One thing that I'm ignorant of is whether XMPP/SIP/SMTP use bidirectional authentication when using TLS server to server. But it all becomes moot when the signaling traverses an intermediate domain. That's when you need something like DKIM, which is a domain-level end-to-end solution.
For identity verification on XMPP, I trust my server and in turn it can prove the remote domain, and beyond that trust (or not) that domain's servers not to lie about the user identity within that domain.
It occurs to me that even doing a DKIM-like solution for SIP with the e.164 address problem might be helpful. DKIM's main service is a "complain to me" one. If you take off the table anything that passes through a PSTN gateway, which nobody can solve for, that means that domain-level authentication would give you somebody to blame. Everybody did that willingly for email, but if SIP providers were recalcitrant, governmental persuasion could come in handy. The farther you push who to blame toward the originating side, the smaller the number of degrees of freedom the scammers have. At that point, whether they have the right to claim a given e.164 address is rather beside the point: you know the domain that is originating it and you can... complain. Or call the cops on them. Or any number of other things. The big thing that's changed in the last 15 years is that SIP is pretty much everywhere for legacy telephony, which definitely wasn't the case when I hacked up a SIP stack and put a DKIM signature in an INVITE.
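What a DKIM-style signature in an INVITE looks like end to end, as an added example that is not code from this thread or from any SIP stack: the originating provider signs a canonicalized set of headers with its domain key, and the receiving side verifies against a key published for that domain, then checks that the signing domain is the domain in the From URI, so the verifier ends up with exactly one party to complain to. Everything here is assumed for illustration: the `Domain-Signature` header name, the `<selector>._sipkey.<domain>` key label (modelled by an in-memory map standing in for DNS), Ed25519 in place of DKIM's RSA, and the sample INVITE itself, which is constructed rather than captured.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SigHeader is a hypothetical SIP header carrying a DKIM-style signature (not a standard header).
const SigHeader = "Domain-Signature"

// Constructed sample INVITE (not a real trace); only the headers matter here.
const sampleInvite = "INVITE sip:+15555550123@example.net SIP/2.0\r\n" +
	"From: \"Alice\" <sip:+15555550100@example.org>;tag=1928301774\r\n" +
	"To: <sip:+15555550123@example.net>\r\n" +
	"Call-ID: a84b4c76e66710@example.org\r\n" +
	"CSeq: 314159 INVITE\r\n\r\n"

// headerValues returns every value of the named header (case-insensitive), in order.
func headerValues(msg, name string) []string {
	var out []string
	for _, line := range strings.Split(msg, "\n") {
		if k, v, ok := strings.Cut(strings.TrimRight(line, "\r"), ":"); ok && strings.EqualFold(strings.TrimSpace(k), name) {
			out = append(out, strings.TrimSpace(v))
		}
	}
	return out
}

// canonicalize mirrors DKIM "relaxed" canonicalization: lowercase name, collapsed whitespace, one line per covered header.
func canonicalize(msg string, names []string) string {
	var b strings.Builder
	for _, n := range names {
		for _, v := range headerValues(msg, n) {
			fmt.Fprintf(&b, "%s:%s\r\n", strings.ToLower(n), strings.Join(strings.Fields(v), " "))
		}
	}
	return b.String()
}

// Sign signs the covered headers plus this header's own tags (b= empty), as DKIM does, and inserts the header after the request line.
func Sign(priv ed25519.PrivateKey, domain, selector string, names []string, msg string) string {
	tags := fmt.Sprintf("v=1; a=ed25519; d=%s; s=%s; h=%s; b=", domain, selector, strings.Join(names, ":"))
	data := canonicalize(msg, names) + strings.ToLower(SigHeader) + ":" + tags
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(data)))
	i := strings.Index(msg, "\n") + 1
	return msg[:i] + SigHeader + ": " + tags + sig + "\r\n" + msg[i:]
}

// Verify checks the signature with the key published for d=/s= (keys stands in for a DNS lookup under the
// made-up "<selector>._sipkey.<domain>" label), requires From to be covered, and requires the signer to be
// the From domain (DMARC-style alignment). On success it returns the domain that vouched for the INVITE.
func Verify(keys map[string]ed25519.PublicKey, msg string) (string, error) {
	vals := headerValues(msg, SigHeader)
	tags := map[string]string{}
	for _, kv := range strings.Split(strings.Join(vals, ";"), ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[k] = v
		}
	}
	pub, ok := keys[tags["s"]+"._sipkey."+tags["d"]]
	if len(vals) != 1 || tags["a"] != "ed25519" || !ok || !strings.Contains(":"+strings.ToLower(tags["h"])+":", ":from:") {
		return "", fmt.Errorf("missing, duplicated or unsupported signature, From not covered, or no key for %q", tags["d"])
	}
	// Rebuild exactly what the signer hashed; a malformed or missing b= simply fails to verify.
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	cut := strings.Index(vals[0], "; b=") + len("; b=")
	data := canonicalize(msg, strings.Split(tags["h"], ":")) + strings.ToLower(SigHeader) + ":" + vals[0][:cut]
	if !ed25519.Verify(pub, []byte(data), sig) {
		return "", errors.New("signature does not verify")
	}
	_, host, _ := strings.Cut(strings.Join(headerValues(msg, "From"), ""), "@")
	if end := strings.IndexAny(host, ">;"); end >= 0 {
		host = host[:end]
	}
	if !strings.EqualFold(host, tags["d"]) {
		return "", fmt.Errorf("signer %s is not the From domain %s", tags["d"], host)
	}
	return tags["d"], nil
}

// Demo signs the sample INVITE for example.org and verifies it, then shows two rejections:
// a From number altered in transit, and a valid signature from an unrelated provider.
func Demo() (domain string, okErr, tamperErr, misalignErr error) {
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, privB, _ := ed25519.GenerateKey(nil)
	keys := map[string]ed25519.PublicKey{"k1._sipkey.example.org": pubA, "k1._sipkey.other.example": pubB}
	covered := []string{"From", "To", "Call-ID", "CSeq"}
	signed := Sign(privA, "example.org", "k1", covered, sampleInvite)
	domain, okErr = Verify(keys, signed)
	_, tamperErr = Verify(keys, strings.Replace(signed, "+15555550100", "+15555550199", 1))
	_, misalignErr = Verify(keys, Sign(privB, "other.example", "k1", covered, sampleInvite))
	return
}

func main() { fmt.Println(Demo()) }
```

The alignment check at the end of `Verify` is what turns a valid signature into "somebody to blame": a signature from other.example over a From that claims example.org verifies cryptographically but is rejected, because other.example has not been given the right to vouch for example.org's users. Headers that proxies rewrite in transit (Via, Record-Route) are deliberately left out of the covered set, which is the same reason DKIM signs a chosen header list rather than the whole message.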
On SIP, like email, I understand it to be more complicated, because the path is not nearly as constrained as it is with XMPP, but fundamentally with DKIM etc. you are proving the provider's identity (i.e., the domain) and not that of the end user. That may well be enough in most cases, but it's somewhat reliant on having a few providers with much to lose.
Yes, but SMTP-Auth closes that circle. Whether you can reliably know whether a domain in fact uses it consistently is another matter. In an out-of-band kind of way, you could be very certain, e.g. subpoenaed server logs, etc. I've been waiting for that shoe to drop.
Mike