Richard Shockey wrote:
Paul, of course I've read them, though the PVP document is uniquely dense and
gave me a headache. Security by ID Obscurity.

My assertion still stands. In the absence of any linkage in the PVP to the
E164 numbering authorities and/or databases, any assertion about verification
and validation of an E.164 is in essence self validation. The charter does
NOT state that. My point is the proposed charter is badly written and
implies a trust model that does not exist.

You make a phone call, if it answers and you hopefully get a caller ID that
hasn't been spoofed then maybe you are OK, and maybe you hope the TTL is set
to some interval that doesn't cause number hijacking. But gee, what happens
when the number is disconnected from the PSTN? Hummmm

The use of the term validation and/or verification here implies
authentication and my assertion is that any authentication of the
responsible domain for an E.164 number outside of the PSTN service provider
or national numbering authority is not possible under the current regulatory
circumstances. Consequently the charter implies an ability to develop a
solution which we all know is impossible.

Perhaps better terms can be found and used.

But the end effect is that the destination you reach using ViPR has the
same assuredness of being who you thought it would be as an actual PSTN
For the most part, that is a level of assurance that many people are
comfortable with, even if we know that is not as reliable as most people
think it is. And regardless of whether it is as good as people would
like, it is as good as can be had in most cases with the current state
of the art.

Ietf mailing list