Minutes of the 2012-11-04 IAB Business Meeting
Atlanta, GA, USA

1. Attendance

PRESENT

• Bernard Aboba (IAB Chair)
• Jari Arkko
• Mary Barnes (IAB Executive Director)
• Marc Blanchet
• Ross Callon
• Alissa Cooper
• Spencer Dawkins
• Lars Eggert (IRTF Chair)
• Mat Ford (ISOC Liaison)
• Heather Flanagan (RFC Editor Liaison)
• Russ Housley (IETF Chair)
• Joel Halpern
• David Kessens
• Danny McPherson
• Cindy Morgan (IAB Executive Assistant)
• Jon Peterson
• Robert Sparks (IESG Liaison)
• Dave Thaler
• Hannes Tschofenig

GUESTS

• Sally Wentworth, ISOC

2. Administrivia

David Kessens agreed to work with Alissa Cooper to interview IAOC candidates.

3. Challenges in Secure Origin Authentication

Sally Wentworth provided a high-level summary of current WCIT proposals.

Hannes Tschofenig presented slides outlining the challenges in secure origin authentication in Voice Over IP.

–Begin Slides–

  Fundamental issue is no agreement on origin identifiers because there 
  is no universal "VoIP" 
  - Unlike the PSTN, where signaling is a single system, there is no 
    universal VoIP
  - No central services to which one needs to connect to deliver calls
  - P2P possible with direct domain names or IP addresses (and WebRTC is 
    going to blow this all wide open)

  Examples of different origin identifiers such as: 
  - Skype
  - Facebook
  - jabber
  - gtalk
  - Vibe
  - Whatsapp
  - SIP
  - proprietary VoIP
  - OTT

  No method of securely ensuring the integrity
  - Text-based protocols that can be easily modified
  - No common encryption / digital signature model that works across all 
    VoIP systems

  Types of identities
  - Email-style URIs
  - E.164 numbers (subject to MiTM attack in RFC 4244)

  SIP-specific challenges:
  - 'From' header can be easily forged
  - Headers can be stripped/removed by middleboxes (SBCs, B2BUAs, 
    routers, firewalls)
  - No integrity protection - RFC 4474 tried but failed in actual 
    deployment
  - Other attempts at identifiers but none universally recognized (ex. 
    P-Asserted-Identity, various private billing identifiers) and all 
    having various challenges
  - INSIPID working group working on identifier, but not done, will take 
    years to be deployed and will only address SIP portion of the space 
    (and also not clear that it can be secured).

  Identity in WebRTC
  - DTLS/SRTP identity support (IdP, PKI, etc.)
  - Linkage between SIP/XMPP identity and media identity
  - Compatibility with legacy use cases (E.164 numbers, SIM/AKA 
    authentication, etc.)

–End Slides–

Hannes Tschofenig asked whether the IAB could do any work on this topic to help explain the issue at WCIT. After discussion, the board agreed that such a message would be better delivered by ISOC. Sally Wentworth agreed to send the proposals ISOC would like feedback on most to the IAB; Bernard Aboba, Alissa Cooper, Danny McPherson, Jon Peterson and Hannes Tschofenig agreed to draft feedback on those proposals once received.