Ok, into the fray. I've written a couple of blog posts on the subject
which go into more detail of what I've been thinking. Basically, after
much searching through the STIR/SHAKEN stuff I finally figured out that
sip:mike@xxxxxxxx was out of scope. And I mean, it took me a *long* time
figure that out reading problem statements, requirements, etc. What my
blog post wonders about is whether STIR/SHAKEN is solving the wrong
problem. That is, it's trying to solve the e.164 spoofing problem via
tel: uri and sip: uri's with embedded telephone numbers. This is an
incredibly complex and fraught problem, so i have to ask whether it's
even worth it? Telephony is pretty much all SIP these days, even to
mobile phones with SIPoLTE, there's not much point to stick with e.164
addresses as identifiers if it's SIP end to end or SIP end to almost the
end with POTS termination. Since STIR/SHAKEN can't do much of anything
with actual PSTN onramp/offramp based spam, it makes me wonder why we
are holding onto mostly dead technology's vestiges. The future seems to
me that a sip:mike@xxxxxxxx URI would be the future, but the did not
solve for that. It's not like people *like* e.164 based identity, and
mostly it's hidden from you on mobile phones anyway. Being one of the
authors of DKIM (rfc 4871, etc) it has always occurred to me that
something DKIM-like could work for SIP and actually hacked a version of
my DKIM code to prove the point on a SIP stack in about 2005.
https://rip-van-webble.blogspot.com/2020/02/sip-what-about-from-header-no-love.html
Now being the dutiful engineer that I am, I decided to have an argument
with myself and ask whether we both (STIR/SHAKEN and SIP-DKIM) are
wrong. That is, is telephony as we know it essentially dying. The Covid
pandemic has really put that into focus with services like Zoom in the
limelight which as far as I know doesn't use SIP. Maybe none of them
have an inter-provider problem like the PSTN does. So maybe the right
solution is to do nothing, or do just the STIR/SHAKEN stuff because
"Something Must Be Done".
https://rip-van-webble.blogspot.com/2020/04/on-second-thought-sip-security.html
Mike
PS: hi all, long time! missed y'all and hope you're keeping safe :)