do you think? Are you ready to join in and help?


Update: Added the additional charter text about "Expansion of the authorization mechanism to identities..."




John Battelle On The Importance of Aggregating The Digital Content We Post In Walled Gardens

As we spread our digital content across the Internet, through separate services that we do NOT control, such as Facebook, Twitter, Google+ and Quora, how do we aggregate all that information somewhere where we DO control the content? So as to preserve our "identity" formed by that collective work?

That is at the heart of John Battelle's great piece yesterday, "We Need An Identity Re-Aggregator (That We Control)." I've written at some length over the years about the re-emergence of online "walled gardens" and the need for us to maintain our own identity on the web. I've also spoken about this on any number of FIR reports I've submitted... and to me John really nails it with this paragraph:

The downsides of not owning your own words, on your own platform, are not limited simply to money. Over time, the words and opinions one leaves all over the web form a web of identity - your identity - and controlling that identity feels, to me, a human right. But unless you are a sophisticated netizen, you're never going to spend the time and effort required to gather all your utterances in one place, in a fashion that best reflects who you are in the world.

As he notes further on in the piece, even if you link to your contributions on one of those services, should that service disappear all your content is lost.

Over the past few months, I've been trying to change my behavior a bit and revert my own writing to how it used to be. I'm trying to post messages on my own blogs FIRST and then link to them from the other services.

Even this post... I could have left it as a comment on John's blog, or as a reply inside of Facebook or Google+... but instead I am posting it here, on a platform that I control.

It's hard... the various services make it seductively convenient just to have all your interaction within the walls of that service. And I certainly do have some level of conversation within those walls. But for longer content - or commentary that I want to preserve, even in the form of links to other sites with some comment, I'm trying to do more of that from my own sites. Kind of like how "blogging" was back about 5+ years ago before we got all caught up in these new shiny services that we all enjoy so much.

Meanwhile, I, too, would love to have a "meta service" along the lines of what John suggests...

Image credit: jeremybrooks on Flickr




Why The "Nym Wars" Matter – Preserving Pseudonymity On An Open Internet


There's an identity war going on out on the Internet right now... there are multiple aspects to it... but the key is that:

it is a battle for control of YOUR identity!

Think of any website you've visited lately that has offered you the ability to "Login with Facebook" or "Sign in with Twitter".

It's simple. Easy. Convenient.

And dangerous.

Because in embracing the convenience of such services (and I am certainly guilty of this myself), we surrender control of our identity to the identity provider.

But that is a broader topic for a much longer piece I want to write...

Right now I want to touch on the point:

What if the "identity provider" won't let you use what you consider your "real" identity?

What if the identity provider requires you to use your "birth name" (or "real name") instead of the name that everyone knows you as?

Welcome to the world of pseudonyms... persistent identities used by people instead of the names they were given at birth.

Pseudonyms have been with us for eons... as noted above, authors and entertainers have long used them. In fact, a pseudonym was involved with the founding of the United States.

And this pseudonymity is exactly what is at stake in what is being tagged as the "#nymwars" on Twitter.

This latest battle in the much larger war really began back on July 22nd, when Kirrily Robert, a developer (and former co-worker of mine) who has gone by the pseudonym "Skud" for many years, was suspended from Google+ for not using her real name and took to her blog to publicize this fact. There have been literally hundreds (and maybe thousands) of articles on the topic posted between then and now... with the most recent wave being about Google CEO Eric Schmidt's comments that Google wants you to use your real name because they want to be an identity provider... and do things with that "real identity" of yours.

This battle isn't just about Google+, though. Facebook would also like you to only use your "real name" and to have you assert only your "real" identity.

I could go on at great length about why this is a bad idea, but would instead point you to this excellent but lengthy piece:

Read it... and then go back and read it again. A powerful piece laying out so many of the reasons why pseudonymity is important.

And a key point is:

Pseudonymity is NOT anonymity.

There is an entirely separate discussion to be had around true anonymity... and the value therein - or not.

But that is entirely different from the idea of a persistent identity that one uses as a replacement for one's "real name".

Should we not have the right to use the name that people know us by on these services?

The response, of course, is that using these services is optional and you can, of course, choose NOT to participate in Google+... or Facebook... or whatever other service requires you to use your "real name".

And obviously that is an option.

But what if many of the conversations I want to participate in have moved to one of those services? What if all my friends are sharing photos using some new service... and I can't because I'm forced to use a different identity than what I want to use?

What if I am an author or entertainer and want to engage on that service with my fans through the persona I use?

What if that service is the only way to communicate out of my country or region and using my real name may get me killed?

Pseudonymity matters.

Control over our identity matters.

The ability to control the identity we choose to use on services on the Internet matters.

The war for our identity will continue to rage... will the victor be the organizations who control the services we want to use? Or will we retain the right to control our identity?

Your choice...


Other good articles worth reading:


Image credit: koisny on Flickr

